In article , Andy wrote:
:Hi, what are the recommendations for both Native vlan, and management
:vlan?
:I know that user traffic should be separated from management traffic,
:and it's better to use out-of-band management.
:But do we keep Vlan 1 the native vlan? and any other recommendation you
:think it's important to know. Thank you!!
If an untagged packet somehow manages to get injected to a port (accident, misadventure, hacking, vlan hopping, remote machine isn't configured properly) then you probably don't want that packet to be treated as if it were legitimately generated by the remote device -- so you want the native vlan to be one that the remote device never uses for legitimate traffic.
Some devices don't handle per-vlan spanning tree and only generate spanning tree on vlan 1. Some only generate some of the layer 2 link-layer protocols on vlan 1. Some devices only accept management traffic on vlan 1.
Some devices drop traffic into VLAN 1 if they can't figure out what else to do with it (e.g., an appletalk packet comes along and your vlans are 802.2-based).
So... it depends ;-)
My -personal- preference is to make the native vlan a vlan that is otherwise unused, and which is not being trunked to that port, thus achieving the -effect- of "filter all untagged packets" even on devices that don't offer that configuration option.
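The preference described above (an otherwise unused vlan as native, and that vlan not carried on the trunk) is something you can check for across a whole config dump rather than port by port. The script below is an added example, not code from the original post or from any switch vendor. It assumes Cisco IOS-style "switchport trunk ..." syntax (the sample configuration it parses is constructed for illustration), and it flags a trunk port when its native vlan is vlan 1 or is also in the trunk's allowed list, which is exactly the situation where an injected untagged frame would be treated as legitimate traffic from the far end.

```python
"""Audit trunk ports for a safe native VLAN.

Added example; not part of the original post. Assumes Cisco IOS-style
switchport syntax. The configuration text below is constructed for
illustration, not taken from a real device.
"""
import re

# Constructed sample: Gi0/1 keeps the default native VLAN 1; Gi0/2 applies
# the trick from the post, using an otherwise unused VLAN (999) as native
# and leaving it out of the allowed list, so untagged frames land in a VLAN
# that is never forwarded anywhere.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
"""

ALL_VLANS = frozenset(range(1, 4095))
ALLOWED_PREFIX = "switchport trunk allowed vlan "
NATIVE_PREFIX = "switchport trunk native vlan "


def expand_vlan_list(spec):
    """Expand a VLAN list such as '10,20-22,30' into a set of VLAN IDs.

    'all' means every VLAN. The 'add'/'remove'/'except' forms of the
    command are deliberately not handled in this example.
    """
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunks(config):
    """Return {interface: {'native': int, 'allowed': set}} for trunk ports only."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            # IOS defaults: native VLAN 1, every VLAN allowed on the trunk.
            current = {"trunk": False, "native": 1, "allowed": set(ALL_VLANS)}
            interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        stmt = line.strip()
        if stmt == "!":
            current = None
        elif stmt == "switchport mode trunk":
            current["trunk"] = True
        elif stmt.startswith(NATIVE_PREFIX):
            current["native"] = int(stmt[len(NATIVE_PREFIX):])
        elif stmt.startswith(ALLOWED_PREFIX):
            current["allowed"] = expand_vlan_list(stmt[len(ALLOWED_PREFIX):])
    return {name: port for name, port in interfaces.items() if port["trunk"]}


def audit_native_vlan(config):
    """Return {interface: [findings]} for every trunk port in the config.

    A port passes (empty list) when its native VLAN is neither VLAN 1 nor
    one of the VLANs carried tagged on the same trunk, so an untagged frame
    cannot be mistaken for legitimate traffic from the remote device.
    """
    findings = {}
    for name, port in parse_trunks(config).items():
        issues = []
        native, allowed = port["native"], port["allowed"]
        if native == 1:
            issues.append("native VLAN is 1 (default): untagged frames join the default VLAN")
        if native in allowed:
            issues.append(
                "native VLAN %d is also allowed on the trunk: untagged frames "
                "merge with that VLAN's tagged traffic" % native
            )
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_native_vlan(SAMPLE_CONFIG).items():
        print(name, "OK" if not issues else "; ".join(issues))
```

Run it against a saved "show running-config" and the ports that still sit on the defaults show up immediately. Note that a trunk with no "allowed vlan" line at all carries every VLAN by default, so any native VLAN you pick is also allowed on it and the second finding fires; pruning the allowed list is part of the fix, not an optional extra.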