Native Vlan Best Practices

cglines · ‎06-09-2023

So I know it is best practice to create a dummy vlan that you apply as your Native Vlan on trunk ports so it is no 1 by default. But I have a couple of further questions:

1. Since Vlan 1 is used for a lot of L2 protocols from my understanding do you need to allow it on the trunk port after switching the native vlan to say 999.

2. Do you still allow that dummy Vlan on the trunk port or do you not include it in the allow list and then just set it as the native vlan with the command

Flavio Miranda · ‎06-09-2023

Hi

Vlan1 is not a requirement. Once you designate vlan 999 as native, you can remove vlan 1 for good. What certain protocols look for is untagged traffic and not for Vlan ID, so, dont matter if vlan 1 or 999.

If you defined vlan 999 as native and put on the trunk you dont need to allow it on the trunk. The allowed Vlan is used to tagged traffic, which is not the case for native vlan.

MHM Cisco World · ‎06-09-2023

this simple topology for explain some point about the VLAN1
we have SW and by default
mgmt VLAN = port VLAN = native VLAN = VLAN1
NOW
-native VLAN must change to any vlan except the VLAN1 so we add dummy VLANx and config native VLAN = VLANx

-port VLAN any unused port must assign to any vlan except the VLAN1 so we add dummy VLANy and config port VLAN = VLANy

-mgmt VLAN keep it as default VLAN1

why we not use same vlan as native vlan and unused port? to secure the SW from vlan hopping attack

MHM Cisco World · ‎06-09-2023

even if we dont allow VLAN1 in trunk the DTP still use VLAN1 in trunk.

NOTE:- VLAN1 = native VLAN in lab