Meraki

Community

How safe to use VLAN 1 if it's not spannning or any device on it

SahadSalmiT
Getting noticed
‎Apr 22 2023 10:56 AM
‎Apr 22 2023 10:56 AM

How safe to use VLAN 1 if it's not spannning or any device on it

Hi Guys, 

 

 I have a question about the best practice around not using VLAN 1. I have VLAN 1 untagged in all trunks between MX and switches with the following. 

* Do not have any devices.

* Don't have any DHCP configured. 

* Don't have any VLAN interface created. 

* VLAN 1 is not spanning anywhere except in these trunk ports between MX and switches

* Don't have any management traffic (Have separate VLAN for that)

* None of the edge ports contain VLAN 1

 

 

 

I have run packet capture with this design then I run another one using VLAN 5 same scenario, since the untagged VLAN is untagged I couldn't see any difference from VLAN 1 to VLAN 5. 

 

 

 Should I worry about anything related to security here? , Let me know if I am missing anything. 

0 Kudos
12 Replies 12
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 22 2023 11:31 AM
‎Apr 22 2023 11:31 AM

Not using VLAN1 is just a good practice recommendation as it is the default VLAN of any switch, but it does not mean that it cannot be used or that network security is at risk. Security goes much further than a simple VLAN.

 

If possible, avoid using it, but if you do, that's fine, it's not the end of the world.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
SahadSalmiT
Getting noticed
‎Apr 22 2023 1:05 PM
‎Apr 22 2023 1:05 PM

@alemabrahao Thanks for your reply, do you know any list of security problems that might occur if I used VLAN 1? I am just curious to know the wisdom behind it. 

0 Kudos
In response to SahadSalmiT
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 22 2023 2:13 PM
‎Apr 22 2023 2:13 PM

Unfortunately not, but you can Google it and analyze by your self.

 

https://www.oreilly.com/library/view/cisco-lan-switching/1587050897/1587050897_ch04lev1sec8.html#:~:....

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Brash
Kind of a big deal
Kind of a big deal
‎Apr 22 2023 3:00 PM
‎Apr 22 2023 3:00 PM

The main reasons vlan 1 is considered a potential security risk is because it is the default vlan on switches.

This means that if you have any enabled and unconfigured ports on a switch, someone can plug in with immediate access to vlan 1.

Additionally vlan 1 is used to exchange control plane data for some protocols (especially legacy protocols) as it was guaranteed to exist on every switch.

Placing user traffic on this vlan introduces additional variables that could impact the control plane traffic.

In response to Brash
SahadSalmiT
Getting noticed
‎Apr 22 2023 4:16 PM
‎Apr 22 2023 4:16 PM

Thanks, @Brash , if it's still vulnerable to the scenario in question? 

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 23 2023 1:01 PM
‎Apr 23 2023 1:01 PM

I wouldn't worry about it.  In Meraki land, spanning tree protocols only use the untagged VLAN.  They need that to flow to let spanning tree form properly.

0 Kudos
Domntr05
Here to help
‎Jan 5 2024 5:18 AM
‎Jan 5 2024 5:18 AM

Guys, Meraki best practice lists that VLAN 1 should be allowed on a trunk between a Catalyst and MS Meraki switch. Please see picture below.

 

However, Cisco best practice recommends to remove VLAN 1 from trunks. I have it removed and it seemed to work fine. So, what are your recommendations?

 

Thank you in advance,

 

Domntr05_0-1704459906372.png

 

 

 

0 Kudos
In response to Domntr05
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 5 2024 11:59 AM
‎Jan 5 2024 11:59 AM

I disagree, I prefer to avoid VLAN 1 whenever possible.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to Domntr05
Brash
Kind of a big deal
Kind of a big deal
‎Jan 5 2024 12:07 PM
‎Jan 5 2024 12:07 PM

Meraki switches use VLAN 1 to send and receive BPDU's for STP.

If you block VLAN 1 on the link between the Catalyst and Meraki switches, they won't see each other in the STP topology.

0 Kudos
In response to Brash
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 5 2024 12:08 PM
‎Jan 5 2024 12:08 PM

You can simply change the default VLAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
Domntr05
Here to help
‎Jan 5 2024 12:12 PM
‎Jan 5 2024 12:12 PM

You meant to create a Management vlan and use it as Native and listed in allowed?

0 Kudos
Domntr05
Here to help
‎Jan 5 2024 12:04 PM
‎Jan 5 2024 12:04 PM

That's what I thought. Thks

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.