Jon Marshall Sun, 01/11/2009 - 04:02

Mark


If there are no devices that are in vlan 1 then no, you do not need to assign an IP address for the vlan 1 interface, and you should shut down the vlan 1 interface.


Jon

Giuseppe Larosa Sun, 01/11/2009 - 05:01

Hello Mark,

For security reasons the best thing is to:


- shut SVI vlan1 if it exists

- never use vlan 1, even for unused ports.


A suggestion is to use a dedicated parking Vlan for unused ports that:

- has no Layer 3 services on it

- is never used as Native Vlan on an 802.1Q trunk in your campus.


The reason for not using Vlan1 for unused ports is that in any case a switch tells more to a PC if the port is in Vlan1.


If you use Vlan1 neither for management nor for data, you are on the right path from a security point of view.


Hope to help

Giuseppe
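
An added example, not part of either reply: a small Python audit that checks an IOS-style configuration against the points listed in the reply above. The sample configuration, the parking VLAN number 999, the addresses and the function names are assumptions made for illustration.

```python
import re

# Constructed sample config; parking VLAN 999 and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
interface Vlan999
 ip address 192.0.2.129 255.255.255.128
interface GigabitEthernet0/1
 shutdown
interface GigabitEthernet0/2
 switchport access vlan 999
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" separators and global commands end the block
    return interfaces

def audit(config, parking_vlan=999):
    """Return findings for the VLAN 1 / parking VLAN rules in the post above."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            if svi.group(1) == "1" and "shutdown" not in cmds:
                findings.append(f"{name}: SVI for VLAN 1 is not shut down")
            if svi.group(1) == str(parking_vlan) and any(c.startswith("ip address") for c in cmds):
                findings.append(f"{name}: parking VLAN has a Layer 3 address")
        elif "switchport mode trunk" in cmds:
            if f"switchport trunk native vlan {parking_vlan}" in cmds:
                findings.append(f"{name}: parking VLAN is the trunk native VLAN")
        else:
            # No explicit access VLAN means the port sits in the default, VLAN 1.
            access = [c for c in cmds if c.startswith("switchport access vlan ")]
            if not access or access[-1].split()[-1] == "1":
                findings.append(f"{name}: access port is in VLAN 1")
    return findings
```

Calling `audit()` on a saved running-config returns one line per deviation; an empty list means none of the four checks fired.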

