Cisco Support Community
New Member

Native VLAN decisions

Hi,

we are deploying new Cisco equipment at some sites and we are debating how we should go about treating the native VLAN and trunk ports.

We decided to keep VLAN 1 as the native VLAN on trunk ports but never assign any ports to VLAN 1. We thought that this would provide simplicity for deploying sites - I know that it is not best practice to leave VLAN 1 as the native VLAN and it can be a security risk because ports are assigned to VLAN 1 by default but, we have agreed we will not assign any ports to VLAN 1. 

That being said, if we do decide to change the native VLAN to an arbitrary number - say 999 - will switch-management traffic (STP, etc.) then traverse the untagged VLAN 999 and VLAN 1 will just exist as a totally unused VLAN? And would VLAN 1 then be tagged?

After all that -

Would our best bet be to create a unique VLAN for every remote site and use that VLAN exclusively and only for native VLANs on trunks?

Thanks.  


Native VLAN decisions

I ran into this problem with Dell and Cisco interaction. I noticed that my Dell thought it was the root bridge, but my Cisco did as well. After figuring out what the problem was, the Dell recognized the Cisco as the bridge.

On the Dell, I had changed the native vlan to 95 and removed all ports from vlan 1 which shut vlan 1 down. The vlans that were active were 10 and 95, and life was fine. Since Dell doesn't support PVST, it was using CST to determine where the root bridge was. I later found out that CST only runs on vlan 1 - native or not. I had to add vlan 1 to the trunk just to bring it back up on the Dell.

That being said, I would recommend leaving vlan 1 at least running on the trunked port between switches to save for any issues later on. This is primarily for control plane traffic though, since none of your users would be on that vlan. Technically, anything that's not the native will be tagged, so I would assume that vlan 1 would be a normal tagged vlan at that point, but it's not something you'd need to worry about I wouldn't think.

HTH,
John

*** Please rate all useful posts ***

New Member

Native VLAN decisions

Thanks, John.

regarding my last question -

"Would our best bet be to create a unique VLAN for every remote site and use that VLAN exclusively and only for native VLANs on trunks?"

So, do you believe we should do the above and also leave VLAN 1 on the trunk ports for the control plane traffic?

Thank you

VIP Super Bronze

Native VLAN decisions

Pat,

"Would our best bet be to create a unique VLAN for every remote site and use that VLAN exclusively and only for native VLANs on trunks?"

Correct, for example;

shut down vlan 1 and create vlan 999 and use it as your native vlan everywhere. Then create vlan 888 and park all unused ports in it.

So, do you believe we should do the above and also leave VLAN 1 on the trunk ports for the control plane traffic?

Yes, even when you shut vlan 1, all your control traffic still uses vlan 1.

HTH

New Member

Native VLAN decisions

Thanks Reza 

so, even if VLAN 1 is shut - control traffic uses VLAN 1? So, if we left VLAN 1 off a trunk port, would the trunk port still use VLAN 1 for control traffic?

Thank you

VIP Super Bronze

Native VLAN decisions

Correct, CDP, VTP, etc... will still use vlan 1.

HTH

New Member

Native VLAN decisions

Thanks Reza,

Not to beat a dead horse - so if we did a "switchport trunk allowed vlan 2,5,10,20" and didn't include VLAN 1 in the trunk port configuration, VLAN 1 would still exist on the trunk port and would be used for control traffic on that trunk port?

Even when I do a "show int trunk", VLAN 1 is not shown?

Thank you.

VIP Super Bronze

Native VLAN decisions

Yes,

Have a look:

CDP, VTP, and PAgP updates are always forwarded on trunks with a VLAN 1 tag. This is the case even if VLAN 1 has been cleared from the trunks and is not the native VLAN. If you clear VLAN 1 for user data, the action has no impact on control plane traffic that is still sent with the use of VLAN 1.

and here is the link:

http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml#pre6

HTH

New Member

Native VLAN decisions

Thanks Reza - I'll give it a read.

To sum up - would you recommend creating a new VLAN for unused ports, place all unused ports in that VLAN, create a new VLAN for management and use that for Layer 2 switch management (we use loopbacks for layer 3), create a new VLAN for the native VLAN and use that native VLAN as the native VLAN on trunk ports, shut interface VLAN 1 and not include vlan 1 as an included VLAN on the trunks as we won't be using it for any user data?

It's a mouthful, sorry.

VIP Super Bronze (accepted solution)

Native VLAN decisions

You got it all correct Patrick.

These are all good common security practices.

Good Luck

Reza
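As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script audits an IOS-style running-config for the things the thread agrees to avoid: trunks left at native VLAN 1, trunks that still allow VLAN 1 for user data, active access ports left in the default VLAN 1, and an interface Vlan1 that has not been shut down. The embedded running-config is constructed for illustration only; the interface names are invented and VLAN 999 (native) and VLAN 888 (parking unused ports) follow Reza's numbering. The parser is deliberately simple and makes one assumption worth knowing: a port with no explicit `switchport mode` is treated as an access port for the audit.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config (not from the thread). It contains one trunk
# left at the IOS defaults, one trunk hardened the way the thread recommends, one
# access port left in VLAN 1, and one unused port parked in VLAN 888 and shut down.
SAMPLE_CONFIG = """\
!
interface Vlan1
 no ip address
!
interface GigabitEthernet1/0/1
 description uplink-default
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink-hardened
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 2,5,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 description user-port-default
 switchport mode access
!
interface GigabitEthernet1/0/4
 description parked-unused-port
 switchport access vlan 888
 switchport mode access
 shutdown
!
"""

PHYSICAL_PREFIXES = ("ethernet", "fastethernet", "gigabitethernet", "tengigabitethernet")
ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separators end the current interface stanza
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # any other top-level command ends the stanza
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1-5,10,20'; 'all' is 1-4094, 'none' is empty."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit_vlan1(config: str) -> List[str]:
    """Return one finding per VLAN 1 exposure in the config, in config order."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower() == "vlan1":
            if "shutdown" not in cmds:
                findings.append(f"{name}: SVI for VLAN 1 is not shut down")
            continue
        if not name.lower().startswith(PHYSICAL_PREFIXES):
            continue
        mode, native, access_vlan = "access", 1, 1   # IOS defaults; mode is an assumption
        allowed = set(ALL_VLANS)                     # trunks allow every VLAN by default
        shut = "shutdown" in cmds
        for c in cmds:
            if c == "switchport mode trunk":
                mode = "trunk"
            elif c == "switchport mode access":
                mode = "access"
            m = re.match(r"switchport trunk native vlan (\d+)$", c)
            if m:
                native = int(m.group(1))
            m = re.match(r"switchport trunk allowed vlan(?: (add|remove|except))? (.+)$", c)
            if m:
                op, spec = m.group(1), expand_vlan_list(m.group(2))
                if op == "add":
                    allowed |= spec
                elif op == "remove":
                    allowed -= spec
                elif op == "except":
                    allowed = set(ALL_VLANS) - spec
                else:
                    allowed = spec
            m = re.match(r"switchport access vlan (\d+)$", c)
            if m:
                access_vlan = int(m.group(1))
        if mode == "trunk":
            if native == 1:
                findings.append(f"{name}: trunk uses native VLAN 1")
            if 1 in allowed:
                findings.append(f"{name}: trunk allows VLAN 1 for user data")
        elif access_vlan == 1 and not shut:
            findings.append(f"{name}: active access port in default VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan1(SAMPLE_CONFIG):
        print(finding)
```

Against the sample config the script reports four findings: the unshut Vlan1 SVI, the native VLAN and the allowed list on GigabitEthernet1/0/1, and the active access port in VLAN 1 on GigabitEthernet1/0/3; the hardened trunk and the parked port produce nothing. One caveat that follows from the Cisco text Reza quoted: the "allows VLAN 1 for user data" finding is only about user data. CDP, VTP and PAgP are still sent with a VLAN 1 tag on a trunk even after VLAN 1 is cleared from the allowed list, so clearing it is about limiting exposure, not about silencing the control plane.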
