vlan 1


I was just going through some documentation about disabling VLAN 1 on trunks, and I came across the following lines...

"On the Catalyst enterprise LAN switches, VLAN 1 is enabled by default to allow control protocols to transmit and receive packets across the network topology. However, when VLAN 1 is enabled on trunk links in a large complex network topology, the impact of broadcast storms increases. Because spanning tree applies to the entire network topology, the possibility of spanning tree loops also increases when VLAN 1 is enabled on all trunk links. To prevent this situation, you can disable VLAN 1 on trunk interfaces.

When you disable VLAN 1 on a trunk interface, no user traffic is transmitted or received across that trunk interface, but the supervisor engine will continue to transmit and receive packets from control protocols such as Cisco Discovery Protocol (CDP), VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), Dynamic Trunking Protocol (DTP), and so forth."

My doubts are:

1) How can enabling VLAN 1 on trunks increase the possibility of spanning tree loops?

2) I have read that VTP, CDP, etc. use VLAN 1 for their propagation, so how will the supervisor engine receive VTP and CDP if VLAN 1 is disabled on the trunk?

Thanks in advance.


A1. They say this simply because VLAN 1 is the default VLAN, and therefore gets everywhere. It is therefore the most likely one to suffer from broadcast storms. I don't think VLAN 1 is inherently any more susceptible to instability than the others, except that it is the default. Perhaps someone else can put me right on this?

A2. An exception is made for the link control protocols such as CDP, VTP, etc. They only have significance on the link, from switch to switch, and are not forwarded by the switch in the conventional sense. They are not subject to Spanning Tree issues because they never get as far as the switch's internal bridge ports. (Maybe VTP transparent is an exception to this, or maybe it is not so transparent as it looks.)

It has always seemed strange to me that these protocols are tied to VLAN 1, even if the native VLAN of the trunk is something else. That presumably means that they can be tagged as VLAN 1, which seems a bit strange for protocols whose significance is confined to a link. I would have expected at least CDP to be untagged, i.e. on the native VLAN, as that is the one that is supposed to detect native-VLAN mismatches.

Kevin Dorrell


Hi Kevin,

Read this article, it's an excellent explanation:

I wouldn't recommend disabling VLAN1 on trunks.

It could bring STP trouble in the case of a multivendor L2 network (see Common STP in the article).

I'd recommend just using another VLAN as the management one and also another VLAN as the native VLAN on trunks.

On the other hand: if you leave everything default (VLAN1 as management VLAN and trunk native VLAN), your network remains plug-and-play and you have less work when connecting a new switch.

The "paranoid" (most secure, less comfortable) configuration is:

1) Configure VLANx for network device management (use ACLs to limit access to it).

2) Configure VLANy as native on trunks. Use it only for this purpose, don't put any users in it (VLAN-hopping attack possibility).

3) Leave VLAN1 enabled on trunks, but don't put users in it. This way it would be used for control plane protocols (VTP, CDP, etc.) only.
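The three steps above written out as a Cisco IOS configuration fragment. This is an added example, not from the original post; VLAN 100 (the "VLANx" management VLAN), VLAN 999 (the "VLANy" native VLAN), VLAN 10 for users, the 10.10.100.0/24 and 10.10.200.0/24 subnets and the interface names are all assumed values.

```cisco
! Added example, not from the original thread. VLAN numbers, subnets
! and interface names are assumed values.
!
! Step 1: dedicated management VLAN (x = 100) with an SVI, and an ACL
! that only lets the admin subnet open SSH sessions to the switch.
vlan 10
 name USERS
vlan 100
 name MGMT
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description Network device management
 ip address 10.10.100.11 255.255.255.0
 no shutdown
!
ip access-list standard MGMT-VTY
 permit 10.10.200.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
 transport input ssh
!
! Step 2: native VLAN (y = 999) used for nothing else; no access port
! is ever assigned to it, which addresses the VLAN-hopping concern.
vlan 999
 name NATIVE-UNUSED
!
! Step 3: VLAN 1 stays allowed on the trunk so CDP, VTP, PAgP and DTP
! keep working, but no access port is placed in it either.
interface GigabitEthernet0/1
 description Trunk to distribution switch
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1,10,100,999
 switchport mode trunk
!
! User ports live in a normal data VLAN, never in 1 or 999.
interface GigabitEthernet0/10
 description User port
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
```

`show interfaces trunk` then lists the native VLAN and allowed VLANs per trunk, so a mismatch of the native VLAN between two switches (which CDP also reports) is easy to spot.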



Ans 1: I don't think that enabling VLAN 1 creates a loop.

Ans 2: If you're disabling VLAN 1 then you have to make some other VLAN the management VLAN, because when the switch generates any frame, which VLAN does that frame belong to if you're using dot1q encapsulation on trunk links? The native VLAN of the switch must match... this is the only reason. Hope this helps you.

I am sorry, I forgot to tell you that by default on the sup engine PVST is enabled.