Hi Bob, I would go for option 2. The vlan name might be used to explain what the vlan is... FW-blahblah or DMZ-blahblah in your examples...
Should you go for option 1, I would definitely keep the interface shut to avoid unnecessary L2 broadcast/multicast hitting the CPU.

Regards,
Christophe

On 25 Nov 2011, at 21:28, Bob McCouch wrote:

> Hi Experts,
>
> I know this mailing list is for IPExpert materials discussions but I'm going to abuse it just a touch to get some best practice input from a collection of seasoned engineers. I am always on the fence about how to treat unrouted L2 VLANs that exist on an L3 switch, like a guest network that is being piped up to a firewall or a (gasp) DMZ that is running as a VLAN on the internal network, or just a voice VLAN that is gatewayed by another device. Here are the two positions I float between:
>
> 1) Create the SVI (interface VlanX), no ip address, shutdown, put a description that warns not to activate the SVI.
> 2) Ignore it at L3 completely and don't even instantiate the SVI.
>
> The argument for #1 goes that by creating the interface but purposely shutting it and adding a description, you're hopefully less likely to have someone else accidentally enable routing on that interface one day thinking they're taking care of something that got missed. Actively document the designed behavior rather than just leave a questionable absence of configuration. The argument for #2 says completely ignore this VLAN and don't even let the routing engine "listen" in any fashion to it.
>
> Anyone know of any actual security/architecture best practices on this, or is there a common opinion on this?
>
> Thanks!
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
>
> To Unsubscribe from this list please visit the following link and follow the directions to unsubscribe.
> http://onlinestudylist.com/mailman/listinfo/ccie_rs
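As an added example (not part of either message in the thread), a small audit script for Bob's option 1: it parses an IOS-style running-config and flags any SVI whose description carries an L2-only marker but which has drifted into a routable state (no longer shut down, or given an address). The `L2-ONLY` description keyword and the sample config are assumptions constructed for the example.

```python
"""Audit an IOS-style running-config for option-1 SVIs (created, no IP, shut down)
that have drifted into a routable state. The description keyword is an assumption."""
import re

L2_ONLY_MARKER = "L2-ONLY"  # assumption: keyword the team puts in option-1 descriptions

def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} for an IOS-style config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # any unindented line ('!', 'end', ...) closes the block
    return interfaces

def audit_svis(config: str) -> list:
    """Flag marked SVIs that are not shut down or that carry an IPv4/IPv6 address."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not re.fullmatch(r"Vlan\d+", name):
            continue
        desc = next((l for l in lines if l.startswith("description ")), "")
        if L2_ONLY_MARKER not in desc:
            continue  # a normally routed SVI, not covered by this check
        if "shutdown" not in lines:
            findings.append(f"{name}: marked {L2_ONLY_MARKER} but not shut down")
        if any(l.startswith(("ip address ", "ipv6 address ")) for l in lines):
            findings.append(f"{name}: marked {L2_ONLY_MARKER} but has an address configured")
    return findings

# Constructed sample (not from a real device): Vlan10 is routed on purpose, Vlan20 is
# a correct option-1 SVI, Vlan30 was "fixed" by someone and now has an address and no shutdown.
SAMPLE_CONFIG = """\
interface Vlan10
 description Users
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 description L2-ONLY guest VLAN, gatewayed by firewall - DO NOT ENABLE
 no ip address
 shutdown
interface Vlan30
 description L2-ONLY DMZ, gatewayed by firewall - DO NOT ENABLE
 ip address 10.0.30.1 255.255.255.0
end
"""
```

Run `audit_svis(SAMPLE_CONFIG)` against the constructed config to see Vlan30 reported twice and Vlan10/Vlan20 left alone; feeding it the output of `show running-config` from a real switch works the same way.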
