[c-nsp] VLANs,Trunking and VLAN 1

Vincent De Keyzer vincent at dekeyzer.net
Wed Oct 25 09:07:27 EDT 2006


Mark,

> 1.	VLAN1 can be disabled from a trunk port via the CLI, but it is
> never 'really' disabled. It is used by CDP, VTP etc in the background.

That's my feeling too.

> 2.	You should always explicitly tag the native vlan of a switch to
> avoid possible confusion. This means that any port not specifically
> assigned to a vlan(s) will be tagged with this native vlan tag.

Native VLAN is IMHO a per-port concept, rather than a per-switch one. AFAIU,
native VLAN on a trunk means two things.
* do not tag frames of this VLAN when going out on the trunk
* consider untagged incoming frames as belonging to this VLAN

> 3.	Keep user traffic and management traffic away from VLAN 1, since
> it has performance/stability implications for STP, for example.

Yes, keep away from VLAN1 as much as you can.

> What are the best practices for VLAN 1, the native VLAN, user and
> management VLAN's? I have read a lot of the doc on CCO regarding this
> but find this a little confusing.

What we do is
* VLAN1: stay away as much as possible
* native VLAN: do not really bother, native VLAN1 is fine
* user VLAN: what do you mean by that?
* management VLAN: we use 5 or 10 depending on the network, but any other
value should be fine too

What you might want to use is a "jail" VLAN where you put all ports that are
not in use: in this way, rogue connections or misconfigured ports won't harm
more than the jail VLAN.

YMMV.

Vincent
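The two native-VLAN rules Vincent gives above (untagged on egress for the native VLAN, untagged ingress frames assigned to the native VLAN) are easy to get wrong when the two ends of a trunk disagree. The following is an added example, not part of the original message or of any Cisco code: a small Python model of 802.1Q tagging on a trunk port. The `tag_native` flag is an assumption standing in for the "explicitly tag the native VLAN" option Mark mentions; in this model untagged frames are dropped on ingress when it is set. The frame bytes and VLAN numbers are constructed for the demo.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q tag


def build_frame(dst, src, ethertype, payload):
    """Untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame, vlan_id, pcp=0):
    """Insert an 802.1Q tag (TPID + TCI) right after the source MAC."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_vlan(frame):
    """Return the VLAN id of a tagged frame, or None if it is untagged."""
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF
    return None


def trunk_egress(frame, vlan_id, native_vlan, tag_native=False):
    """Frame leaving a trunk port.

    Rule 1 from the message: frames of the native VLAN go out untagged,
    unless the port is configured to tag the native VLAN explicitly
    (tag_native is an assumed name for that option).
    """
    if vlan_id == native_vlan and not tag_native:
        return frame
    return tag_frame(frame, vlan_id)


def trunk_ingress(frame, native_vlan, tag_native=False):
    """Frame arriving on a trunk port -> (vlan_id, untagged frame) or None.

    Rule 2 from the message: an untagged frame belongs to the native VLAN.
    When the native VLAN must be tagged, an untagged frame has no valid
    VLAN and is dropped (returns None) in this model.
    """
    vid = parse_vlan(frame)
    if vid is None:
        if tag_native:
            return None
        return native_vlan, frame
    return vid, frame[:12] + frame[16:]  # strip the 4-byte tag


def native_mismatch_demo(frame, vlan_id, native_a, native_b):
    """Send a frame out switch A's trunk and receive it on switch B's trunk.

    Returns the VLAN the frame ends up in on B. When the two ports have
    different native VLANs, a native-VLAN frame silently hops VLANs,
    which is why native VLAN is a per-port setting that must match.
    """
    on_wire = trunk_egress(frame, vlan_id, native_a)
    result = trunk_ingress(on_wire, native_b)
    return result[0] if result else None


if __name__ == "__main__":
    # Constructed sample frame: broadcast dst, made-up src MAC, IPv4 EtherType.
    f = build_frame(b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55", 0x0800, b"hello")
    print("VLAN 1 frame, both ends native 1   ->", native_mismatch_demo(f, 1, 1, 1))
    print("VLAN 1 frame, A native 1, B native 10 ->", native_mismatch_demo(f, 1, 1, 10))
    print("VLAN 5 frame, A native 1, B native 10 ->", native_mismatch_demo(f, 5, 1, 10))
```

Running the demo shows that only frames of the native VLAN are affected by a mismatch: a VLAN 5 frame is tagged and lands in VLAN 5 regardless, while a VLAN 1 frame sent untagged by a port whose native VLAN is 1 is received into VLAN 10 by a peer whose native VLAN is 10. Tagging the native VLAN on both ends removes that ambiguity, at the cost of dropping any untagged frame.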