How safe is it to use VLAN 1 if it's not spanning anywhere and has no device on it?

SahadSalmiT
Getting noticed


Hi Guys,

I have a question about the best practice around not using VLAN 1. I have VLAN 1 untagged in all trunks between MX and switches, with the following:

* It does not have any devices.

* It doesn't have any DHCP configured.

* It doesn't have any VLAN interface created.

* VLAN 1 is not spanning anywhere except in these trunk ports between MX and switches.

* It doesn't carry any management traffic (I have a separate VLAN for that).

* None of the edge ports contain VLAN 1.

I have run a packet capture with this design, then I ran another one using VLAN 5 in the same scenario; since the untagged VLAN is untagged either way, I couldn't see any difference between VLAN 1 and VLAN 5.

Should I worry about anything related to security here? Let me know if I am missing anything.

alemabrahao
Kind of a big deal

Not using VLAN 1 is just a good practice recommendation, as it is the default VLAN of any switch, but it does not mean that it cannot be used or that network security is at risk. Security goes much further than a simple VLAN.

If possible, avoid using it, but if you do, that's fine; it's not the end of the world.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

@alemabrahao Thanks for your reply. Do you know of any list of security problems that might occur if I used VLAN 1? I am just curious to know the wisdom behind it.

Unfortunately not, but you can Google it and analyze it by yourself.

https://www.oreilly.com/library/view/cisco-lan-switching/1587050897/1587050897_ch04lev1sec8.html#:~:....

Brash
Kind of a big deal

The main reason VLAN 1 is considered a potential security risk is that it is the default VLAN on switches.

This means that if you have any enabled and unconfigured ports on a switch, someone can plug in with immediate access to VLAN 1.

Additionally, VLAN 1 is used to exchange control plane data for some protocols (especially legacy protocols), as it was guaranteed to exist on every switch.

Placing user traffic on this VLAN introduces additional variables that could impact the control plane traffic.
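As an added example (my own, not from the thread or from Cisco/Meraki), here is a small audit that checks Brash's two exposures against a Catalyst-style running config: trunks still carrying or natively using VLAN 1, and enabled ports left at the factory default, which places them in VLAN 1. It assumes IOS-style config text and allowed-VLAN lists written as plain numbers and ranges; the sample config is constructed.

```python
# Constructed sample Catalyst config (not from the thread): trunk, user port, untouched port, shut port.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1-5,10
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
 shutdown
"""

def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [indented lines]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def vlan_in_list(vlan, spec):
    """True if vlan is covered by an IOS allowed-VLAN spec such as '1-5,10'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False

def audit_vlan1(config):
    """Return (interface, finding) tuples; an empty list means no exposure."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue  # nobody can plug into an administratively down port
        native = next((l.split()[-1] for l in lines if l.startswith("switchport trunk native vlan")), "1")
        allowed = next((l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan")), "1-4094")
        if "switchport mode trunk" in lines:
            if native == "1":
                findings.append((name, "trunk native VLAN is 1 (default)"))
            if vlan_in_list(1, allowed):
                findings.append((name, "trunk allows VLAN 1"))
        elif not any(l.startswith("switchport access vlan") for l in lines):
            findings.append((name, "enabled port with no access VLAN: defaults to VLAN 1"))
    return findings
```

Run `audit_vlan1(SAMPLE_CONFIG)` on the constructed config and it flags the trunk twice and the untouched GigabitEthernet1/0/3, while the shut-down port and the configured user port pass.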

Thanks, @Brash. Is it still vulnerable in the scenario in question?

PhilipDAth
Kind of a big deal

I wouldn't worry about it. In Meraki land, spanning tree protocols only use the untagged VLAN. They need that to flow to let spanning tree form properly.

Domntr05
Here to help

Guys, Meraki best practice lists that VLAN 1 should be allowed on a trunk between a Catalyst and an MS Meraki switch. Please see the picture below.

However, Cisco best practice recommends removing VLAN 1 from trunks. I have it removed and it seemed to work fine. So, what are your recommendations?

Thank you in advance,

[Image: screenshot of the Meraki best-practice guidance, not recoverable from this page]

I disagree, I prefer to avoid VLAN 1 whenever possible.

Brash
Kind of a big deal

Meraki switches use VLAN 1 to send and receive BPDUs for STP.

If you block VLAN 1 on the link between the Catalyst and Meraki switches, they won't see each other in the STP topology.

alemabrahao
Kind of a big deal

You can simply change the default VLAN.


You mean to create a management VLAN, use it as the native VLAN and list it in the allowed VLANs?

Domntr05
Here to help

That's what I thought. Thanks.
