Advanced VLANs and Security
1. Management VLAN
- Provides remote access to the switch through an IP address assigned to a dedicated VLAN interface (SVI)
- By default this management IP sits on VLAN 1; it is recommended to create a dedicated management VLAN instead
Configuration

| Command | Description | Mode |
|---|---|---|
| vlan 99 | Create the VLAN with identifier 99 | Enters (config-vlan) mode |
| name Management | Name the VLAN | |
| interface vlan 99 | Select the VLAN 99 interface (SVI) | Enters (config-if) mode |
| ip address 192.168.99.2 255.255.255.0 | Assign the management IP address | |
| no shutdown | Change the interface state to up | |
| ip default-gateway 192.168.99.1 | Set the gateway used to reach the switch from other subnets | Global (config) mode |
2. Native VLAN
- The native VLAN is the only VLAN that carries untagged frames over a trunk link.
- By default, this is VLAN 1, which can cause security issues (as it is often also used for management).
Why change it?
- To prevent VLAN hopping attacks
- To clearly distinguish tagged traffic from untagged traffic
- For reasons of good segmentation practice
How to change it

| Command | Description | Mode |
|---|---|---|
| interface fa0/24 | Select the trunk port | Enters (config-if) mode |
| switchport trunk native vlan 99 | Set VLAN 99 as the native VLAN on this trunk | |
| show interfaces trunk | Verify the native VLAN and allowed VLANs on each trunk | Privileged EXEC mode |
3. VLAN Pruning
- By default, a trunk carries all active VLANs.
- Pruning limits the number of VLANs allowed on a trunk link, which improves security and reduces unnecessary traffic.
| Command | Description |
|---|---|
| switchport trunk allowed vlan 10,20,99 | Allow only VLANs 10, 20 and 99 on this trunk |
4. Port security
| Port type | Recommendation |
|---|---|
| Access port | Force access mode and assign a non-default VLAN |
| Trunk port | Restrict the allowed VLANs and define the native VLAN |
| Unused ports | Disable unused ports with shutdown |

Example of deactivation

| Command | Description |
|---|---|
| interface range fa0/10 - 24 | Select ports 10 through 24 |
| shutdown | Disable the selected ports |
5. Common mistakes
| Mistake | Consequence |
|---|---|
| Forgetting to create VLANs on all switches | The trunk is useless for those VLANs (their frames are not forwarded) |
| Native VLAN mismatch | Encapsulation errors on the trunk |
| Ports left in VLAN 1 | Security exposure |
| Trunks not actually configured | No inter-switch VLAN communication |
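The checks in sections 2 to 5 can be turned into a configuration audit. The following Python script is an added example, not part of these notes: it parses a `show running-config` style text and flags the mistakes listed above (access ports still in VLAN 1, trunks with native VLAN 1 or no allowed-VLAN pruning, unconfigured ports that are not shut down, a management IP on VLAN 1) and compares the native VLAN on both ends of a trunk. The two configuration excerpts, the interface names and the IP addresses are constructed for the example.

```python
"""Audit a Cisco IOS running-config excerpt for the VLAN weaknesses listed in these notes."""

# Constructed sample switch configuration (illustrative only; not from the notes).
SAMPLE_CONFIG = """\
vlan 99
 name Management
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
!
interface FastEthernet0/23
 switchport mode trunk
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,99
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
"""

# Constructed peer switch whose trunk still uses the default native VLAN 1.
PEER_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
"""


def parse_interfaces(config):
    """Map each 'interface X' block to its indented configuration lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def _value(lines, prefix):
    """Return what follows `prefix` on the first matching line, or None if absent."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit(config):
    """Return (interface, finding) pairs for the common mistakes in section 5."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        shut = "shutdown" in lines
        if name.lower().startswith("vlan"):  # SVI, not a physical port
            if name.lower() == "vlan1" and _value(lines, "ip address") and not shut:
                findings.append((name, "management IP on default VLAN 1"))
            continue
        if shut:
            continue  # disabled port: nothing to flag
        mode = _value(lines, "switchport mode")
        if mode == "trunk":
            native = _value(lines, "switchport trunk native vlan")
            if native is None or native == "1":
                findings.append((name, "trunk uses native VLAN 1"))
            if _value(lines, "switchport trunk allowed vlan") is None:
                findings.append((name, "trunk allows all VLANs (no pruning)"))
        elif mode == "access":
            if _value(lines, "switchport access vlan") in (None, "1"):
                findings.append((name, "access port left in VLAN 1"))
        else:
            # No forced mode: the port is unused or still negotiating via DTP.
            findings.append((name, "unused/unconfigured port not shut down"))
    return findings


def native_vlan_mismatch(config_a, iface_a, config_b, iface_b):
    """Compare both ends of a trunk; None if they agree, else (native_a, native_b)."""
    def native(config, iface):
        lines = parse_interfaces(config).get(iface, [])
        return _value(lines, "switchport trunk native vlan") or "1"  # IOS default
    a, b = native(config_a, iface_a), native(config_b, iface_b)
    return None if a == b else (a, b)


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
    print("native VLAN mismatch:",
          native_vlan_mismatch(SAMPLE_CONFIG, "FastEthernet0/24", PEER_CONFIG, "FastEthernet0/1"))
```

A port with no explicit `switchport mode` is reported as unconfigured because, on the constructed sample, it is either unused or left to DTP negotiation, which is exactly what the recommendation to force access mode and shut down unused ports is meant to remove.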