05-26-2025 11:34 PM
Hello geeks,
We would like to add VLAN access lists (VACLs) as an additional security boundary. We decided to bind VACLs to all unassigned VLANs and VLAN1. All traffic should be blocked. Actually this means we use a MAC access list, an IP access list and an IPv6 access list which match all traffic. This traffic is then dropped by the VACL action. So far so good and working!
But there is a problem.
Imagine this setup:
Now we add the VACL to VLAN1 on both switches.
The problem occurs when the trunk port is restarted. It is shown as "not connected". If we set the port to trunk, there is something missing to re-enable the trunk port after a shutdown. If we unbind the VACL the trunk port is immediately online again. Even worse, when we add the VACL there is no problem and everything is working as expected.
I read some other posts from this forum which indicate that VLAN1 is always used by Cisco for some control traffic: https://learningnetwork.cisco.com/s/question/0D53i00000Kt716CAB/control-traffic-and-vlan-1
And that this is the case even if it is explicitly pruned.
The manual for IOS-XE 17.17 is telling the same story: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-17/configuration_guide/vxlan/b_1717_vlan_9400_cg/configuring_vlan_trunks.html#concept_csp_ghc_3gb
"When you remove VLAN 1 from a trunk port, the interface continues to send and receive management traffic, for example, Cisco Discovery Protocol (CDP), Port Aggregation Protocol (PAgP), Link Aggregation Control Protocol (LACP), DTP, and VTP in VLAN 1."
But we don't use these protocols. As described we do not use negotiation for trunks. And there is no EtherChannel.
So we don't want to use any specific "management traffic" on VLAN1.
First of all I find the definition of "management traffic" misleading as it is traffic which is being processed by the control plane. Nevertheless I will stick with Cisco's definition for my questions below.
1. Which bridge protocol data units (BPDUs) are blocked by a VACL on VLAN1 that are needed to enable a trunk port?
2. Is there a full list of "management traffic" which will always be sent with a VLAN1 tag, given the configuration in the setup above?
3. Is there a way to redirect "management traffic" to another VLAN, like the native one, to make it untagged?
Additionally, I would like to ask you about the general approach.
4. Do you think it is worth adding a VACL to unassigned VLANs and VLAN1 to block any traffic, as a defense-in-depth strategy?
Best regards,
Markus
05-27-2025 12:32 AM
Hello
If the VLANs are not allowed over the trunk then no traffic will be switched over it, and negating VLAN 1 off the trunk and assigning a non-VLAN-1 native VLAN is recommended; you could even shut down the new native VLAN as extra security.
When you say unassigned vlans do you mean vlans not being used- if so then why not just remove them?
As for DTP/CDP/LACP etc., you can just simply turn them off:
DTP = switchport mode access or switchport nonnegotiate (trunk)
CDP = no cdp run (global)
LLDP = no lldp run (global)
LACP = static port-channel (although LACP IS recommended if you were to have an EtherChannel)
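As an added example (not Markus's or Paul's configuration), here is what the setup described in the thread looks like in IOS-XE syntax: the catch-all MAC, IP and IPv6 access lists tied together in a VLAN access map that drops everything, the map bound to VLAN 1 and to a parking VLAN for unused ports, and a static trunk with the negotiation protocols from Paul's list turned off. The VLAN numbers (10, 20, 99, 999), the access-list and access-map names, and the interface names are assumptions.

```cisco
! Catch-all classifiers: a VACL needs a MAC, an IP and an IPv6 match
! so that every frame type hits a "drop" entry (names are assumed).
mac access-list extended VACL-MATCH-ALL-MAC
 permit any any
ip access-list extended VACL-MATCH-ALL-IP
 permit ip any any
ipv6 access-list VACL-MATCH-ALL-IPV6
 permit ipv6 any any
!
! VLAN access map: each sequence drops whatever its classifier matches.
vlan access-map BLOCK-ALL 10
 match mac address VACL-MATCH-ALL-MAC
 action drop
vlan access-map BLOCK-ALL 20
 match ip address VACL-MATCH-ALL-IP
 action drop
vlan access-map BLOCK-ALL 30
 match ipv6 address VACL-MATCH-ALL-IPV6
 action drop
!
! Bind the map to VLAN 1 and to the parking VLAN for unused ports (999 is assumed).
vlan filter BLOCK-ALL vlan-list 1,999
!
! Native VLAN 99 carries nothing and is shut down, as in the thread; 999 parks unused ports.
vlan 99
 name NATIVE-UNUSED
 shutdown
vlan 999
 name PARKING
 shutdown
!
! Discovery protocols from Paul's list, disabled globally.
no cdp run
no lldp run
!
! Static trunk: no DTP, VLAN 1 not in the allowed list, non-default native VLAN.
interface GigabitEthernet1/0/48
 description uplink to peer switch (assumed interface)
 switchport mode trunk
 switchport nonnegotiate
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20
!
! Unused access port: shut down and parked in the dropped VLAN.
interface GigabitEthernet1/0/1
 description unused (assumed interface)
 switchport mode access
 switchport access vlan 999
 shutdown
```

`show vlan filter`, `show vlan access-map BLOCK-ALL` and `show interfaces GigabitEthernet1/0/48 trunk` confirm the binding, the map contents and the allowed/native VLANs on the trunk. The block reproduces the configuration the thread discusses; it does not resolve the reported behaviour of the trunk staying "not connected" after a port restart while the map is bound to VLAN 1, which is the open question of the thread.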
05-27-2025 01:11 AM
Hello Paul,
thank you for your quick answer.
@paul driver wrote: If the VLANs are not allowed over the trunk then no traffic will be switched over it, and negating VLAN 1 off the trunk and assigning a non-VLAN-1 native VLAN is recommended; you could even shut down the new native VLAN as extra security.
So yes, we do not use the native VLAN 99 for anything. It is shutdown. And yes, VLAN1 is pruned and therefore no user data will be and is switched over VLAN1.
@paul driver wrote: When you say unassigned VLANs do you mean VLANs not being used? If so then why not just remove them?
We use the unassigned VLANs for ports which are not used. First we set the unused ports to shutdown and second we put them in an unassigned VLAN.
@paul driver wrote: As for DTP/CDP/LACP etc., you can just simply turn them off:
DTP = switchport mode access or switchport nonnegotiate (trunk)
CDP = no cdp run (global)
LLDP = no lldp run (global)
LACP = static port-channel (although LACP IS recommended if you were to have an EtherChannel)
That's what we do, of course.
So actually, as you said, there should not be any VLAN1 traffic. So why is there a trunk problem when we bind a VACL on VLAN1 blocking all traffic? Which traffic is tagged as VLAN1 even if everything is configured to NOT use VLAN1?
Maybe it is the negotiation for speed and duplex? Or maybe some STP magic?