Cisco Support Community
Community Member

VLAN 1

If you change your native VLAN to something other than VLAN 1, are there any ramifications in administratively shutting down VLAN 1?

18 REPLIES

Re: VLAN 1

You can administratively shut down VLAN 1 without any ramifications.

You can use any other Vlan for management.

Hall of Fame Super Blue

Re: VLAN 1

There are 2 things here. Firstly, vlan 1 is traditionally used as the management vlan, i.e. the vlan you use to actually access the switches.

The native vlan is the vlan that does not have a tag attached to it when packets for that vlan are sent across a trunk.

So shutting vlan 1 down is often more to do with changing the management vlan rather than changing the native vlan. It is recommended to have a non-routed vlan for your native vlan, and a different vlan than 1 or the native vlan for managing the switch.

Jon

Community Member

Re: VLAN 1

Jon,

Thank you for your response.

It is my understanding that by default VLAN 1 is the management VLAN and the native VLAN. I thought the reason it was suggested to change your native VLAN to something other than VLAN 1 was to ensure network control traffic, such as CDP, DTP, PAgP, VTP, would not be affected by the possibility of user traffic; that is, if an access port was not purposely assigned to a particular VLAN and defaulted to using VLAN 1.

I also thought that is why the management VLAN was suggested to be something other than the native VLAN: to separate the SSH or telnet traffic from the control protocol traffic.

Why is it recommended that the native VLAN be a non-routed VLAN? What are your thoughts about separating the control traffic from user and management traffic? I'm assuming STP is also carried on the native VLAN. I read somewhere that STP uses VLAN 1 and that this cannot be changed, which is what prompted my question regarding shutting down VLAN 1.

Hall of Fame Super Blue

Re: VLAN 1

Yes, by default vlan 1 is the management and the native vlan. It is also the vlan to which all ports are assigned by default.

Network traffic and user traffic are not really to do with the native vlan as such. The native vlan is there purely for backwards compatibility with 802.1d switches that do not understand vlan tagging.

If you change the native vlan and shut down vlan 1, CDP/PAgP/VTP will still be sent on vlan 1 - this won't change. STP is slightly different as nowadays you tend to run per-vlan STP.

The idea of having a separate management vlan is to ensure that user traffic is not in the same vlan. With a dedicated vlan you can control who can or cannot access that vlan.

The native vlan should be non-routed because it is

a) never going to have any user ports in it

b) never going to be accessed remotely from the switch.

So there is absolutely no reason why you need the native vlan to be a routable vlan, and if you don't need it to be routed then it is safer not to make it. Ideally no ports should ever be allocated to the native vlan.

Have I answered your questions?

Jon

Community Member

Re: VLAN 1

Jon,

Your answer was helpful. Are you 100% certain that the control protocols will continue to be sent on VLAN 1 and regardless of whether it is up or down, including PVST? It's amazing how much conflicting documentation you can find on this subject.

If I understood correctly, this should be a valid configuration. Please confirm:

interface GigabitEthernet3/0/48
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport mode trunk
!
! VLAN 1 SVI shut down: no longer used for management
interface Vlan1
 no ip address
 shutdown
!
! management SVI
interface Vlan202
 ip address 10.1.202.10 255.255.255.0
!
! native VLAN SVI, left without an address so the VLAN is not routed
interface Vlan500
 no ip address
!
! global command, not part of interface Vlan500
ip default-gateway 10.1.202.1

Note: VLAN 202 is to be used as the management VLAN, VLAN 500 as the native VLAN, and some other VLAN or VLANs for all other user access.

VLAN 1 will continue to be used for control protocols, not VLAN 500 - correct? If that is true, then do I assume that VLAN 1 will need to be included in the manual pruning statement, "switchport trunk allowed vlan 1,202,500, etc.", as well?

I appreciate your patience and your assistance in my quest for definitive answers. Thanks again.

Hall of Fame Super Bronze

Re: VLAN 1

Jon is quite correct. If you need written confirmation from a cisco article, please take a moment and read this URL

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009

In addition, the pruning controls data traffic, not control traffic so even while pruning Vlan 1 on the trunk, control traffic such as CDP will go thru.

HTH,

__

Edison.

Please rate helpful posts

Community Member

Re: VLAN 1

Edison,

Thank you for directing me to the VLAN Security Best Practices whitepaper. I found it very useful, especially in regards to VLAN 1 and the importance of pruning it among other things.

However, after reading the whitepaper, I believe I have gone full circle on what VLAN the network control protocols will use. The paragraph below has caused additional confusion:

Reference - URL

"As a matter of fact, the proper configuration that should always be used is to clear the native VLAN from all 802.1Q trunks (alternatively, setting them to 802.1q-all-tagged mode achieves the exact same result). In cases where the native VLAN cannot be cleared, then always pick an unused VLAN as native VLAN of all the trunks; don't use this VLAN for any other purpose. Protocols like STP, DTP, and UDLD (check out [3]) should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets."

Are they saying prune the Native VLAN from the trunk, or do not configure the trunk with "switchport native vlan"?

Also the statement; "Protocols like STP, DTP, and UDLD should be the only rightful users of the native VLAN and their traffic should be completely isolated from any data packets." Correct me if I'm wrong, but these are also Network Control Protocols along with others like CDP, VTP and PAgP, right? The statement indicates these are the only rightful users of the native VLAN - so if that statement is true then again it sounds like if you change your native vlan to something other than VLAN 1; then your Network Control Protocols would use the new native vlan - not VLAN 1.

This is starting to feel like an Abbott and Costello movie - Who's on first?

I guess I need to call it day.... your continued responses will certainly be appreciated.

Thank you!

Re: VLAN 1

BEWARE!

There can be a complication due to a bug in CatOS (and older versions of IOS). This occurs when the native VLAN (other than VLAN 1) is manually cleared, or VTP-pruned from a trunk. In CatOS, this can stop the control traffic too, including STP BPDUs.

I know this from bitter experience! Believe me!

Kevin Dorrell

Luxembourg

Re: VLAN 1

Hi, Kevin

I think we understand the difference between disabling "interface vlan 1" and removing vlan 1 from the trunk.

You are speaking about the second, aren't you?

Re: VLAN 1

Yes I am speaking about the second.

Unusually, I have an "unused" non-1 VLAN that I use for my trunk natives. (Don't ask ... it is for historical reasons). If that gets VTP-pruned or manually removed from the trunks, then the network goes into meltdown.

CSCed00396 (IOS)

CSCdv19761 (CatOS)

I am really just warning that using a non-1 native on your trunks can have unforeseen consequences. You have to make sure it cannot be pruned or disallowed on any trunk, especially one that connects to a CatOS device.

Kevin Dorrell

Luxembourg

Community Member

Re: VLAN 1

It seems that my original question, "Are there any ramifications in administratively shutting down VLAN 1?", has been answered with a consensus of "No". However, as you can see, additional questions were spawned as a result of some of the responses received.

Can someone please answer this question with 100% certainty: "What VLAN do the network control protocols use when you change your native VLAN to something other than VLAN 1? Is it VLAN 1 or the new native VLAN?"

Also, if anyone can confirm that the proposed configuration listed above is an accurate approach, regarding the native VLAN and the Management VLAN, I would appreciate that as well.

Thank you!

Re: VLAN 1

The network control protocols are untagged. Whether that means they are "on the native VLAN" is debatable. I would prefer to think of them as not being on any VLAN at all. In most cases their significance is link-by-link rather than layer-2 end-to-end, so does it really make sense to regard them as being on any particular VLAN?

Kevin Dorrell

Luxembourg

Community Member

Re: VLAN 1

Kevin,

Based on your previous responses it did seem to matter with regards to pruning. Did I misunderstand?

Hall of Fame Super Blue

Re: VLAN 1

CDP/PAgP/VTP will always be sent on vlan 1. If vlan 1 happens to be the native vlan then these control protocols are sent untagged. If the native vlan has been changed to something other than vlan 1 then they will be sent as tagged frames across a trunk.

On ISL trunks DTP is always sent across vlan 1 so as above for these frames. However with 802.1q DTP frames are always sent across the native vlan so DTP frames will always be untagged (unless of course you tag even the native vlan).

UDLD I cannot say for sure what it does.

Jon
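The thread goes back and forth on which VLAN each control protocol rides on, and, as Jon says, the documentation conflicts. The decisive check is to mirror a trunk port (SPAN) and look at the frames. The following is an added example, not code from the thread: it parses a raw Ethernet frame, reads the optional 802.1Q tag, then the 802.2 LLC/SNAP header, and names Cisco control protocols by their well-known multicast destination MAC and SNAP protocol ID. The frames in `SAMPLE_FRAMES` are constructed by hand (not a real capture) to match the shapes Jon describes: CDP carrying a VLAN 1 tag because the native VLAN is something else, DTP crossing untagged on the native VLAN; the helpers `_frame` and `_snap` and the source MAC are made up for the example. Feed `classify` the raw bytes of each frame from whatever capture reader you use.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Well-known destination MACs used by the control protocols discussed in the thread.
CISCO_MCAST = bytes.fromhex("01000ccccccc")     # CDP, VTP, DTP, PAgP, UDLD
SSTP_MCAST = bytes.fromhex("01000ccccccd")      # PVST+ per-VLAN BPDUs
IEEE_STP_MCAST = bytes.fromhex("0180c2000000")  # IEEE 802.1D BPDUs
CONTROL_DSTS = (CISCO_MCAST, SSTP_MCAST, IEEE_STP_MCAST)
CISCO_OUI = b"\x00\x00\x0c"
CISCO_PIDS = {0x2000: "CDP", 0x2003: "VTP", 0x2004: "DTP",
              0x0104: "PAgP", 0x0111: "UDLD", 0x010B: "PVST+ BPDU"}


@dataclass
class FrameInfo:
    dst: str
    vlan: Optional[int]   # None: no 802.1Q tag, i.e. the frame crossed the trunk untagged
    protocol: str


def classify(frame: bytes) -> FrameInfo:
    """Parse the Ethernet header, optional 802.1Q tag and LLC/SNAP; name the protocol and VID."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = ":".join(f"{b:02x}" for b in frame[:6])
    (etype,) = struct.unpack_from("!H", frame, 12)
    off, vlan = 14, None
    if etype == 0x8100:                                  # 802.1Q tag: TCI, then inner type
        (tci,) = struct.unpack_from("!H", frame, off)
        (etype,) = struct.unpack_from("!H", frame, off + 2)
        vlan, off = tci & 0x0FFF, off + 4
    if etype > 1500:                                     # Ethernet II EtherType (IP etc.)
        return FrameInfo(dst, vlan, f"ethertype 0x{etype:04x}")
    dsap, ssap, ctrl = frame[off], frame[off + 1], frame[off + 2]   # 802.2 LLC header
    if dsap == 0x42 and ssap == 0x42:
        return FrameInfo(dst, vlan, "IEEE STP BPDU")
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):         # SNAP: OUI + protocol ID
        oui = frame[off + 3:off + 6]
        (pid,) = struct.unpack_from("!H", frame, off + 6)
        if oui == CISCO_OUI:
            return FrameInfo(dst, vlan, CISCO_PIDS.get(pid, f"Cisco PID 0x{pid:04x}"))
        return FrameInfo(dst, vlan, f"SNAP OUI {oui.hex()} PID 0x{pid:04x}")
    return FrameInfo(dst, vlan, f"LLC DSAP 0x{dsap:02x}")


def control_plane_vlans(frames) -> dict:
    """Map each control protocol seen on the trunk to the VID it was tagged with, or 'untagged'."""
    seen = {}
    for frame in frames:
        if frame[:6] in CONTROL_DSTS:
            info = classify(frame)
            seen[info.protocol] = "untagged" if info.vlan is None else info.vlan
    return seen


# Constructed sample frames (not a real capture); the source MAC is made up.
def _frame(dst, payload, vlan=None, ethertype=None):
    src = bytes.fromhex("001122334455")
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype or len(payload)) + payload


def _snap(pid, body=b"\x00" * 8):
    return b"\xaa\xaa\x03" + CISCO_OUI + struct.pack("!H", pid) + body


SAMPLE_FRAMES = [
    _frame(CISCO_MCAST, _snap(0x2000), vlan=1),               # CDP tagged VID 1: native is not 1
    _frame(CISCO_MCAST, _snap(0x2004)),                       # DTP untagged: rides the native VLAN
    _frame(IEEE_STP_MCAST, b"\x42\x42\x03" + b"\x00" * 35),   # IEEE BPDU, untagged
    _frame(SSTP_MCAST, _snap(0x010B), vlan=202),              # PVST+ BPDU for VLAN 202
    _frame(b"\xff" * 6, b"\x45" + b"\x00" * 19, vlan=202, ethertype=0x0800),  # user data
]

if __name__ == "__main__":
    for proto, where in sorted(control_plane_vlans(SAMPLE_FRAMES).items()):
        print(f"{proto:14s} {where}")
```

A frame reported as untagged is exactly the case Kevin raises: on the wire there is no difference between "on the native VLAN" and "on no VLAN at all". If the switch is configured to tag the native VLAN as well, expect the DTP sample's real-world counterpart to show up tagged instead.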

Community Member

Re: VLAN 1

Jon,

Thank you for your responses; they were very helpful! I realize now that I probably should have phrased my questions differently or explained why I was asking them.

I recently started a new job and found that on most of the access switches, VLAN 1 was shutdown, a new routable VLAN was created for Management purposes but was also being used as the Native VLAN on the trunk. No manual pruning (switchport trunk allowed statements) have been implemented and the spanning tree design needs some work as well. That was the reason for my questions regarding the network control protocols and the native vlan vs. the management VLAN.

I was trying to figure out what was best practice and what the best approach was to remedying the current configuration. It's amazing how much conflicting documentation there is on this subject. Thank you for your patience.

I believe after reading the responses that I should create a new routable management VLAN and include it in the switchport trunk allowed statement. The only thing I'm not 100% sure of is whether or not VLAN 1 or the new native VLAN needs to be included in the allowed statement.

Hall of Fame Super Bronze

Re: VLAN 1

"The only thing I'm not 100% sure of is whether or not VLAN 1 or the new native VLAN needs to be included in the allowed statement."

Just include the Vlans needed on the inter-switch link. I highly recommend adding the Management Vlan to the allowed list. There isn't any need to add Vlan 1 to the allowed list. Control traffic will still continue to function.

HTH,

__

Edison.

Hall of Fame Super Blue

Re: VLAN 1

Agree with Edison, you don't need to include vlan 1 in the allowed list.

As for the native vlan, just bear in mind what Kevin has said about this. I have personally never experienced this issue, but then I have never cleared the native vlan off the trunk.

As for conflicting advice, yes it can be very confusing. Part of the problem is that Cisco best practices and recommendations can change over time so it often depends on which documentation you are referring to.

Jon
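Taken together, the advice in this thread is a checklist: native VLAN not 1, unused by any access port, non-routed, and never pruned from a trunk (Kevin's warning); management VLAN on its own SVI, separate from the native VLAN and present in every trunk's allowed list; interface Vlan1 shut. The following is an added example, not from the thread or from Cisco, that parses IOS running-config text and reports departures from that checklist. `PROPOSED_CONFIG` is the poster's proposed configuration from above with an allowed list and one access port added; `FOUND_CONFIG` is a constructed sketch of what the poster says they found on the access switches (management VLAN doubling as native). Interface names and addresses in both are made up. The parser understands only the commands used here plus the `add`/`remove` forms of `switchport trunk allowed vlan`; routed ports (`no switchport`), `except`/`none`, and port-channels are outside the example.

```python
import re

ALL_VLANS = frozenset(range(1, 4095))
DEFAULTS = {"mode": None, "native": 1, "access": 1, "ip": False, "shut": False}


def parse_vlan_list(spec: str) -> set:
    """Expand an IOS VLAN list such as '1,10-20,202' into a set of VIDs."""
    vids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vids.update(range(int(lo), int(hi or lo) + 1))
    return vids


def parse_config(text: str) -> dict:
    """Collect switchport and SVI state per interface from IOS running-config text."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if not line.startswith(" "):                  # any top-level line ends an interface block
            m = re.match(r"interface (\S+)", line)
            cur = None
            if m:
                cur = ifaces[m.group(1)] = dict(DEFAULTS, allowed=set(ALL_VLANS))
            continue
        if cur is None or not (w := line.split()):
            continue
        if w[:2] == ["switchport", "mode"]:
            cur["mode"] = w[2]
        elif w[:4] == ["switchport", "trunk", "native", "vlan"]:
            cur["native"] = int(w[4])
        elif w[:3] == ["switchport", "access", "vlan"]:
            cur["access"] = int(w[3])
        elif w[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            if w[4] == "add":
                cur["allowed"] |= parse_vlan_list(w[5])
            elif w[4] == "remove":
                cur["allowed"] -= parse_vlan_list(w[5])
            else:                                     # explicit list replaces the set
                cur["allowed"] = parse_vlan_list(w[4])
        elif w[:2] == ["ip", "address"]:
            cur["ip"] = True
        elif w == ["shutdown"]:
            cur["shut"] = True
    return ifaces


def audit(text: str, mgmt_vlan: int) -> list:
    """Report departures from the native/management VLAN advice given in the thread."""
    ifaces = parse_config(text)
    svis = {int(n[4:]): i for n, i in ifaces.items() if n.lower().startswith("vlan")}
    ports = {n: i for n, i in ifaces.items() if not n.lower().startswith("vlan")}
    access_vlans = {p["access"] for p in ports.values() if p["mode"] != "trunk"}

    def routed(vid):                                  # SVI present, addressed and not shut
        s = svis.get(vid)
        return bool(s and s["ip"] and not s["shut"])

    findings = []
    if routed(1):
        findings.append("Vlan1: SVI is up with an IP address; manage the switch from a dedicated VLAN")
    if not routed(mgmt_vlan):
        findings.append(f"Vlan{mgmt_vlan}: management VLAN has no active SVI with an IP address")
    for name, p in ports.items():
        if p["mode"] != "trunk":
            continue
        nv, allowed = p["native"], p["allowed"]
        checks = [
            (nv == 1, "native VLAN is 1; pick an unused VLAN instead"),
            (nv == mgmt_vlan, f"native VLAN {nv} doubles as the management VLAN"),
            (routed(nv), f"native VLAN {nv} is routed (interface Vlan{nv} has an IP address)"),
            (nv in access_vlans, f"native VLAN {nv} has access ports assigned to it"),
            (mgmt_vlan not in allowed, f"management VLAN {mgmt_vlan} is not in the allowed list"),
            (nv not in allowed, f"native VLAN {nv} is pruned from the trunk (see Kevin's warning)"),
        ]
        findings += [f"{name}: {msg}" for bad, msg in checks if bad]
    return findings


# Constructed configs for the example; interface names and addresses are made up.
PROPOSED_CONFIG = """\
interface GigabitEthernet3/0/48
 switchport trunk native vlan 500
 switchport trunk allowed vlan 10,202,500
 switchport mode trunk
interface GigabitEthernet3/0/1
 switchport access vlan 10
 switchport mode access
interface Vlan1
 shutdown
interface Vlan202
 ip address 10.1.202.10 255.255.255.0
ip default-gateway 10.1.202.1
"""
FOUND_CONFIG = """\
interface GigabitEthernet1/0/48
 switchport trunk native vlan 202
 switchport mode trunk
interface Vlan1
 shutdown
interface Vlan202
 ip address 10.1.202.11 255.255.255.0
"""
```

Run `audit(open("running-config.txt").read(), 202)` against a `show running-config` dump; the proposed layout comes back clean, while the found layout is flagged twice on the trunk (native VLAN is the management VLAN, and it is routed). Deliberately, VLAN 1 absent from the allowed list is not a finding, matching Edison's point that control traffic keeps flowing without it.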

Community Member

Re: VLAN 1

Hello Jon!

One question:

Can the control plane traffic that flows through vlan 1 (even when vlan 1 is STP blocked, which only blocks user/data traffic) be stopped too, or not?

I would like to permit just the VLAN data traffic on one trunk and stop the control plane traffic (nothing on vlan 1). Is it possible?

Thanks,

Met.
