[nsp] Securing Cisco Layer2 (esp. VTP & VLAN 1)

sthaug at nethelp.no sthaug at nethelp.no
Sat Aug 30 14:56:07 EDT 2003


> I'm implementing a fairly large public Ethernet WAN/MAN
> network, using primarily Cisco L2/L3 switches (6500, 4500,
> 3750, 3550). I'm finding out the hard way that VTP and VLAN
> 1, while they are friends to the Cisco enterprise network
> engineer, they are becoming a nightmare for me.
> 
> My basic question: what are best practices for securing VTP
> and VLAN 1 in a Cisco Layer2 network (ie no Layer3
> boundaries), so individual organizations connected to that
> network don't end up configuring each other's networks?

Never, ever, use VLAN 1 for customer traffic or for your own traffic -
simply leave it alone, unused.

I would recommend not using VTP at all. We've had considerably fewer
problems after we configured all our switches to VTP transparent. VTP
is simply too large a risk (a problem on the VTP server can f*ck up your
whole network completely).

Use "allowed vlan" on your trunks - reduce the size of each VLAN as
much as possible.

Use "vlan dot1q tag native" to get rid of any possible problem with
trunks having a mix of tagged and untagged traffic.

For your customers, you need to decide whether you're only moving "data
plane" traffic for them (e.g. Ethernet frames with IP in them), or if
you're also moving "control plane" traffic such as STP, CDP and VTP. It
is considerably harder to come up with a good architecture if you also
need to move "control plane" traffic for your customers. Consider the
use of Layer 2 protocol tunneling if your customers need STP, CDP and
VTP (but keep in mind that this uses the switch CPU and is not performed
in hardware).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no
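The advice above (VLAN 1 left unused, VTP transparent, "allowed vlan" on every trunk, "vlan dot1q tag native") is easy to state and easy to miss on one switch out of fifty. Below is an added example, not part of Steinar's post and not Cisco's tooling: a small Python audit that reads an IOS-style running-config and reports every place the config departs from that advice. The two configs embedded in it are constructed for the example; the acceptance of "vtp mode off" alongside "transparent" is an assumption for IOS releases that support it. The "allowed vlan" folding handles the plain, "add", "remove" and "except" forms, which goes beyond the single "allowed vlan" the post mentions.

```python
"""Audit a Cisco IOS running-config for VLAN 1 / VTP hygiene (added example)."""
import re

# Constructed sample: a customer-facing switch before hardening.
WEAK_CONFIG = """\
hostname edge-sw1
vtp domain metro
vtp mode server
!
interface GigabitEthernet1/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 description customer A
 switchport access vlan 1
 switchport mode access
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
"""

# Constructed sample: the same switch after applying the post's recommendations.
HARDENED_CONFIG = """\
hostname edge-sw1
vtp domain metro
vtp mode transparent
vlan dot1q tag native
!
interface GigabitEthernet1/1
 description uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,200
 switchport mode trunk
!
interface GigabitEthernet1/2
 description customer A
 switchport access vlan 100
 switchport mode access
!
interface Vlan1
 no ip address
 shutdown
"""

ALL_VLANS = set(range(1, 4095))


def _expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '100,200,300-310' (or 'all'/'none') into a set."""
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def _trunk_allowed_vlans(lines):
    """Fold the 'switchport trunk allowed vlan ...' lines of one interface into a set.
    Returns None when no such line exists (IOS default: every VLAN, VLAN 1 included)."""
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (?:(add|remove|except) )?(\S+)$", line)
        if not m:
            continue
        verb, spec = m.groups()
        if allowed is None:
            allowed = set(ALL_VLANS)
        if verb == "add":
            allowed |= _expand_vlan_list(spec)
        elif verb == "remove":
            allowed -= _expand_vlan_list(spec)
        elif verb == "except":
            allowed = ALL_VLANS - _expand_vlan_list(spec)
        else:
            allowed = _expand_vlan_list(spec)
    return allowed


def parse_config(config):
    """Split an IOS config into top-level lines and per-interface sub-blocks."""
    top, interfaces, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        m = re.match(r"^interface (\S+)$", raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            top.append(raw.strip())
    return top, interfaces


def audit(config):
    """Return a list of findings; an empty list means the config follows the advice."""
    findings = []
    top, interfaces = parse_config(config)
    # VTP: transparent keeps a mis-set or rogue server from rewriting the VLAN
    # database on every switch ('off' accepted as an assumption for newer IOS).
    if not any(l in ("vtp mode transparent", "vtp mode off") for l in top):
        findings.append("global: VTP is not in transparent mode")
    # Tagging the native VLAN removes the tagged/untagged mix on trunks.
    if "vlan dot1q tag native" not in top:
        findings.append("global: 'vlan dot1q tag native' is not set")
    for name, lines in interfaces.items():
        if "switchport mode trunk" in lines:
            allowed = _trunk_allowed_vlans(lines)
            if allowed is None:
                findings.append(f"{name}: trunk has no 'switchport trunk allowed vlan'")
            elif 1 in allowed:
                findings.append(f"{name}: trunk allows VLAN 1")
            native = 1  # IOS default native VLAN
            for l in lines:
                m = re.match(r"switchport trunk native vlan (\d+)$", l)
                if m:
                    native = int(m.group(1))
            if native == 1:
                findings.append(f"{name}: trunk native VLAN is 1")
        if "switchport mode access" in lines:
            access = 1  # IOS default access VLAN
            for l in lines:
                m = re.match(r"switchport access vlan (\d+)$", l)
                if m:
                    access = int(m.group(1))
            if access == 1:
                findings.append(f"{name}: access port is in VLAN 1")
        if name.lower() == "vlan1" and "shutdown" not in lines:
            findings.append("Vlan1: SVI is not shut down (management traffic on VLAN 1)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit(cfg) or ['no findings']}")
```

Run it against a "show running-config" capture from each switch; the weak sample produces six findings (VTP server, no native tagging, an unrestricted trunk on native VLAN 1, an access port in VLAN 1 and a live Vlan1 SVI), the hardened one none. The audit does not look at the customer-facing control-plane question (STP/CDP/VTP tunnelling) from the last paragraph, which is an architecture decision rather than a per-line config check.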


More information about the cisco-nsp mailing list