On Fri, Jan 9, 2009 at 2:22 AM, Justin Shore <jus...@justinshore.com> wrote:
> And by all means DO NOT USE VLAN 1. That's what bit me in the ass last
> night. An unconfigured 7600 LAN port with switchport, mode access and no
> access vlan defined was a piece in the puzzle of the cluster that was my
> evening last night. VLAN 1 is evil and anyone that uses it intentionally is
> a fool.

Agreed. Ours always shuts down VLAN 1 and defines another VLAN as native on trunk ports. This way we can be sure that "user" traffic is not using VLAN 1.

> On a related side note, can VLAN 1 be disabled? If the state is set to
> suspended or the vlan is 'shutdown' in vlan sub-config mode, would that
> actually shutdown VLAN 1?

If you shut down VLAN 1, the "control" traffic is still tagged with VLAN 1, e.g. CDP, VTP. But your "user" traffic will not be tagged with VLAN 1 if you defined another VLAN as native.

> If a default config access-mode switchport in
> VLAN by default receives a packet, does it drop it?

I believe "control" traffic (CDP, VTP) will not be dropped from the port.

> I'm looking for ways to
> prevent what happened last night and since I can't remove VLAN 1 from the
> trunk ports in question I'd like to figure out how to disable the VLAN. The
> other option would be to change the VLAN used by default for the access VLAN
> when one isn't configured on a port. Is there a config option for that?

I think best practice is that an "access" port must belong to a VLAN other than the default (VLAN 1 in Cisco). This is simple with the commands "interface range" and "switchport access vlan XXX".

HTH
Engel

_______________________________________________
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
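The configuration below is an added illustration of the practice Engel describes (unused access ports parked in a non-default VLAN via "interface range", trunks with a native VLAN other than 1); it is not from the thread or from either poster. The interface names, VLAN numbers (999 as a black-hole VLAN, 10/20 as user VLANs) and VLAN names are assumptions chosen for the example. The "vlan dot1q tag native" line applies to 6500/7600 IOS; check your platform before using it.

```cisco
! Added example, not from the original thread. Interface names and VLAN
! numbers are assumptions. Goal: no port ends up in VLAN 1 by accident.
!
! 1. A dedicated black-hole VLAN for every port that has no real assignment.
vlan 999
 name BLACKHOLE-UNUSED
!
! 2. Park all unassigned access ports there in one go ("interface range"),
!    as the reply suggests, and keep them shut until they are provisioned.
!    A port defaulting to "switchport access vlan 1" is exactly the
!    misconfiguration the original poster ran into.
interface range GigabitEthernet1/1 - 48
 switchport
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree portfast
 shutdown
!
! 3. Trunks: native VLAN is the black-hole VLAN, not VLAN 1, so untagged
!    frames arriving on the trunk land in 999 instead of VLAN 1. Restrict
!    the allowed list to the VLANs that actually need to cross the link.
!    (VLAN 1 is removed here; the original poster noted he could not do
!    that on his trunks, in which case the native-VLAN change still helps.)
interface TenGigabitEthernet4/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport nonegotiate
!
! 4. 6500/7600 IOS option: tag native-VLAN frames on trunks too, so a
!    VLAN-hopping attempt with double-tagged frames does not get a free
!    untagged hop. Confirm support on the platform/IOS in use.
vlan dot1q tag native
!
! 5. Verification (exec mode): every access port should show a VLAN other
!    than 1 and every trunk should show native VLAN 999.
!    show vlan brief
!    show interfaces trunk
!    show interfaces switchport | include Name|Access Mode VLAN|Native
```

Note the distinction the thread touches on: "interface Vlan1" followed by "shutdown" only disables the management SVI, not layer-2 forwarding in VLAN 1; the black-hole VLAN plus explicit access/native VLAN assignments is what keeps user traffic out of VLAN 1 regardless of whether the platform lets you suspend VLAN 1 itself. Control-plane protocols such as CDP and VTP are not affected by these settings, as Engel's reply states.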