[c-nsp] VLANs,Trunking and VLAN 1

Mark Tohill Mark at u.tv
Wed Oct 25 09:39:32 EDT 2006


Thanks for your reply Vincent, responses below >>:

> 1.	VLAN1 can be disabled from a trunk port via the CLI, but it is
> never 'really' disabled. It is used by CDP, VTP etc in the background.

That's my feeling too.

> 2.	You should always explicitly tag the native vlan of a switch to
> avoid possible confusion. This means that any port not specifically 
> assigned to a vlan(s) will be tagged with this native vlan tag.

Native VLAN is IMHO a per-port concept, rather than a per-switch. AFAIU,
native VLAN on a trunk means two things.
* do not tag frames of this VLAN when going out on the trunk
* consider untagged incoming frames as belonging to this VLAN

>> That makes sense (now :) )

> 3.	Keep user traffic and management traffic away from VLAN 1, since
> it has performance/stability implications for STP, for example.

Yes, keep away from VLAN1 as much as you can.

>> Considering our network has only a small number of access switches,
and we were to switch across an L2 Etherchannel in our distribution layer
(multiple VLANs spanning several access switches), then letting VLAN1 do
its thing wouldn't be a problem?


> What are the best practices for VLAN 1, the native VLAN, user and 
> management VLANs? I have read a lot of the doc on CCO regarding this 
> but find this a little confusing.

What we do is
* VLAN1: stay away as much as possible
* native VLAN: do not really bother, native VLAN1 is fine

>> But tag it anyway....for completeness?

* user VLAN: what do you mean by that?

>> Sorry, I meant user/data VLANs.

* management VLAN: we use 5 or 10 depending on the network, but any
other value should be fine too

What you might want to use is a "jail" VLAN where you put all ports that
are not in use: in this way, rogue connections or misconfigured ports
won't harm more than the jail VLAN.

>> Ok.

YMMV.

Vincent 

-----Original Message-----
From: Vincent De Keyzer [mailto:vincent at dekeyzer.net] 
Sent: 25 October 2006 14:07
To: Mark Tohill
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] VLANs,Trunking and VLAN 1

Mark,

> 1.	VLAN1 can be disabled from a trunk port via the CLI, but it is
> never 'really' disabled. It is used by CDP, VTP etc in the background.

That's my feeling too.

> 2.	You should always explicitly tag the native vlan of a switch to
> avoid possible confusion. This means that any port not specifically 
> assigned to a vlan(s) will be tagged with this native vlan tag.

Native VLAN is IMHO a per-port concept, rather than a per-switch. AFAIU,
native VLAN on a trunk means two things.
* do not tag frames of this VLAN when going out on the trunk
* consider untagged incoming frames as belonging to this VLAN

> 3.	Keep user traffic and management traffic away from VLAN 1, since
> it has performance/stability implications for STP, for example.

Yes, keep away from VLAN1 as much as you can.

> What are the best practices for VLAN 1, the native VLAN, user and 
> management VLANs? I have read a lot of the doc on CCO regarding this 
> but find this a little confusing.

What we do is
* VLAN1: stay away as much as possible
* native VLAN: do not really bother, native VLAN1 is fine
* user VLAN: what do you mean by that?
* management VLAN: we use 5 or 10 depending on the network, but any
other value should be fine too

What you might want to use is a "jail" VLAN where you put all ports that
are not in use: in this way, rogue connections or misconfigured ports
won't harm more than the jail VLAN.

YMMV.

Vincent
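The two points Vincent makes about a trunk's native VLAN (frames of that VLAN leave the trunk untagged, untagged frames arriving on the trunk land in it) and his "jail" VLAN suggestion for unused ports are both easy to check mechanically. The following Python is an added example, not code from the list thread or from Cisco: a small model of native-VLAN handling on an 802.1Q trunk, plus an audit of a constructed IOS-style running-config that flags trunks whose native VLAN is still 1, access ports carrying traffic on VLAN 1, and undescribed ports that are not parked in the jail VLAN. The sample config, the jail VLAN number 999, the "no description means unused" heuristic, and the modelling of `vlan dot1q tag native` as dropping untagged ingress frames are all assumptions made for the example.

```python
"""Native-VLAN model for an 802.1Q trunk plus a VLAN-hygiene audit of an
IOS-style config. Added example; not from the thread or from Cisco."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample running-config (not from a real switch).
CONFIG = """\
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/2
 description user PC
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet0/4
 switchport mode access
!
"""


@dataclass
class Trunk:
    """Frame handling on one trunk port, as described in the thread."""
    native: int = 1
    tag_native: bool = False          # assumed model of 'vlan dot1q tag native'
    allowed: frozenset = frozenset(range(1, 4095))

    def egress(self, vlan: int) -> Optional[int]:
        """Tag a frame of `vlan` carries when leaving the trunk; None = untagged."""
        if vlan not in self.allowed:
            raise ValueError(f"VLAN {vlan} not allowed on trunk")
        if vlan == self.native and not self.tag_native:
            return None
        return vlan

    def ingress(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in; None = frame dropped."""
        if tag is None:
            # Untagged frames belong to the native VLAN, unless the native
            # VLAN is tagged, in which case they are dropped (assumption).
            return None if self.tag_native else self.native
        return tag if tag in self.allowed else None


def parse_interfaces(config: str) -> dict:
    """Parse interface blocks; defaults mirror IOS (access port, VLAN 1)."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {"mode": "access", "access_vlan": 1, "native_vlan": 1,
                       "shutdown": False, "description": ""}
            ifaces[line.split(None, 1)[1]] = current
        elif current is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("switchport mode "):
                current["mode"] = cmd.split()[-1]
            elif (m := re.match(r"switchport access vlan (\d+)$", cmd)):
                current["access_vlan"] = int(m.group(1))
            elif (m := re.match(r"switchport trunk native vlan (\d+)$", cmd)):
                current["native_vlan"] = int(m.group(1))
            elif cmd == "shutdown":
                current["shutdown"] = True
            elif cmd.startswith("description "):
                current["description"] = cmd[len("description "):]
        else:
            current = None          # '!' or any other top-level line ends the block
    return ifaces


def audit(config: str, jail_vlan: int) -> list:
    """Return (interface, finding) pairs for the practices the thread recommends."""
    findings = []
    for name, i in sorted(parse_interfaces(config).items()):
        if i["shutdown"]:
            continue                # an administratively down port carries nothing
        if i["mode"] == "trunk" and i["native_vlan"] == 1:
            findings.append((name, "trunk native VLAN is 1"))
        if i["mode"] == "access" and i["access_vlan"] == 1:
            findings.append((name, "access port on VLAN 1"))
        # Heuristic (assumption): a port with no description is treated as unused.
        if i["mode"] == "access" and not i["description"] and i["access_vlan"] != jail_vlan:
            findings.append((name, "undescribed port not parked in jail VLAN"))
    return findings


if __name__ == "__main__":
    t = Trunk(native=1)
    print("VLAN 1 egress tag:", t.egress(1), "| untagged ingress ->", t.ingress(None))
    for iface, finding in audit(CONFIG, jail_vlan=999):
        print(f"{iface}: {finding}")
```

Running the audit against the sample config reports the trunk still using native VLAN 1, the user port left on VLAN 1, and the unused `GigabitEthernet0/4` that is neither described nor parked in VLAN 999; `GigabitEthernet0/3`, shut down and in the jail VLAN, produces nothing.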
