What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?
I know there are some requirements to keep VLAN 1 as the native VLAN in a mixed Meraki/Catalyst/Nexus environment, so this question focuses on Meraki hardware only, for discussion's sake.
To meet network security best practices, I often wonder why not remove VLAN 1 from the MX, tag all the subnets across the MX LAN ports to MS switching, and configure all the trunks to drop untagged traffic.
I don't see any issue, but I have heard that sometimes dropping untagged traffic could cause problems; I just haven't seen these problems myself.
Thoughts? Opinions?
Where did you hear that statement? I needed to drop in some specific cases and never had any issues.
Which statement? Assuming the statement about keeping VLAN 1 - The link RaphaelL shared is it.
I have seen issues in the field with this, though: a lot of issues in mixed-vendor environments due to STP, where there are Rapid STP per-VLAN instances of spanning tree running.
> I don't see any issue but have heard sometime dropping untagged traffic could cause problems
Despite what the documentation says, I can't see this as a problem, but ok.
If you set a VLAN as native and don't include it in the trunk and do the same on a Cisco Catalyst switch at the other end, then the link will not pass the traffic in the native VLAN, I can confirm this from experience...
STP is using the native VLAN. So as long as you make sure you never have a loop (by network admin/user error), and don't want/use redundancy based on STP blocking on your network, it should work.
>What concerns would you have when removing VLAN 1 entirely from a Meraki MS/MX/MR network and dropping untagged traffic across all interconnections (trunks)?
This will prevent spanning tree packets from being forwarded and may result in an incorrect spanning tree being formed.
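The two replies above (STP runs on the native VLAN; dropping untagged traffic stops BPDUs) can be made concrete with a toy 802.1Q ingress filter. This is an added example, not code from the thread or from Meraki or Cisco: it parses a constructed untagged IEEE STP BPDU and a constructed tagged data frame, then applies three trunk configurations: native VLAN allowed, native VLAN pruned from the allowed list (the Catalyst case described above), and "drop untagged". The frame bytes, MAC addresses and the `trunk_ingress` decision logic are assumptions for illustration; the toy treats a BPDU like any other frame, whereas a real switch's STP control-plane handling is vendor-specific, which is exactly the behaviour the thread is debating.

```python
import struct

# Constants from the standards: IEEE 802.1D/802.1w BPDUs are sent untagged to
# the bridge-group multicast address; 802.1Q tags use ethertype 0x8100.
STP_MULTICAST = bytes.fromhex("0180c2000000")
ETHERTYPE_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, VLAN id (None if untagged) and the
    ethertype/length field that follows the (optional) 802.1Q tag."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        inner = struct.unpack("!H", frame[16:18])[0]
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF, "type": inner}
    return {"dst": dst, "src": src, "vlan": None, "type": ethertype}


def is_stp_bpdu(frame: bytes) -> bool:
    """True if the frame is addressed to the IEEE STP multicast address."""
    return parse_frame(frame)["dst"] == STP_MULTICAST


def trunk_ingress(frame: bytes, native_vlan: int, allowed: set, drop_untagged: bool):
    """Toy trunk-port ingress decision (assumed model, not any vendor's code).
    Untagged frames are classified into the native VLAN unless the port is set
    to drop untagged traffic; a frame whose VLAN is not allowed is dropped.
    Returns (action, vlan) with action 'forward' or 'drop'."""
    parsed = parse_frame(frame)
    if parsed["vlan"] is None:
        if drop_untagged:
            return ("drop", None)
        vlan = native_vlan
    else:
        vlan = parsed["vlan"]
    if vlan not in allowed:
        return ("drop", vlan)
    return ("forward", vlan)


def build_frame(dst: bytes, src: bytes, vlan, ethertype: int, payload: bytes) -> bytes:
    """Assemble a frame, inserting an 802.1Q tag when vlan is not None."""
    header = dst + src
    if vlan is not None:
        header += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (placeholder MACs and zeroed payloads).
MAC_A = bytes.fromhex("001122334455")
BCAST = bytes.fromhex("ffffffffffff")
BPDU_LLC = bytes.fromhex("424203")  # LLC DSAP/SSAP 0x42, UI control field
BPDU_BODY = bytes(35)               # zeroed configuration BPDU body (placeholder)
UNTAGGED_BPDU = build_frame(STP_MULTICAST, MAC_A, None,
                            len(BPDU_LLC) + len(BPDU_BODY), BPDU_LLC + BPDU_BODY)
TAGGED_ARP_VLAN10 = build_frame(BCAST, MAC_A, 10, 0x0806, bytes(28))
UNTAGGED_ARP = build_frame(BCAST, MAC_A, None, 0x0806, bytes(28))

SAMPLES = {
    "untagged_bpdu": UNTAGGED_BPDU,
    "tagged_arp_vlan10": TAGGED_ARP_VLAN10,
    "untagged_arp": UNTAGGED_ARP,
}


def evaluate(native_vlan: int, allowed: set, drop_untagged: bool) -> dict:
    """Run every sample frame through one trunk configuration."""
    return {name: trunk_ingress(f, native_vlan, allowed, drop_untagged)
            for name, f in SAMPLES.items()}


if __name__ == "__main__":
    configs = {
        "native 1 allowed":            (1, {1, 10, 20}, False),
        "native 1 pruned from trunk":  (1, {10, 20}, False),
        "drop untagged":               (1, {10, 20}, True),
    }
    for label, (native, allowed, drop) in configs.items():
        print(label)
        for name, outcome in evaluate(native, allowed, drop).items():
            print(f"  {name:20s} -> {outcome}")
```

In the first configuration the untagged BPDU is classified into VLAN 1 and forwarded; in the second it is classified into VLAN 1 and then dropped because VLAN 1 is not allowed on the trunk; in the third it is dropped before classification. Tagged data frames in an allowed VLAN pass in all three cases, which is why a misconfiguration like this shows up as a spanning-tree problem rather than a user-traffic problem.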