Virtual Local Area Network(VLAN) 1 is the default VLAN in a network. But what does that mean to users and network admins? In this post I explain how to use and not use VLAN 1 properly. There are many pitfalls associated with VLAN 1 that need to be avoided. Most of them you won’t recognize until you’ve already fallen in and struggle to get out of the pits.
What is a VLAN?
A Virtual Local Area Network, or VLAN, is a logical segment of a physical network. As is stated in its name, it’s VIRTUAL. Meaning, the separation is done in some other manner than physically separating the network. In this case it’s defined by the IEEE 802.1Q standard. The standard defines how Ethernet Frames are tagged and how bridges and switches are to handle those tags. 802.1Q adds a VLAN Header between the Source MAC and the EtherType section of the Ethernet Header. It’s a 32 bit field with the first 16 bits is the Tag Protocol Identifier and is set to 0x8100 for an IEEE 802.1Q tagged frame. The last 16 bits are designated as the Tag Control Information and has 3 parts. The important part is the last 12 bits which indicate the VLAN Identifier or VID. This is the field that you get your VLAN number from. With 12 bits you can have 4096 different VLAN IDs. However, some of those are reserved, but that’s a topic for a different post.
I found this excellent picture on the Wikipedia article for 802.1Q that shows where the header is injected. As you can see, there are 32 bits(4 bytes) added to the Ethernet Header.
What is VLAN 1?
VLAN 1 is the default VLAN for switchports. This means that all switchports are placed in VLAN 1 unless changed in the configuration. An unconfigured switch will automatically tag all packets coming into a switchport to VLAN 1 unless an access or trunk configuration changes the default. VLAN 1 also contains control plane traffic on the switch. Control plane traffic consists of traffic used to control different protocols like VTP, CDP and PAgP to name a few. Traditionally this traffic could not be pruned from a trunk link. You might be asking yourself, “what is a trunk link?” A trunk link is a link or connection that allows multiple VLANs on the link. These are typically uplinks.
When should I use VLAN 1?
The short answer is never. Let’s dig into that answer a little deeper. VLAN 1 is the default VLAN. It’s also the control plane VLAN. This means control plane and user data can be in the same VLAN. There are security implications associated with using the default VLAN. First, if you are using a default configuration on your switchports, an attacker can inject 802.1Q tags into their packets and the switch will accept them without question. This could allow an attacker to “VLAN Hop”. If you want to know more about VLAN Hopping, then stay tuned. I have plans to talk about it. Secondly, the control plane traffic is also on VLAN 1. Users should not see this type of traffic, only the switches should see that traffic. An attacker could then craft packets matching the control plane traffic and interfere with the control of the switch. Definitely a bad situation to be in.
How can I be safe?
The easiest solution is to never leave a switch in a default state. Always configure the switch ports and explicitly set them as access ports and use another VLAN for your access ports.
interface GigabitEthernet1/0/1 description Data switchport access vlan 10 switchport mode access spanning-tree portfast
This configuration definitively defines the port as an access port in VLAN 10. When a packet enters the port and it is not tagged the switch inserts the 802.1Q header and sets the VID to 10. If a packet enters the port and it contains an 802.1Q tag already, it will remove that header and insert the correct header with VID 10. This also prevents VLAN Hopping.
Another consideration is what’s called the Native VLAN. By default it’s VLAN 1. It’s also recommended to change the Native VLAN from VLAN 1 and not use VLAN 1 at all. The below configuration shows how to make those changes.
interface GigabitEthernet1/0/1 description Uplink switchport trunk native vlan 50 switchport mode trunk
VLAN 1 is the default VLAN on switches. Don’t ever use it. Don’t leave your switchports in their default configuration and change the Native VLAN on trunk ports to something other than VLAN 1.