Unsolved PCs in Native VLAN is only a security concern if switch's management IP is in Native VLAN as well?

---

Please correct me if I am wrong, but I've been thinking about it and I think having PCs in the native VLAN it's only a security issue when the switch's management IP is on the native VLAN as well.

If you disagree, can you please explain why else would leaving PCs on the native VLAN be a security issue?

Following my logic, as long as we configure the switch's management IP to be on a VLAN other than the native, there shouldn't be any security issue related to leaving PCs in the native VLAN.

Please help me understand. Thanks

@Jorge-Sosa,

It's not necessarily bad for you to use it.

The conventional wisdom is that by default, for example on a Cisco switch, All ports are in VLAN1. Also because it is the VLAN default vlan, it makes it the NATIVE VLAN as well. The Native VLAN is distinguished in 802.1q (ISL doesn't recognize native vlan) as the vlan that doesn't tag it's traffic.

The best practice is to set the native vlan different from the default vlan. Conceptually, it's not VLAN 1 that's a security risk but the NATIVE VLAN that is the risk. The risk is double-tagging. So if you have devices on the native vlan, and an attacker figures out your native vlan that your devices are connected to they have a opening to attack those devices. The chances are not very high but it's still something to consider.

Also there are some devices that will not allow you to change your native vlan. The best practice here is to see if your device will allow you to tag the native vlan traffic so that even native vlan traffic going across the trunk will be tagged.