Dedicated VLAN IDs on trunk ports

Kevin Melton
Level 2

I was reading the SAFE: Security Blueprint for Enterprise Networks. This document states, in its "Switches are targets" section on page 6, that you should "Always use a dedicated VLAN ID for all trunk ports"...

I am trying to understand this concept fully.

If I consider my trunk ports, most are physical fiber links that interconnect the switches. Some trunk links connect the Distribution layer to the Access layer; some connect Distribution to Core.

Where do I put the VLAN ID on these? Should I translate this to mean that on Gig0/0 on SW.1 I place this interface in VLAN 23, and on the switch at the other end of the link I also place Gig0/0 in VLAN 23?

Also, I am not sure why this helps secure the switch. Can someone please assist? I am grateful.

Accepted Solution

thisisshanky
Level 11

I am not exactly sure what they mean by a dedicated VLAN ID for a trunk port. I really don't think it means dividing the trunk port into subinterfaces and putting them in individual VLANs. That would defeat the purpose of a trunk port.

On trunk ports you generally leave all VLANs to be trunked. If you have, say, three VLANs in your network, you don't need all 1000+ VLANs to be trunked between switches. Instead, trunk only the required VLANs, say 10, 20 and 30, and deny all other VLANs if they don't exist in your network. This will prevent somebody from propagating traffic from a rogue VLAN into the rest of the network.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
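As an added example (not code from this thread, from Cisco, or from the SAFE blueprint), the following Python script audits a constructed IOS running-config for the two trunk settings this thread is about: the explicit allowed-VLAN list that Shanky describes, and the VLAN ID of each trunk. The native-VLAN checks follow the editor's reading of the SAFE recommendation as referring to the 802.1Q native VLAN of each trunk: it should be a dedicated VLAN that no access port on the switch uses, so that an untagged frame arriving on the trunk cannot be delivered into a data VLAN. The script also flags trunks that still run DTP, since a statically configured trunk keeps sending DTP frames until `switchport nonegotiate` is set. Interface names, VLAN numbers and descriptions in `SAMPLE_CONFIG` are made up for the example; `Gi0/1` is the "before" trunk and `Gi0/2` the hardened "after".

```python
"""Audit Cisco IOS trunk ports for an explicit allowed-VLAN list and a
dedicated native VLAN.  Added example; SAMPLE_CONFIG below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/1
 description uplink to DIST-1 (before)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to DIST-2 (after)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/3
 description user port, left in default VLAN 1
 switchport mode access
!
interface GigabitEthernet0/4
 description user port
 switchport access vlan 10
 switchport mode access
!
"""


@dataclass
class Port:
    name: str
    mode: str = "access"                # IOS default when 'switchport mode' is absent
    access_vlan: int = 1                # IOS default access VLAN
    native_vlan: int = 1                # IOS default native VLAN on a dot1q trunk
    allowed: Optional[Set[int]] = None  # None means every VLAN (IOS default)
    nonegotiate: bool = False           # DTP runs unless 'switchport nonegotiate'


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> List[Port]:
    """Collect the switchport settings of every 'interface' stanza."""
    ports: List[Port] = []
    cur: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = Port(m.group(1))
            ports.append(cur)
            continue
        if cur is None:
            continue
        if line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport mode access":
            cur.mode = "access"
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
        elif (m := re.match(r"switchport access vlan (\d+)$", line)):
            cur.access_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            cur.native_vlan = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan (.+)$", line)):
            spec = m.group(1).strip()
            if spec == "all":
                cur.allowed = None
            elif spec == "none":
                cur.allowed = set()
            elif spec.startswith("add ") and cur.allowed is not None:
                cur.allowed |= parse_vlan_list(spec[4:])
            elif not spec.startswith(("add ", "remove ", "except ")):
                cur.allowed = parse_vlan_list(spec)
            # 'remove'/'except' applied to an all-VLAN list are not modelled here
    return ports


def audit(ports: List[Port]) -> Dict[str, List[str]]:
    """Return {trunk port: [issue, ...]}; an empty list means the trunk passed."""
    access_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    findings: Dict[str, List[str]] = {}
    for p in ports:
        if p.mode != "trunk":
            continue
        issues: List[str] = []
        if p.allowed is None:
            issues.append("allows all VLANs; restrict with 'switchport trunk allowed vlan <list>'")
        if p.native_vlan == 1:
            issues.append("native VLAN is the default VLAN 1; assign a dedicated, otherwise unused VLAN")
        if p.native_vlan in access_vlans:
            issues.append(f"native VLAN {p.native_vlan} is also an access VLAN on this switch")
        if p.allowed is not None and p.native_vlan in p.allowed:
            issues.append(f"native VLAN {p.native_vlan} is in the allowed list, so untagged frames enter a data VLAN")
        if not p.nonegotiate:
            issues.append("DTP negotiation is enabled; add 'switchport nonegotiate'")
        findings[p.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(parse_config(SAMPLE_CONFIG)).items():
        status = "OK" if not issues else f"{len(issues)} issue(s)"
        print(f"{port}: {status}")
        for issue in issues:
            print("  -", issue)
```

Run against the sample, `GigabitEthernet0/1` reports four findings (all VLANs allowed, native VLAN 1, VLAN 1 shared with the access port `Gi0/3`, DTP enabled) and `GigabitEthernet0/2` reports none. To audit a real switch, paste the output of `show running-config` in place of `SAMPLE_CONFIG`; VLAN 999 is only a placeholder, and any VLAN that carries no user or management traffic will do as the dedicated native VLAN.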

3 Replies

Yeah, that's it!! What a great answer... I even remember it now, from BCSN: VLAN pruning. Well, I gotta get to work. This will be fun.

It is an interesting statement from the SAFE Blueprint. If anything I will know the answer for the SAFE exam.

Thanks, Shanky

Hi,

This is not actually VLAN pruning. This is just specifically allowing some VLANs on the trunk ports and removing the other, unwanted VLANs.

Pruning works in a different way: it saves bandwidth on the trunk links by pruning unwanted broadcasts for a particular VLAN from the trunk if no host is active in that VLAN on a particular switch. That is, if you don't have any active host in a VLAN on a particular switch, a broadcast in that VLAN that would otherwise come over the trunk is pruned from the trunk towards the switch where no host is active in that VLAN.

HTH,

-amit singh