Hello,
I have a very large L3 switched network. Lo0 is used for managing the switches, with no mgmt. VLAN, in an OSPF routed network. Each switch has multiple VLANs.
VLAN 1 is either 1) disabled on some, 2) in UP/DOWN state on some, 3) UP/UP on some with no ports associated with it, or 4) UP/UP on some with non-connected ports.
VLAN 1 is the native VLAN on all connected ports, ether channels and otherwise. It is allowed on all connected interfaces.
I have to address a security audit for a VLAN 1 vulnerability. My concerns are as follows:
1. I cannot delete VLAN 1. Even if I SHUTDOWN VLAN 1, all Cisco-specific protocols such as CDP, VTP, etc. will be communicated over VLAN 1, which is a source of security risk. Am I correct on this point?
2. The switches are managed via the Lo0 address, L3. L3 reachability requires an L2 mechanism. If VLAN 1 is shut down, then what would be the L2 mechanism for Lo0 reachability? How is it possible to manage a switch via the Lo0 address while VLAN 1 is shut down and there is no mgmt. VLAN?
3. Most of the switches are in remote locations. I do not wish to cause any outage by disabling VLAN 1. What is the best solution in this case?
Thanks a lot in advance.
Bo
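The post above is about finding where VLAN 1 is still exposed on a large estate of switches before changing anything. The script below is an added example, not code from the original post or from Cisco: it parses a constructed Cisco IOS running-config and reports the conditions an auditor usually flags (VLAN 1 used as the native VLAN on a trunk, VLAN 1 still allowed on a trunk, an access port left in the default VLAN 1, the `interface Vlan1` SVI not shut down, and CDP left enabled globally). The sample config, hostname, addresses and the unused native VLAN 999 are all constructed for illustration. Running it over the real configs of the remote switches gives an inventory of what would actually be affected by each change, which is the information needed to plan the work without an outage.

```python
"""Audit a Cisco IOS running-config for VLAN 1 exposure.

Added example (not from the original post). SAMPLE_CONFIG is constructed;
the checks encode common VLAN 1 hardening guidance: no VLAN 1 as the
native VLAN on trunks, VLAN 1 pruned from trunks, no access ports left
in VLAN 1, the Vlan1 SVI shut down, and CDP not running globally.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one unhardened uplink, one hardened uplink,
# one access port left in the default VLAN, one moved to VLAN 20.
SAMPLE_CONFIG = """\
hostname remote-sw-01
!
vlan 999
 name NATIVE-UNUSED
!
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
interface GigabitEthernet1/0/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description uplink to core (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
!
interface GigabitEthernet1/0/10
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport access vlan 20
 switchport mode access
!
interface Vlan1
 no ip address
!
router ospf 1
 network 10.255.0.11 0.0.0.0 area 0
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)  # indented sub-commands, stripped


def parse_interfaces(config):
    """Collect each 'interface X' block; any non-indented line ends the block."""
    interfaces, current = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw[len("interface "):].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def vlan1_allowed_on_trunk(lines):
    """IOS allows all VLANs on a trunk by default, so VLAN 1 is allowed unless an
    explicit numeric list without 1 (or 'none') is configured. Other forms
    ('all', 'except', 'add', 'remove') are treated conservatively as allowing it."""
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (.+)", line)
        if m:
            spec = m.group(1).strip()
            if spec == "none":
                return False
            if re.fullmatch(r"[\d,\s-]+", spec):
                return 1 in expand_vlan_list(spec)
    return True


def first_int(lines, pattern, default):
    """Return the integer captured by `pattern` on the first matching line."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return int(m.group(1))
    return default


def audit(config):
    """Return (interface_or_scope, finding) pairs describing VLAN 1 exposure."""
    findings = []
    if "no cdp run" not in config.splitlines():
        findings.append(("global", "CDP is running globally (no 'no cdp run')"))
    for intf in parse_interfaces(config):
        lines = intf.lines
        if intf.name.lower() == "vlan1":
            if "shutdown" not in lines:
                findings.append((intf.name, "SVI Vlan1 is not shut down"))
        elif "switchport mode trunk" in lines:
            if first_int(lines, r"switchport trunk native vlan (\d+)", 1) == 1:
                findings.append((intf.name, "trunk uses VLAN 1 as native VLAN"))
            if vlan1_allowed_on_trunk(lines):
                findings.append((intf.name, "VLAN 1 allowed on trunk"))
        elif "switchport mode access" in lines:
            if first_int(lines, r"switchport access vlan (\d+)", 1) == 1:
                findings.append((intf.name, "access port left in VLAN 1"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope:<22} {finding}")
```

The parser keys only on indentation, which is how IOS renders sub-commands, so it works on `show running-config` output without any vendor library. The allowed-VLAN check is deliberately conservative: anything it cannot prove safe is reported, so a clean run means the trunk really has VLAN 1 pruned. On the constructed config it reports the unhardened uplink twice (native VLAN and allowed list), the default-VLAN access port, the live Vlan1 SVI and global CDP, and nothing for the hardened uplink or the loopback.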