[c-nsp] VLANs,Trunking and VLAN 1
Joe Provo
jzp-cnsp at rsuc.gweep.net
Wed Oct 25 10:40:43 EDT 2006
On Wed, Oct 25, 2006 at 02:39:32PM +0100, Mark Tohill wrote:
[snip]
> Considering our network has only a small number of access switches,
> and we were to switch across a L2 Etherchannel in our distribution layer
> (multiple vlans spanning several access switches), then letting VLAN1 do
> its thing wouldn't be a problem?
As previously recommended, disable it (as much as possible) and explicitly
configure items away from it as part of your regular course of provisioning.
Then you have
- protection against any 'rogue' or incorrectly provisioned items
- detection of same, e.g. any port or traffic on VLAN1 is out of spec
and considered suspect.
The removal of random folks today or in the future plugging things
into your infrastructure and 'just working' is essential in a service
provider environment. Especially if you don't discover it until
some time passes and you (or your successor) then need to tease apart
"what exists and someone has grown to depend upon" from what should
be for maintenance, management and security.
Cheers,
Joe
--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
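The "detection of same" point in the reply above, as an added example that is not from the thread or any of its posters: a small Python audit over an IOS-style running-config that reports every interface still leaning on VLAN 1, whether explicitly or by default. The config text is constructed for the example; it assumes IOS conventions (an "interface X" line followed by indented commands, blocks separated by "!") and IOS defaults (an access port with no "switchport access vlan" sits in VLAN 1; a trunk with no "switchport trunk native vlan" uses native VLAN 1 and, with no "allowed vlan" list, carries every VLAN including 1). Only the plain "allowed vlan <list>" form is parsed; the add/remove/except/all/none variants are out of scope here.

```python
"""Audit an IOS-style switch config for residual VLAN 1 dependence.

Added example, not code from the cisco-nsp thread. Assumes IOS syntax and
IOS defaults as described in the lead-in; sample config is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample: Gi0/1 and Gi0/2 still depend on VLAN 1 (the weak form);
# Gi0/3, Gi0/4 and the shut Vlan1 / separate Vlan100 SVI show the
# "provisioned away from VLAN 1" form.
SAMPLE_CONFIG = """\
hostname access-sw-01
!
interface GigabitEthernet0/1
 description unused port left at defaults
 switchport mode access
!
interface GigabitEthernet0/2
 description uplink, native vlan left at default
 switchport mode trunk
 switchport trunk allowed vlan 1,10-20
!
interface GigabitEthernet0/3
 description customer access port
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 description uplink, VLAN 1 removed
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-20,100
!
interface GigabitEthernet0/5
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description management
 ip address 10.0.100.5 255.255.255.0
!
end
"""

PHYSICAL_PREFIXES = ("gigabitethernet", "tengigabitethernet", "fastethernet", "ethernet")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [commands]} for every 'interface' block."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-20,100' into a set of ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_vlan1(config: str) -> List[str]:
    """One finding per live interface that still depends on VLAN 1."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # admin-down: nothing can be plugged in and 'just work'
        if name.lower() == "vlan1":
            findings.append(f"{name}: management SVI on VLAN 1 is not shut down")
            continue
        if not name.lower().startswith(PHYSICAL_PREFIXES):
            continue  # other SVIs, loopbacks, port-channels: out of scope here
        if "switchport mode trunk" in cmds:
            native, allowed = 1, set(range(1, 4095))  # IOS defaults
            for c in cmds:
                m = re.match(r"switchport trunk native vlan (\d+)$", c)
                if m:
                    native = int(m.group(1))
                m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", c)
                if m:
                    allowed = expand_vlan_list(m.group(1))
            if native == 1:
                findings.append(f"{name}: trunk uses native VLAN 1 (untagged frames land in VLAN 1)")
            if 1 in allowed:
                findings.append(f"{name}: trunk carries VLAN 1")
        else:
            access = 1  # IOS default for an access port
            for c in cmds:
                m = re.match(r"switchport access vlan (\d+)$", c)
                if m:
                    access = int(m.group(1))
            if access == 1:
                findings.append(f"{name}: access port sits in VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit_vlan1(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config this reports Gi0/1 (default access VLAN) and Gi0/2 twice (default native VLAN plus VLAN 1 in the allowed list), and nothing for the ports already moved off VLAN 1 or shut down. Pointing it at each switch's saved config as part of the provisioning routine gives the "any port on VLAN1 is out of spec" check a mechanical form, so drift shows up before someone has grown to depend on it.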