I recommend using another VLAN for your hosts; this will keep traffic that has to traverse VLAN 1 from mixing with user traffic, and it also improves security to a certain extent.
I usually create a VLAN for my management traffic (SNMP, telnet etc.) and other VLANs for my user traffic.
However, be aware that you'll always see VLAN 1. I don't think it can be pruned.
Does VLAN 1 have the same characteristics as other VLANs created for users?
For example, the following VLANs are special: 1002 fddi-default, 1003 token-ring-default, 1004 fddinet-default, 1005 trnet-default.
I am using one VLAN (VLAN 1) and all hosts are connected to this VLAN. I need to know if I increase performance when I use a new VLAN, if my VLAN is more secure by using a new VLAN, etc.
I suspect that VLAN 1 is not exactly the same type of VLAN as one created by a user. It's just a question to know.
More detail? Thanks a lot.
Best regards, Rahan
"genki" wrote in the news message: snipped-for-privacy@h48g2000cwc.googlegroups.com...
Since _everything_ is in vlan1 on your switch, it doesn't matter at all.
It's the default vlan and therefore usually used for management purposes. However, it does not matter if you use vlan1 or vlan200 for your hosts, especially with your setup that is one broadcast domain.
Don't listen to this guy, he's wrong. There is special traffic on VLAN 1. It would be prudent for you to move your hosts onto another VLAN. This would improve security also.
Here is a cut+paste from Cisco.com.
Source:
formatting link
cut+paste Precautions for the Use of VLAN 1
The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP, PAgP, and VTP needed to be sent on a specific VLAN on trunk links. For all these purposes VLAN 1 was chosen.
As a consequence, VLAN 1 may sometimes end up unwisely spanning the entire network if not appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly. Besides the practice of using a potentially omnipresent VLAN for management purposes puts trusted devices to higher risk of security attacks from untrusted devices that by misconfiguration or pure accident gain access to VLAN 1 and try to exploit this unexpected security hole.
To redeem VLAN 1 from its bad reputation, a simple common-sense security principle can be used: as a generic security rule the network administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.
Therefore, with regard to VLAN 1, the above rule simply translates into the recommendations to:
· Not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic.
· Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not connected and shutdown ports).
Similarly, the above rule applied to the management VLAN reads:
· Don't configure the management VLAN on any trunk or access port that doesn't require it (including not connected and shutdown ports).
· For foolproof security, when feasible, prefer out-of-band management to inband management. (Refer to [3] for a more detailed description of an out-of-band management infrastructure.)
As a general design rule it is desirable to "prune" unnecessary traffic from particular VLANs. For example, it is often desirable to apply VLAN ACLs and/or IP filters to the traffic carried in the management VLAN to prevent all telnet connections and allow only SSH sessions. Or it may be desirable to apply QoS ACLs to rate limit the maximum amount of ping traffic allowed.
If VLANs other than VLAN 1 or the management VLAN represent a security concern, then automatic or manual pruning should be applied as well. In particular, configuring VTP in transparent or off mode and doing manual pruning of VLANs is commonly considered the most effective method to exert a more strict level of control over a VLAN-based network.
Done.
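The Cisco text above gives rules (prune VLAN 1 from trunks and idle access ports, keep management off VLAN 1, allow SSH rather than telnet, run VTP transparent/off) but no way to check a switch against them. As an added example, not from the original thread or from Cisco's documentation, here is a small Python audit that applies those rules to an IOS-style running-config. The config it reads is constructed for the example and deliberately mixes a wide-open trunk (Gi0/1) with a pruned one (Gi0/2), an access port that silently defaults to VLAN 1 (Gi0/4), a shutdown port still in VLAN 1 (Gi0/5), an in-band management SVI on VLAN 1, and vty lines that still accept telnet. The function names and finding strings are the example's own.

```python
"""Audit an IOS-style running-config for the VLAN 1 precautions (constructed example)."""
import re

# Constructed sample running-config, not captured from a real switch.
# It mixes hardened forms (Gi0/2, Gi0/3, Vlan99) with the weak forms the
# Cisco precautions warn about (Gi0/1, Gi0/4, Gi0/5, Vlan1, vty telnet, VTP server).
SAMPLE_CONFIG = """\
vtp mode server
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/5
 switchport mode access
 shutdown
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan99
 ip address 198.51.100.10 255.255.255.0
!
line vty 0 4
 transport input telnet ssh
!
"""


def parse_sections(config):
    """Split IOS config text into (header, [indented body lines]) blocks.
    Top-level commands with no indented children become headers with an empty body."""
    sections, header, body = [], "", []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            sections.append((header, body))
            header, body = line, []
    sections.append((header, body))
    return sections


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,99' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_vlan1(config):
    """Return (scope, finding) pairs wherever VLAN 1 is still in use or management
    is still in-band on VLAN 1 / reachable by telnet. Only the plain 'allowed vlan
    <list>', 'all' and 'none' forms are parsed; add/remove/except are left as
    'unpruned' so they surface for manual review."""
    findings = []
    for header, body in parse_sections(config):
        if header.startswith("vtp mode") and not header.endswith(("transparent", "off")):
            findings.append(("global", "VTP not transparent/off; prune VLANs manually"))
        elif header.startswith("interface "):
            name = header.split(" ", 1)[1]
            allowed, access_vlan = None, 1  # IOS defaults: trunk carries all VLANs, access port is VLAN 1
            for line in body:
                m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
                if m:
                    spec = m.group(1)
                    allowed = None if spec == "all" else set() if spec == "none" else expand_vlan_list(spec)
                m = re.match(r"switchport access vlan (\d+)$", line)
                if m:
                    access_vlan = int(m.group(1))
            if "switchport mode trunk" in body and (allowed is None or 1 in allowed):
                findings.append((name, "trunk still carries VLAN 1"))
            if "switchport mode access" in body and access_vlan == 1:
                state = "shutdown " if "shutdown" in body else ""
                findings.append((name, f"{state}access port left in VLAN 1"))
            if name.lower() == "vlan1" and "shutdown" not in body \
                    and any(b.startswith("ip address ") for b in body):
                findings.append((name, "in-band management SVI on VLAN 1"))
        elif header.startswith("line vty"):
            for line in body:
                if line.startswith("transport input ") and ("telnet" in line or line.endswith(" all")):
                    findings.append((header, "vty accepts telnet; use 'transport input ssh'"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_vlan1(SAMPLE_CONFIG):
        print(f"{scope:22} {finding}")
```

Run it against `show running-config` output saved to a file and it flags six things in the sample: the VTP server mode, the unpruned trunk Gi0/1, the two access ports that were never moved off VLAN 1 (one of them shut down, which the Cisco text says still counts), the management SVI on VLAN 1, and the telnet-capable vty lines. The pruned trunk, the access port in VLAN 10 and the Vlan99 SVI pass, which is the shape the precautions recommend.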
Very, very interesting!!! I can understand now why I see a lot of packets coming from all directions...
I will print the Cisco documentation!!! Thank you very much!!!
Yes, VLAN 1 is a "special" VLAN, but (there is always a but!!!) if you have a very small layer 2 network then it doesn't really matter. At our small locations that have only a single user VLAN we use VLAN 1 as the user VLAN because it is easier to maintain and simpler to support. The only time that not using VLAN 1 is important is if you have many VLANs defined on multiple switches.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.