I have recently been putting an SG300 through testing, and while the configuration is working, I am now at the stage of making sure everything is secure. At this point I've reached a question I can't quite find the answer to:
1 Port - Trunk Mode (1UP + Various VLANs Tagged)
Other Ports - Access Mode (Various VLANs Untagged)
The question comes as to how to deal with the Trunk Port. Per Cisco's own "Virtual Lan Security Best Practices", the default/native VLAN should be cleared from all Trunks... unless I am misunderstanding, I see no way to accomplish this with the SG300's port in Trunk Mode (it forces 1UP, and admit-all).
The only other options I see as being possible are:
Change Port to General Mode, and switch policy to admit-tagged-only, and leave 1UP on the trunk
Change Port to General Mode, and remove 1UP (but this forces the system to add 4095P, which per the documentation states it immediately disables all other VLANs?)
Are either of these options valid/usable... or is there a better way to accomplish this?
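As an added example (not from the original post and not taken from Cisco's documentation), here is the first option above written out in the Sx300 CLI, assuming the uplink is gi1 and the tagged VLANs are 10, 20 and 30; the command syntax is as I remember it from the Sx300 CLI guide, so confirm it against the guide for your firmware version.

```cisco
! Added example: uplink gi1 as a General-mode port that admits tagged frames only.
! Interface name and VLAN IDs (10,20,30) are assumed, not from the original post.
configure terminal
interface gi1
 switchport mode general
 ! Carry the data VLANs tagged; VLAN 1 is removed so the port is not a member of it.
 switchport general allowed vlan add 10,20,30 tagged
 switchport general allowed vlan remove 1
 ! Discard untagged and priority-tagged frames on ingress. Because nothing untagged
 ! is ever admitted, the PVID is never used to classify a frame on this port.
 switchport general acceptable-frame-type tagged-only
 exit
exit
! Verify: the port should report General mode and acceptable frame type tagged-only,
! and VLAN 1 should no longer appear in its membership list.
show interfaces switchport gi1
```

Ingress filtering (dropping tagged frames for VLANs the port is not a member of) is enabled by default in General mode on these switches, so it is not set explicitly here; check its state in the same show output.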