Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5155
Views
2
Helpful
2
Replies

Reason for Vlan 666 on Core Switch

mdargin
Level 1
Level 1

‎11-30-2009 12:19 PM - edited ‎03-06-2019 08:46 AM

What is the purpose of having VLAN 666 (This is a VLAN that does not have an ip address) being used for Vacant and Unused ports?  Why not just shutdown the ports that are not being used?

I was received a recommendation from a CCIE consultant to use VLAN 666 as a vacant and unused port VLan and assign all vacant ports to it.  I dont understand the benefit of it.

Here is an example of what he wanted me to configure as VLAN 666

interface vlan 666

description Penalty Box vlan, Assign all unused/vacant ports here

no ip address

no ip redirects

no ip proxy-arp

no ip mask-reply

no ip directed broadcast

no ip forward-protocol (etc)

Thank you for all responses to this post!!!

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎11-30-2009 12:25 PM 

mdargin wrote:
What is the purpose of having VLAN 666 (This is a VLAN that does not have an ip address) being used for Vacant and Unused ports?  Why not just shutdown the ports that are not being used?
I was received a recommendation from a CCIE consultant to use VLAN 666 as a vacant and unused port VLan and assign all vacant ports to it.  I dont understand the benefit of it.
Here is an example of what he wanted me to configure as VLAN 666
interface vlan 666
 description Penalty Box vlan, Assign all unused/vacant ports here
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip mask-reply
 no ip directed broadcast
 no ip forward-protocol (etc)
Thank you for all responses to this post!!!

Well actually i wouldn't even configure a L3 interface for it as it is never meant to be used to pass traffic.

We used to use vlan 998 for the same purpose. We created vlan 998 in the vlan database but didn't create a L3 interface vlan for it.

The benefit is that by default all ports are in vlan 1. Vlan 1 is often active within the switched network even though Cisco recommends shutting down the vlan 1 interface and using different vlans for managing the switch/native vlan.

If you haven't disabled vlan 1 for end devices in your network and a port is accidentally left up then anyone connecting in on that port will have access to the network and probably on the same vlan that is used to manage the switches.

If you create an unused vlan without a L3 interface and allocate all unused ports into that then even if the port is left up there is nothing anyone can do if they connect via that port.

It's just another additional security aspect to your network.

Jon

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎11-30-2009 01:19 PM

Hello,

I totally agree with Jon unused ports should be put in a vlan without any L3 services there is no sense to configure an SVI without an IP address.

The usage of a vlan different  from vlan1 for unused ports is a recommendation for L2 security, vlan1 can expose some sensitive information to malicious users/devices because some signaling protocols use it.

As Jon has written it is an additional security measure that can be useful.

Hope to help

Giuseppe

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card