I am working on hardening an L3 switch and had a few questions...
As part of the hardening guide they want you to make sure nothing is assigned to the default VLAN(1) and even want you to shut it down.
They also do not want VLAN 1 being use for in-band management
They do not want the native VLAN assigned to the default VLAN (1)
No access ports should be on the native VLAN
Here is what I propose to do to make that happen.
I've created another VLAN(2) and will move all of the items currently in VLAN1 to VLAN2 and give VLAN2 the old IP of VLAN1. I will then shut down VLAN 1.
I've created a management VLAN (55) that will be used for in-band management of this switch
I will assign the management VLAN (55) to be the native VLAN
I am a little concerned about connectivity between the items that I am moving to VLAN 2, but as long as they are all in VLAN 2 then they will be tagged accordingly right? This switch connects to our firewall with a trunk port.
That is correct. Whatever device you have currently in vlan 1, move them to vlan 2 and they should work just fine. You are also using vlan 55 for management which should work fine.
Also, as part of good practice, it is recommended to park unused access ports in a separate vlan and not leave them in vlan 1.
That is correct. Whatever device you have currently in vlan 1, move them to vlan 2 and they should work just fine. You are also using vlan 55 for management which should work fine.
Also, as part of good practice, it is recommended to park unused access ports in a separate vlan and not leave them in vlan 1.
Great! Thanks for the info. I have another vlan for disabled ports and have all the interfaces shut down.
Sent from Cisco Technical Support Android App
Getting Started
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:
.jpg "Hall of Fame Master"){kind=icon}
