×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Native VLAN

Answered Question
Mar 31st, 2003
User Badges:

I've read that it is advisable to keep vlan1 reserved for management traffic only, and use other vlans for data traffic. My question is should vlan1 be assigned an ip address, or should I access my switches through the other vlans I have configured with different subnets. Another thing I was wondering was about creating private vlans. What are the reasons for doing this? The switched I'm using are:

Distribution Layer - Cat4006 w/ SupII

Access Layer - C3550-SMI

Correct Answer by milan.kulik about 14 years 4 months ago

Hi,

I've read similar recommendations many times in different documents.

My personal opinion is that there are three basic choices:

1) Maximum (paranoic) security in your network.

Leave VLAN1 for management traffic (CDP, VTP, DTP,CMP, etc., etc.) only. But define another VLAN as the management VLAN, i.e. assign an IP address to another VLANx port on your switches (and shutdown the VLAN1 port). Put users to different VLANs. Disable VLAN1 on all trunks (it will be disabled for user data only, CDP,etc. will be still there. Set native VLAN on trunks to other VLAN than VLAN1. Disable all unnecessary VLANs on trunks. Don't use VTP (set all switches as VTP transparent) and configure all VLANs manually on every switch.

This is the most secure solution.

But also the most complicated one. You can expect problems:

Some switches (Cat3550, e.g.) don't support VLAN1 disabling on trunks.

This configuration is very complex, you must change many values different from the default ones and not forget to do it the same way on all switches.

Troubleshooting may become more complicated in a case of some problems (complete or partial config lost, e.g.).

2) High security (I'd recommend):

Leave VLAN1 as management one and define IP addresses of your switches in this VLAN. Put users to other VLANs.

Enable VTP (two VTP servers at least) but use VTP passwords.

Depending on the CPU utilization disable (on leave enabled) unnecessary VLANs on trunks. Leave VLAN1 as native on trunks.

My opinion is this approach gives you a reasonable security without bringing additional problems in troubleshooting times.

3) Low security:

Leave everything default and assing IP addresses of your switches in VLAN1. Leave users in VLAN1.

This is the most comfortable solution but considered dangerous from security point of view: Any user has a possibility to Telnet to your switches (but you can protect them by access lists) or to make DOS attack by broadcast flooding (even a damaged NIC could cause it).


Private VLANs can improve security inside a particular VLAN - you can define which ports are allowed to communicate each to the others inside one VLAN.

See Cat4000 configuration guide for details, e.g.


Regards,

Milan


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
Correct Answer
milan.kulik Mon, 03/31/2003 - 23:08
User Badges:
  • Red, 2250 points or more

Hi,

I've read similar recommendations many times in different documents.

My personal opinion is that there are three basic choices:

1) Maximum (paranoic) security in your network.

Leave VLAN1 for management traffic (CDP, VTP, DTP,CMP, etc., etc.) only. But define another VLAN as the management VLAN, i.e. assign an IP address to another VLANx port on your switches (and shutdown the VLAN1 port). Put users to different VLANs. Disable VLAN1 on all trunks (it will be disabled for user data only, CDP,etc. will be still there. Set native VLAN on trunks to other VLAN than VLAN1. Disable all unnecessary VLANs on trunks. Don't use VTP (set all switches as VTP transparent) and configure all VLANs manually on every switch.

This is the most secure solution.

But also the most complicated one. You can expect problems:

Some switches (Cat3550, e.g.) don't support VLAN1 disabling on trunks.

This configuration is very complex, you must change many values different from the default ones and not forget to do it the same way on all switches.

Troubleshooting may become more complicated in a case of some problems (complete or partial config lost, e.g.).

2) High security (I'd recommend):

Leave VLAN1 as management one and define IP addresses of your switches in this VLAN. Put users to other VLANs.

Enable VTP (two VTP servers at least) but use VTP passwords.

Depending on the CPU utilization disable (on leave enabled) unnecessary VLANs on trunks. Leave VLAN1 as native on trunks.

My opinion is this approach gives you a reasonable security without bringing additional problems in troubleshooting times.

3) Low security:

Leave everything default and assing IP addresses of your switches in VLAN1. Leave users in VLAN1.

This is the most comfortable solution but considered dangerous from security point of view: Any user has a possibility to Telnet to your switches (but you can protect them by access lists) or to make DOS attack by broadcast flooding (even a damaged NIC could cause it).


Private VLANs can improve security inside a particular VLAN - you can define which ports are allowed to communicate each to the others inside one VLAN.

See Cat4000 configuration guide for details, e.g.


Regards,

Milan


j.arthur Tue, 04/01/2003 - 16:24
User Badges:

Question, by default does all traffic cross Vlan1?

Let’s say you are trunking between two 6500’s. One is set as the gateway out and is acting as the VTP server and the other is set as a client. Now if the client has multiple Vlanx’s, does all that data traffic heading out go across Native Vlan 1?


j.arthur Tue, 04/01/2003 - 17:39
User Badges:

Addendum:

My assumption is that all traffic is crossing over Vlan 1, assuming I’m right, is the number 2 option the right option when you have several 6500’s daisy chained together and trunking over Vlan 1 with approximately 5000 users, and growing. Along with Video conferencing and Voice over IP that will be implemented.

I guess my question is more about performance.

Example: if I have three 6500’s daisy chained together with Gig Fiber, can I create multiple Native Vlans for trunking between the 6500’s for better performance or will it be the same result as having it go over Vlan 1?


milan.kulik Tue, 04/01/2003 - 22:44
User Badges:
  • Red, 2250 points or more

Hi,

to your question:

No, by default all traffic doesn't cross Vlan1. If you configure trunk between switches each VLAN traffic goes tagged per VLAN on the trunk. I.e. if you put your users to VLAN2, 3 and 4 and leave VLAN1 as a management one user traffic goes on VLAN2-4 and the only management traffic goes on VLAN1 on the trunk.

To your Example:

Native VLAN setting is always local. So if you daise chain switches S1-S2-S3 you can define VLAN1 as native on the trunk between S1 and S2 and VLAN4 as native on the trunk between S2 and S3. But it will not improve the performace - all the traffic stlill goes on the same physical trunk and if you are sending a video conference in VLAN4 it goes on VLAN4 from S3 to S2 and still on VLAN4 from S2 to S1 without any relation to native VLAN settings.

I hope that I eplained the proble a little.

You can read http://www.cisco.com/warp/public/473/27.pdf for details.

Regards,

Milan

j.arthur Wed, 04/02/2003 - 14:31
User Badges:

So if I want to improve perfomace over the same pipe, thats when you enable QOS?

J

milan.kulik Thu, 04/03/2003 - 00:58
User Badges:
  • Red, 2250 points or more

Yes.

Another possibility (in LAN enviroment especially) is to increase bandwith - FastEtherChannel or GigabitEtherChannel.

Regards,

Milan

Actions

This Discussion