I have been reading the posts, both current and old, regarding the shutting down of VLAN1 and the use of the switchport trunk native command. We have been asked to harden a number of switches in our environment, and shutting down VLAN1 was the first thing we noticed we needed to address. I think I understand the majority of the information/reasons for shutting down VLAN1, but there were still a few things that were not making any sense, so I am coming to the experts for some clarification and help.
1. From what I read, when you "shutdown" the SVI for VLAN1 on a switch with the shutdown command, you are actually only shutting down the Layer 3 interface for VLAN1, and VLAN1 will still pass traffic for CDP, PAgP, and other Layer 2 features. My question is: can you actually completely shut down VLAN1 from both a Layer 3 and a Layer 2 perspective? The reason I ask is that all my reading indicates you should shut down VLAN1 as a security precaution, but if the above is correct, is the security benefit only from a Layer 3 perspective? (That could make sense, since VLAN1 is the default and on all switches, so you wouldn't want that VLAN to span your whole network if there are Layer 3 interfaces involved.)
2. Also, from what I have seen in the forums, the native VLAN is always VLAN1 initially, but you can change the native VLAN. My question here is: how exactly do you change the native VLAN? It looks like the switchport trunk native command is what does that for trunk ports, but is that actually the case? If so, I also read that you should use a VLAN that is not used for anything else. So, for example, I could use VLAN 888 (assuming that I am not using it for anything else) as my new native VLAN by simply setting that with the switchport trunk native command on each trunk link? And by changing the native VLAN to something like VLAN888, am I really just saying that now all Layer 2 features like CDP, PAgP, etc. (assuming they are enabled) are going to flow over VLAN888 instead of VLAN1?
3. I also saw that you can prune (or should prune?) VLAN1 from all the trunk links. Is this done by using the switchport trunk allowed vlan command to allow only the VLANs you want/are using (so in effect you are denying all others)? Or does VLAN1 always have access to the trunk links?
4. Finally, if the switchport trunk native command is the way to change the native VLAN, can you have more than one native VLAN on the same switch? I am thinking that if I set up multiple trunk connections to multiple switches off of one switch, you could set the switchport trunk native statement to a different VLAN on each, as long as it matches the remote end. If you can do this, is there any reason to do that, or should you look to use the same native VLAN for all trunk ports?
Okay, thank you so much in advance for any assistance!!!
1) Shutting down the VLAN1 SVI will only shut down the L3 interface; there is no way to shut down/delete VLAN1 at L2.
2) Like you said in your post, you can change the native VLAN with the switchport trunk native command for a trunk port, or switchport access vlan for an access port. But control traffic like CDP, DTP, PAgP, and VTP will still use VLAN1.
3) You can prune VLAN1 off the trunk link but control traffic will still use VLAN1.
4) No, you can only have one (1) native VLAN on a trunk. Using a different native VLAN on different trunks is not a bad idea, as long as you remember to match them up. I would not use the same native VLAN on all the switches throughout your switching domain; if this is the case, it makes no difference from VLAN1.
The reason not to use VLAN1 is really saying not to use VLAN1 for any user data traffic. VLAN1 is created by default on all Cisco switches, and VLAN1 cannot be removed from the VLAN database. Since VLAN1 is created by default, you can create a spanning-tree loop if you use VLAN1 to carry user data traffic, for example with a native VLAN mismatch on a trunk. For example, two switches are connected via a trunk, and one side's native VLAN is VLAN1 and the other side's native VLAN is VLANx. Both VLANs will merge and create a spanning-tree loop throughout the network if VLAN1 is used as the native VLAN. The following link gives some examples of why not to use VLAN1
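As an added example, not from the original thread or its answerer, here is the Cisco IOS configuration that puts answers 1) to 3) into practice on an access switch with a single trunk uplink: the VLAN1 SVI is shut, management moves to its own VLAN, the trunk gets an unused native VLAN and VLAN1 is pruned from the allowed list. The interface name GigabitEthernet1/0/48, VLANs 10, 20, 99 and 888, and the addresses are placeholders; VLAN 888 is assumed to be unused anywhere else in the switching domain.

```cisco
! Constructed example; names, VLAN numbers and addresses are placeholders.
!
! Before hardening, the defaults looked like this:
!   interface GigabitEthernet1/0/48
!    switchport mode trunk
!   interface Vlan1
!    ip address 10.0.0.2 255.255.255.0
! i.e. native VLAN 1, all VLANs allowed on the trunk, management on VLAN1.
!
! Create the unused native VLAN and a dedicated management VLAN
vlan 888
 name NATIVE_UNUSED
vlan 99
 name MGMT
!
! Step 1: shut the VLAN1 SVI. This removes the L3 interface only; VLAN1 still
! exists at L2 and control protocols (CDP, DTP, PAgP, VTP) still use it.
interface Vlan1
 no ip address
 shutdown
!
! Management now lives on VLAN 99 instead of VLAN1
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
 no shutdown
!
! Steps 2 and 3: unused native VLAN, VLAN1 pruned from the trunk, DTP off.
! The native VLAN must match on both ends of the trunk.
interface GigabitEthernet1/0/48
 description Uplink to distribution switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 888
 switchport trunk allowed vlan 10,20,99,888
 switchport nonegotiate
!
! Optional (platform dependent): tag frames on the native VLAN too, so untagged
! frames arriving on the trunk are not accepted into VLAN 888.
vlan dot1q tag native
!
! Verify:
!   show interfaces GigabitEthernet1/0/48 trunk
!   show interfaces GigabitEthernet1/0/48 switchport
! The trunk should report native VLAN 888 and allowed VLANs 10,20,99,888 only.
```

The allowed-VLAN list includes the native VLAN itself so that untagged frames on the trunk still have a VLAN to land in; if VLAN 888 were also left off the list, the trunk would simply drop them, which is another valid choice when no untagged traffic is expected. Applying the same native VLAN on both sides first avoids the mismatch merge described above while the change is being rolled out.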