For the most part, I think best practice would be to statically set the port
to trunk and only allow those vlans needed on the trunk. I have read about
vlan hopping attacks but I don't know how prevalent those really are. That
being said, the native vlan does not need to be actually defined, and it
does not need to be allowed on the trunk.

On Fri, Feb 5, 2010 at 4:10 PM, Bobby Munk <[email protected]> wrote:

> Hi everyone,
>
> I’m looking for a best practice configuration for trunk ports. I have seen
> several articles recommend using a dummy native VLAN and permitting only
> certain VLANs on the trunk. I’ve seen other configurations take things
> further by defining a dummy access VLAN just in case the port stops
> trunking, the “dot1q tag native” global command and suspending the dummy
> VLANs.
>
> Basically I’m looking for a watertight configuration but don’t want to add
> unnecessary commands just for the sake of it.
>
> A few questions I have are:
> - Does the native VLAN actually have to exist in the VLAN database? Can I
> use a VLAN that does not exist on the switch?
> - Does the native VLAN need to be added to the allowed VLAN list? Does the
> “dot1q tag native” command have any effect on this?
> - Do you need a different native VLAN for each trunk? Or will one suffice
> for the entire network?
> - Is it necessary to “suspend” the dummy VLANs? Does this even help?
>
> Putting everything together so far we have this:
>
> ##############################
>
> vlan dot1q tag native
>
> vlan 40
>  name DUMMY_ACCESS
>  state suspend
>
> vlan 50
>  name DUMMY_NATIVE
>  state suspend
>
> vlan 100,200,300
>
> interface FastEthernet0/1
>  switchport access vlan 40
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport trunk native vlan 50
>  ! a bare list replaces the default of all VLANs; "add" would merge with that default and leave every VLAN allowed
>  switchport trunk allowed vlan 100,200,300
>  switchport nonegotiate
>
> ##############################
>
> Thanks everyone,
>
> Bobby
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>


-- 
Bryan Bartik
CCIE #23707 (R&S, SP), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
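As an added example (not from this thread and not a vendor tool), a small Python audit that reads an IOS-style running config and flags trunk ports missing the points raised above: static trunk mode with DTP off, an allowed list that actually replaces the default (the `add` keyword applied to the default list leaves every VLAN allowed), a native VLAN kept out of the allowed list, and a dummy access VLAN. The sample config and interface names are constructed for the example.

```python
# Constructed running-config excerpt (not from the thread): Fa0/1 follows the thread's advice, Fa0/2 keeps DTP defaults.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 40
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 50
 switchport trunk allowed vlan 100,200,300
 switchport nonegotiate
interface FastEthernet0/2
 switchport mode dynamic desirable
 switchport trunk allowed vlan add 100,200
"""
ALL_VLANS = frozenset(range(1, 4095))  # IOS default: every VLAN is allowed on a trunk

def vlan_set(spec):  # '100,200-202' -> {100, 200, 201, 202}
    return {v for p in spec.split(",") for v in range(int(p.split("-")[0]), int(p.split("-")[-1]) + 1)}

def audit_trunk(cmds):  # findings for one interface's sub-commands; [] means it matches the thread's pattern
    # IOS defaults: no static mode, native VLAN 1, all VLANs allowed, DTP on, no access VLAN set
    mode, native, allowed, nonegotiate, access = None, 1, set(ALL_VLANS), False, False
    for cmd in cmds:
        w = cmd.split()
        if w[:2] == ["switchport", "mode"]:
            mode = w[2]
        elif w[:4] == ["switchport", "trunk", "native", "vlan"]:
            native = int(w[4])
        elif w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            # only bare lists and 'add' are modelled: 'add' unions with the current list (a no-op on the default), a bare list replaces it
            allowed = allowed | vlan_set(w[5]) if w[4] == "add" else vlan_set(w[4])
        elif w == ["switchport", "nonegotiate"]:
            nonegotiate = True
        elif w[:3] == ["switchport", "access", "vlan"]:
            access = True
    checks = [(mode != "trunk", "not statically set to trunk"),
              (not nonegotiate, "DTP negotiation still enabled"),
              (allowed == ALL_VLANS, "allowed VLAN list still permits every VLAN"),
              (native in allowed, f"native VLAN {native} is in the allowed list"),
              (not access, "no dummy access VLAN if the port stops trunking")]
    return [msg for bad, msg in checks if bad]

def audit_config(config):  # split into interface blocks and audit those carrying trunk commands
    blocks, cmds = {}, []
    for line in config.splitlines():
        if line.startswith("interface "):
            blocks[line[10:]] = cmds = []
        elif line.startswith(" "):
            cmds.append(line.strip())
        else:
            cmds = []  # '!' or a global command ends the interface block
    return {i: audit_trunk(c) for i, c in blocks.items() if any("trunk" in x for x in c)}
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for FastEthernet0/1 and five findings for FastEthernet0/2, including that its `add` list still permits every VLAN.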