vlan 1 on switches

Unanswered Question
May 5th, 2009

Hi all, when configuring my network, is it advisable to shut vlan 1 down, and use another one for management, and make this management vlan native on all trunks ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
dario.didio Tue, 05/05/2009 - 05:12

Hi,

it is not possible to shutdown VLAN1. You can hower shutdown the SVI of VLAN1.

Best practices are never to use VLAN1. Also, create a dummy VLAN (for example VLAN999) and use it as your native vlan on your trunks.

Then, create a third VLAN that you use a management VLAN for your switches.

HTH,

Dario

carl_townshend Tue, 05/05/2009 - 06:42

Hi There

what do you mean, shut down the svi of vlan 1? isnt this just shutting it down ?

davy.timmermans Tue, 05/05/2009 - 10:45

with svi or switch virtual interface is the 'virtual'lan layer 3 interface meant (interface vlan1)

Shutdown of the svi interface vlan1 has no impact on the Layer2 operation of eventually access ports in vlan1 or native vlan1. (Except when it's a multilayer switch and acting as default-gateway for the access-ports in the corresponding vlan)

As Dario says: evite the use of vlan1 as much as possible. Vlan1 should normally only be used by protocols like CDP,VTP,DTP (=default and cannot be changed, that's why vlan1 is always allowed over a trunk)

deepa.muralidharan Wed, 05/06/2009 - 01:21

HI,

By using an unused VLAN as the Native VLAN, we can address a security threat in LAN environment.

Please note that if no native VLAN is configured, then VLAN-1 is taken as the default native VLAN.

iyde Wed, 05/06/2009 - 10:59

Hmm; I believe that I may times have cleared VLAN1 from trunks:

int gig0/1

switchport trunk native vlan xxx

switchport trunk allowed vlan 100,200

switchport mode trunk

As far as I'm aware no problems from VLAN1 missing on trunks.

davy.timmermans Wed, 05/06/2009 - 23:11

if you check via show interface switchport or show interface trunk you'll see that it's not cleared

milan.kulik Thu, 05/07/2009 - 04:34

Hi Davy,

yes, it's cleared.

VLAN1 is disabled for user data.

It's remaining available for Control Plane traffic, though, see

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre6

You might get into some STP troubles in some cases with VLAN1 disabled, as explained in the nice article mentioned.

IMHO, the safest (paranoid) approach is to disable VLAN1 on all trunks, create another VLAN (no ports assigned to it) as Native VLAN on trunks and third VLAN for switch management (again, no user port assigned).

BR,

Milan

davy.timmermans Thu, 05/07/2009 - 04:40

edit:

what I said is not true.

sh int trunk

Port Mode Encapsulation Status Native vlan

Gi0/3 on 802.1q trunking 1

Port Vlans allowed on trunk

Gi0/3 108-110,521

Port Vlans allowed and active in management domain

Gi0/3 108-110,521

and

sh int G0/3 switch

Trunking VLANs Enabled: 108-110,521

also if no ports are configured in vlan1, svi 1 doesn't come up. Even if the trunk is up.

Anyway, vlan1 is still used by protocols like CDP,DTP,...

My excuses for the misleading information

edit bis:

Hi Milan,

indeed I just tested it.

Amit Singh Thu, 05/07/2009 - 06:17

You can safely remove Vlan 1 from the trunk interfaces, this is called as Vlan 1 minimization and has been supported since a long time on all the cisco switches. Typically all the control traffic like VTP, DTP, Pagp and CDP always travel on Vlan 1 being the default native vlan on cisco switches. If you remove the Vlan 1 on the trunk interfaces you have to create another vlan as native vlan so all the control traffic could pass through safely to various neighbouring switches. We always send CDP packets on vlan 1 so if you remove vlan 1 over the trunks you might see some CDP info problem.

milan.kulik Thu, 05/07/2009 - 06:58

Hi Amit,

according to

http://www.cisco.com/en/US/products/hw/switches/ps700/products_white_paper09186a00801b49a4.shtml#pre6

you are not 100% correct.

"CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1."

"On an 802.1Q trunk, DTP packets are sent on the native VLAN. This is the case even if the native VLAN has been cleared from the trunk."

So

1) If you remove the Vlan 1 on the trunk interfaces you DON'T have to create another vlan as native vlan.

2) If you remove vlan 1 over the trunks there should be NO problem with CDP.

3) The only problem could happen in some cases with STP, as described also in the article.

BR,

Milan

Amit Singh Thu, 05/07/2009 - 07:04

Milan,

My bad...:-). Yes I remember it now. We always send all control traffic using Vlan 1 even if it is removed on the trunk links.

See if you are not regular on these forums, this is what gonna happen to you. Sorry guys for the wrong info posted above.

regards,

Actions

This Discussion