Cisco Support Community
Community Member

VLAN design question


I have a fairly simple network: several VLANs (geographically divided) routed at an L3 switch.

I am trying to redesign my VLANs, but I am not really sure what the best practice is. If anybody has any tips, they will be greatly appreciated.

I also have a question about disabling VLAN 1. Currently I am using VLAN 1 for a group of users, and I plan to move them to a different VLAN. I also plan to shut down VLAN 1 because I keep hearing that VLAN 1 can be exploited for attacks. But then again, I also seem to remember my CCNA book saying that VLAN 1 is used for sending administration info such as CDP/VTP. Does this mean that I wouldn't be able to use CDP/VTP once I shut down VLAN 1?




Re: VLAN design question

Best practice for VLANs is to keep each VLAN limited to no more than 200 end-stations. So each VLAN would effectively map to a Class C or /24 IP subnet. (This figure is from the Cisco Press book "Top-Down Network Design" by Priscilla Oppenheimer; page 103, Table 4-8: The Maximum Size of a Broadcast Domain. A VLAN is a broadcast domain.)

It's a good idea to get your users off VLAN 1, if you have several VLANs. If you have only one VLAN, then it doesn't really matter. (That's why all ports are shipped on VLAN 1 by default.)

I suppose VLAN 1 can be exploited for attacks, since that is the VLAN that Cisco uses to communicate VTP information on VLAN trunk ports, and it is therefore the only VLAN not eligible for pruning off a VLAN trunk connection. (Actually, I would consider that a good working rule; it may not be 100% true anymore. I seem to remember reading somewhere that some newer Cisco switches, or maybe it was more recent versions of CatOS or Cisco IOS, would allow you to prune VLAN 1. But I haven't been keeping up with developments in that area.)

The big concern would be if you're in an environment where other companies or agents can patch their switches into your network trunk connections. You can secure against this by assigning a password to your VTP domain. Then, if a foreign switch tries to listen in on your VTP advertisements or send some of its own using your VTP domain name, it won't work without the correct password.

Note: The VTP domain password must be applied to all switches in the domain, and it is not stored in the running-config.

And the management IP addresses of the Cisco switches are assigned to VLAN 1 by default, too, which I guess could make them vulnerable to hacking. But that VLAN assignment can be changed.

If you do manage to eliminate VLAN 1 between switches (by not using trunks and tagging, but instead using multiple connections, one per access VLAN), you will lose the flexibility of configuration that comes with VTP.

CDP should work though, regardless; unless you disable it on a port-by-port basis.

Hope this helps.
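The following is an added example, not part of the original question or answer, showing the hardening steps the reply describes (users moved off VLAN 1, a VTP domain password, the management address moved to its own VLAN, VLAN 1 removed from the trunk's allowed list, and CDP disabled per port) as a Cisco IOS Catalyst configuration. Interface names, VLAN numbers, the VTP domain name, the password and the addresses are made-up placeholders. It assumes a Cisco IOS switch, where `switchport trunk allowed vlan` does let you drop VLAN 1 from a trunk's data VLANs (the point the answer hedges on); CDP, VTP and DTP frames still cross the trunk untagged regardless of that list, so they keep working between the switches.

```cisco
! Added example (hypothetical Cisco IOS config), not from the thread.
! Placeholder names/addresses: VLANs 10/20/99/999, domain CORP,
! 192.0.2.0/24 management subnet.
!
! --- BEFORE: the shipping defaults the reply warns about ---
! interface GigabitEthernet1/0/1
!  switchport mode access        ! access VLAN defaults to 1
! interface Vlan1
!  ip address 192.0.2.10 255.255.255.0   ! management IP lives on VLAN 1
! interface GigabitEthernet1/0/48
!  switchport mode trunk         ! all VLANs allowed, native VLAN 1, no VTP password
!
! --- AFTER ---
! 1. VTP: name the domain and set a password so a foreign switch in
!    the same domain name can't read or inject advertisements. The
!    password is not written to running-config; check it with
!    "show vtp password" on every switch in the domain.
vtp domain CORP
vtp password S3cretVtpPass
vtp pruning
!
! 2. Create the VLANs; none of the ones carrying traffic is VLAN 1.
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 99
 name MGMT
vlan 999
 name NATIVE-UNUSED
!
! 3. Move the user group off VLAN 1 onto an access VLAN, and turn
!    CDP off only on the user-facing ports (per port, as the reply says).
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 no cdp enable
!
! 4. Put the management address on its own VLAN and shut the VLAN 1
!    SVI so the switch no longer answers on VLAN 1 at all.
interface Vlan99
 ip address 192.0.2.10 255.255.255.0
 no shutdown
interface Vlan1
 no ip address
 shutdown
ip default-gateway 192.0.2.1
!
! 5. Trunk to the neighbouring switch: allow only the VLANs that must
!    cross it (VLAN 1 is not in the list) and move the native, i.e.
!    untagged, VLAN from the default of 1 to an unused VLAN.
interface GigabitEthernet1/0/48
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 cdp enable
!
! Verification (outputs omitted):
!  show vtp status          ! domain name, mode, config revision
!  show vtp password        ! confirms the password is set
!  show interfaces trunk    ! "Vlans allowed on trunk" must not include 1
!  show vlan brief          ! no access ports should remain in VLAN 1
```

Apply the same VTP domain and password on every switch before you rely on it; a switch with the right domain name and no password will simply stop receiving advertisements rather than fail loudly. The native VLAN must match on both ends of the trunk, otherwise CDP will log a native VLAN mismatch.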
