02-01-2010 09:07 AM - edited 03-06-2019 09:32 AM
Hello,
Just a quick question on what people feel is the best practice for vlan'ing. Specifically, I've read some documentation that indicates untagged ports shouldn't be used with vlan 1. Which seems self-explanatory. Does the same practice apply to all vlans? i.e. if your network cards support vlan tagging on them, and you only expect the device on that port to be part of one vlan, why wouldn't you have your access ports tagged instead of untagged? So that no untagged ports would ever be used?
Thanks,
Will
02-01-2010 09:15 AM
monodactylus wrote:
Hello,
Just a quick question on what people feel is the best practice for vlan'ing. Specifically, I've read some documentation that indicates untagged ports shouldn't be used with vlan 1. Which seems self-explanatory. Does the same practice apply to all vlans? i.e. if your network cards support vlan tagging on them, and you only expect the device on that port to be part of one vlan, why wouldn't you have your access ports tagged instead of untagged? So that no untagged ports would ever be used?
Thanks,
Will
Will
Vlan tagging only applies to trunk ports. If you have a device that is only in one vlan then for it to tag its packets you would have to configure the NIC to run 802.1q and set up the switchport as a trunk. This wouldn't really make any sense. And by definition they would no longer be access ports, i.e. every port in your network would be a trunk.
The recommendation for vlan 1 is more to do with it being the default vlan for just about everything and hence because it has so many uses it is too easy to abuse it.
Jon
02-01-2010 09:34 AM
Just to add a bit to Jon's post, the Cisco best practice with regard to VLAN 1 is to leave it reserved for layer 2 control plane traffic -- VTP, CDP, PAgP, STP -- and keep user traffic off of it.
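A check for the VLAN 1 practice discussed in this thread, as an added example that is not part of any poster's reply: it reads a Cisco IOS style configuration and lists ports whose untagged traffic lands in VLAN 1. It goes slightly beyond the thread by also covering the trunk native VLAN (the one VLAN a trunk carries untagged, which defaults to 1). The sample configuration is constructed, and the function names `parse_interfaces` and `vlan1_findings` are hypothetical.

```python
import re

# Constructed sample of an IOS-style running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk native vlan 999
!
interface GigabitEthernet0/4
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces

def vlan1_findings(config):
    """List (interface, reason) for ports whose untagged VLAN is 1."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport mode") for c in cmds):
            continue  # assumption: only ports with an explicit mode are audited
        trunk = "switchport mode trunk" in cmds
        key = "trunk native" if trunk else "access"
        vlan = 1  # IOS default when the stanza sets no VLAN
        for cmd in cmds:
            m = re.fullmatch(rf"switchport {key} vlan (\d+)", cmd)
            if m:
                vlan = int(m.group(1))
        if vlan == 1:
            findings.append((name, f"{key} VLAN 1"))
    return findings
```

Calling `vlan1_findings(SAMPLE_CONFIG)` reports GigabitEthernet0/2 and GigabitEthernet0/4, the two ports that never move off the default.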