07-03-2008 08:32 AM - edited 03-05-2019 11:59 PM
If you change your native VLAN to something other than VLAN 1, are there any ramifications in administratively shutting down VLAN 1?
07-06-2008 09:29 AM
The only thing I'm not 100% sure of is whether or not VLAN1 or the new Native VLAN needs to be included in the allowed statement.
Just include the Vlans needed on the inter-switch link. I highly recommend adding the Management Vlan in the allowed list. There isn't any need to add Vlan 1 in the allowed list. Control traffic will still continue to function.
HTH,
__
Edison.
07-03-2008 08:35 AM
You can administratively shut down VLAN 1 without any ramifications.
You can use any other Vlan for management.
07-03-2008 09:32 AM
There are 2 things here. Firstly vlan 1 is traditionally used as the management vlan, i.e. the vlan you use to actually access the switches.
The native vlan is the vlan that does not have a tag attached to it when packets for that vlan are sent across a trunk.
So shutting vlan 1 down is often more to do with changing the management vlan rather than changing the native vlan. It is recommended to have a non-routed vlan for your native vlan, and a vlan different from 1 or the native vlan for managing the switch.
Jon
07-03-2008 10:23 AM
Jon,
Thank you for your response.
It is my understanding that by default - VLAN 1 is the management VLAN and the Native VLAN. I thought the reason it was suggested to change your Native VLAN to something other than VLAN 1 was to ensure Network control traffic, such as CDP, DTP, PAgP, VTP, would not be affected by the possibility of user traffic; that is, if an access port was not purposely assigned to a particular VLAN and defaulted to using VLAN 1.
I also thought that is why the management VLAN was suggested to be something other than the native VLAN, to separate the SSH or telnet traffic from the control protocol traffic.
Why is it recommended that the native VLAN be a non-routed VLAN? What are your thoughts about separating the control traffic from user and management traffic? I'm assuming STP is also carried on the Native VLAN. I read somewhere that STP uses VLAN 1 and that this cannot be changed, which is what prompted my question regarding shutting down VLAN 1.
07-03-2008 10:32 AM
Yes, by default vlan 1 is the management and the native vlan. It is also the vlan to which all ports are assigned by default.
Network traffic and user traffic are not really to do with the native vlan as such. The native vlan is there purely for backwards compatibility with 802.1d switches that do not understand vlan tagging.
If you change the native vlan and shut down vlan 1, CDP/PAgP/VTP will still be sent on vlan 1 - this won't change. STP is slightly different as nowadays you tend to run per-vlan STP.
The idea of having a separate management vlan is to ensure that user traffic is not in the same vlan. With a dedicated vlan you can control who can or cannot access that vlan.
The native vlan should be non-routed because it is
a) never going to have any user ports in it
b) never going to be accessed remotely from the switch.
So there is absolutely no reason why you need the native vlan to be a routable vlan, and if you don't need it to be routed then it is safer not to make it. Ideally no ports should ever be allocated to the native vlan.
Have I answered your questions?
Jon
07-03-2008 02:05 PM
Jon,
Your answer was helpful. Are you 100% certain that the control protocols will continue to be sent on VLAN 1 regardless of whether it is up or down, including PVST? It's amazing how much conflicting documentation you can find on this subject.
If I understood correctly, this should be a valid configuration. Please confirm:
interface GigabitEthernet3/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunk
interface Vlan1
no ip address
shutdown
interface Vlan202
ip address 10.1.202.10 255.255.255.0
interface Vlan500
no ip address
ip default-gateway 10.1.202.1
Note:
VLAN 202 to be used for Management VLAN, VLAN 500 for the Native VLAN and
some other VLAN or VLANs for all other user access.
VLAN 1 will continue to be used for control protocols, not VLAN 500 - Correct? If that is true, then do I assume that VLAN 1 will need to be included in the manual pruning statement, "Switchport trunk allowed VLAN 1, 202, 500, etc." as well?
I appreciate your patience and your assistance in my quest for definitive answers. Thanks again.
07-03-2008 02:33 PM
Jon is quite correct. If you need written confirmation from a Cisco article, please take a moment and read this URL
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009
In addition, the pruning controls data traffic, not control traffic so even while pruning Vlan 1 on the trunk, control traffic such as CDP will go thru.
HTH,
__
Edison.
Please rate helpful posts
07-03-2008 04:01 PM
Edison,
Thank you for directing me to the VLAN Security Best Practices whitepaper. I found it very useful, especially in regards to VLAN 1 and the importance of pruning it among other things.
However, after reading the whitepaper, I believe I have gone full circle on what VLAN the Network Control Protocols will use. The paragraph below has caused additional confusion:
Reference - URL
"As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the
exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets."
Are they saying prune the Native VLAN from the trunk, or do not configure the trunk with "switchport native vlan"?
Also the statement; "Protocols like STP, DTP, and UDLD should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets." Correct me if I'm wrong, but these are also Network Control Protocols along with others like CDP, VTP and PAgP, right? The statement indicates these are the only rightful users of the native VLAN - so if that statement is true then again it sounds like if you change your native vlan to something other than VLAN 1; then your Network Control Protocols would use the new native vlan - not VLAN 1.
This is starting to feel like an Abbott and Costello movie - Who's on first?
I guess I need to call it a day.... your continued responses will certainly be appreciated.
Thank you!
07-04-2008 01:20 AM
BEWARE!
There can be a complication due to a bug in CatOS (and older versions of IOS). This occurs when the native VLAN (other than VLAN 1) is manually cleared, or VTP-pruned from a trunk. In CatOS, this can stop the control traffic too, including STP BPDUs.
I know this from bitter experience! Believe me!
Kevin Dorrell
Luxembourg
07-04-2008 01:24 AM
Hi, Kevin
I think we understand the difference between disabling "interface vlan 1" and removing vlan 1 from the trunk.
You are speaking about the second, are you?
07-04-2008 02:04 AM
Yes I am speaking about the second.
Unusually, I have an "unused" non-1 VLAN that I use for my trunk natives. (Don't ask ... it is for historical reasons). If that gets VTP-pruned or manually removed from the trunks, then the network goes into meltdown.
CSCed00396 (IOS)
CSCdv19761 (CatOS)
I am really just warning that using a non-1 native on your trunks can have unforeseen consequences. You have to make sure it cannot be pruned or disallowed on any trunk, especially one that connects to a CatOS device.
Kevin Dorrell
Luxembourg
07-04-2008 05:46 AM
It seems that my original question, "Are there any ramifications in administratively shutting down VLAN 1?" has been answered with a consensus of "No". However, as you can see, additional questions were spawned as a result of some of the responses received.
Can someone please answer this question with 100% certainty - "What VLAN do the Network Control Protocols use when you change your Native VLAN to something other than VLAN 1? Is it VLAN 1 or the new Native VLAN?"
Also, if anyone can confirm that the proposed configuration listed above is an accurate approach, regarding the native VLAN and the Management VLAN, I would appreciate that as well.
Thank you!
07-04-2008 06:06 AM
The Network Control Protocols are untagged. Whether that means they are "on the native VLAN" is debatable. I would prefer to think of them as not being on any VLAN at all. In most cases their significance is link-by-link rather than layer-2 end-to-end, so does it really make sense to regard them as being on any particular VLAN?
Kevin Dorrell
Luxembourg
07-04-2008 06:22 AM
Kevin,
Based on your previous responses it did seem to matter with regards to pruning. Did I misunderstand?
07-05-2008 10:37 AM
CDP/PAgP/VTP will always be sent on vlan 1. If vlan 1 happens to be the native vlan then these control protocols are sent untagged. If the native vlan has been changed to something other than vlan 1 then they will be sent as tagged frames across a trunk.
On ISL trunks DTP is always sent across vlan 1 so as above for these frames. However with 802.1q DTP frames are always sent across the native vlan so DTP frames will always be untagged (unless of course you tag even the native vlan).
UDLD I cannot say for sure what it does.
Jon