I got asked why we change from VLAN 1 to another VLAN in Cisco networks. What is bad with the default setup? Is VLAN 1 really magical in a Cisco network?
When Cisco ships a Catalyst switch, it comes with no configuration. All ports sit in VLAN 1 and, because the default DTP mode is dynamic auto (dynamic desirable on older platforms), they behave as access ports unless a neighbour negotiates a trunk; VLAN 1 is the only VLAN that exists. We've all seen networks that keep it like this: everything is one big flat network and the only VLAN in use is VLAN 1. Whether this is a bad configuration depends on several factors, including the size of the network, but let's take a look at some of the drawbacks of keeping it:
- No segmentation – Every user can reach every other user and everything else in the VLAN, such as infrastructure, servers, IoT type devices, and so on
- Default access – A user gets access simply by connecting a PC to the switch, which may not be the desired outcome
- Management access – Related to the first bullet point: if the switch has a management IP in VLAN 1, the user can reach the management interface and attempt to log in to the switch
- Well known native VLAN – It is well known that VLAN 1 is the default VLAN and the default native VLAN on trunks, so an attacker doesn't have to guess it. If the native VLAN were changed to something not easily guessed, this wouldn't be as much of a problem
- Potential VLAN hopping – This attack is rarely seen in practice, but the idea is to double tag your frame: an outer tag with the native VLAN of the trunk (VLAN 1 by default) and an inner tag with the VLAN you want to reach. The attacker sends it from an access port that is in VLAN 1. The switch removes the VLAN 1 tag and, because VLAN 1 is the native VLAN, forwards the frame over the trunk untagged, so the only tag left on the wire is the second one. The switch at the far end of the trunk reads that tag and delivers the frame into the target VLAN. It only works one way: replies from the victim have no path back to the attacker
- Potential control plane attacks – A user can send control plane frames, for example STP BPDUs, to change the topology of the network, such as which switch is considered the Root Bridge
Now, it is important to understand that there is nothing special about VLAN 1 here other than that it is the native VLAN by default and the only VLAN in use. If we made VLAN 666 the native VLAN and used only VLAN 666 on all ports, the effect would be the same.
What can you do to increase the security from the default configuration? The list below is not comprehensive but a starting point:
- Provide segmentation – Separate users from infrastructure, management, IoT type devices etc. by creating several VLANs for the different uses
- Create a MGMT VLAN – Use a different VLAN than the user VLANs for management and restrict access to it
- Use a parking VLAN – Create a VLAN that is used for "parking". That is, all unused ports get configured with this VLAN, which provides no connectivity (no SVI, and not allowed on any trunk)
- Shut down unused ports – Shut down all unused ports. Plugging a PC into one gives no access; the PC won't even see link up
- Configure ports as access – Configure user ports as static access ports and disable DTP (switchport mode access together with switchport nonegotiate) so that a user can't negotiate a trunk with the switch and thereby reach every VLAN allowed on it
- Change the native VLAN – Change the native VLAN on trunks (switchport trunk native vlan) to something other than the default. Use a VLAN that is not assigned to any access port, since double tagging only works from a port that sits in the native VLAN
- Tag the native VLAN – Ensure that all frames are tagged, including those in the native VLAN (vlan dot1q tag native). That removes the untagged frame the double-tagging attack depends on
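To make the double-tagging attack from the drawbacks list and the effect of the last three hardening items concrete, here is an added example (my own model, not code from the original post) of 802.1Q tag handling on a pair of switches. It builds tagged frames byte for byte and models only what matters here: how an access port classifies a frame, when a trunk sends a frame untagged, and how the far end classifies what arrives. The `Switch` parameters stand in for the IOS settings: `native_vlan` for `switchport trunk native vlan`, `allowed` for `switchport trunk allowed vlan`, and `tag_native` for `vlan dot1q tag native`. DTP negotiation (the reason for `switchport nonegotiate`) is not modelled, and the MAC addresses, payload and VLAN numbers are constructed sample data.

```python
import struct

ETH_P_8021Q = 0x8100  # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800

def build_frame(dst, src, vids, payload, ethertype=ETH_P_IP):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI left at 0)."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload

def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack_from("!H", frame, 12)[0] != ETH_P_8021Q:
        return None
    return struct.unpack_from("!H", frame, 14)[0] & 0x0FFF

def pop_tag(frame):
    """Strip the outermost tag: 4 bytes right after the two MAC addresses."""
    return frame[:12] + frame[16:]

def push_tag(frame, vid):
    """Insert a tag for vid in front of whatever currently follows the MAC addresses."""
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]

class Switch:
    """Tag handling only: no MAC learning or flooding, one trunk. Parameters mirror IOS settings."""
    def __init__(self, native_vlan=1, allowed=None, tag_native=False):
        self.native = native_vlan        # switchport trunk native vlan <id>
        self.allowed = set(allowed) if allowed is not None else set(range(1, 4095))  # allowed vlan
        self.tag_native = tag_native     # vlan dot1q tag native

    def access_ingress(self, frame, access_vlan):
        """Untagged frames and frames tagged with the port's own VLAN are accepted into
        access_vlan (that tag is stripped); a frame tagged with any other VLAN is dropped."""
        vid = outer_vid(frame)
        if vid is None:
            return access_vlan, frame
        return (access_vlan, pop_tag(frame)) if vid == access_vlan else None

    def trunk_egress(self, vlan, frame):
        """Tag the frame with its VLAN, except the native VLAN, which leaves untagged unless
        native tagging is on. Any tag already inside the frame is left in place."""
        if vlan not in self.allowed:
            return None
        if vlan == self.native and not self.tag_native:
            return frame
        return push_tag(frame, vlan)

    def trunk_ingress(self, frame):
        """A tagged frame goes into the VLAN of its outer tag; an untagged one goes into the
        native VLAN, or is dropped when native tagging is enforced."""
        vid = outer_vid(frame)
        if vid is None:
            if self.tag_native:
                return None
            vid, inner = self.native, frame
        else:
            inner = pop_tag(frame)
        return (vid, inner) if vid in self.allowed else None

def double_tag_attack(sw1, sw2, access_vlan, target_vlan, outer=None):
    """Attacker on an access port of sw1 sends [outer, target_vlan]; sw1 forwards it over the
    trunk to sw2. Returns the VLAN sw2 delivers it into, or None if dropped on the way."""
    outer = access_vlan if outer is None else outer
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",  # constructed sample frame
                        [outer, target_vlan], b"constructed payload")
    hop = sw1.access_ingress(frame, access_vlan)
    wire = sw1.trunk_egress(*hop) if hop else None
    delivered = sw2.trunk_ingress(wire) if wire else None
    return delivered[0] if delivered else None

def run_scenarios():
    """Default setup next to each mitigation; the value is the VLAN the far switch uses."""
    plain, moved, tagged = Switch, lambda: Switch(native_vlan=998), lambda: Switch(tag_native=True)
    return {
        "default: native 1, attacker port in VLAN 1": double_tag_attack(plain(), plain(), 1, 20),
        "native moved to unused VLAN 998": double_tag_attack(moved(), moved(), 1, 20),
        "native 998, attacker forges outer tag 998": double_tag_attack(moved(), moved(), 1, 20, 998),
        "native 998 but a user port is in VLAN 998": double_tag_attack(moved(), moved(), 998, 20),
        "native 1 with vlan dot1q tag native": double_tag_attack(tagged(), tagged(), 1, 20),
        "native 998, allowed 10,100, attacker in VLAN 10":
            double_tag_attack(Switch(998, {10, 100}), Switch(998, {10, 100}), 10, 20),
    }

if __name__ == "__main__":
    for name, vlan in run_scenarios().items():
        print(f"{name}: {'dropped' if vlan is None else f'delivered in VLAN {vlan}'}")
```

Running it shows the frame landing in VLAN 20 only in the default setup and in the case where the new native VLAN has also been handed out to a user port. Moving the native VLAN to an unused number makes the first switch tag the frame with VLAN 1, so the far switch keeps it in VLAN 1; forging the outer tag to match the new native VLAN fails at the access port; native tagging gives the same result as moving it. That is the reason for the advice to pick a native VLAN that nothing else uses, and for tagging it anyway.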
So VLAN 1 isn't really special after all? Or is it? Let's look at some of the reasons people consider VLAN 1 to be special:
- It can't be deleted – You can't delete VLAN 1, unlike any other VLAN
- You can't shut it down – You can't shut down VLAN 1 itself, again unlike other VLANs (the Layer 3 interface Vlan1, the SVI, is a different thing and can be shut down)
- Pruning – Previously it wasn't possible to remove VLAN 1 from a trunk's allowed list; that is no longer the case. VTP pruning is a separate matter: VLAN 1 is always pruning-ineligible
- Control plane protocols – There is a special relationship between VLAN 1 and the control plane protocols
We have learned that VLAN 1 isn't really special from a data plane perspective. It IS possible to remove it from a trunk. What about control plane protocols, though?
A Cisco switch runs several control plane protocols, such as CDP, LLDP, DTP, VTP, PAgP, LACP, and STP. Some of these are Cisco proprietary (CDP, DTP, PAgP, and VTP), while others are standards (LLDP and LACP). STP exists both in Cisco proprietary versions (PVST+, Rapid PVST+) and in IEEE standard versions. With a default configuration where VLAN 1 is in use and is the native VLAN, control plane protocol frames are sent untagged. What happens if the native VLAN is changed and VLAN 1 is removed from the trunk? That depends on the protocol. Some protocols, such as CDP, VTP, and PAgP, are sent tagged with VLAN 1 even when VLAN 1 is not allowed on the trunk. DTP is sent untagged in the native VLAN. For STP it is more complex: BPDUs are tagged or untagged depending on the VLAN and on whether the BPDU is IEEE compliant or PVST+. LACP PDUs should be untagged but have in some cases been sent tagged by Cisco devices.
While VLAN 1 has no special characteristics from a data plane perspective, it does have some when it comes to control plane protocols. That doesn't have much impact on your design, though. Based on this post you should understand that VLAN 1 is not bad per se; the drawbacks come from it being the default VLAN and the default native VLAN, and from the lack of design and segmentation in many networks. Happy to hear your experiences in the comments section. See you next time!