[c-nsp] Fwd: VLAN 1 through routed ports

Engelhard Labiro engel.labiro at gmail.com
Fri Jan 9 05:33:09 EST 2009


On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore <justin at justinshore.com> wrote:

> And by all means DO NOT USE VLAN 1.  That's what bit me in the ass last
> night.  An unconfigured 7600 LAN port with switchport, mode access and no
> access vlan defined was a piece in the puzzle of the cluster that was my
> evening last night.  VLAN 1 is evil and anyone that uses it intentionally is
> a fool.

Agreed. Ours always shut down VLAN 1 and define another VLAN as native on
trunk ports.
This way we can be sure that "user" traffic is not using VLAN 1.

> On a related side note, can VLAN 1 be disabled?  If the state is set to
> suspended or the vlan is 'shutdown' in vlan sub-config mode, would that
> actually shutdown VLAN 1?

If you shut down VLAN 1, the "control" traffic is still tagged with
VLAN 1, e.g. CDP, VTP.
But your "user" traffic will not be tagged with VLAN 1 if you defined
another VLAN as native.

> If a default config access-mode switchport in
> VLAN by default receives a packet, does it drop it?

I believe "control" traffic (CDP, VTP) will not be dropped from the port.

> I'm looking for ways to
> prevent what happened last night and since I can't remove VLAN 1 from the
> trunk ports in question I'd like to figure out how to disable the VLAN.  The
> other option would be to change the VLAN used by default for the access VLAN
> when one isn't configured on a port.  Is there a config option for that?

I think best practice is that an "access" port must belong to a VLAN other
than the default (VLAN 1 in Cisco). This is simple with the commands "interface
range" and "switchport access vlan XXX".

HTH
Engel
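
The practice described in this reply (VLAN 1 shut down, a dedicated native VLAN on trunks, and access ports assigned in bulk with "interface range"), written out as an added Catalyst IOS configuration example; it is not from the original post, and the VLAN numbers, VLAN names and interface ranges are assumptions.

```cisco
! Added example, not from the thread. VLAN ids, names and interface
! ranges are assumed; adjust to the platform and design in use.
!
! Dedicated native VLAN for trunks: untagged frames land here, never in VLAN 1.
vlan 999
 name NATIVE-UNUSED
!
! Parking VLAN for ports that are not in service.
vlan 998
 name PARKING
!
! VLAN for real user access ports.
vlan 100
 name USERS
!
! Shut down VLAN 1 as the reply describes. Control traffic (CDP, VTP)
! still uses VLAN 1; only user forwarding in VLAN 1 stops. Some platforms
! reject "shutdown" on VLAN 1; the port settings below do not depend on it.
vlan 1
 shutdown
!
! Every access port gets an explicit VLAN, so a port left at the default
! "switchport mode access" with no access VLAN cannot fall into VLAN 1.
interface range GigabitEthernet1/1 - 24
 switchport
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
!
! Trunk: native VLAN moved off VLAN 1; VLAN 1 left out of the allowed list
! where the trunk does not need it (this does not stop CDP/VTP on VLAN 1).
interface TenGigabitEthernet2/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100,999
 switchport nonegotiate
!
! Unused ports: parked in a VLAN nothing else uses, and shut down.
interface range GigabitEthernet1/25 - 48
 switchport
 switchport mode access
 switchport access vlan 998
 shutdown
```

Verify with "show interfaces switchport" that no access port reports VLAN 1 and that every trunk reports the intended native VLAN.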
