11-30-2009 12:19 PM - edited 03-06-2019 08:46 AM
What is the purpose of having VLAN 666 (this is a VLAN that does not have an IP address) being used for vacant and unused ports? Why not just shut down the ports that are not being used?
I received a recommendation from a CCIE consultant to use VLAN 666 as a vacant and unused-port VLAN and assign all vacant ports to it. I don't understand the benefit of it.
Here is an example of what he wanted me to configure as VLAN 666:
interface vlan 666
description Penalty Box vlan, Assign all unused/vacant ports here
no ip address
no ip redirects
no ip proxy-arp
no ip mask-reply
no ip directed broadcast
no ip forward-protocol (etc)
Thank you for all responses to this post!!!
11-30-2009 12:25 PM
mdargin wrote:
What is the purpose of having VLAN 666 (this is a VLAN that does not have an IP address) being used for vacant and unused ports? Why not just shut down the ports that are not being used?
I received a recommendation from a CCIE consultant to use VLAN 666 as a vacant and unused-port VLAN and assign all vacant ports to it. I don't understand the benefit of it.
Here is an example of what he wanted me to configure as VLAN 666:
interface vlan 666
description Penalty Box vlan, Assign all unused/vacant ports here
no ip address
no ip redirects
no ip proxy-arp
no ip mask-reply
no ip directed broadcast
no ip forward-protocol (etc)
Thank you for all responses to this post!!!
Well, actually I wouldn't even configure an L3 interface for it, as it is never meant to be used to pass traffic.
We used to use VLAN 998 for the same purpose. We created VLAN 998 in the VLAN database but didn't create an L3 interface VLAN for it.
The benefit is that by default all ports are in VLAN 1. VLAN 1 is often active within the switched network, even though Cisco recommends shutting down the VLAN 1 interface and using different VLANs for managing the switch/native VLAN.
If you haven't disabled VLAN 1 for end devices in your network and a port is accidentally left up, then anyone connecting in on that port will have access to the network, and probably on the same VLAN that is used to manage the switches.
If you create an unused VLAN without an L3 interface and allocate all unused ports into it, then even if a port is left up there is nothing anyone can do if they connect via that port.
It's just another additional security aspect to your network.
Jon
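A check a practitioner can run on the advice above, added here and not part of Jon's post or the thread: a small Python audit of a running-config that flags access ports still up in default VLAN 1 and any SVI defined on the parking VLAN. The parking VLAN number 998 and the sample config are constructed assumptions.

```python
import re
PARKING_VLAN = 998  # assumed parking VLAN number, as in Jon's reply
# Constructed sample running-config, not taken from the thread
SAMPLE_CONFIG = """\
interface Vlan998
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
 shutdown
!
interface GigabitEthernet0/5
 switchport access vlan 998
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to the indented lines under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the stanza
    return blocks

def audit(config, parking_vlan=PARKING_VLAN):
    """Flag SVIs on the parking VLAN and live access ports left in default VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("vlan"):  # an SVI gives the VLAN an L3 presence
            if name[4:] == str(parking_vlan):
                findings.append(f"{name}: SVI exists on parking VLAN {parking_vlan}; remove it")
            continue
        if "switchport mode trunk" in lines:
            continue  # trunks carry many VLANs and are out of scope here
        vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
        if vlan == "1" and "shutdown" not in lines:
            findings.append(f"{name}: up in default VLAN 1; move to VLAN {parking_vlan} and shut down")
    return findings
```

Run `audit()` over the output of `show running-config`; a shut port in VLAN 1 passes, so the check only reports ports that are both live and unparked.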
11-30-2009 01:19 PM
Hello,
I totally agree with Jon: unused ports should be put in a VLAN without any L3 services; there is no sense in configuring an SVI without an IP address.
The use of a VLAN different from VLAN 1 for unused ports is a recommendation for L2 security; VLAN 1 can expose some sensitive information to malicious users/devices because some signaling protocols use it.
As Jon has written, it is an additional security measure that can be useful.
Hope to help
Giuseppe