management vlan as untagged on trunks - why not?

Feb 15th, 2010

Hi all


Is there a reason why your management VLAN should not be the native VLAN on your trunks?

If so, what is the recommendation? Should I use VLAN 1 as native, as I shut this VLAN down anyway?

Cheers

Carl

Dirk Woellhaf Mon, 02/15/2010 - 04:42

Mhh,

we do it just the other way.

We use our management VLAN as native VLAN on our trunks.

As a result, we have all management related stuff like CDP, STP, etc. in the management VLAN.

Works fine!

Dirk

Jon Marshall Mon, 02/15/2010 - 05:08

dirkwoellhaf wrote:

Mhh, we do it just the other way.
We use our management VLAN as native VLAN on our trunks.
As a result, we have all management related stuff like CDP, STP, etc. in the management VLAN.
Works fine!
Dirk

Dirk

If your management VLAN is VLAN 1 then yes, CDP/VTP/PAgP will be in that VLAN. If you have a different VLAN than VLAN 1 as your management VLAN, then CDP/VTP/PAgP etc. will not be in your management VLAN.

Are you saying that your switch management VLAN and native VLAN are just using the default of VLAN 1?

Jon

Jon Marshall Mon, 02/15/2010 - 04:56

carl_townshend wrote:

Hi all
Is there a reason why your management VLAN should not be the native VLAN on your trunks?
If so, what is the recommendation? Should I use VLAN 1 as native, as I shut this VLAN down anyway?
Cheers
Carl

Carl

Cisco's recommendation is that your switch management VLAN should not be the native VLAN, and it should not be VLAN 1.

VLAN 1 shouldn't be used for anything, i.e. not for users, not to manage the switches. Note that VLAN 1 will still be used for Cisco L2 protocols such as CDP/VTP/PAgP etc., but you can't stop that.

The native VLAN should be a different VLAN altogether, and the VLAN you choose should not be allocated to any ports. It does not need an L3 SVI, because you never need to route the native VLAN.

Jon

tdistlists Mon, 02/15/2010 - 14:54

As a security measure, remember that if you don't tag your native VLAN, double-encapsulation attacks will pop out of the trunk in the native VLAN. As Jon mentioned, you don't want an SVI for, or any switchports assigned to, that VLAN for security purposes as well.
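The double-encapsulation (double-tagging) point above, worked through as an added example that is not part of this thread. The script below models the 802.1Q rules an access port and a trunk apply to a frame, with two parameters standing in for the IOS knobs under discussion: the trunk's native VLAN (`switchport trunk native vlan N`) and whether the native VLAN is sent tagged (`vlan dot1q tag native`). The frame bytes, MAC addresses and VLAN numbers are constructed for the demonstration, and the assumption that a trunk with a tagged native VLAN drops untagged frames follows the documented Catalyst behaviour; other platforms may differ.

```python
"""Model of 802.1Q double-tagging (VLAN hopping) across one trunk.

Added example, not code from the original thread. All frames are constructed.
"""
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
ETH_HDR = 12  # destination MAC + source MAC


def build_frame(dst, src, vids, ethertype=ETH_P_IP, payload=b""):
    """Ethernet frame carrying the 802.1Q tags in `vids`, outermost first."""
    out = dst + src
    for vid in vids:
        out += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)  # PCP/DEI = 0
    return out + struct.pack("!H", ethertype) + payload


def outer_vid(frame):
    """VID of the outermost 802.1Q tag, or None if the frame is untagged."""
    (tpid,) = struct.unpack_from("!H", frame, ETH_HDR)
    if tpid != ETH_P_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, ETH_HDR + 2)
    return tci & 0x0FFF


def push_tag(frame, vid):
    """Insert a tag for `vid` as the new outermost tag."""
    return frame[:ETH_HDR] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[ETH_HDR:]


def pop_tag(frame):
    """Strip the outermost tag (caller has checked one is present)."""
    return frame[:ETH_HDR] + frame[ETH_HDR + 4:]


def access_ingress(frame, access_vlan):
    """Access port: an untagged frame joins the access VLAN; a tag naming the
    access VLAN is accepted and stripped; any other tag is dropped. Whatever
    sits behind that first tag (e.g. a second tag) is treated as payload."""
    vid = outer_vid(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None


def trunk_egress(vlan, frame, native_vlan, tag_native):
    """Trunk out: tag every VLAN except an *untagged* native VLAN."""
    if vlan == native_vlan and not tag_native:
        return frame  # leaves the switch exactly as it arrived
    return push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan, tag_native):
    """Trunk in: the outer tag selects the VLAN; an untagged frame lands in the
    native VLAN, or is dropped when the native VLAN is tagged (assumption:
    Catalyst behaviour with 'vlan dot1q tag native')."""
    vid = outer_vid(frame)
    if vid is None:
        return (None, None) if tag_native else (native_vlan, frame)
    return vid, pop_tag(frame)


def double_tag_attack(attacker_vlan, target_vlan, native_vlan, tag_native):
    """Attacker on an access port in `attacker_vlan` sends a frame with an
    outer tag for its own VLAN and an inner tag for `target_vlan`. Returns the
    VLAN the far-side switch delivers the frame into (None if dropped)."""
    dst = bytes.fromhex("ffffffffffff")  # constructed broadcast destination
    src = bytes.fromhex("0200000000aa")  # constructed locally administered MAC
    frame = build_frame(dst, src, [attacker_vlan, target_vlan], payload=b"hop")
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, frame, native_vlan, tag_native)
    vlan, _ = trunk_ingress(wire, native_vlan, tag_native)
    return vlan


if __name__ == "__main__":
    cases = [
        ("native = attacker's VLAN 1, untagged", (1, 20, 1, False)),
        ("management VLAN 10 as untagged native", (10, 20, 10, False)),
        ("unused native VLAN 999, attacker in VLAN 1", (1, 20, 999, False)),
        ("native VLAN 1 but 'vlan dot1q tag native'", (1, 20, 1, True)),
    ]
    for label, args in cases:
        print(f"{label}: frame delivered into VLAN {double_tag_attack(*args)}")
```

The first two cases show the failure mode: whenever the attacker sits in whatever VLAN is the untagged native VLAN of the trunk, the switch forwards the frame untouched, the inner tag becomes the outer tag on the wire, and the neighbour delivers it into VLAN 20. Moving the native VLAN to an unused number (so no port can be in it) or tagging the native VLAN both make the trunk add its own outer tag, and the frame stays in the attacker's VLAN.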
