When it comes to information on the security of the default VLAN, everyone seems to have something to say. The biggest problem is, after a while, all these opinions and rationales obfuscate the real security practices. Maybe I'm just burnt out on it and can't absorb the info like I should, but here are my questions:
1. The NSA switch security guide says to shut down VLAN 1. Why should I do this as long as I, or any other admin for that matter, remember to assign all unused ports to a false VLAN (999 or so)?
2. How does shutting down VLAN 1 affect the services that use it, VTP for instance?
3. Should VLAN 1 be pruned off trunk links or "allowed" on trunk links?
4. Should a different native VLAN be set for each trunk (as specified in the NSA guide)? And why?
5. Why do none of the guides specify that you just enable VLAN 1 to be tagged by dot1q to counter VLAN hopping attacks? It seems no one actually does this?
Thanks folks, really. I'll look forward to your replies. This is the first post I've made on this site so perhaps I'll feel more comfortable posting after this!
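As an added example, not part of the original post or of any reply on this page, here is the Cisco IOS style configuration that the five questions above refer to, with the hardening measures from the NSA guide applied together: the VLAN 1 management interface shut down, unused ports parked in an unused VLAN, VLAN 1 removed from the trunk's allowed list, a dedicated native VLAN on the trunk, and the native VLAN tagged. The interface names, the VLAN numbers 998 and 999, the allowed-VLAN list and the management VLAN are assumed placeholders, and `vlan dot1q tag native` is assumed to be supported by the platform (it is a Catalyst global command, not available on every switch model).

```cisco
! Added example (assumed Catalyst IOS syntax); not configuration from the original post.
!
! Tag the native VLAN on every 802.1Q trunk of this switch. With this set, untagged
! frames arriving on a trunk are no longer accepted into the native VLAN, which is
! what a double-tagged VLAN hopping frame relies on. Must be set on BOTH trunk ends.
vlan dot1q tag native
!
! Two unused, unrouted VLANs: one to park idle access ports, one to serve as the
! trunk native VLAN. Numbers 998/999 are assumed placeholders.
vlan 998
 name TRUNK-NATIVE
vlan 999
 name UNUSED-PARKING
!
! "Shut down VLAN 1" in practice: remove any address from the VLAN 1 SVI and disable it,
! so the switch is not managed over the default VLAN. VLAN 1 itself cannot be deleted.
interface Vlan1
 no ip address
 shutdown
!
! Management lives on a dedicated VLAN instead (VLAN 100 and the address are assumed).
interface Vlan100
 ip address 10.0.100.5 255.255.255.0
 no shutdown
!
! Idle access ports: static access mode (no DTP negotiation), parked in VLAN 999,
! and administratively disabled until they are needed.
interface range GigabitEthernet1/0/10 - 24
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree portfast
 shutdown
!
! Uplink trunk: explicit allowed list that omits VLAN 1, a native VLAN that carries no
! user or management traffic, and DTP disabled so the far end cannot negotiate trunking.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,100
 switchport nonegotiate
```

Two caveats a practitioner checking this against question 2 and question 3 should know. Removing VLAN 1 from `switchport trunk allowed vlan` stops user data in VLAN 1 from crossing the trunk, but Cisco control-plane protocols (CDP, VTP, DTP, PAgP and LACP) continue to be sent and received on VLAN 1 over that trunk regardless, so pruning VLAN 1 does not break VTP. And `vlan dot1q tag native` changes how the native VLAN is framed on every trunk of the switch at once; if the neighbour is not configured the same way, traffic in the native VLAN silently stops working, which is one reason the setting is applied less often than the guides recommend.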