3500XL: Disable/Block VLAN 1 on an uplink port

I want to disable VLAN 1 on an uplink port of a 3500XL switch with 12.0(5)WC17. Unfortunately it doesn't work.

rhsw#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
rhsw(config)#interface f0/48
rhsw(config-if)#switchport trunk allowed vlan 55
rhsw(config-if)#^Z
rhsw#show running-config interface f0/48
Building configuration...

Current configuration:
!
interface FastEthernet0/48
 description frei
 shutdown
 switchport trunk allowed vlan 1,55,1002-1005
 switchport mode trunk
 spanning-tree portfast
end

Is there another way to filter VLAN 1?

Reply to
Patrick Cervicek

VLANs 1 and 1002-1005 are special VLANs, which carry all "vital technical information". VLAN1 should ALWAYS exist, since Spanning Tree, CDP, VTP, and other protocols use it to communicate between switches. In newer switches you may "disable" it in the config; it may not show up in the commands, but when you actually sniff the traffic, you see it there.

From the security standpoint... If you don't have a corresponding IP address, then what is there to worry about?

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)

------ Headset Adapters for Cisco IP Phones


"Patrick Cervicek" wrote in message news:f84j09$nck$ snipped-for-privacy@news.belwue.de...

Reply to
headsetadapter.com

How's this for a theory:

Create a trunk between two switches. Put the "native VLAN 1" on the network side, but "native VLAN 2" on the outside. (VLAN mis-match)

You can then prune VLAN 2 on trunks past the far end, thus stopping VLAN 1 from going any further.

Reply to
Arthur Brain

headsetadapter.com wrote:

... but are you sure you can connect to a backbone IP in Vlan1 when it's "disabled"?

The interfaces of our backbone are in VLAN 1. It is dangerous in 2 scenarios:

  • We have VoIP phones with a PC connected to them. We use 2 VLANs for that, but we do not want to risk that smart users could connect to our backbone via VLAN 1.
  • We are using access points with a multi-SSID feature; each SSID uses its own VLAN. We do not need/want VLAN 1 here.

Reply to
Patrick Cervicek

Patrick Cervicek wrote in news:f84j09$nck$ snipped-for-privacy@news.belwue.de:

VLAN 1, as well as 1002-1005, cannot be pruned on the 2900XL/3500XL series.

c
Reply to
Chris Marva

It's best to get off VLAN 1 and not use it, due to its use in Cisco gear. You'll run into so many oddities as you try; it's best to make a clean break totally away from it. You'll be glad in the end.

Reply to
Doug McIntyre

Patrick,

From the best practices, there should be no IP interface for VLAN1.

Good luck,

Mike CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc. CCIE R&S (in progress), CCIE Voice (in progress)

------ Headset Adapters for Cisco IP Phones


"Patrick Cervicek" wrote in message news:f84nmg$pim$ snipped-for-privacy@news.belwue.de...

Reply to
headsetadapter.com
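The advice in this thread boils down to three checks: no IP interface on VLAN 1, a native VLAN other than 1 on trunks, and VLAN 1 removed from the trunk's allowed list where the platform permits it (which, per Chris's reply, the 2900XL/3500XL does not). The following script is an added example, not code from the thread or from Cisco: it parses interface stanzas out of a running-config and reports those three conditions. The `WEAK_CONFIG` trunk stanza copies the `show running-config interface f0/48` output quoted above; the `Vlan1` SVI with an address and the whole `HARDENED_CONFIG` are constructed for the example, and the hardened trunk assumes a platform that honours an allowed list without VLAN 1.

```python
"""Audit an IOS running-config for VLAN 1 exposure (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed weak configuration: the FastEthernet0/48 stanza follows the output
# quoted in the thread; the addressed Vlan1 SVI is made up for the example.
WEAK_CONFIG = """\
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface FastEthernet0/48
 description frei
 shutdown
 switchport trunk allowed vlan 1,55,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
end
"""

# Constructed hardened configuration: management moved to Vlan10, the Vlan1 SVI
# unaddressed and shut, native VLAN moved to an unused ID, VLAN 1 not in the
# allowed list (assumes a platform that accepts that; the 3500XL does not).
HARDENED_CONFIG = """\
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 192.0.2.10 255.255.255.0
!
interface FastEthernet0/48
 description uplink
 switchport trunk native vlan 999
 switchport trunk allowed vlan 55
 switchport mode trunk
!
end
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,55,1002-1005' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a running-config into {interface name: [stanza lines]}.

    IOS indents stanza lines with one space; '!', 'end' or any other
    unindented line closes the current stanza.
    """
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None
    return stanzas


def audit_vlan1(config: str) -> List[Tuple[str, str]]:
    """Return (interface, issue) pairs for each way VLAN 1 is exposed."""
    findings: List[Tuple[str, str]] = []
    for name, lines in parse_interfaces(config).items():
        # An addressed SVI on VLAN 1 makes the switch reachable from VLAN 1.
        if re.fullmatch(r"vlan\s*1", name, re.IGNORECASE):
            if any(l.startswith("ip address ") for l in lines):
                findings.append((name, "IP address configured on the VLAN 1 SVI"))
            continue
        if "switchport mode trunk" not in lines:
            continue
        native = 1                          # IOS default native VLAN on 802.1Q trunks
        allowed: Optional[Set[int]] = None  # None = all VLANs permitted (IOS default)
        for l in lines:
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", l)
            if m:
                native = int(m.group(1))
            m = re.fullmatch(r"switchport trunk allowed vlan (none|[\d,\-]+)", l)
            if m:
                allowed = set() if m.group(1) == "none" else expand_vlan_list(m.group(1))
        if native == 1:
            findings.append((name, "trunk native VLAN is 1 (untagged frames land in VLAN 1)"))
        if allowed is None or 1 in allowed:
            findings.append((name, "trunk carries VLAN 1"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_vlan1(cfg) or "no VLAN 1 exposure found")
```

The audit deliberately still reports a trunk that is administratively `shutdown`, as f0/48 is in the quoted output, because a shut port keeps its VLAN configuration and carries VLAN 1 the moment someone issues `no shutdown`. On an XL-series switch the "trunk carries VLAN 1" finding cannot be cleared, so the remaining mitigations are the other two: no address on the VLAN 1 SVI and a native VLAN that is not 1.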
