I've been reading the Cisco VLAN1 security white paper -> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009 , and wanted to make sure I am on the right track as I translate Cisco's best practices into an actual config.
Cisco says to:
1.) Not use VLAN 1 for inband management traffic...
2.) Prune VLAN 1 from all the trunks and from all the access ports that don't require it...
3.) Don't configure the management VLAN on any trunk or access port that doesn't require it.
Has the config listed below accomplished those goals?
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
 description management_vlan
 ip address 220.127.116.11 255.255.255.0
!
 no ip address
!
interface range FastEthernet1/0/1 - 48
 switchport access vlan 2
 switchport mode access
!
interface range GigabitEthernet1/0/1 - 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
Because they serve two totally different purposes.
The management VLAN is there to let you manage the switches remotely. No user ports should be placed in this VLAN, but this VLAN still needs a Layer 3 interface if you are going to manage the switches from a remote subnet.
The native VLAN is simply the VLAN on a trunk link whose packets are not tagged. It is there to provide compatibility between 802.1Q and non-tag-aware switches. It does not need a Layer 3 SVI because it does not need to route anywhere.
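As an added example (it is not part of the question, the answer, or the Cisco white paper), here is a small Python audit that checks an IOS-style switch config against the three rules the question lists, plus the point the answer makes that the management VLAN (which carries the SVI) and the native VLAN are separate things. Both sample configs are constructed: the "weak" one is a factory-default style switch; the "hardened" one follows the layout of the config in the question, with the two SVI headers the page does not show assumed to be `Vlan1` and `Vlan2`, a separate user VLAN 20 assumed for the access ports, and documentation-range IP addresses in place of the question's sanitized one.

```python
"""Audit a Cisco IOS switch config against the VLAN 1 rules on this page:
(1) no in-band management on VLAN 1, (2) VLAN 1 pruned from trunks and
access ports, (3) management VLAN only where needed (no user ports in it).
Standard library only; added example, not the page's own code."""
import re
from typing import Dict, List, Optional

ALL_VLANS = frozenset(range(1, 4095))  # 802.1Q VLAN ID space IOS allows on a trunk

# Constructed sample 1: default-style switch, the pattern the white paper warns against.
WEAK_CONFIG = """\
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface FastEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

# Constructed sample 2: layout of the question's config. ASSUMED: the SVI
# headers are Vlan1 (shut) and Vlan2 (management); user ports sit in VLAN 20.
HARDENED_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 description management_vlan
 ip address 192.0.2.11 255.255.255.0
!
interface FastEthernet1/0/1
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
"""


def interface_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'interface <name>' header to its indented child commands."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):  # blank line or IOS comment
            continue
        if not line.startswith(" "):  # top-level command starts a new block
            current = line[len("interface "):] if line.startswith("interface ") else None
            if current is not None:
                blocks[current] = []
        elif current is not None:  # indented child of the current interface
            blocks[current].append(line.strip())
    return blocks


def expand_vlans(spec: str) -> set:
    """'2-4094' or '1,10,20-30' -> set of VLAN IDs."""
    out: set = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            out.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            out.add(int(part))
    return out


def allowed_vlans(children: List[str]) -> set:
    """Effective allowed-VLAN set of a trunk; IOS allows every VLAN by default."""
    allowed = set(ALL_VLANS)
    pat = re.compile(r"switchport trunk allowed vlan(?: (add|remove|except))? (\S+)$")
    for cmd in children:
        m = pat.match(cmd)
        if not m:
            continue
        op, spec = m.groups()
        if spec == "all":
            allowed = set(ALL_VLANS)
        elif spec == "none":
            allowed = set()
        elif op == "add":
            allowed |= expand_vlans(spec)
        elif op == "remove":
            allowed -= expand_vlans(spec)
        elif op == "except":
            allowed = set(ALL_VLANS) - expand_vlans(spec)
        else:
            allowed = expand_vlans(spec)
    return allowed


def _last_int(children: List[str], prefix: str, default: int) -> int:
    """Numeric argument of the last child command starting with prefix."""
    value = default
    for cmd in children:
        if cmd.startswith(prefix) and cmd.split()[-1].isdigit():
            value = int(cmd.split()[-1])
    return value


def audit(config: str, mgmt_vlan: int) -> List[str]:
    """Return findings; an empty list means the three rules hold."""
    findings: List[str] = []
    ifaces = interface_blocks(config)
    vlan1 = ifaces.get("Vlan1")  # rule 1: nothing to manage over VLAN 1
    if vlan1 is not None:
        if any(cmd.startswith("ip address ") for cmd in vlan1):
            findings.append("Vlan1 has an IP address: in-band management is reachable over VLAN 1")
        if "shutdown" not in vlan1:
            findings.append("Vlan1 SVI is not shut down")
    if not any(cmd.startswith("ip address ") for cmd in ifaces.get(f"Vlan{mgmt_vlan}", [])):
        findings.append(f"Vlan{mgmt_vlan} has no IP address; remote management needs the management SVI")
    for name, children in ifaces.items():
        if name.startswith("Vlan"):
            continue
        mode = next((c.split()[-1] for c in children if c.startswith("switchport mode ")), None)
        if mode == "trunk":  # rule 2 on trunks; native must not be 1 or the management VLAN
            native = _last_int(children, "switchport trunk native vlan ", 1)
            if 1 in allowed_vlans(children):
                findings.append(f"{name}: VLAN 1 is still allowed on the trunk (not pruned)")
            if native == 1:
                findings.append(f"{name}: native VLAN is 1 (untagged frames land in VLAN 1)")
            elif native == mgmt_vlan:
                findings.append(f"{name}: management VLAN {mgmt_vlan} is the untagged native VLAN")
        elif mode == "access":  # rule 2 and rule 3 on access ports
            vid = _last_int(children, "switchport access vlan ", 1)
            if vid == 1:
                findings.append(f"{name}: access port is in VLAN 1")
            elif vid == mgmt_vlan:
                findings.append(f"{name}: user access port is in management VLAN {mgmt_vlan}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg, mgmt_vlan=2)
        print(f"{label}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run against `show running-config` output rather than typed `interface range` commands: the running config expands ranges into one block per port, which is what the parser expects (a range line would otherwise be treated as a single oddly named interface). The audit deliberately treats the IOS defaults as findings, because a trunk with no `switchport trunk allowed vlan` line carries VLAN 1, an access port with no `switchport access vlan` line sits in VLAN 1, and a trunk with no native VLAN configured uses VLAN 1, which is exactly the state the white paper's three rules are meant to remove.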