[c-nsp] Fwd: VLAN 1 through routed ports
Engelhard Labiro
engel.labiro at gmail.com
Fri Jan 9 05:33:09 EST 2009
On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore <justin at justinshore.com> wrote:
> And by all means DO NOT USE VLAN 1. That's what bit me in the ass last
> night. An unconfigured 7600 LAN port with switchport, mode access and no
> access vlan defined was a piece in the puzzle of the cluster that was my
> evening last night. VLAN 1 is evil and anyone that uses it intentionally is
> a fool.
agreed. ours always shutdown vlan 1 and define other vlan as native in
trunk ports.
this we can sure that "user" traffic is not using vlan 1.
> On a related side note, can VLAN 1 be disabled? If the state is set to
> suspended or the vlan is 'shutdown' in vlan sub-config mode, would that
> actually shutdown VLAN 1?
If you shutdown vlan 1, the "control" traffic is still tagged with
vlan 1, eg CDP, VTP.
But your "user" traffic will not tagged with vlan 1 if you defined
other vlan as native
>If a default config access-mode switchport in
> VLAN by default receives a packet, does it drop it?
I believe "control" traffic (CDP, VTP) will not be dropped from the port.
> I'm looking for ways to
> prevent what happened last night and since I can't remove VLAN 1 from the
> trunk ports in question I'd like to figure out how to disable the VLAN. The
> other option would be to change the VLAN used by default for the access VLAN
> when one isn't configured on a port. Is there a config option for that?
I think best practice is an "access" port must belong to a vlan other
than default (vlan 1 in cisco). This is simple with command "interface
range" and "switchport access vlan XXX".
HTH
Engel
More information about the cisco-nsp
mailing list