topic Re: How safe to use VLAN 1 if it's not spannning or any device on it in Cloud Networking Platform

How safe to use VLAN 1 if it's not spannning or any device on it

SahadSalmiT — Sat, 22 Apr 2023 17:56:18 GMT

Hi Guys,

I have a question about the best practice around not using VLAN 1. I have VLAN 1 untagged in all trunks between MX and switches with the following.

* Do not have any devices.

* Don't have any DHCP configured.

* Don't have any VLAN interface created.

* VLAN 1 is not spanning anywhere except in these trunk ports between MX and switches

* Don't have any management traffic (Have separate VLAN for that)

* None of the edge ports contain VLAN 1

I have run packet capture with this design then I run another one using VLAN 5 same scenario, since the untagged VLAN is untagged I couldn't see any difference from VLAN 1 to VLAN 5.

Should I worry about anything related to security here? , Let me know if I am missing anything.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

aleabrahao — Sat, 22 Apr 2023 18:31:10 GMT

Not using VLAN1 is just a good practice recommendation as it is the default VLAN of any switch, but it does not mean that it cannot be used or that network security is at risk. Security goes much further than a simple VLAN.

If possible, avoid using it, but if you do, that's fine, it's not the end of the world.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

SahadSalmiT — Sat, 22 Apr 2023 20:05:16 GMT

@alessandrodematos Thanks for your reply, do you know any list of security problems that might occur if I used VLAN 1? I am just curious to know the wisdom behind it.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

aleabrahao — Sat, 22 Apr 2023 21:13:58 GMT

Unfortunately not, but you can Google it and analyze by your self.

https://www.oreilly.com/library/view/cisco-lan-switching/1587050897/1587050897_ch04lev1sec8.html#:~:text=VLAN%201%20contains%20control%20plane,(NMP)%20of%20the%20supervisor.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Brash — Sat, 22 Apr 2023 22:00:36 GMT

The main reasons vlan 1 is considered a potential security risk is because it is the default vlan on switches.

This means that if you have any enabled and unconfigured ports on a switch, someone can plug in with immediate access to vlan 1.

Additionally vlan 1 is used to exchange control plane data for some protocols (especially legacy protocols) as it was guaranteed to exist on every switch.

Placing user traffic on this vlan introduces additional variables that could impact the control plane traffic.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

SahadSalmiT — Sat, 22 Apr 2023 23:16:59 GMT

Thanks, @Brash , if it's still vulnerable to the scenario in question?

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Philip D'Ath — Sun, 23 Apr 2023 20:01:14 GMT

I wouldn't worry about it. In Meraki land, spanning tree protocols only use the untagged VLAN. They need that to flow to let spanning tree form properly.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Domntr05 — Fri, 05 Jan 2024 13:18:03 GMT

Guys, Meraki best practice lists that VLAN 1 should be allowed on a trunk between a Catalyst and MS Meraki switch. Please see picture below.

However, Cisco best practice recommends to remove VLAN 1 from trunks. I have it removed and it seemed to work fine. So, what are your recommendations?

Thank you in advance,

Re: How safe to use VLAN 1 if it's not spannning or any device on it

aleabrahao — Fri, 05 Jan 2024 19:59:51 GMT

I disagree, I prefer to avoid VLAN 1 whenever possible.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Domntr05 — Fri, 05 Jan 2024 20:04:32 GMT

That's what I thought. Thks

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Brash — Fri, 05 Jan 2024 20:07:14 GMT

Meraki switches use VLAN 1 to send and receive BPDU's for STP.

If you block VLAN 1 on the link between the Catalyst and Meraki switches, they won't see each other in the STP topology.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

aleabrahao — Fri, 05 Jan 2024 20:08:53 GMT

You can simply change the default VLAN.

Re: How safe to use VLAN 1 if it's not spannning or any device on it

Domntr05 — Fri, 05 Jan 2024 20:12:55 GMT

You meant to create a Management vlan and use it as Native and listed in allowed?