dario.didio Tue, 05/05/2009 - 05:12
User Badges:
  • Silver, 250 points or more


It is not possible to shut down VLAN 1. You can, however, shut down the SVI of VLAN 1.

Best practice is never to use VLAN 1. Also, create a dummy VLAN (for example VLAN 999) and use it as the native VLAN on your trunks.

Then, create a third VLAN that you use as a management VLAN for your switches.



carl_townshend Tue, 05/05/2009 - 06:42

Hi There

What do you mean, shut down the SVI of VLAN 1? Isn't this just shutting it down?

davy.timmermans Tue, 05/05/2009 - 10:45
User Badges:
  • Silver, 250 points or more

By SVI, or switch virtual interface, the VLAN's Layer 3 interface is meant (interface vlan1).

Shutting down the SVI interface vlan1 has no impact on the Layer 2 operation of any access ports in VLAN 1 or of native VLAN 1 (except when it's a multilayer switch acting as default gateway for the access ports in the corresponding VLAN).

As Dario says: avoid the use of VLAN 1 as much as possible. VLAN 1 should normally only be used by protocols like CDP, VTP, DTP (this is the default and cannot be changed; that's why VLAN 1 is always allowed over a trunk).

deepa.muralidharan Wed, 05/06/2009 - 01:21


By using an unused VLAN as the native VLAN, we can address a security threat in a LAN environment.

Please note that if no native VLAN is configured, then VLAN-1 is taken as the default native VLAN.

iyde Wed, 05/06/2009 - 10:59
User Badges:
  • Silver, 250 points or more

Hmm; I believe that I have many times cleared VLAN 1 from trunks:

int gig0/1
 ! VLAN 1 is neither the native VLAN nor in the allowed list
 switchport trunk native vlan xxx
 switchport trunk allowed vlan 100,200
 switchport mode trunk

As far as I'm aware no problems from VLAN1 missing on trunks.

davy.timmermans Wed, 05/06/2009 - 23:11
User Badges:
  • Silver, 250 points or more

If you check via show interface switchport or show interface trunk, you'll see that it's not cleared.

milan.kulik Thu, 05/07/2009 - 04:34
User Badges:
  • Red, 2250 points or more

Hi Davy,

Yes, it's cleared.

VLAN 1 is disabled for user data.

It remains available for control plane traffic, though; see


You might get into some STP troubles in some cases with VLAN1 disabled, as explained in the nice article mentioned.

IMHO, the safest (paranoid) approach is to disable VLAN 1 on all trunks, create another VLAN (no ports assigned to it) as the native VLAN on trunks, and a third VLAN for switch management (again, no user port assigned).



davy.timmermans Thu, 05/07/2009 - 04:40
User Badges:
  • Silver, 250 points or more


What I said is not true.

sh int trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi0/3       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       108-110,521

Port        Vlans allowed and active in management domain
Gi0/3       108-110,521

sh int G0/3 switch

Trunking VLANs Enabled: 108-110,521

Also, if no ports are configured in VLAN 1, SVI 1 doesn't come up, even if the trunk is up.

Anyway, VLAN 1 is still used by protocols like CDP, DTP, ...

My apologies for the misleading information.

Second edit:

Hi Milan,

indeed I just tested it.
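As an added example (not code from any poster in this thread or from Cisco), here is a small Python audit script that parses the two `sh int trunk` tables pasted above and applies the checks Milan recommends: VLAN 1 cleared from every trunk, and native VLAN not equal to 1. For each trunk that fails it emits the IOS remediation lines. The sample output is constructed for the example, and the dummy native VLAN number 999 is an assumption taken from Dario's first reply; the management-VLAN recommendation is not checked because `show interfaces trunk` says nothing about it.

```python
"""Audit `show interfaces trunk` output for VLAN 1 exposure on trunks.

Added example for this thread, not code from any poster or from Cisco.
SAMPLE is constructed (modelled on the `sh int trunk` paste in the thread);
the dummy native VLAN 999 is an assumption taken from the first reply.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: Gi0/1 is a factory-default trunk (native VLAN 1, all
# VLANs allowed), Gi0/3 has VLAN 1 cleared but still uses it as native VLAN,
# Gi0/5 follows the thread's recommendation (VLAN 1 cleared, dummy native).
SAMPLE = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1
Gi0/3       on           802.1q         trunking      1
Gi0/5       on           802.1q         trunking      999

Port        Vlans allowed on trunk
Gi0/1       1-4094
Gi0/3       108-110,521
Gi0/5       108-110,521

Port        Vlans allowed and active in management domain
Gi0/1       1,108-110,521
Gi0/3       108-110,521
Gi0/5       108-110,521
"""


@dataclass
class Trunk:
    port: str
    native: int
    allowed: set[int] = field(default_factory=set)


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1-4094' or '108-110,521' into a set."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_show_trunk(text: str) -> dict[str, Trunk]:
    """Parse the native-VLAN and 'allowed on trunk' tables of the command output."""
    trunks: dict[str, Trunk] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port "):          # table header: select the section
            if "Native vlan" in line:
                section = "native"
            elif "allowed on trunk" in line:
                section = "allowed"
            else:
                section = None                # 'allowed and active' etc.: ignored
            continue
        fields = line.split()
        port = fields[0]
        if section == "native":
            trunks[port] = Trunk(port=port, native=int(fields[-1]))
        elif section == "allowed" and port in trunks:
            trunks[port].allowed = expand_vlan_list(fields[-1])
    return trunks


def findings(trunks: dict[str, Trunk]) -> dict[str, list[str]]:
    """Map each trunk that still exposes VLAN 1 to the list of reasons."""
    out: dict[str, list[str]] = {}
    for t in trunks.values():
        issues = []
        if t.native == 1:
            issues.append("native VLAN is 1")
        if 1 in t.allowed:
            issues.append("VLAN 1 allowed for user data")
        if issues:
            out[t.port] = issues
    return out


def remediation(trunks: dict[str, Trunk], dummy_native: int = 999) -> list[str]:
    """IOS config lines implementing the thread's advice for each flagged trunk."""
    lines: list[str] = []
    for port, issues in findings(trunks).items():
        lines.append(f"interface {port}")
        if "native VLAN is 1" in issues:
            lines.append(f" switchport trunk native vlan {dummy_native}")
        if "VLAN 1 allowed for user data" in issues:
            lines.append(" switchport trunk allowed vlan remove 1")
    return lines


if __name__ == "__main__":
    trunks = parse_show_trunk(SAMPLE)
    for port, issues in findings(trunks).items():
        print(f"{port}: {'; '.join(issues)}")
    print("\n".join(remediation(trunks)))
```

Running it against the constructed sample flags Gi0/1 on both counts and Gi0/3 for its native VLAN only, and prints the matching `switchport trunk native vlan 999` / `switchport trunk allowed vlan remove 1` lines. As the quotes later in the thread point out, this is about user data only: CDP, VTP and PAgP frames still go out with a VLAN 1 tag after VLAN 1 is removed from the allowed list.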

Amit Singh Thu, 05/07/2009 - 06:17
User Badges:
  • Cisco Employee,

You can safely remove VLAN 1 from the trunk interfaces; this is called VLAN 1 minimization and has been supported for a long time on all Cisco switches. Typically all the control traffic like VTP, DTP, PAgP and CDP always travels on VLAN 1, it being the default native VLAN on Cisco switches. If you remove VLAN 1 on the trunk interfaces you have to create another VLAN as native VLAN so all the control traffic can pass safely to the various neighbouring switches. We always send CDP packets on VLAN 1, so if you remove VLAN 1 over the trunks you might see some CDP info problems.

milan.kulik Thu, 05/07/2009 - 06:58
User Badges:
  • Red, 2250 points or more

Hi Amit,

according to


you are not 100% correct.

"CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1."

"On an 802.1Q trunk, DTP packets are sent on the native VLAN. This is the case even if the native VLAN has been cleared from the trunk."


1) If you remove VLAN 1 from the trunk interfaces you DON'T have to create another VLAN as native VLAN.

2) If you remove vlan 1 over the trunks there should be NO problem with CDP.

3) The only problem could happen in some cases with STP, as described also in the article.



Amit Singh Thu, 05/07/2009 - 07:04
User Badges:
  • Cisco Employee,


My bad... :-) Yes, I remember it now. We always send all control traffic using VLAN 1, even if it is removed on the trunk links.

See, if you are not a regular on these forums, this is what's going to happen to you. Sorry, guys, for the wrong info posted above.


