[nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)

Sean Mathias seanm at prosolve.com
Wed Aug 27 20:46:33 EDT 2003

In 7.2 and later CatOS (maybe even earlier releases), set vtp off.  As
for VLAN1, don't use it.  You do not have to put the console port (sc0)
in VLAN1, simply remap it to another 'secure' vlan.

Bear in mind that there is really nothing special about VLAN1,
especially if there are no ports assigned to it.


-----Original Message-----
From: Pete Kruckenberg [mailto:pete at kruckenberg.com] 
Sent: Wednesday, August 27, 2003 5:01 PM
To: cisco-nsp at puck.nether.net
Subject: [nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)

I'm implementing a fairly large public Ethernet WAN/MAN network, using
primarily Cisco L2/L3 switches (6500, 4500, 3750, 3550). I'm finding out
the hard way that VTP and VLAN 1, while they are friends to the Cisco
enterprise network engineer, they are becoming a nightmare for me.

My basic question: what are best practices for securing VTP
and VLAN 1 in a Cisco Layer2 network (ie no Layer3
boundaries), so individual organizations connected to that network don't
end up configuring each other's networks?

Right now, I am blocking VLAN1 on the dot1Q trunks between
my switches and customer switches, both on my side and the
CPE side. I am configuring VTP to transparent mode on the customer
switch and setting the VTP domain to some random name. This all so VTP
can only be enabled with multiple, deliberate configuration changes. Is
this a good solution?  
What else should I be doing, or what shouldn't I be doing?

A specific concern: can I safely block VLAN1 between Cisco switches
without breaking things (esp my ability to manage the switches in-band)?
What about changing the native VLAN (especially to get rid of those
pesky syslog messages), is that a good idea and would it help solve
these problems?

Any good resources on CCO or elsewhere that I should read?

Thanks for your help and insight.

cisco-nsp mailing list  cisco-nsp at puck.nether.net
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list