VLAN 1

dgj1
Level 1

If you change your native VLAN to something other than VLAN 1, are there any ramifications in administratively shutting down VLAN 1?

Accepted Solutions

The only thing I'm not 100% sure of is whether or not VLAN1 or the new Native VLAN needs to be included in the allowed statement.

Just include the VLANs needed on the inter-switch link. I highly recommend adding the Management VLAN in the allowed list. There isn't any need to add VLAN 1 in the allowed list. Control traffic will still continue to function.

HTH,

__

Edison.

18 Replies

a.alekseev
Level 7

You can administratively shut down VLAN 1 without any ramifications.

You can use any other Vlan for management.

Jon Marshall
Hall of Fame

There are 2 things here. Firstly vlan 1 is traditionally used as the management vlan, i.e. the vlan you use to actually access the switches.

The native vlan is the vlan that does not have a tag attached to it when packets for that vlan are sent across a trunk.

So shutting vlan 1 down is often more to do with changing the management vlan rather than changing the native vlan. It is recommended to have a non-routed vlan for your native vlan and a vlan other than 1 or the native vlan for managing the switch.

Jon

Jon,

Thank you for your response.

It is my understanding that by default VLAN 1 is the management VLAN and the Native VLAN. I thought the reason it was suggested to change your Native VLAN to something other than VLAN 1 was to ensure network control traffic, such as CDP, DTP, PAgP, VTP, would not be affected by the possibility of user traffic; that is, if an access port was not purposely assigned to a particular VLAN and defaulted to using VLAN 1.

I also thought that is why the management VLAN was suggested to be something other than the native VLAN, to separate the SSH or telnet traffic from the control protocol traffic.

Why is it recommended that the native VLAN be a non-routed VLAN? What are your thoughts about separating the control traffic from user and management traffic? I'm assuming STP is also carried on the Native VLAN. I read somewhere that STP uses VLAN 1 and that this cannot be changed, which is what prompted my question regarding shutting down VLAN 1.

Yes, by default vlan 1 is the management and the native vlan. It is also the vlan to which all ports are assigned by default.

Network traffic and user traffic are not really to do with the native vlan as such. The native vlan is there purely for backwards compatibility with 802.1d switches that do not understand vlan tagging.

If you change the native vlan and shut down vlan 1, CDP/PAgP/VTP will still be sent on vlan 1 - this won't change. STP is slightly different as nowadays you tend to run per-vlan STP.

The idea of having a separate management vlan is to ensure that user traffic is not in the same vlan. With a dedicated vlan you can control who can or cannot access that vlan.

The native vlan should be non-routed because it is

a) never going to have any user ports in it

b) never going to be accessed remotely from the switch.

So there is absolutely no reason why you need the native vlan to be a routable vlan and if you don't need it to be routed then it is safer not to make it. Ideally no ports should ever be allocated to the native vlan.

Have I answered your questions?

Jon

Jon,

Your answer was helpful. Are you 100% certain that the control protocols will continue to be sent on VLAN 1 and regardless of whether it is up or down, including PVST? It's amazing how much conflicting documentation you can find on this subject.

If I understood correctly, this should be a valid configuration. Please confirm:

interface GigabitEthernet3/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan202
 ip address 10.1.202.10 255.255.255.0
!
interface Vlan500
 no ip address
!
ip default-gateway 10.1.202.1

Note: VLAN 202 to be used for the Management VLAN, VLAN 500 for the Native VLAN and some other VLAN or VLANs for all other user access.

VLAN 1 will continue to be used for control protocols, not VLAN 500 - correct? If that is true, then do I assume that VLAN 1 will need to be included in the manual pruning statement, "switchport trunk allowed vlan 1,202,500, etc." as well?

I appreciate your patience and your assistance in my quest for definitive answers. Thanks again.

Jon is quite correct. If you need written confirmation from a Cisco article, please take a moment and read this URL:

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009

In addition, the pruning controls data traffic, not control traffic so even while pruning Vlan 1 on the trunk, control traffic such as CDP will go thru.

HTH,

__

Edison.

Edison,

Thank you for directing me to the VLAN Security Best Practices whitepaper. I found it very useful, especially in regards to VLAN 1 and the importance of pruning it among other things.

However, after reading the whitepaper, I believe I have gone full circle on what VLAN the Network Control Protocols will use. The paragraph below has caused additional confusion:

Reference - URL

"As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets."

Are they saying prune the Native VLAN from the trunk, or do not configure the trunk with "switchport native vlan"?

Also the statement; "Protocols like STP, DTP, and UDLD should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets." Correct me if I'm wrong, but these are also Network Control Protocols along with others like CDP, VTP and PAgP, right? The statement indicates these are the only rightful users of the native VLAN - so if that statement is true then again it sounds like if you change your native vlan to something other than VLAN 1; then your Network Control Protocols would use the new native vlan - not VLAN 1.

This is starting to feel like an Abbott and Costello movie - Who's on first?

I guess I need to call it a day. Your continued responses will certainly be appreciated.

Thank you!

BEWARE!

There can be a complication due to a bug in CatOS (and older versions of IOS). This occurs when the native VLAN (other than VLAN 1) is manually cleared, or VTP-pruned from a trunk. In CatOS, this can stop the control traffic too, including STP BPDUs.

I know this from bitter experience! Believe me!

Kevin Dorrell

Luxembourg

Hi, Kevin

I think we understand the difference between disabling "interface vlan 1" and removing vlan 1 from the trunk.

You are speaking about the second, are you?

Yes I am speaking about the second.

Unusually, I have an "unused" non-1 VLAN that I use for my trunk natives. (Don't ask ... it is for historical reasons). If that gets VTP-pruned or manually removed from the trunks, then the network goes into meltdown.

CSCed00396 (IOS)

CSCdv19761 (CatOS)

I am really just warning that using a non-1 native on your trunks can have unforeseen consequences. You have to make sure it cannot be pruned or disallowed on any trunk, especially one that connects to a CatOS device.

Kevin Dorrell

Luxembourg

It seems that my original question, "Are there any ramifications in administratively shutting down VLAN 1?", has been answered with a consensus of "No". However, as you can see, additional questions were spawned as a result of some of the responses received.

Can someone please answer this question with 100% certainty: "What VLAN do the Network Control Protocols use when you change your Native VLAN to something other than VLAN 1? Is it VLAN 1 or the new Native VLAN?"

Also, if anyone can confirm that the proposed configuration listed above is an accurate approach, regarding the native VLAN and the Management VLAN, I would appreciate that as well.

Thank you!
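As an added example (not from this thread, and not Cisco's or any project's code), here is a Python script that turns the recommendations given in the replies above into a check over an IOS-style running-config: the native VLAN on each 802.1Q trunk should not be VLAN 1, the native VLAN should have no SVI address (non-routed) and so be distinct from the management VLAN, no access port should be left in VLAN 1 or placed in the native VLAN, interface Vlan1 should be shut down, and, following Kevin's warning, the native VLAN must stay in any explicit `switchport trunk allowed vlan` list. The sample config is constructed, modelled on the configuration proposed earlier in the thread, with an allowed-VLAN list and an unassigned access port added so that the checks have something to report; the check names, the `FIXED_CONFIG` variant and the helper functions are my own, not anything from the page.

```python
import re

# Constructed sample, modelled on the configuration proposed in the thread, with an
# allowed-VLAN list and an access port added so that the checks have something to report.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 202,300
 switchport mode trunk
!
interface GigabitEthernet3/0/1
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan202
 ip address 10.1.202.10 255.255.255.0
!
interface Vlan500
 no ip address
!
ip default-gateway 10.1.202.1
"""

# The same sample with both problems fixed: native VLAN 500 kept in the allowed list
# (the pruning caveat raised in the thread) and the access port moved out of VLAN 1.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "allowed vlan 202,300", "allowed vlan 202,300,500"
).replace("3/0/1\n switchport mode access", "3/0/1\n switchport access vlan 300\n switchport mode access")

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for every 'interface' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Any top-level line ('!', blank, global command) ends the current block.
            m = re.match(r"interface (\S+)$", line)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,202,500' or '10-20,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo:
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (check, interface) findings; an empty list means the config passes."""
    ifaces = parse_interfaces(config)
    svis = {n: c for n, c in ifaces.items() if re.fullmatch(r"Vlan\d+", n)}
    # An SVI carrying an address makes that VLAN routed; the native VLAN should not be.
    routed = {int(n[4:]) for n, c in svis.items() if any(x.startswith("ip address ") for x in c)}
    findings = []
    if "Vlan1" in svis and "shutdown" not in svis["Vlan1"]:
        findings.append(("VLAN1_UP", "Vlan1"))
    if 1 in routed:
        findings.append(("VLAN1_ROUTED", "Vlan1"))
    natives = set()
    for name, cmds in ifaces.items():  # trunks first, so access ports can be checked against them
        if name in svis or "switchport mode trunk" not in cmds:
            continue
        native, allowed = 1, None  # IOS defaults: native VLAN 1, all VLANs allowed
        for c in cmds:
            if m := re.match(r"switchport trunk native vlan (\d+)$", c):
                native = int(m.group(1))
            elif m := re.match(r"switchport trunk allowed vlan (\S+)$", c):
                allowed = parse_vlan_list(m.group(1))  # 'add'/'remove' forms are not handled
        natives.add(native)
        if native == 1:
            findings.append(("NATIVE_IS_VLAN1", name))
        if native in routed:
            findings.append(("NATIVE_ROUTED", name))
        if allowed is not None and native not in allowed:
            findings.append(("NATIVE_NOT_ALLOWED", name))
    for name, cmds in ifaces.items():
        if name in svis or "switchport mode access" not in cmds:
            continue
        access = 1  # IOS default access VLAN
        for c in cmds:
            if m := re.match(r"switchport access vlan (\d+)$", c):
                access = int(m.group(1))
        if access == 1 or access in natives:
            findings.append(("ACCESS_IN_VLAN1" if access == 1 else "ACCESS_IN_NATIVE", name))
    return findings
```

Run against `SAMPLE_CONFIG`, `audit()` reports only the two deliberately planted problems: the native VLAN 500 missing from the trunk's allowed list, and the access port left in VLAN 1. On `FIXED_CONFIG` it returns an empty list, and note that VLAN 1 itself is not required in the allowed list, which matches Edison's answer. The checks deliberately treat VLAN 1 and the native VLAN separately, since the thread's point is that these are two different decisions.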

The Network Control Protocols are untagged. Whether that means they are "on the native VLAN" is debatable. I would prefer to think of them as not being on any VLAN at all. In most cases their significance is link-by-link rather than layer-2 end-to-end, so does it really make sense to regard them as being on any particular VLAN?

Kevin Dorrell

Luxembourg

Kevin,

Based on your previous responses it did seem to matter with regards to pruning. Did I misunderstand?

CDP/PAgP/VTP will always be sent on vlan 1. If vlan 1 happens to be the native vlan then these control protocols are sent untagged. If the native vlan has been changed to something other than vlan 1 then they will be sent as tagged frames across a trunk.

On ISL trunks DTP is always sent across vlan 1 so as above for these frames. However with 802.1q DTP frames are always sent across the native vlan so DTP frames will always be untagged (unless of course you tag even the native vlan).

UDLD i cannot say for sure what it does.

Jon
