03-05-2008 10:53 AM - edited 03-05-2019 09:34 PM
I've been reading the Cisco VLAN1 security white paper -> http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp39009 , and wanted to make sure I am on the right track as I translate Cisco's best practices into an actual config.
Cisco says to:
1.) Not use VLAN 1 for inband management traffic...
2.) Prune VLAN 1 from all the trunks and from all the access ports that don't require it...
3.) Don't configure the management VLAN on any trunk or access port that doesn't require it.
Has the config listed below accomplished those goals?
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface Vlan10
 description management_vlan
 ip address 1.1.1.1 255.255.255.0
interface Vlan1
 no ip address
 shutdown
interface range FastEthernet1/0/1 - 48
 switchport access vlan 2
 switchport mode access
!
interface range GigabitEthernet1/0/1 - 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
03-05-2008 11:07 AM
wanted to make sure I am on the right track
You are.
__
Edison.
03-05-2008 11:19 AM
Hi Jason,
As far as points 1 and 2 are concerned, yes, it has accomplished those goals.
For point 3.:
It accomplishes the goal if it follows from your configuration and topology that all your trunks on Gig1/0/1 - 4 need to carry the management traffic for VLAN 10. For example, these 4 trunks may be used in an EtherChannel.
Cheers,
Istvan
03-05-2008 11:19 AM
Hi Jason
The only thing I would add is that you probably want to make the native VLAN a different VLAN than your management VLAN, do not create an L3 interface for your native VLAN, and don't assign any access ports to it.
Jon
03-05-2008 11:24 AM
Jon, now I'm really confused. What is the rationale for splitting the two up?
Istvan, I understand your point.
03-05-2008 11:28 AM
Jason
Because they serve 2 totally different purposes.
The management VLAN is there to allow you to manage the switches remotely. No user ports should be placed in this VLAN, but it still needs a layer 3 interface if you are going to manage the switches from a remote subnet.
The native VLAN is simply the VLAN on a trunk link whose packets are not tagged. It is there to provide compatibility for 802.1q with non-tag-aware switches. It does not need a layer 3 SVI because it does not need to route anywhere.
HTH
Jon
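The checks Istvan and Jon describe above, turned into an added Python audit script (not from the thread, and not Cisco's code): it parses Jason's posted configuration, reports whether VLAN 1 is usable for inband management, whether VLAN 1 is still allowed on a trunk or used by an access port, whether any access port sits in the management VLAN, and whether the native VLAN is the management VLAN, carries an active SVI, or has access ports in it. The function names are my own, the "hardened" variant that moves the native VLAN to VLAN 999 is a constructed example (999 is an assumed, otherwise unused VLAN), and the parser only understands the IOS sub-commands that appear in the post plus the plain, "all", "none" and "except" forms of the allowed-VLAN list.

```python
import re

# Jason's posted configuration (the "!" the forum prepended to each line is dropped).
POSTED_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
interface Vlan10
 description management_vlan
 ip address 1.1.1.1 255.255.255.0
interface Vlan1
 no ip address
 shutdown
interface range FastEthernet1/0/1 - 48
 switchport access vlan 2
 switchport mode access
!
interface range GigabitEthernet1/0/1 - 4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
"""

# Constructed variant following Jon's advice: the native VLAN becomes an otherwise unused
# VLAN (999 is an assumed value) that has no SVI and no access ports.
HARDENED_CONFIG = POSTED_CONFIG.replace(
    "switchport trunk native vlan 10", "switchport trunk native vlan 999")


def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [sub-commands]}.

    "interface ..." opens a block, indented lines belong to it, and a blank line,
    a "!" separator or an unindented global command closes it.
    """
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def expand_vlan_list(spec):
    """Expand an allowed-VLAN list ('2-4094', '1,10,20-30', 'all', 'none', 'except 1').

    'all' is the IOS default when no "switchport trunk allowed vlan" line is present;
    the incremental add/remove forms are not handled.
    """
    spec = spec.strip().lower()
    if spec == "all":
        return set(range(1, 4095))
    if spec == "none":
        return set()
    if spec.startswith("except "):
        return set(range(1, 4095)) - expand_vlan_list(spec[len("except "):])
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def audit(config, mgmt_vlan):
    """Return findings for the white paper's three points and Jon's native-VLAN advice."""
    svis, trunks, access = {}, {}, {}
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"vlan\s*(\d+)", name, re.IGNORECASE)
        if svi:  # True = SVI has an address and is not shut down, i.e. a usable L3 interface
            has_ip = any(c.startswith("ip address ") for c in cmds)
            svis[int(svi.group(1))] = has_ip and "shutdown" not in cmds
            continue
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        if mode == "trunk":
            native, allowed = 1, "all"  # IOS defaults when the lines are absent
            for c in cmds:
                if c.startswith("switchport trunk native vlan "):
                    native = int(c.split()[-1])
                elif c.startswith("switchport trunk allowed vlan "):
                    allowed = c[len("switchport trunk allowed vlan "):]
            trunks[name] = (native, expand_vlan_list(allowed))
        elif mode == "access":
            vid = 1  # IOS default when "switchport access vlan" is absent
            for c in cmds:
                if c.startswith("switchport access vlan "):
                    vid = int(c.split()[-1])
            access[name] = vid

    findings = []
    if svis.get(1):
        findings.append("Vlan1: active SVI with an IP address, usable for inband management (point 1)")
    for name, (native, allowed) in trunks.items():
        if 1 in allowed:
            findings.append(f"{name}: VLAN 1 is allowed on the trunk (point 2)")
        if native == mgmt_vlan:
            findings.append(f"{name}: native VLAN is the management VLAN {mgmt_vlan} (Jon's advice)")
        if svis.get(native):
            findings.append(f"{name}: native VLAN {native} has an active L3 SVI (Jon's advice)")
    natives = {native for native, _ in trunks.values()}
    for name, vid in access.items():
        if vid == 1:
            findings.append(f"{name}: access port in VLAN 1 (point 2)")
        if vid == mgmt_vlan:
            findings.append(f"{name}: access port in the management VLAN (point 3)")
        if vid in natives:
            findings.append(f"{name}: access port in native VLAN {vid} (Jon's advice)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg, mgmt_vlan=10) or ['no findings']}")
```

Run against the posted config with `mgmt_vlan=10`, the script agrees with the thread: points 1 and 2 pass (Vlan1 is shut with no address, and the trunks allow only 2-4094), no access port is in VLAN 10, and the only findings are the two Jon raised, the trunks using the management VLAN as native and that native VLAN carrying a live SVI. The hardened variant produces no findings. The script treats an access port without an explicit `switchport access vlan` as VLAN 1, because that is the IOS default, so a trunk-only pruning of VLAN 1 is not enough on its own.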