Native VLAN confusion

Mar 5th, 2008

I've been reading the Cisco VLAN 1 security white paper at http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009 and wanted to make sure I am on the right track as I translate Cisco's best practices into an actual config.

Cisco says to:

1.) Not use VLAN 1 for inband management traffic...

2.) Prune VLAN 1 from all the trunks and from all the access ports that don't require it...

3.) Don't configure the management VLAN on any trunk or access port that doesn't require it.

Has the config listed below accomplished those goals?

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface Vlan10
 description management_vlan
 ip address 1.1.1.1 255.255.255.0
!
interface Vlan1
 no ip address
 shutdown
!
interface range FastEthernet1/0/1 - 48
 switchport access vlan 2
 switchport mode access
!
interface range GigabitEthernet1/0/1 - 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk

Istvan_Rabai Wed, 03/05/2008 - 11:19

Hi Jason,

As far as points 1. and 2. are concerned, yes, it has accomplished those goals.

For point 3.:

It accomplishes the goal if it follows from your configuration and topology that all your trunks on Gig1/0/1 - 4 need to carry the management traffic for vlan10. For example, these 4 trunks may be used in an etherchannel.

Cheers:

Istvan

Jon Marshall Wed, 03/05/2008 - 11:19

Hi Jason

Only thing I would add is that you probably want to make the native vlan a different vlan than your management vlan, and do not create a L3 interface for your native vlan and don't assign any access ports into it.

Jon

Jason Fraioli Wed, 03/05/2008 - 11:24

Jon, now I'm really confused. What is the rationale for splitting the two up?

Istvan, I understand your point.

Correct Answer
Jon Marshall Wed, 03/05/2008 - 11:28

Jason

Because they serve 2 totally different purposes.

The management vlan is to allow you to manage the switches remotely. No user ports should be placed in this vlan but this vlan still needs a layer 3 interface if you are going to manage the switches from a remote subnet.

The native vlan is simply the vlan on a trunk link for which packets are not tagged. It is there to provide compatibility for 802.1q to non-tag-aware switches. It does not need a layer 3 SVI because it does not need to route anywhere.

HTH

Jon
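One way to check a switch config against the three white-paper points and Jon's native VLAN advice, as an added example that is not part of the thread: the parser, the `audit` function and the trimmed copy of Jason's config below are mine, and the code assumes the plain `switchport` forms used in the thread (no `allowed vlan add`/`remove` lists).

```python
# Constructed sample: the interface lines of the config posted above.
SAMPLE = """\
interface Vlan10
 ip address 1.1.1.1 255.255.255.0
interface Vlan1
 shutdown
interface range FastEthernet1/0/1 - 48
 switchport access vlan 2
 switchport mode access
interface range GigabitEthernet1/0/1 - 4
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
"""

def parse_ios(text):  # group an IOS config into {interface name: [sub-commands]}
    ifaces, cur = {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line[10:].strip()
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:  # IOS indents sub-commands
            ifaces[cur].append(line.strip())
    return ifaces

def vlan_set(spec):  # expand an IOS VLAN list such as '2-4094,4095' into ints
    return {v for p in spec.split(",") for lo, _, hi in [p.partition("-")]
            for v in range(int(lo), int(hi or lo) + 1)}

def audit(text):  # white-paper points 1-3 plus Jon's native-VLAN advice
    ifaces, findings, natives, access = parse_ios(text), [], {}, {}
    svi = {int(n[4:]) for n, c in ifaces.items() if n[:4].lower() == "vlan"
           and any(x.startswith("ip address ") for x in c) and "shutdown" not in c}
    if 1 in svi:
        findings.append("Vlan1: live SVI, in-band management still possible on VLAN 1")
    for name, cmds in ifaces.items():
        val = lambda p, d: next((c[len(p):] for c in cmds if c.startswith(p)), d)
        if "switchport mode trunk" in cmds:
            natives[name] = int(val("switchport trunk native vlan ", 1))
            if 1 in vlan_set(val("switchport trunk allowed vlan ", "1-4094")):
                findings.append(f"{name}: VLAN 1 still allowed on trunk")
        elif "switchport mode access" in cmds:
            access[name] = int(val("switchport access vlan ", 1))
    findings += [f"{n}: access port left in VLAN 1" for n, v in access.items() if v == 1]
    for name, native in natives.items():
        if native in svi:
            findings.append(f"{name}: native VLAN {native} is routed (it is the management VLAN)")
        if native in access.values():
            findings.append(f"{name}: native VLAN {native} also carries user access ports")
    return findings
```

Run against the sample, the only finding is the one Jon raised: the trunks' native VLAN 10 is also the routed management VLAN; changing it to an otherwise unused VLAN clears the report.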
