peos42
Mar 04, 2018, Tutor
Forbidden VLANs
Hi all, let's assume I configure a trunk port this way.... --snip-- interface 1/xg26 description 'SERVER3' switchport mode trunk switchport trunk native vlan 2026 switchport trunk allowed ...
- Mar 29, 2018
I am satisfied by doing exclude. Therefore I do not want to spend more time with a private chat. Also... I think the community deserves to know. To get help in the forum is one thing. To share info is another. The second one is not fulfilled if going into a private chat.
As I have a workaround with the exclude (that I think should not be needed), I am done in this thread. But I do think NETGEAR should consider clarifying this for all, as it is a security matter.
Tnx for your time
/Peo
peos42
Mar 04, 2018, Tutor
Hi again.
Did some more checks. It at least seems like there is a potential security issue by not using..
vlan participation exclude <vlannum>
At least for VLAN 1, that seems to be allowed anyway..... Or do I interpret the output of the show command wrong?
(switch0.incedo.org) #show running-config interface 1/g3
!Current Configuration:
!
interface 1/g3
description 'TRUNK - Switch 2 level3'
switchport mode trunk
switchport trunk native vlan 2003
switchport trunk allowed vlan 2-4,21,899,2003
exit
(switch0.incedo.org) #show interfaces switchport 1/g3
Port: 1/g3
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 2003
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 2-4,21,899,2003
Protected Port: False
- peos42, Mar 12, 2018, Tutor
Is this maybe the wrong part of the forum for such questions?
Tnx
Peo
- DaneA, Mar 13, 2018, NETGEAR Employee Retired
Hi peos42,
Welcome to the community! :)
I raised your concern with the higher tier of NETGEAR Support. As per the higher tier of NETGEAR Support, when using the switchport trunk allowed vlan command, if the switch port receives traffic with a VLAN tag for a VLAN ID not in the allowed list, it will drop the packet.
As reference, kindly read page 416 of the CLI Command reference manual here.
The command vlan participation exclude is used so the interface (port) is never a member of a particular VLAN. This is equivalent to registration forbidden.
Regards,
DaneA, NETGEAR Community Team
- peos42, Mar 13, 2018, Tutor
I had this on an interface...
(switch0.incedo.org) #show running-config interface 1/xg28
!Current Configuration:
!
interface 1/xg28
description 'FIBER IN'
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 21,999
no lldp transmit
no lldp receive
no lldp transmit-tlv port-desc
no lldp transmit-tlv sys-name
no lldp transmit-tlv sys-desc
no lldp transmit-tlv sys-cap
no lldp transmit-mgmt
no lldp med
exit
(switch0.incedo.org) #show interfaces switchport 1/xg28
Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False
Looks fishy... So I added...
(switch0.incedo.org) #show running-config interface 1/xg28
!Current Configuration:
!
interface 1/xg28
description 'FIBER IN'
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 21,999
vlan participation exclude 1
no lldp transmit
no lldp receive
no lldp transmit-tlv port-desc
no lldp transmit-tlv sys-name
no lldp transmit-tlv sys-desc
no lldp transmit-tlv sys-cap
no lldp transmit-mgmt
no lldp med
exit
(switch0.incedo.org) (Interface 1/xg28)#show interfaces switchport 1/xg28
Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs:
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False
But you mean this is not necessary?
/Peo
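The check peos42 is doing by eye above (comparing "General Mode Untagged VLANs", "General Mode Forbidden VLANs" and "Trunking Mode VLANs Enabled" before and after adding vlan participation exclude 1) can be automated over captured show interfaces switchport output. The script below is an added example for this thread, not code from NETGEAR or from any poster; it assumes the "Key: value" output layout quoted in the posts above, and the two sample captures are constructed to mirror the 1/xg28 before/after state (the port name and VLAN numbers are taken from the thread as illustration). It reports, per port, any VLAN the port is still a member of in general mode that is neither on the trunk allowed list nor explicitly forbidden, which is exactly the lingering VLAN 1 membership that prompted the question. Whether such membership actually passes traffic is what the NETGEAR reply addresses; the audit only makes the ambiguity visible so an operator can add the explicit exclude.

```python
import re

# Constructed sample capture, modelled on the "show interfaces switchport"
# output quoted in this thread (state before "vlan participation exclude 1").
BEFORE_EXCLUDE = """\
Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False
"""

# Constructed capture of the same port after the exclude was added:
# VLAN 1 leaves the untagged list and appears under Forbidden VLANs.
AFTER_EXCLUDE = BEFORE_EXCLUDE.replace(
    "General Mode Untagged VLANs: 1", "General Mode Untagged VLANs:"
).replace("General Mode Forbidden VLANs:", "General Mode Forbidden VLANs: 1")


def expand_vlan_list(spec: str) -> set[int]:
    """Expand a VLAN list such as '2-4,21,899,2003' into a set of IDs.

    A blank field (nothing after the colon in the show output) means no VLANs.
    """
    vlans: set[int] = set()
    for part in re.sub(r"\s+", "", spec).split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switchport(text: str) -> dict[str, str]:
    """Turn 'Key: value' lines into a dict; an empty value becomes ''."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_trunk_port(text: str) -> dict:
    """Report VLANs a port still belongs to outside its trunk allowed list.

    'lingering' holds VLAN IDs present in the general-mode untagged/tagged
    membership that are neither on the trunk allowed list nor explicitly
    forbidden. An empty set means every membership is either intended
    (allowed) or explicitly excluded (forbidden).
    """
    f = parse_switchport(text)
    allowed = expand_vlan_list(f.get("Trunking Mode VLANs Enabled", ""))
    forbidden = expand_vlan_list(f.get("General Mode Forbidden VLANs", ""))
    general = expand_vlan_list(f.get("General Mode Untagged VLANs", "")) | expand_vlan_list(
        f.get("General Mode Tagged VLANs", "")
    )
    lingering = (general - allowed) - forbidden
    return {
        "port": f.get("Port", "?"),
        "mode": f.get("VLAN Membership Mode", "?"),
        "allowed": allowed,
        "forbidden": forbidden,
        "lingering": lingering,
    }


def format_report(result: dict) -> str:
    """One-line summary suitable for a config-review log."""
    if result["lingering"]:
        ids = ",".join(str(v) for v in sorted(result["lingering"]))
        return f"{result['port']} ({result['mode']}): member of VLAN {ids} without allow or exclude"
    return f"{result['port']} ({result['mode']}): ok"


if __name__ == "__main__":
    for capture in (BEFORE_EXCLUDE, AFTER_EXCLUDE):
        print(format_report(audit_trunk_port(capture)))
```

Run against the constructed captures, the first port is flagged for VLAN 1 and the second is reported clean because the same VLAN now sits under Forbidden VLANs. Feeding the script a full show interfaces switchport dump split per "Port:" block turns the manual comparison in this thread into a repeatable check after every trunk change.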