Native VLAN Tagging

Why Native VLAN Tagging?

Native VLAN tagging is used when you want 802.1q to behave a bit more like ISL in one respect: tagging the frames that belong to the native VLAN. Normally, 802.1q leaves native VLAN frames untagged. This can leave you open to a VLAN hopping attack, in which an attacker connected to an access port sends a Q-in-Q (double-tagged) frame to your switch and tricks another switch into dropping the frame onto a different VLAN. This is only a one-way attack (there’s no way for a response to get back to the attacker), but it’s still undesirable.

Now let’s look at a configuration example.

interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk

Given the above configuration, the default native VLAN is 1 and all VLANs are allowed on the trunk. Any frame sent or received on VLAN 1 will be untagged; frames on every other VLAN will be tagged.

Tagging the Native VLAN

So how do we make a dot1q trunk tag the native VLAN? If your switch supports it, you can use this command from global configuration mode:

vlan dot1q tag native

That’s it, you’re done! All your native VLANs are tagged and you don’t have to worry about VLAN hopping.

What If My Switch Doesn’t Do That?

What if you have switches that don’t support this? Older switches like the 3500XL, and even the new 2960S, don’t support this. You can simulate it like this:

interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 42
 switchport trunk allowed vlan 1-41,43-4094
 switchport mode trunk

Set the native VLAN to a VLAN you are NOT using, then configure the trunk so that this native VLAN is not permitted on it. Now everything on that trunk will be tagged. It’s a workaround, and it’s a little ugly, but it does work and it’s the best workaround I know of.
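To check a saved running-config for trunks that can still carry untagged frames, here is an added Python audit helper (example code written for this page, not from the original post). It assumes IOS-style config text, parses only numeric allowed-VLAN lists, and treats both the global vlan dot1q tag native command and the pruned-native-VLAN workaround above as fully tagged.

```python
import re

# Added audit helper (not from the original post): given IOS-style running
# config text, report whether each dot1q trunk can carry an untagged frame.

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1-41,43-4094' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Native VLAN and allowed-VLAN set for each 'switchport mode trunk' interface."""
    trunks, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = trunks.setdefault(m.group(1), {"native": 1, "allowed": None, "trunk": False})
        elif cur is None:
            continue
        elif line == "switchport mode trunk":
            cur["trunk"] = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
            # Assumption: only numeric lists are handled; add/remove/except/all forms are ignored.
            cur["allowed"] = expand_vlan_list(m.group(1))
    return {name: t for name, t in trunks.items() if t["trunk"]}

def audit(config):
    """Map each trunk to 'tagged' or 'untagged native vlan N'."""
    # Either the global 'vlan dot1q tag native' or pruning the native VLAN
    # from the allowed list (the workaround above) keeps every frame tagged.
    tags_native = re.search(r"^vlan dot1q tag native\s*$", config, re.M) is not None
    report = {}
    for name, t in parse_trunks(config).items():
        allowed = t["allowed"] if t["allowed"] is not None else set(range(1, 4095))
        if tags_native or t["native"] not in allowed:
            report[name] = "tagged"
        else:
            report[name] = f"untagged native vlan {t['native']}"
    return report

# Constructed sample configs mirroring the two interface examples in the post.
DEFAULT_TRUNK = "interface GigabitEthernet0/3\n switchport trunk encapsulation dot1q\n switchport mode trunk\n"
WORKAROUND = ("interface GigabitEthernet0/3\n switchport trunk encapsulation dot1q\n"
              " switchport trunk native vlan 42\n switchport trunk allowed vlan 1-41,43-4094\n"
              " switchport mode trunk\n")

if __name__ == "__main__":
    print(audit(DEFAULT_TRUNK))                              # {'GigabitEthernet0/3': 'untagged native vlan 1'}
    print(audit(WORKAROUND))                                 # {'GigabitEthernet0/3': 'tagged'}
    print(audit("vlan dot1q tag native\n" + DEFAULT_TRUNK))  # {'GigabitEthernet0/3': 'tagged'}
```

A trunk whose native VLAN was moved to an unused ID but not pruned from the allowed list is still reported as untagged, which is the half-applied version of the workaround worth catching.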

FIN