[c-nsp] STP, native VLAN and trunks
Michael K. Smith - Adhost
mksmith at adhost.com
Tue Dec 13 14:31:21 EST 2005
I was talking to a security geek (tm) that recommended using a separate
and distinct VLAN that is not VLAN 1 for your native VLAN on all trunk
interfaces, and then not using that VLAN for anything else. This is in
addition to changing the management interface on every device to yet
another VLAN, not VLAN 1 and not the native VLAN on the trunk
interfaces.
With all of that in place, you can safely block all communications on
VLAN 1 using VLAN allow lists on all interfaces. This has a certain
sense of comfort to it, given the propensity of people to leave default
configurations in place with VLAN 1, VTP Domain Catalyst, No Password.
Mike
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of McLean Pickett
Sent: Tuesday, December 13, 2005 10:35 AM
To: Christian Zeng; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] STP, native VLAN and trunks
You need to layer 2 port in the VLAN before a STP instance is created. I
don't believe the presence of a VLAN on a trunk alone with create a STP
instance.
The native vlan on a trunk port should be allowed on trunk for CDP and
other protocols to function. Typically native vlan's are left as vlan 1
which is not used anywhere else. In recent versions of code Cisco has
introduced features that mitigate the risk of having vlan 1 trunked all
over your layer 2 network.
Native VLAN's need to be the same on both ends and they need to be
allowed over the trunk. Production VLAN's should not be used as the
native vlan on a trunk.
STP re-calcs on the native VLAN should not interrupt traffic on the
production VLAN's. However, if you are not allowing the native VLAN on a
802.1q trunk your results may vary since the BDPU's for the native VLAN
are not being passed.
Also, you may want to take a second look at your layer 2 design. If you
can stack A and B and use redundant trunks from C to (A and B) and D to
(A and B). The CB and DB links should be blocking on the C and D ends
with the stack configured as the root bridge.
McLean
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Zeng
Sent: Tuesday, December 13, 2005 1:12 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] STP, native VLAN and trunks
Hi,
today a quite interesting discussion developed here at work regarding
per-VLAN STP, native VLANs and trunking.
Given the following switch topology:
A------------B
| |
| |
| |
D------------C
each switch has .1q trunks to its neighbours configured. The native VLAN
used on all trunks is the same as well as some VLANs used for
production traffic.
The discussion was about using a different native VLAN ID at least at
one trunk because otherwise a STP topology change could harm trunk
operation and affecting the production VLANs, too, even if PVSTP runs
(blocked native VLAN = trunk failure?).
At the first look, I agreed to this. Digging deeper, more questions
arised and I'm not sure if the different native VLAN will make much
sense.
Why should the recalculation of STP for the native VLAN have any effect
on forwarding frames for any other VLAN over the trunks?
Another question is: When there is a VLAN defined as "native" for a
trunk, this VLAN is excluded from the list of allowed VLANs on that
trunk and it is not used at any other place in the switch, why is there
no STP instance created?
spanning-tree vlan 800,840 priority 8192
!
interface GigabitEthernet2/5
switchport trunk encapsulation dot1q
switchport trunk native vlan 840
switchport trunk allowed vlan 800
switchport mode trunk
#sh span vlan 840
Spanning tree instance(s) for vlan 840 does not exist.
Why should I include the native VLAN on the list of allowed VLANs?
Thanks,
Christian
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list