I've read that it is advisable to keep vlan1 reserved for management traffic only, and use other vlans for data traffic. My question is: should vlan1 be assigned an ip address, or should I access my switches through the other vlans I have configured with different subnets? Another thing I was wondering about was creating private vlans. What are the reasons for doing this? The switches I'm using are:
Distribution Layer - Cat4006 w/ SupII
Access Layer - C3550-SMI
I've read similar recommendations many times in different documents.
My personal opinion is that there are three basic choices:
1) Maximum (paranoic) security in your network.
Leave VLAN1 for management traffic (CDP, VTP, DTP, CMP, etc., etc.) only. But define another VLAN as the management VLAN, i.e. assign an IP address to another VLANx port on your switches (and shut down the VLAN1 port). Put users in different VLANs. Disable VLAN1 on all trunks (it will be disabled for user data only; CDP, etc. will still be there). Set the native VLAN on trunks to a VLAN other than VLAN1. Disable all unnecessary VLANs on trunks. Don't use VTP (set all switches as VTP transparent) and configure all VLANs manually on every switch.
This is the most secure solution.
But also the most complicated one. You can expect problems:
Some switches (Cat3550, e.g.) don't support VLAN1 disabling on trunks.
This configuration is very complex, you must change many values different from the default ones and not forget to do it the same way on all switches.
Troubleshooting may become more complicated in case of some problems (complete or partial config loss, e.g.).
2) High security (I'd recommend):
Leave VLAN1 as the management one and define the IP addresses of your switches in this VLAN. Put users in other VLANs.
Enable VTP (two VTP servers at least) but use VTP passwords.
Depending on the CPU utilization, disable (or leave enabled) unnecessary VLANs on trunks. Leave VLAN1 as native on trunks.
My opinion is this approach gives you reasonable security without bringing additional problems at troubleshooting time.
3) Low security:
Leave everything default and assign the IP addresses of your switches in VLAN1. Leave users in VLAN1.
This is the most comfortable solution but is considered dangerous from a security point of view: any user has the possibility to Telnet to your switches (but you can protect them by access lists) or to make a DoS attack by broadcast flooding (even a damaged NIC could cause it).
Private VLANs can improve security inside a particular VLAN - you can define which ports are allowed to communicate with each other inside one VLAN.
See the Cat4000 configuration guide for details, e.g.
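As an added illustration (not configuration from the thread above), this is how option 2 of the answer could be expressed on an IOS-based access switch such as the C3550, with the option 1 differences shown as commented-out lines at the end. The VLAN numbers, IP addresses, interface names, VTP domain and password are all assumed values chosen for the example.

```cisco
! Assumed layout: VLAN 1 = management (option 2), VLAN 10 = users.
! Authenticated VTP: keep it enabled, but require the password.
vtp domain CAMPUS
vtp mode server
vtp password S3cretVtpPw
!
vlan 10
 name USERS
!
! Switch management address stays in VLAN 1 (option 2).
interface Vlan1
 ip address 10.1.1.11 255.255.255.0
 no shutdown
!
! Only the management subnet may open a vty session (the "access lists"
! mentioned under option 3); 10.1.1.0/24 is an assumed management subnet.
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 15
 access-class 10 in
 login
!
! User ports: fixed access mode in the user VLAN, never VLAN 1.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
!
! Uplink trunk: no DTP negotiation, only the VLANs actually needed,
! VLAN 1 left as native (option 2).
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 1,10
!
! Option 1 (maximum security) would change the following instead:
!   vtp mode transparent                 (and define every VLAN by hand)
!   interface Vlan1 / shutdown           (no IP address on VLAN 1)
!   interface Vlan99 / ip address 10.99.0.11 255.255.255.0
!   interface GigabitEthernet0/1
!     switchport trunk native vlan 999   (an otherwise unused VLAN)
!     switchport trunk allowed vlan 10,99
```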