Correct, it's essentially an 802.1q native VLAN issue, not a VLAN 1 issue per
se. I would note though that although the change to make a non-active VLAN
the native VLAN is an obvious fix, it strikes me as a bug that Cisco does
not perform a sanity check on native VLAN frames to ensure that they, in
fact, do not have an 802.1q frame tag.  This is what causes the issue, since
packets on the native VLAN are not supposed to have an 802.1q frame tag.

On a related note, it _is_ now possible to clear VLAN 1 from a trunk.  It
disallows all non-management related traffic, i.e. anything other than VTP,
CDP, etc.  So this should in theory also "fix" the VLAN hopping issue,
although it's probably cleaner to just assign a non-active VLAN as the
native VLAN.


http://www.cisco.com/warp/public/473/21.html#case

The Case of VLAN 1
VTP pruning cannot be applied to VLANs that need to exist everywhere and to
be allowed on all switches in the campus (to be able to carry VTP, CDP
traffic, and other control traffic). There is a way, however, to limit the
extent of VLAN 1. This is a feature called VLAN 1 disable on trunk, and it
is available on Catalyst 4000, 5000, and 6000 family switches since Cisco
IOS release 5.4(x). This allows you to prune VLAN 1 from a trunk as you would
do for any other VLAN, but this pruning will not include all of the control
protocol traffic that will still be allowed on the trunk (DTP, PAgP, CDP,
VTP, and so on). However, you will block all user traffic on that trunk.
Using this feature, you can completely avoid the VLAN spanning the entire
campus, and as such, STP loops will be limited in extent, even in VLAN 1.
You can configure VLAN 1 to be disabled as you would configure other VLANs
to be cleared from the trunk by issuing the following commands:

Console> (enable) set trunk 2/1 des
Port(s)  2/1 trunk mode set to desirable.
Console> (enable) clear trunk 2/1 1
Removing Vlan(s) 1 from allowed list.
Port  2/1 allowed vlans modified to 2-1005.


Regards,
Kent
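The two fixes discussed above (a non-active native VLAN, or clearing VLAN 1 from the trunk) and the missing sanity check Kent describes can all be seen in a small model of 802.1q trunk forwarding. The following is an added example written for this thread, not code from the thread, from Cisco, or from any switch; it models two switches joined by a trunk, with function names (trunk_egress, trunk_ingress, hop_outcome) and frame bytes that are my own constructed test data. The starting condition is the one Kent points at: a frame the first switch has already classified into its native VLAN but whose bytes still carry an 802.1q tag.

```python
"""
Model of 802.1q trunk forwarding between two switches, showing why a tagged
frame sitting in the untagged native VLAN "hops" to the VLAN in its tag, and
why each mitigation from the thread stops it. Added example; not Cisco code.
"""
import struct

TPID_8021Q = 0x8100


def parse_tag(frame: bytes):
    """Return (vid, frame_without_that_tag) if an 802.1q tag follows the
    MAC addresses, else None."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def add_tag(frame: bytes, vid: int) -> bytes:
    """Insert an 802.1q tag (priority 0) after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def trunk_egress(vlan, frame, native_vlan, allowed, sanity_check=False):
    """Sending switch: put a frame that lives in `vlan` onto the trunk.
    Returns the wire frame, or None if the trunk drops it."""
    if vlan not in allowed:
        return None            # VLAN cleared from the trunk ("clear trunk 2/1 1")
    if vlan == native_vlan:
        # The native VLAN is sent untagged. Kent's proposed sanity check: a
        # native VLAN frame must not already carry a tag; drop it if it does.
        if sanity_check and parse_tag(frame) is not None:
            return None
        return frame
    return add_tag(frame, vlan)


def trunk_ingress(wire, native_vlan, allowed):
    """Receiving switch: classify a frame arriving on the trunk.
    Untagged means native VLAN; tagged means the VLAN in the (outer) tag.
    Returns (vlan, frame) or None if dropped."""
    tag = parse_tag(wire)
    vlan, frame = (native_vlan, wire) if tag is None else tag
    if vlan not in allowed:
        return None
    return vlan, frame


def hop_outcome(access_vlan, native_vlan, allowed, sanity_check=False):
    """A frame already classified into `access_vlan` on switch 1, but still
    carrying a tag for VLAN 20, crosses the trunk. Return the VLAN switch 2
    delivers it in, or None if it is dropped along the way."""
    dst = bytes.fromhex("ffffffffffff")          # constructed addresses
    src = bytes.fromhex("00005e000101")
    untagged = dst + src + b"\x08\x00" + b"payload"
    stray_tagged = add_tag(untagged, 20)         # the condition Kent describes
    wire = trunk_egress(access_vlan, stray_tagged, native_vlan, allowed, sanity_check)
    if wire is None:
        return None
    result = trunk_ingress(wire, native_vlan, allowed)
    return None if result is None else result[0]


if __name__ == "__main__":
    allowed = set(range(1, 1006))                # 1-1005 as in the CatOS output above
    print("native 1, default trunk      ->", hop_outcome(1, 1, allowed))
    print("native 999 (unused VLAN)     ->", hop_outcome(1, 999, allowed))
    print("VLAN 1 cleared from trunk    ->", hop_outcome(1, 1, allowed - {1}))
    print("native 1 + tag sanity check  ->", hop_outcome(1, 1, allowed, True))
```

With the default native VLAN 1 the frame leaves switch 1 untagged, so the stray tag is the first thing switch 2 sees and it lands in VLAN 20. With native VLAN 999 the frame is sent with an outer tag for VLAN 1, switch 2 strips that one tag and the inner tag is just payload; clearing VLAN 1 from the trunk, or the sanity check, drops the frame before it crosses.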

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Friday, March 22, 2002 7:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Catalyst 6509 [7:39192]


I'm embarrassed to say, I got it wrong, you must use any Vlan but 1 on the
trunk port.  Here's the direct quote from the link below:

"... prolonged discussions took place with the switch vendor to discuss the
implications of the results above. After consultation with their developers
it was concluded that the traffic from VLAN 1 was allowed to hop to other
VLANs because the trunk port was also set (implicitly) to native VLAN 1.
They suggested that by changing the native VLAN of the trunk port the VLAN
hopping could be eliminated. This was tested and was found to be true......"


http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> How??
>
> C6509> (enable) clear vlan 1
> VLAN number must be in the range 2..1000,1025..4094.
> C6509> (enable)
>
>   You can disable it on trunks however
>
>   dave
>
> "Steven A. Ridder" wrote:
> >
> > The big problem with Vlan 1 is that if it exists on your network a hacker
> > can do VLAN hopping (not a good thing).  Cisco recommends deleting Vlan 1
> > from switches.
> >
> > --
> >
> > RFC 1149 Compliant.
> > Get in my head:
> > http://sar.dynu.com
> >
> > "maverick hurley" wrote in message news:[EMAIL PROTECTED]...
> > > absolutely it will help for security, The thing to remember is that your
> > > ports are default for native vlan1. You can specify a different vlan number
> > > for your management like vlan 5. But in case of trunking mishaps/issues and
> > > vlan pruning issues it is safer using vlan 1.
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39275&t=39192