3500XL: Disable/Block VLAN 1 on an uplink port

Discussion in 'Cisco' started by Patrick Cervicek, Jul 24, 2007.

1. I want to disable VLAN 1 on an uplink port of a 3500XL switch with
    12.0(5)WC17.
    Unfortunately it doesn't work.

    rhsw#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    rhsw(config)#interface f0/48
    rhsw(config-if)#switchport trunk allowed vlan 55
    rhsw(config-if)#^Z
    rhsw#show running-config interface f0/48
    Building configuration...

    Current configuration:
    !
    interface FastEthernet0/48
    description frei
    shutdown
    switchport trunk allowed vlan 1,55,1002-1005
    switchport mode trunk
    spanning-tree portfast
    end

    Are there other ways to filter VLAN 1?
     
    Patrick Cervicek, Jul 24, 2007
    #1

  2. VLANs 1 and 1002-1005 are special VLANs, which carry all "vital technical
    information". VLAN 1 should ALWAYS exist, since Spanning Tree, CDP, VTP and
    other protocols use it to communicate between switches. In newer switches
    you may "disable" it in the config; it may not show up in the commands,
    but when you actually sniff the traffic, you see it there.

    From the security standpoint... If you don't have a corresponding IP address,
    then what is there to worry about?

    Good luck,

    Mike
    CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
    CCIE R&S (in progress), CCIE Voice (in progress)
     
    headsetadapter.com, Jul 24, 2007
    #2

  3. Patrick Cervicek

    Arthur Brain Guest

    How's this for a theory:

    Create a trunk between two switches.
    Put the "native VLAN 1" on the network side, but "native VLAN 2" on
    the outside. (VLAN mis-match)

    You can then prune VLAN 2 on trunks past the far end, thus stopping
    VLAN 1 from going any further.
     
    Arthur Brain, Jul 24, 2007
    #3
  4. .... but are you sure you can connect to a backbone IP in VLAN 1 when
    it's "disabled"?
    The interfaces of our backbone are in VLAN 1. It is dangerous in 2 scenarios:

    * We have VoIP phones with a PC connected to them. We use 2 VLANs for
    that, but we do not want to risk that smart users could connect to our
    backbone via VLAN 1.

    * We are using access points with a multi-SSID feature; each SSID is
    using its own VLAN. We do not need/want VLAN 1 here.
     
    Patrick Cervicek, Jul 24, 2007
    #4
  5. Patrick Cervicek

    Chris Marva Guest

    VLAN 1, as well as 1002-1005, cannot be pruned on the 2900XL/3500XL series.

    c
     
    Chris Marva, Jul 24, 2007
    #5

  6. It's best to get off VLAN 1 and not use it, due to its use in Cisco gear.
    You'll run into so many oddities as you try; best to make a clean
    break totally away from it. You'll be glad in the end.
     
    Doug McIntyre, Jul 24, 2007
    #6
  7. Patrick,

    From the best practices, there should be no IP interface for VLAN1.

    Good luck,

    Mike
    CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
    CCIE R&S (in progress), CCIE Voice (in progress)
     
    headsetadapter.com, Jul 25, 2007
    #7
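The thread's advice boils down to three checks on every trunk: VLAN 1 must not be in the allowed list (the IOS default is "all VLANs", and the 3500XL re-adds 1 and 1002-1005 even when you list only 55), the native VLAN must not be 1 (untagged frames on the trunk land in the native VLAN), and no management IP may live on interface Vlan1. The script below is an added example written for this page, not code from the thread or from Cisco: it parses running-config stanzas and reports those conditions, plus the portfast-on-a-trunk setting visible in the original output. Both configs it audits are constructed samples: the first is the poster's stanza with an assumed `interface Vlan1` address (192.0.2.x is a documentation range), the second is what the same uplink would look like on a newer IOS platform that can remove VLAN 1 from a trunk, which, as Chris notes, the 2900XL/3500XL cannot do.

```python
"""Audit IOS trunk configs for VLAN 1 exposure (added example, not from the thread)."""
import re

ALL_VLANS = set(range(1, 4095))  # IOS default for an 802.1Q trunk: all VLANs allowed

# Constructed sample 1: the uplink from the original post as the 3500XL echoed it
# back, plus an assumed "interface Vlan1" carrying a management address, which is
# what the poster describes for his backbone. Address is a documentation range.
ORIGINAL_3500XL = """\
interface FastEthernet0/48
 description frei
 shutdown
 switchport trunk allowed vlan 1,55,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
"""

# Constructed sample 2: the same uplink after the thread's advice, on an assumed
# newer IOS platform that can prune VLAN 1 (the 3500XL cannot). Names are assumed.
HARDENED = """\
interface FastEthernet0/48
 description uplink to core
 switchport trunk native vlan 999
 switchport trunk allowed vlan 55
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan55
 ip address 192.0.2.10 255.255.255.0
"""


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,55,1002-1005' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")          # "1002-1005" or a single "55"
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config):
    """Group running-config lines by 'interface X' stanza -> {name: [lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":                        # IOS stanza separator
            current = None
        elif current and line:
            stanzas[current].append(line)
    return stanzas


def audit_interface(name, lines):
    """Return a list of findings (strings) for one interface stanza."""
    findings = []
    is_trunk = "switchport mode trunk" in lines
    native = 1                                   # IOS default native VLAN
    allowed = set(ALL_VLANS)                     # IOS default: everything allowed
    for line in lines:
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan (add |remove )?([\d,\-]+)$", line)
        if m:
            verb, spec = m.groups()
            vlans = parse_vlan_list(spec)
            if verb == "add ":
                allowed |= vlans
            elif verb == "remove ":
                allowed -= vlans
            else:                                # plain form replaces the list
                allowed = vlans
    if is_trunk:
        if 1 in allowed:
            findings.append(f"{name}: VLAN 1 is carried on this trunk")
        if native == 1:
            findings.append(f"{name}: native VLAN is 1, untagged frames land in VLAN 1")
        if "spanning-tree portfast" in lines:
            findings.append(f"{name}: portfast configured on an inter-switch trunk")
    if name.lower() == "vlan1" and any(l.startswith("ip address ") for l in lines):
        findings.append(f"{name}: management IP address configured on VLAN 1")
    return findings


def audit_config(config):
    """Audit every interface stanza in a running-config; returns all findings."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        findings.extend(audit_interface(name, lines))
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_3500XL), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Feed it `show running-config` output from each switch and treat every finding on an uplink as a hole: a host that can tag frames for VLAN 1, or simply send them untagged toward a native-VLAN-1 trunk, reaches whatever sits on VLAN 1. Note the caveat Mike raises still holds on platforms where the "hardened" sample is valid: removing VLAN 1 from the allowed list stops user data, but CDP, VTP and similar control traffic keeps using VLAN 1 between switches, so the real defence is the `interface Vlan1` part of the check (no IP address on it), not the pruning alone.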
