Frequent Contributor

Pruning VLAN 1 and Changing Native VLAN questions

1. If you have trunks to servers, is it really still a good idea or useful to change the native VLAN on the trunk link to those servers, and if so, must the server side be configured with the same native VLAN, correct or no?


2. Also, you should be using a different native VLAN for different trunk links between your switches and servers, if applicable, so as not to defeat the purpose of changing the native VLAN, correct?


3. To remove VLAN 1 from the trunk link in addition to changing the native VLAN, should you do that "remove" command? I remember reading or seeing somewhere that there was something in addition that had to be done, but I can't remember what else it was.


Hall of Fame Master

Re: Pruning VLAN 1 and Changing Native VLAN questions

1) If you change the native vlan on one side of the trunk you should certainly also change the native vlan on the other end of the trunk.

2) I am not sure where you got the idea that the native vlan should be different on each trunk. You can certainly do that if you want. And if different trunks are carrying different sets of vlans you may wind up with a different native vlan on each trunk. But I do not see any need to work at making each native vlan different. As I understand the logic about this: by default the native vlan is vlan 1. Some of the advice is to leave vlan 1 for unused ports, etc., but to make all configured user traffic use specified vlans. Therefore, if someone were to get access to your network and plug in a device, they still would not be able to access your devices. So if we are trying to have all configured traffic avoid vlan 1, then the native vlan should be something different from 1.

3) I believe that there are some system messages that use vlan 1. So I would not necessarily try to remove it from the trunks.



Re: Pruning VLAN 1 and Changing Native VLAN questions



     Some things to know before answering your questions:

              1. The native VLAN is relevant on trunk links, and the best security approach you can take is to use a dedicated VLAN for this scope, so a VLAN where no devices are attached. By doing so, you also usually remove the native VLAN from trunk links, as a good/secure practice.

              2. The native VLAN can be different for each trunk link, but you don't achieve anything extra by doing this; you just overcomplicate your overall configuration and increase the risk of ending up with a native VLAN mismatch between switches, and you end up breaking the VLAN on that trunk link due to STP.

               3. The native VLAN has to match on both sides of a trunk link between switches, otherwise STP will block those ports. STP does not converge, no data traffic can be sent across the trunk link.


      Your questions: 

                1. See my recommendation above, just keep one VLAN as your native VLAN, across your entire layer2 domain. If the native VLAN is not used, you don't really care if the server side native VLAN matches or not.

                2. See my recommendation above, keep one VLAN as your native VLAN.

                3. You can remove any VLAN, including the native VLAN, from the trunk link in two ways: either you say "switchport trunk allowed vlan remove x", where "x" is your native VLAN, or you say "switchport trunk allowed vlan a,b,c,d" and you don't include "x", where "x" is your native VLAN.



Cristian Matei.
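A Cisco IOS configuration that puts the points from the replies above into practice (dedicated unused native VLAN, same native VLAN on both ends, VLAN 1 and the native VLAN kept out of the allowed list, and how to verify it). This is an added example, not configuration from the original thread or from either poster; the interface names, VLAN 999 and the allowed VLAN numbers are assumptions.

```ios
! Added example (not from the original thread). VLAN 999, VLANs 10/20/30
! and the interface names are assumptions for illustration.
!
! 1. Create a dedicated native VLAN and never assign an access port to it.
vlan 999
 name NATIVE_UNUSED
!
! 2. Switch-to-switch trunk: native VLAN moved away from 1, allowed list
!    restricted to the VLANs the link must carry. VLAN 1 and the native
!    VLAN (999) are deliberately absent, so untagged frames arriving on the
!    trunk are dropped. The peer switch must use the same native VLAN.
interface GigabitEthernet1/0/1
 description TRUNK to SW2 Gi1/0/1 - native VLAN 999 must match on SW2
 switchport trunk encapsulation dot1q   ! only accepted on platforms that also support ISL
 switchport mode trunk
 switchport nonegotiate                 ! static trunk, no DTP negotiation
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
! 3. Trunk to a server/hypervisor, using the "remove" form on an existing
!    allowed list instead of rewriting it. Same effect: 1 and 999 are gone.
interface GigabitEthernet1/0/2
 description TRUNK to server (802.1Q tagging done on the NIC/hypervisor)
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1,999
!
! 4. Optional and platform dependent (global command): tag frames of the
!    native VLAN as well, so nothing on the trunk is ever sent untagged.
vlan dot1q tag native
!
! Verification (exec mode):
!   show interfaces trunk
!     - "Native vlan" must read 999 on both ends of every trunk
!     - "Vlans allowed on trunk" must not list 1 or 999
!   show spanning-tree inconsistentports
!     - a native VLAN mismatch appears here as a PVID-inconsistent port;
!       CDP also logs %CDP-4-NATIVE_VLAN_MISMATCH on the affected link
```

The two allowed-list forms in steps 2 and 3 are interchangeable; the explicit list is easier to audit, while "remove" is safer to apply to a live trunk because it does not risk dropping a VLAN that was already allowed. Apply the native VLAN change on both ends of a switch-to-switch trunk in one maintenance window, since STP blocks the port for the mismatched VLAN until both sides agree.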