Cisco Support Community
Community Member

Management VLAN's

Per a recommendation from Cisco (I do not remember the exact origin of this recommendation), we have decided to change (in all future deployments) the management VLAN from the default VLAN1 to a VLAN other than 1. For argument's sake, let's call this VLAN 500.

Catalyst 3550 :

We have been able to successfully change the VLAN to 500, not allowing VLAN1 to trunk, and also leaving VLAN1 in a "shutdown" state. The VTP information successfully propagates from the [server] 3550 to other [client] 3550s after a change is made (addition or deletion of a VLAN).

Catalyst 4507R:

Under the same conditions above, we are unable to propagate changes from the [server] 4507R (Supervisor IV) to the [client] Catalyst 3550. If we allow the Gig ports to trunk VLAN1 (even though VLAN1 is in a shutdown state), all VTP information will propagate to the other switches after a change is made.

Is there any benefit to changing the management VLAN to 500, if it is necessary to trunk VLAN1 in order for this to work?

Has the Management VLAN actually changed, if it is necessary to trunk VLAN1 in order for this to work?

Is there something I am missing?


Community Member

Re: Management VLAN's


You are actually asking two questions, the first I will address is VLAN 1.

In order for VTP information to pass between devices, the connection must be a trunk. VLAN 1 needs to be on this trunk as it is the only vlan that will carry VTP information.

Management VLAN other than VLAN1:

The downside of VLAN 1 as your management VLAN is the fact that you will have a single VLAN propagated throughout your entire network. With the use of VTP, you can't restrict your management VLAN to out-of-band (the preferred management implementation). With the use of a different VLAN for management, your VLAN 500, you can control such things as STP loops and VLAN propagation, and you can do all of this out-of-band.

These are my answers, let me know if this helps or if you need additional information. Good luck.


Re: Management VLAN's


AFAIK, disabling VLAN1 on a trunk means disabling it only for user data transfer.

It means that Cisco "management" protocols (VTP, CDP, CMP, etc.) are still sent on VLAN1 - you can't remove it completely from a trunk, actually.

If you want to separate management traffic from user traffic (and the only reasonable reason for doing that which I know of is preventing switch CPU overload in the case of a user broadcast storm), I would recommend leaving VLAN1 as the management one and moving users to other VLANs.



Community Member

Re: Management VLAN's

It is not good practice to have your management VLAN be VLAN1 because every port's default VLAN is 1. Meaning.. potentially, if not configured correctly on the switch, user ports could easily become management ports & are a potential security hazard. Also.. you don't ever want your data traffic to see your management traffic & vice versa. Imagine this scenario.. say a user plugged into a port.. configured for the default VLAN of 1.. which is also your management VLAN.. now say that user just happened to launch a software-bridge program capable of generating BPDU/STP frames configured with a priority of less than 8192 (or anything less).. potentially STP could converge so that this machine is now the STP root for the entire network.. creating an extremely dangerous situation. Chances of that happening.. are slim.. but it's good practice to keep your management VLAN anything other than 1. Hope this helps.

- Matt

Re: Management VLAN's

I would agree with you in case it were possible to move Cisco proprietary "management" protocols (VTP, CDP, CMP, etc.) from VLAN1 to another VLAN.

But it's impossible.

To your arguments:

1) It's the administrator's responsibility to configure ports to split user and management data - from this point of view there is no difference between moving management to VLANx or user ports to VLANx.

2) I've noticed several times incompatibility problems when moving management VLAN from VLAN1.

3) To avoid rogue STP roots - it's possible to configure the root-guard or BPDU-guard feature. If there is a hacker in your network he can try to become a root even in a user VLAN. But this is not "extremely dangerous". There are more dangerous attacks.
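As an added illustration (not configuration posted by anyone in this thread), the following IOS snippet combines the measures the replies above mention: the management SVI on VLAN 500 with VLAN 1 shut down and removed from the trunk allowed list, BPDU guard on user ports, and root guard on the distribution port facing the access switch. Interface names, VLAN 10 and the IP addresses are assumed example values.

```cisco
! --- Access switch (e.g. Catalyst 3550): management moved off VLAN 1 ---
vlan 500
 name MANAGEMENT
!
interface Vlan1
 description Default VLAN - not used for management
 no ip address
 shutdown
!
interface Vlan500
 description In-band management SVI (address is an assumed example)
 ip address 10.0.50.2 255.255.255.0
 no shutdown
!
ip default-gateway 10.0.50.1
!
! Uplink trunk: drop VLAN 1 from the allowed list so no user data rides it.
! VTP/CDP control frames still use VLAN 1, as the replies above note.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 1
!
! User ports: never VLAN 1, and err-disable the port if a BPDU ever arrives,
! which blocks the "user PC becomes STP root" scenario from the thread.
interface range FastEthernet0/1 - 24
 description User access port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! --- Distribution switch (e.g. Catalyst 4507R), port facing the access switch ---
! Root guard belongs on ports that must never see a superior BPDU, i.e. the side
! facing downstream switches. Do not put it on an access switch's own uplink toward
! the real root, or that uplink goes root-inconsistent and blocks.
interface GigabitEthernet1/1
 description Downlink to access switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 1
 spanning-tree guard root
!
! Verification after the change:
! show vtp status
! show interfaces trunk
! show spanning-tree summary
! show spanning-tree inconsistentports
```

`show interfaces trunk` should list VLAN 500 but not VLAN 1 under "Vlans allowed on trunk", while `show vtp status` confirms the revision number still advances on the clients after a VLAN change.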


