
Native VLAN

j-foote
Level 1

I've read that it is advisable to keep vlan1 reserved for management traffic only, and use other vlans for data traffic. My question is: should vlan1 be assigned an ip address, or should I access my switches through the other vlans I have configured with different subnets? Another thing I was wondering about was creating private vlans. What are the reasons for doing this? The switches I'm using are:

Distribution Layer - Cat4006 w/ SupII

Access Layer - C3550-SMI

Accepted Solution

milan.kulik
Level 10

Hi,

I've read similar recommendations many times in different documents.

My personal opinion is that there are three basic choices:

1) Maximum (paranoid) security in your network.

Leave VLAN1 for management traffic (CDP, VTP, DTP, CMP, etc.) only. But define another VLAN as the management VLAN, i.e. assign an IP address to another VLANx port on your switches (and shut down the VLAN1 port). Put users in different VLANs. Disable VLAN1 on all trunks (it will be disabled for user data only; CDP, etc. will still be there). Set the native VLAN on trunks to a VLAN other than VLAN1. Disable all unnecessary VLANs on trunks. Don't use VTP (set all switches to VTP transparent) and configure all VLANs manually on every switch.

This is the most secure solution.

But also the most complicated one. You can expect problems:

Some switches (Cat3550, e.g.) don't support VLAN1 disabling on trunks.

This configuration is very complex: you must change many values from their defaults and not forget to do it the same way on all switches.

Troubleshooting may become more complicated in case of problems (e.g. complete or partial config loss).

2) High security (I'd recommend):

Leave VLAN1 as the management one and define the IP addresses of your switches in this VLAN. Put users in other VLANs.

Enable VTP (two VTP servers at least) but use VTP passwords.

Depending on CPU utilization, disable (or leave enabled) unnecessary VLANs on trunks. Leave VLAN1 as native on trunks.

My opinion is that this approach gives you reasonable security without bringing additional problems at troubleshooting time.

3) Low security:

Leave everything default and assign the IP addresses of your switches in VLAN1. Leave users in VLAN1.

This is the most comfortable solution but is considered dangerous from a security point of view: any user has the possibility to Telnet to your switches (but you can protect them with access lists) or to make a DoS attack by broadcast flooding (even a damaged NIC could cause it).

Private VLANs can improve security inside a particular VLAN: you can define which ports are allowed to communicate with each other inside one VLAN.

See the Cat4000 configuration guide for details.

Regards,

Milan

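The three options above differ in a handful of configuration facts that can be checked mechanically: whether VLAN 1 carries a management IP and is shut down, whether each trunk's native VLAN has been moved off 1, whether VLAN 1 is pruned from the trunk allowed list, and whether VTP is transparent. The script below is an added example, not code from the post or from Cisco; it audits an IOS-style running-config text for exactly those points. The two sample configs are constructed (a hardened option-1 layout and an all-defaults option-3 layout), and the `vtp mode` line is assumed to be present in the text whenever it is not the default. An option-2 switch (management on VLAN 1, VTP with a password, native VLAN 1) will deliberately trigger several findings, so read the output as a checklist against option 1, not as a verdict.

```python
"""Audit an IOS-style switch config for the VLAN 1 points made above: no management
IP on VLAN 1 and Vlan1 shut down, trunk native VLAN moved off 1, VLAN 1 pruned from
trunks, VTP transparent. Added example; sample configs are constructed, not from the post."""
import re
from typing import Dict, List, Optional, Set

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or another top-level command ends the stanza
    return interfaces

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-4,10,20-22' into a set of IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def allowed_vlans(lines: List[str]) -> Optional[Set[int]]:
    """Fold 'switchport trunk allowed vlan [add|remove] ...' lines; None means all."""
    allowed: Optional[Set[int]] = None
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (?:(add|remove) )?(.+)", l)
        if m:
            kw, listed = m.group(1), expand_vlan_list(m.group(2))
            if kw == "add":
                allowed = (allowed or set()) | listed
            elif kw == "remove":
                allowed = (allowed if allowed is not None else set(range(1, 4095))) - listed
            else:
                allowed = listed
    return allowed

def audit(config: str) -> List[str]:
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    m = re.search(r"^vtp mode (\S+)", config, re.M)
    vtp_mode = m.group(1) if m else "server"  # IOS default when the line is absent
    if vtp_mode != "transparent":
        findings.append(f"VTP mode is {vtp_mode}; option 1 calls for transparent")
    vlan1 = ifaces.get("Vlan1", [])
    if any(l.startswith("ip address ") for l in vlan1):
        findings.append("interface Vlan1 carries an IP address (management on VLAN 1)")
    if "shutdown" not in vlan1:
        findings.append("interface Vlan1 is not shut down")
    for name, lines in ifaces.items():
        if "switchport mode trunk" not in lines:
            continue
        native = 1  # IOS default native VLAN
        for l in lines:
            m = re.match(r"switchport trunk native vlan (\d+)", l)
            if m:
                native = int(m.group(1))
        if native == 1:
            findings.append(f"{name}: native VLAN is 1 (default)")
        allowed = allowed_vlans(lines)
        if allowed is None:
            findings.append(f"{name}: all VLANs allowed on the trunk (no pruning)")
        elif 1 in allowed:
            findings.append(f"{name}: VLAN 1 allowed on the trunk")
    return findings

# Constructed sample: the 'maximum security' layout (option 1).
HARDENED = """\
vtp mode transparent
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,99
 switchport mode trunk
"""

# Constructed sample: everything left at defaults (option 3).
DEFAULT = """\
interface Vlan1
 ip address 10.1.1.2 255.255.255.0
interface GigabitEthernet0/1
 switchport mode trunk
"""
```

Run `audit(HARDENED)` and `audit(DEFAULT)` against the two samples: the hardened layout produces no findings, the default one produces five (VTP server, management IP on Vlan1, Vlan1 up, native VLAN 1, no pruning). Feed it the output of `show running-config` from a real switch to see which of the three options it actually matches.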

6 Replies


Question, by default does all traffic cross Vlan1?

Let’s say you are trunking between two 6500’s. One is set as the gateway out and is acting as the VTP server and the other is set as a client. Now if the client has multiple Vlanx’s, does all that data traffic heading out go across Native Vlan 1?

Addendum:

My assumption is that all traffic is crossing over Vlan 1. Assuming I'm right, is option number 2 the right option when you have several 6500's daisy-chained together and trunking over Vlan 1 with approximately 5000 users, and growing, along with video conferencing and Voice over IP that will be implemented?

I guess my question is more about performance.

Example: if I have three 6500's daisy-chained together with Gig fiber, can I create multiple native VLANs for trunking between the 6500's for better performance, or will it be the same result as having it go over Vlan 1?

Hi,

to your question:

No, by default all traffic doesn't cross Vlan1. If you configure a trunk between switches, each VLAN's traffic goes tagged per VLAN on the trunk. I.e. if you put your users in VLAN2, 3 and 4 and leave VLAN1 as the management one, user traffic goes on VLAN2-4 and only management traffic goes on VLAN1 on the trunk.

To your Example:

The native VLAN setting is always local. So if you daisy-chain switches S1-S2-S3 you can define VLAN1 as native on the trunk between S1 and S2 and VLAN4 as native on the trunk between S2 and S3. But it will not improve the performance: all the traffic still goes on the same physical trunk, and if you are sending a video conference in VLAN4 it goes on VLAN4 from S3 to S2 and still on VLAN4 from S2 to S1 without any relation to the native VLAN settings.

I hope that I explained the problem a little.

You can read http://www.cisco.com/warp/public/473/27.pdf for details.

Regards,

Milan
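The two points in the reply above (each VLAN travels under its own 802.1Q tag, and the native VLAN is a per-trunk, per-end setting that only decides which single VLAN goes untagged) can be seen directly by simulating the wire format. The script below is an added example, not code from the post; the MAC addresses and payloads are constructed. It encodes and decodes 802.1Q frames, then walks a frame over the daisy chain S3-S2-S1 with different native VLANs on the two trunks, showing that the video-conference VLAN stays VLAN 4 on every hop. It also shows the one case where the native VLAN does matter: when the two ends of a single trunk disagree, an untagged frame is placed in the receiver's native VLAN, which is why the two ends must match.

```python
"""Simulate frames crossing 802.1Q trunks: every VLAN travels under its own tag (user
VLANs do not ride on VLAN 1), and the native VLAN is a per-trunk, per-end setting that
only decides which one VLAN goes untagged. Added example with constructed frames."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TPID_8021Q = 0x8100
DST = bytes.fromhex("01005e000001")  # constructed multicast destination MAC
SRC = bytes.fromhex("0200deadbeef")  # constructed source MAC

@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan: Optional[int]  # None = untagged on the wire
    ethertype: int
    payload: bytes

def encode(f: Frame) -> bytes:
    """Serialize; a tagged frame inserts TPID + TCI (PCP 0, DEI 0, VID) after the MACs."""
    hdr = f.dst + f.src
    if f.vlan is not None:
        hdr += TPID_8021Q.to_bytes(2, "big") + (f.vlan & 0x0FFF).to_bytes(2, "big")
    return hdr + f.ethertype.to_bytes(2, "big") + f.payload

def decode(wire: bytes) -> Frame:
    """Parse the wire format back, detecting the tag by the 0x8100 TPID."""
    dst, src = wire[:6], wire[6:12]
    ethertype = int.from_bytes(wire[12:14], "big")
    if ethertype == TPID_8021Q:
        vid = int.from_bytes(wire[14:16], "big") & 0x0FFF
        return Frame(dst, src, vid, int.from_bytes(wire[16:18], "big"), wire[18:])
    return Frame(dst, src, None, ethertype, wire[14:])

def trunk_egress(vlan: int, native_vlan: int, payload: bytes) -> bytes:
    """Sending end: frames of this trunk's native VLAN leave untagged, all others tagged."""
    tag = None if vlan == native_vlan else vlan
    return encode(Frame(DST, SRC, tag, 0x0800, payload))

def trunk_ingress(wire: bytes, native_vlan: int) -> int:
    """Receiving end: an untagged frame is placed in *this* end's native VLAN."""
    f = decode(wire)
    return native_vlan if f.vlan is None else f.vlan

def carry(vlan: int, tx_native: int, rx_native: int) -> Tuple[bool, int]:
    """One trunk hop: (was the frame tagged on the wire?, VLAN it lands in)."""
    wire = trunk_egress(vlan, tx_native, b"payload")
    return decode(wire).vlan is not None, trunk_ingress(wire, rx_native)

def forward_path(vlan: int, trunks: List[Tuple[int, int]]) -> List[Tuple[bool, int]]:
    """Carry a frame over daisy-chained trunks, each given as (tx_native, rx_native)."""
    hops = []
    for tx_native, rx_native in trunks:
        tagged, vlan = carry(vlan, tx_native, rx_native)
        hops.append((tagged, vlan))
    return hops

if __name__ == "__main__":
    # S3 -> S2 uses native VLAN 4, S2 -> S1 uses native VLAN 1 (both ends matched).
    print(forward_path(4, [(4, 4), (1, 1)]))  # video in VLAN 4 stays in VLAN 4 on both hops
    print(carry(2, 1, 1))  # user VLAN 2 is tagged 2 on the trunk, never carried on VLAN 1
    print(carry(1, 1, 4))  # native mismatch: an untagged VLAN 1 frame lands in VLAN 4
```

The first hop in `forward_path` is untagged (VLAN 4 is native there) and the second is tagged, yet the frame is in VLAN 4 at both S2 and S1, which is the reply's point that the native VLAN choice changes only the tag on the wire and not the path or the load. The last line is the reason the native VLAN must be configured identically on both ends of every trunk.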

So if I want to improve performance over the same pipe, that's when you enable QoS?

J

Yes.

Another possibility (in a LAN environment especially) is to increase bandwidth: FastEtherChannel or GigabitEtherChannel.

Regards,

Milan