cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
931
Views
0
Helpful
3
Replies

Native Vlan Best Practices

volume51
Level 1
Level 1

So I know it is best practice to create a dummy vlan that you apply as your Native Vlan on trunk ports so it is no 1 by default. But I have a couple of further questions:

1. Since Vlan 1 is used for a lot of L2 protocols from my understanding do you need to allow it on the trunk port after switching the native vlan to say 999. 

2. Do you still allow that dummy Vlan on the trunk port or do you not include it in the allow list and then just set it as the native vlan with the command

3 Replies 3

Hi

 Vlan1 is not a requirement. Once you designate vlan 999 as native, you can remove vlan 1 for good.  What certain protocols look for is untagged traffic and not for Vlan ID, so, dont matter if vlan 1 or 999.

  If you defined vlan 999 as native and put on the trunk you dont need to allow it on the trunk. The allowed Vlan is used to tagged traffic, which is not the case for native vlan.

lplplplplplp.png
this simple topology for explain some point about the VLAN1 
we have SW and by default 
mgmt VLAN = port VLAN = native VLAN = VLAN1 
NOW 
-native VLAN must change to any vlan except the VLAN1 so we add dummy VLANx and config native VLAN = VLANx

-port VLAN any unused port must assign to any vlan except the VLAN1 so we add dummy VLANy and config port VLAN = VLANy 

-mgmt VLAN keep it as default VLAN1

why we not use same vlan as native vlan and unused port? to secure the SW from vlan hopping attack 

even if we dont allow VLAN1 in trunk the DTP still use VLAN1 in trunk. 

NOTE:-  VLAN1 = native VLAN in lab

Screenshot (776).png

Review Cisco Networking for a $25 gift card