[c-nsp] Fwd: VLAN 1 through routed ports
Justin Shore
justin at justinshore.com
Sun Jan 11 11:37:57 EST 2009
Higham, Josh wrote:
> Either I'm misunderstanding what you are saying, or this is incorrect.
>
> The native VLAN identifier just dictates what frames are tagged, it
> doesn't control whether they are sent. So if the native vlan is 999,
> with a default config the port is in vlan 1, if the port receives traffic it
> will still be sent over the trunk, but tagged with vlan 1 (rather than
> untagged if vlan 1 was native).
>
> Changing the native VLAN would not have prevented the problem that
> Justin is describing. The only solution to that is making sure that
> vlan 1 isn't used in production, so even if frames are generated there
> is no destination.
I think Engel may have mis-read my email and thought I was on a trunk
port in which case what he wrote would have been correct. In my case
though I was on an access port. Most of that port's config had been
wiped clean leaving only switchport and mode access. I could avoid the
issue in the future (assuming that the VPN SPA's broken default config
can't be fixed) by assigning all my unused access ints to a dummy VLAN.
That would get them out of VLAN 1 and avoid the problem. I usually
have all unused ints shut down when not in use but in this case it was an
int I'd previously used for testing and instead wiped the int config
clean but left it up.
> Shutting down the vlan 1 SVI will make sure that no traffic from VLAN 1
> is routed, which is a way of enforcing the policy restriction described
> above.
I always shut the VLAN 1 SVI on devices that have it by default
(switches for example) and never create it on those that don't. I'm
curious though about shutting down the L2 VLAN. That would prove
to be helpful. Another helpful thing would be if Cisco would not put an
access port into admin up state if an access VLAN hasn't been explicitly
defined. If a VLAN hasn't been manually defined then IMHO the
interface's config is incomplete and should not be allowed up. Another
option would be if Cisco would add the ability to define the default
VLAN used on all ports that don't have an explicit access VLAN defined.
That would be helpful as well.
Justin
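Since IOS will not refuse to bring up an access port that has no explicit access VLAN, the policy Justin describes (no admin-up access port left in VLAN 1) can at least be audited offline. The following is an added example, not code from the original post or from Cisco: it parses a constructed running-config excerpt and lists admin-up access ports that would land in VLAN 1, whether by the IOS default or by an explicit `switchport access vlan 1`. It assumes the IOS default access VLAN of 1, that stanza sub-commands are indented by one space, and that trunks and routed ports are checked separately.

```python
# Constructed sample running-config excerpt (not from the original post).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode access
!
interface GigabitEthernet1/2
 switchport mode access
 switchport access vlan 999
!
interface GigabitEthernet1/3
 switchport mode access
 shutdown
!
interface GigabitEthernet1/4
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/5
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {name: [sub-commands]} for each interface stanza in an IOS config."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas

def vlan1_exposed_access_ports(config):
    """Admin-up access ports whose frames would land in VLAN 1."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        if "shutdown" in lines:
            continue  # an admin-down port cannot source frames into VLAN 1
        # IOS defaults an access port to VLAN 1 when none is configured;
        # the last 'switchport access vlan' line wins if several appear.
        vlans = [int(l.split()[-1]) for l in lines if l.startswith("switchport access vlan ")]
        if (vlans[-1] if vlans else 1) == 1:
            findings.append(name)
    return findings
```

Run against the sample, this flags GigabitEthernet1/1 (no access VLAN, left up) and GigabitEthernet1/4 (explicitly VLAN 1), while the dummy-VLAN port and the shut port pass.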