[nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)

Pete Kruckenberg pete at kruckenberg.com
Wed Aug 27 19:01:20 EDT 2003

I'm implementing a fairly large public Ethernet WAN/MAN
network, using primarily Cisco L2/L3 switches (6500, 4500,
3750, 3550). I'm finding out the hard way that VTP and VLAN
1, while they are friends to the Cisco enterprise network
engineer, they are becoming a nightmare for me.

My basic question: what are best practices for securing VTP
and VLAN 1 in a Cisco Layer2 network (ie no Layer3
boundaries), so individual organizations connected to that
network don't end up configuring each other's networks?

Right now, I am blocking VLAN1 on the dot1Q trunks between
my switches and customer switches, both on my side and the
CPE side. I am configuring VTP to transparent mode on the
customer switch and setting the VTP domain to some random
name. This all so VTP can only be enabled with multiple,
deliberate configuration changes. Is this a good solution?  
What else should I be doing, or what shouldn't I be doing?

A specific concern: can I safely block VLAN1 between Cisco
switches without breaking things (esp my ability to manage
the switches in-band)? What about changing the native VLAN
(especially to get rid of those pesky syslog messages), is
that a good idea and would it help solve these problems?

Any good resources on CCO or elsewhere that I should read?

Thanks for your help and insight.

More information about the cisco-nsp mailing list