[c-nsp] Fwd: VLAN 1 through routed ports
Higham, Josh
jhigham at epri.com
Fri Jan 9 12:33:49 EST 2009
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Engelhard Labiro
>
> On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore
> <justin at justinshore.com> wrote:
>
> > And by all means DO NOT USE VLAN 1. That's what bit me in
> the ass last
> > night. An unconfigured 7600 LAN port with switchport, mode
> access and no
> > access vlan defined was a piece in the puzzle of the
> cluster that was my
> > evening last night. VLAN 1 is evil and anyone that uses it
> intentionally is
> > a fool.
>
> agreed. ours always shutdown vlan 1 and define other vlan as native in
> trunk ports.
> this we can sure that "user" traffic is not using vlan 1.
[...]
> If you shutdown vlan 1, the "control" traffic is still tagged with
> vlan 1, eg CDP, VTP.
> But your "user" traffic will not tagged with vlan 1 if you defined
> other vlan as native
Either I'm misunderstanding what you are saying, or this is incorrect.
The native VLAN identifier just dictates what frames are tagged, it
doesn't control whether they are sent. So if the native vlan is 999,
with a default config port is in vlan 1, if the port receives traffic it
will still be sent over the trunk, but tagged with vlan 1 (rather than
untagged if vlan 1 was native).
Changing the native VLAN would not have prevented the problem that
Justin is describing. The only solution to that is making sure that
vlan 1 isn't used in production, so even if frames are generated there
is no destination.
Shutting down the vlan 1 SVI will make sure that no traffic from VLAN 1
is routed, which is a way of enforcing the policy restriction described
above.
Thanks,
Josh
More information about the cisco-nsp
mailing list