
Forbidden VLANs

peos42
Aspirant

Forbidden VLANs

Hi all
Let's assume I configure a trunk port this way....

--snip--

interface 1/xg26
description 'SERVER3'
switchport mode trunk
switchport trunk native vlan 2026
switchport trunk allowed vlan 2-4,21,899,2026
exit

--snip--

 

and an access port this way...

--snip--

interface 1/g10
description 'VLAN 2 - XPY transmitter'
switchport mode access
switchport access vlan 2
exit

--snip--

 

Will that mean a command like this:

vlan participation exclude 999,1201

 

is meaningless and has no effect? The question is whether

switchport trunk allowed vlan 2-4,21,899,2026

on the trunk port, and

switchport access vlan 2

on the access port

automatically forbids all other VLANs.

 

Tnx

/Peo

Model: S3300-28X-PoE+ (GS728TXP)|ProSAFE 24-port Stackable Smart Switches with PoE+
Message 1 of 9


All Replies
peos42
Aspirant

Re: Forbidden VLANs

Hi again. 

 

Did some more checks. It at least seems like there is a potential security issue by not using...

vlan participation exclude <vlannum>

 

At least VLAN 1 seems to be allowed anyway..... Or do I interpret the output of the show command wrong?
(switch0.incedo.org) #show running-config interface 1/g3

!Current Configuration:
!
interface 1/g3
description 'TRUNK - Switch 2 level3'
switchport mode trunk
switchport trunk native vlan 2003
switchport trunk allowed vlan 2-4,21,899,2003
exit

 

(switch0.incedo.org) #show interfaces switchport 1/g3

Port: 1/g3
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 2003
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 2-4,21,899,2003
Protected Port: False

 

Message 2 of 9
peos42
Aspirant

Re: Forbidden VLANs

Is this maybe the wrong part of the forum for such questions?

 

Tnx

Peo

Message 3 of 9
DaneA
NETGEAR Employee Retired

Re: Forbidden VLANs

Hi @peos42,

 

Welcome to the community! 🙂 

 

I raised your concern with the higher tier of NETGEAR Support. As per the higher tier of NETGEAR Support, when using the switchport trunk allowed vlan command, if the switch port receives traffic with a VLAN tag for a VLAN ID not in the allowed list, it will drop the packet.

 

As a reference, kindly read page 416 of the CLI Command Reference Manual here.

 

The command vlan participation exclude is used so the interface (port) is never a member of a particular VLAN. This is equivalent to registration forbidden.
Regards,


DaneA

NETGEAR Community Team

Message 4 of 9
peos42
Aspirant

Re: Forbidden VLANs

I had this on an interface...

 

(switch0.incedo.org) #show running-config interface 1/xg28
!Current Configuration:
!
interface 1/xg28
description 'FIBER IN'
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 21,999
no lldp transmit
no lldp receive
no lldp transmit-tlv port-desc
no lldp transmit-tlv sys-name
no lldp transmit-tlv sys-desc
no lldp transmit-tlv sys-cap
no lldp transmit-mgmt
no lldp med
exit

 

(switch0.incedo.org) #show interfaces switchport 1/xg28
Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False

 

Looks fishy... So I added...

 

(switch0.incedo.org) #show running-config interface 1/xg28

!Current Configuration:
!
interface 1/xg28
description 'FIBER IN'
switchport mode trunk
switchport trunk native vlan 999
switchport trunk allowed vlan 21,999
vlan participation exclude 1
no lldp transmit
no lldp receive
no lldp transmit-tlv port-desc
no lldp transmit-tlv sys-name
no lldp transmit-tlv sys-desc
no lldp transmit-tlv sys-cap
no lldp transmit-mgmt
no lldp med
exit


(switch0.incedo.org) (Interface 1/xg28)#show interfaces switchport 1/xg28

Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs:
General Mode Tagged VLANs:
General Mode Forbidden VLANs: 1
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False

 

 

But you mean this is not necessary?

 

/Peo
Message 5 of 9
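The before/after outputs above lend themselves to an automated check. The following is an added example, not code from the thread or from NETGEAR: a small Python audit that parses the `show interfaces switchport` output posted for 1/xg28 (copied from this thread as sample input) and flags a trunk port whose general-mode PVID or untagged membership still points at a VLAN (here VLAN 1) that is not in the `switchport trunk allowed vlan` list and has not been excluded. It also models the ingress rule relayed by NETGEAR support in this thread (tagged frames outside the allowed list are dropped, untagged frames land on the native VLAN); that model is a simplification for illustration, not a description of the switch firmware, and the function names are my own.

```python
# Added example (not from the thread or NETGEAR): audit NETGEAR
# "show interfaces switchport" output for a trunk port whose general-mode
# state (PVID / untagged VLANs) disagrees with its trunk allowed list.
# Sample outputs are copied from the thread; the ingress model below follows
# the support statement in the thread and is a simplification.

# Output posted in the thread BEFORE "vlan participation exclude 1" was added.
BEFORE_EXCLUDE = """\
Port: 1/xg28
VLAN Membership Mode: Trunk
Access Mode VLAN: 1 (default)
General Mode PVID: 1 (default)
General Mode Ingress Filtering: Disabled
General Mode Acceptable Frame Type: Admit all
General Mode Dynamically Added VLANs:
General Mode Untagged VLANs: 1
General Mode Tagged VLANs:
General Mode Forbidden VLANs:
Trunking Mode Native VLAN: 999
Trunking Mode Native VLAN tagging: Disable
Trunking Mode VLANs Enabled: 21,999
Protected Port: False
"""

# Output posted AFTER the exclude was added (only two lines differ).
AFTER_EXCLUDE = BEFORE_EXCLUDE.replace(
    "General Mode Untagged VLANs: 1", "General Mode Untagged VLANs:"
).replace(
    "General Mode Forbidden VLANs:", "General Mode Forbidden VLANs: 1"
)


def parse_vlan_list(spec):
    """Expand a VLAN list in the switch's notation ('2-4,21,899,2026') into a set of ints."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue  # empty field, e.g. "Forbidden VLANs:" with nothing listed
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_switchport(output):
    """Turn the 'Field: value' lines of show interfaces switchport into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_trunk_port(output):
    """Return findings (strings) for a trunk port whose general-mode state
    disagrees with its trunk allowed list; an empty list means consistent."""
    f = parse_switchport(output)
    port = f.get("Port", "?")
    findings = []
    if f.get("VLAN Membership Mode") != "Trunk":
        return findings  # only trunk ports are in scope here
    allowed = parse_vlan_list(f.get("Trunking Mode VLANs Enabled", ""))
    native = int(f["Trunking Mode Native VLAN"])
    untagged = parse_vlan_list(f.get("General Mode Untagged VLANs", ""))
    forbidden = parse_vlan_list(f.get("General Mode Forbidden VLANs", ""))
    pvid = int(f["General Mode PVID"].split()[0])  # drop the "(default)" note
    # Untagged membership in a VLAN that is neither allowed nor excluded.
    for v in sorted(untagged - allowed - forbidden):
        findings.append(f"{port}: untagged member of VLAN {v}, not in allowed list {sorted(allowed)}")
    # General-mode PVID that neither matches the native VLAN nor is excluded.
    if pvid != native and pvid not in forbidden:
        findings.append(f"{port}: general-mode PVID {pvid} != native VLAN {native} and not excluded")
    return findings


def classify_ingress(output, tag=None):
    """Simplified model of trunk ingress as stated by NETGEAR support in this
    thread: a tagged frame is accepted only if its VLAN is in the allowed list
    (None = dropped); an untagged frame is placed on the native VLAN."""
    f = parse_switchport(output)
    allowed = parse_vlan_list(f.get("Trunking Mode VLANs Enabled", ""))
    native = int(f["Trunking Mode Native VLAN"])
    if tag is None:
        return native
    return tag if tag in allowed else None


if __name__ == "__main__":
    for label, out in (("before exclude", BEFORE_EXCLUDE), ("after exclude", AFTER_EXCLUDE)):
        print(label, "->", audit_trunk_port(out) or ["no findings"])
    print("untagged frame ->", classify_ingress(AFTER_EXCLUDE))
    print("tag 1 ->", classify_ingress(AFTER_EXCLUDE, 1), "| tag 21 ->", classify_ingress(AFTER_EXCLUDE, 21))
```

Run against the first output the audit reports two findings (VLAN 1 untagged member, PVID 1 differing from native VLAN 999); against the output taken after `vlan participation exclude 1` it reports none, which is the state the thread ends up recommending. Feeding it the output of every trunk port on a switch is a quick way to find ports where the default VLAN has not been explicitly excluded.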
DaneA
NETGEAR Employee Retired

Re: Forbidden VLANs

@peos42,

 

I raised the configuration you have posted with the higher tier of NETGEAR Support and just received feedback. According to the higher tier of NETGEAR Support, you should change the PVID on the port to match either the Native VLAN or, if you want the port in a specific VLAN, that VLAN, then run the show command again.
Regards,

 

DaneA

NETGEAR Community Team

Message 6 of 9
peos42
Aspirant

Re: Forbidden VLANs

Please explain what you mean... I must be missing something.

 

The Native VLAN I have is 999 to tag untagged incoming internet traffic on port 28 to be able to take it out on another switch port. TV traffic already has VLAN tag 21. So no change here as it will stop working. Everything is working well.

 

I am only talking about the fact that VLAN 1 seems to still be allowed even though it is not configured. I think it is a design flaw to even see VLAN 1 when doing "show interfaces switchport 1/xg28", as I have actively chosen what is allowed, and VLAN 1 is not part of the allowed list.

 

Also... The GUI already shows PVID 999 on switch port 28, but the CLI shows 1. This mismatch is for sure not OK.

 

[Screenshot: Screen Shot 2018-03-20 at 23.00.03.png]
To exclude VLAN 1 is a solution. This is what I have done. But what I mean here is that it should not be necessary here...

 

Message 7 of 9
DaneA
NETGEAR Employee Retired

Re: Forbidden VLANs

@peos42,

 

I raised your concern again with the higher tier of NETGEAR Support and just got feedback. It was suggested that you open a chat or online support ticket with NETGEAR Support here at any time in order to further investigate whether this is a possible flaw as you have described here in the forum thread.
Regards,


DaneA

NETGEAR Community Team

Message 8 of 9
peos42
Aspirant

Re: Forbidden VLANs

I am satisfied by doing exclude. Therefore I do not want to spend more time with a private chat. Also... I think the community deserves to know. To get help in the forum is one thing. To share info is another. The second one is not fulfilled if going into a private chat.

 

As I have a workaround with the exclude (that I think should not be needed), I am done in this thread. But I do think NETGEAR should consider clarifying this for all, as it is a security matter.

 

Tnx for your time

/Peo

Message 9 of 9