some questions about native vlan and vlan 1

kirkster (Level 3)

Hi, these are relatively simple questions, but can someone confirm them for me please?

1. VTP is carried in VLAN 1, CDP in VLAN 1. "show vtp status" says "lowest updater vlan ID....." Does this mean these protocols will be carried in the lowest-numbered VLAN? Why can't I configure this explicitly?

2. I remove VLAN 1 from my trunks (trunk allowed command). CDP and VTP still work. Why? Best practices say don't use VLAN 1!!! Contradictions!!!!!

3. This will create a campus-wide VLAN 1!!!! How do I stop this and avoid creating a potentially large broadcast storm in VLAN 1 killing all bandwidth on the uplinks??

4. I create a native VLAN xxx. Do I need to allow VLAN xxx in my trunk allowed statements? Does xxx need to be created on the switches? I find it works without being created, but I'm wondering....????

I know these are quite basic questions but when you don't do campus switched networks regularly they are important and the info on cco seems a bit fuzzy.

Thank you,

Steve


ankbhasi (Cisco Employee)

Hi Steve,

VTP, CDP, PAgP, LACP, DTP: all these protocols, which you could call management protocols, are always carried in VLAN 1 even if you remove VLAN 1 from the trunk.

The VLAN 1 minimization feature was introduced to provide the flexibility to remove VLAN 1 from trunks so that no user traffic (including spanning-tree advertisements) is sent or received on VLAN 1.

What you mentioned in your first question does not mean that the lowest VLAN ID updated the VTP information. Actually, the last line of the output from "sh vtp status" tells you which switch last updated the VTP information on your switch, and it displays the IP address of the updater switch.

You can have a look at this link and search for the word "minimization" in the document:

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swvlan.htm#

HTH

Ankur

*Pls rate all helpful posts

Thanks Ankur,

Even if VLAN 1 is not allowed on the trunk, if I place 2 PCs in VLAN 1 and ping across the trunk, it works!!!

This means a campus-wide VLAN 1, against the best practices!!

This is not very clear. I will look at the minimisation feature. However, what are the effects of just switching VLAN 1 off?

Regards,

Steve

Hi Steve,

As you said, VLAN 1 is not allowed on the trunk, and you place PC 1 on switch 1 in VLAN 1 and PC 2 on switch 2 in VLAN 1, and they can ping? They should not, and if they are pinging, something fishy is happening which needs to be tracked down.

Once VLAN 1 is removed from the trunk, no user traffic (including STP) should pass over the trunk, and only management/control traffic will pass on VLAN 1.

Regards,

Ankur

*Pls rate all helpful posts

Thanks again ankur.

So if I remove VLAN 1 from the trunk, CDP, VTP etc. will still go down VLAN 1? When VLAN 1 is removed these features still work, so the answer must be yes.

I can confirm that with VLAN 1 not allowed on the trunk, STP does not go down the trunk either, and all VLAN 1 switches think they are the root bridge.

However, this still leaves us with VLAN 1 spanning the campus, yes?

Hi Steve,

Yes, if you remove VLAN 1 from the trunk, CDP and VTP will still go over VLAN 1 and these features will still work. Now, with PVST+ all VLANs run their own STP instance, so your switch will be root bridge for multiple VLANs, but for VLAN 1 the STP BPDUs will not cross between switches, so its STP is restricted to that local switch, which does not indicate any danger to me at least :)

Regards,

Ankur

*Pls rate all helpful posts

Thanks Ankur,

Thats answered those questions.

As far as the native VLAN is concerned, I have found that as long as it matches at both ends there are no problems, even if the VLAN does not exist.

Why is the native VLAN so important, and why do the best practices say to change it from the default? I am thinking of making the native VLAN an odd, non-routable VLAN.

Thanks again Ankur you are a star !!

Steve

Hi Steve,

Thanks for rating my post and your positive comments.

I am not sure if you have already read this link, but in case not, it has a lot of points about VLAN security, and maybe your question about the native VLAN will be answered:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#

If not then we can discuss on same forum.

Regards,

Ankur
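Added example, not part of the thread or of any Cisco document: a small Python model of how an 802.1Q trunk port tags frames on egress and classifies them on ingress. It shows the point Steve has noticed (the native VLAN only has to match at both ends) and why a mismatch matters: the native VLAN is carried untagged, so an untagged frame from one switch's native VLAN lands in whatever the far switch's native VLAN happens to be. The function names, MAC addresses and payload are this example's own assumptions; the tag_native flag models a switch that has been told to tag its native VLAN as well (a global setting on some Catalyst platforms).

```python
import struct

# Constructed sample values (not from the thread): broadcast destination,
# an arbitrary source MAC, and a 46-byte zero payload.
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PAYLOAD = b"\x00" * 46


def build_frame(vlan: int, native_vlan: int, tag_native: bool = False,
                payload: bytes = PAYLOAD) -> bytes:
    """Egress on a trunk: tag with `vlan` unless it is the port's native VLAN.

    With tag_native=True the native VLAN is tagged too, like every other VLAN.
    """
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    if vlan == native_vlan and not tag_native:
        # Native VLAN: plain Ethernet II frame, no 802.1Q header at all.
        return DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan & 0x0FFF  # PCP=0, DEI=0, VID in the low 12 bits
    return (DST + SRC + struct.pack("!HH", ETHERTYPE_8021Q, tci)
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def classify_frame(frame: bytes, native_vlan: int) -> int:
    """Ingress on a trunk: tagged frames go to their VID, untagged ones to the
    receiving port's native VLAN. A tag with VID 0 is priority-only and is
    treated as untagged, as 802.1Q requires."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        if vid:
            return vid
    return native_vlan


def forward(vlan: int, sender_native: int, receiver_native: int,
            tag_native: bool = False) -> int:
    """VLAN the receiving switch places the frame in after one trunk hop."""
    frame = build_frame(vlan, sender_native, tag_native)
    return classify_frame(frame, receiver_native)


if __name__ == "__main__":
    # Both ends agree on native 42: VLAN 42 traffic stays in VLAN 42.
    print("matched native:", forward(42, 42, 42))
    # Far end still on the default native VLAN 1: VLAN 42 traffic leaks into VLAN 1.
    print("mismatched native:", forward(42, 42, 1))
    # Tagged VLANs are unaffected by the mismatch.
    print("tagged VLAN 10:", forward(10, 42, 1))
    # Tagging the native VLAN removes the ambiguity.
    print("native tagged:", forward(42, 42, 1, tag_native=True))
```

The mismatch case is the one CDP complains about with its native VLAN mismatch warning: it is not a failure of the trunk, it is two VLANs being quietly merged across it, which is exactly the kind of "works by accident" behaviour Steve saw with VLAN 1.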

Let me tell you a cautionary tale. Be very cautious about removing the native VLAN from a trunk. In some switches, if you remove the native VLAN from the trunk, then VLAN 1 BPDUs are not passed. That's fine if your native VLAN is 1: the trunk does not pass VLAN 1 BPDUs, but it does not pass VLAN 1 traffic either. Great.

But suppose you had decided to have a totally unused gash VLAN just to act as native for the trunks - in other words tag everything. You remove VLAN 42 from an access switch uplink trunk and you think you are OK. You remove VLAN 42 from the other uplink, and suddenly your network goes into meltdown. What has happened is that in removing VLAN 42 from the trunks, the trunks are no longer passing VLAN 1 BPDUs, but they are still passing VLAN 1 traffic. Result: meltdown.

Cisco eventually fixed this bug in IOS versions, but they never fixed it in CatOS.

Kevin Dorrell

Luxembourg

Kevin,

You're saying that the native VLAN actually carries the BPDUs?

I don't know technically whether to say "The native VLAN carries the BPDUs (for VLAN 1)", or "BPDUs for VLAN 1 are untagged".

I have not done a snoop to find out, when your native VLAN is, say, 42, whether VLAN 1 BPDUs are tagged, but I suspect they are not. I admit I never have been clear about this. I must get busy with a sniffer some time.

But I do know from bitter experience that in CatOS, if you clear the native VLAN from a trunk, then VLAN 1 BPDUs are no longer passed.

Perhaps the best person to answer this would be Francois Tallet. I believe there is also a document that answers these questions.

Kevin Dorrell

Luxembourg

Hi Steve,

Yes, the native VLAN does carry BPDUs, but only for the native VLAN itself, and those are sent untagged.

There are some variations about how BPDUs are sent when vlan 1 is native vlan and when vlan 1 is not a native vlan.

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00801d11a0.shtml#topic1

HTH

Ankur

*Pls rate all helpful posts
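Added example, not from the thread: a Python audit that parses the trunk interfaces out of two constructed "show running-config" extracts and flags the points raised in this thread, namely a native VLAN left at the default of 1, VLAN 1 still allowed on a trunk (minimization not applied), a native VLAN pruned from its own trunk (Kevin's cautionary case), and a native VLAN mismatch across a link. The switch names, configs and link map are constructed for the example; the parser only handles the plain "switchport trunk allowed vlan <list>" form, not the "add"/"except" variants.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample configs (not from the thread). sw1 follows the advice
# given above: VLAN 1 pruned from the trunk, native moved to an unused VLAN.
# sw2 is left at the defaults on Gi1/0/1 and has a pruned native VLAN on Gi1/0/2.
SW1_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 42
 switchport trunk allowed vlan 2-4094
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 switchport mode access
!
"""

SW2_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30-40
 switchport mode trunk
!
"""

# Constructed link map: which port on sw1 faces which port on sw2.
Port = Tuple[str, str]
LINKS: List[Tuple[Port, Port]] = [
    (("sw1", "GigabitEthernet1/0/1"), ("sw2", "GigabitEthernet1/0/1")),
]


@dataclass
class Trunk:
    native: int
    allowed: Set[int]


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '2-4094' or '10,20,30-40' into a set."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(config: str) -> Dict[str, Trunk]:
    """Return a Trunk for every 'switchport mode trunk' interface block."""
    trunks: Dict[str, Trunk] = {}
    for block in config.split("!\n"):
        m = re.match(r"interface (\S+)", block)
        if not m or " switchport mode trunk" not in block:
            continue
        native = re.search(r"switchport trunk native vlan (\d+)", block)
        allowed = re.search(r"switchport trunk allowed vlan (\S+)", block)
        trunks[m.group(1)] = Trunk(
            native=int(native.group(1)) if native else 1,  # IOS default native VLAN
            allowed=parse_vlan_list(allowed.group(1)) if allowed else set(range(1, 4095)),
        )
    return trunks


def audit(configs: Dict[str, str], links: List[Tuple[Port, Port]] = LINKS) -> List[str]:
    """Apply the thread's trunk checks to every switch and to each known link."""
    findings: List[str] = []
    parsed = {name: parse_trunks(cfg) for name, cfg in configs.items()}
    for sw, trunks in parsed.items():
        for iface, t in trunks.items():
            if t.native == 1:
                findings.append(f"{sw} {iface}: native VLAN is the default (1); move it to an unused VLAN")
            if 1 in t.allowed:
                findings.append(f"{sw} {iface}: VLAN 1 is allowed on the trunk; prune it (VLAN 1 minimization)")
            if t.native not in t.allowed:
                findings.append(f"{sw} {iface}: native VLAN {t.native} is pruned from its own trunk; "
                                "on some older code this also stopped VLAN 1 BPDUs")
    for (sw_a, if_a), (sw_b, if_b) in links:
        nat_a, nat_b = parsed[sw_a][if_a].native, parsed[sw_b][if_b].native
        if nat_a != nat_b:
            findings.append(f"native VLAN mismatch: {sw_a} {if_a} uses {nat_a}, {sw_b} {if_b} uses {nat_b}")
    return findings


if __name__ == "__main__":
    for line in audit({"sw1": SW1_CONFIG, "sw2": SW2_CONFIG}):
        print(line)
```

Run against real configs, the mismatch check needs the link map from CDP or LLDP neighbour output rather than a hand-written list; the per-interface checks need nothing beyond the running-config.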
