
New Member

management vlan as untagged on trunks - why not?

Hi all

Is there a reason why your management vlan should not be the native vlan on your trunks?

If so, what is the recommendation? Should I use vlan 1 as native, as I shut this vlan down anyway?

Cheers

Carl

4 REPLIES
New Member

Re: management vlan as untagged on trunks - why not?

Mhh,

we do it just the other way.

We use our management VLAN as native VLAN on our trunks.

As a result, we have all management related stuff like CDP, STP, etc. in the management VLAN.

Works fine!

Dirk

regards, Dirk (Please rate if helpful)
Hall of Fame Super Blue

Re: management vlan as untagged on trunks - why not?

dirkwoellhaf wrote:

Mhh,

we do it just the other way.

We use our management VLAN as native VLAN on our trunks.

As a result, we have all management related stuff like CDP, STP, etc. in the management VLAN.

Works fine!

Dirk

Dirk

If your management vlan is vlan 1 then yes, CDP/VTP/PAgP will be in that vlan. If you have a different vlan than vlan 1 as your management vlan, then CDP/VTP/PAgP etc. will not be in your management vlan.

Are you saying that your switch management vlan and native vlan are just using the default of vlan 1?

Jon

Hall of Fame Super Blue

Re: management vlan as untagged on trunks - why not?

carl_townshend wrote:

Hi all

Is there a reason why your management vlan should not be the native vlan on your trunks?

If so, what is the recommendation? Should I use vlan 1 as native, as I shut this vlan down anyway?

Cheers

Carl

Carl

Cisco recommendation is that your switch management vlan should not be the native vlan and it should not be vlan 1.

Vlan 1 shouldn't be used for anything, i.e. not for users, not to manage the switches. Note that vlan 1 will still be used for Cisco L2 protocols such as CDP/VTP/PAgP etc., but you can't stop that.

The native vlan should be a different vlan altogether and the vlan you choose should not be allocated to any ports and it does not need a L3 SVI because you never need to route the native vlan.

Jon

New Member

Re: management vlan as untagged on trunks - why not?

As a security measure, remember that if you don't tag your native vlan, double-encapsulation attacks will pop out of the trunk in the native vlan. As Jon mentioned, you don't want an SVI for, or any switchports assigned to, that vlan for security purposes as well.
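A defender-side check for Jon's recommendation and the untagged-native-vlan point above, as an added example that is not from this thread or from Cisco: it parses an IOS-style running-config (a constructed sample is included) and flags trunks whose native VLAN is the default VLAN 1 or a VLAN that carries an SVI (where the management VLAN lives), and reports when the global `vlan dot1q tag native` command is absent so the native VLAN leaves the trunk untagged.

```python
import re

def parse_interfaces(config):
    """Map interface name -> its indented config lines (IOS running-config layout)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface stanza
    return interfaces

def audit_native_vlans(config):
    """Flag trunks whose native VLAN is VLAN 1 or a routed (SVI) VLAN such as management."""
    ifaces = parse_interfaces(config)
    # VLANs that have an SVI with an IP address; the management VLAN is one of these
    svi_vlans = {int(m.group(1)) for name, lines in ifaces.items()
                 if (m := re.fullmatch(r"Vlan(\d+)", name))
                 and any(l.startswith("ip address ") for l in lines)}
    findings = []
    if "vlan dot1q tag native" not in config.splitlines():
        findings.append("global: native VLAN is sent untagged (no 'vlan dot1q tag native')")
    for name, lines in ifaces.items():
        if "switchport mode trunk" not in lines:
            continue
        m = re.search(r"switchport trunk native vlan (\d+)", "\n".join(lines))
        native = int(m.group(1)) if m else 1  # IOS default native VLAN is 1
        if native == 1:
            findings.append(f"{name}: native VLAN is the default VLAN 1")
        elif native in svi_vlans:
            findings.append(f"{name}: native VLAN {native} has an SVI (routed/management VLAN)")
    return findings

# Constructed sample (not from the thread): Gi1/0/1 uses the management VLAN as
# native, Gi1/0/2 falls back to VLAN 1, Gi1/0/3 uses a dedicated unused VLAN.
SAMPLE_CONFIG = """\
interface Vlan100
 ip address 10.10.100.2 255.255.255.0
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 100
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk native vlan 999
"""
```

Running `audit_native_vlans(SAMPLE_CONFIG)` returns three findings (the missing global tag command, Gi1/0/1's management-VLAN native, Gi1/0/2's VLAN 1 native) and none for the hardened Gi1/0/3.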
