Solved: Re: VLANs, etc.

Chris Pohlad-Thomas · ‎02-15-2013

I am working on hardening an L3 switch and had a few questions...

As part of the hardening guide they want you to make sure nothing is assigned to the default VLAN(1) and even want you to shut it down.
They also do not want VLAN 1 being use for in-band management
They do not want the native VLAN assigned to the default VLAN (1)
No access ports should be on the native VLAN

Here is what I propose to do to make that happen.

I've created another VLAN(2) and will move all of the items currently in VLAN1 to VLAN2 and give VLAN2 the old IP of VLAN1. I will then shut down VLAN 1.
I've created a management VLAN (55) that will be used for in-band management of this switch
I will assign the management VLAN (55) to be the native VLAN

I am a little concerned about connectivity between the items that I am moving to VLAN 2, but as long as they are all in VLAN 2 then they will be tagged accordingly right? This switch connects to our firewall with a trunk port.

Should this work?

Reza Sharifi · ‎02-15-2013

That is correct. Whatever device you have currently in vlan 1, move them to vlan 2 and they should work just fine. You are also using vlan 55 for management which should work fine.

Also, as part of good practice, it is recommended to park unused access ports in a separate vlan and not leave them in vlan 1.

HTH

View solution in original post

Chris Pohlad-Thomas · ‎02-15-2013

bump

Reza Sharifi · ‎02-15-2013

That is correct. Whatever device you have currently in vlan 1, move them to vlan 2 and they should work just fine. You are also using vlan 55 for management which should work fine.

Also, as part of good practice, it is recommended to park unused access ports in a separate vlan and not leave them in vlan 1.

HTH

Chris Pohlad-Thomas · ‎02-15-2013

Great! Thanks for the info. I have another vlan for disabled ports and have all the interfaces shut down.

Sent from Cisco Technical Support Android App