How safe to use VLAN 1 if it's not spanning or any device on it


Hi Guys,

I have a question about the best practice around not using VLAN 1. I have VLAN 1 untagged on all trunks between the MX and the switches, with the following:

* There are no devices on it.

* No DHCP is configured for it.

* No VLAN interface is created for it.

* VLAN 1 is not spanning anywhere except on these trunk ports between the MX and the switches.

* It carries no management traffic (I have a separate VLAN for that).

* None of the edge ports contain VLAN 1.

I have run a packet capture with this design, then ran another one using VLAN 5 in the same scenario; since the untagged VLAN is untagged, I couldn't see any difference between VLAN 1 and VLAN 5.

Should I worry about anything related to security here? Let me know if I am missing anything.


Not using VLAN 1 is just a good-practice recommendation, as it is the default VLAN of any switch, but that does not mean it cannot be used or that network security is at risk. Security goes much further than a simple VLAN.

If possible, avoid using it, but if you do, that's fine; it's not the end of the world.

@alemabrahao Thanks for your reply. Do you know of any list of security problems that might occur if I used VLAN 1? I am just curious to know the wisdom behind it.

Unfortunately not, but you can Google it and analyze it yourself.


The main reason VLAN 1 is considered a potential security risk is that it is the default VLAN on switches.

This means that if you have any enabled and unconfigured ports on a switch, someone can plug in with immediate access to VLAN 1.

Additionally, VLAN 1 is used to exchange control-plane data for some protocols (especially legacy protocols), as it was guaranteed to exist on every switch.

Placing user traffic on this VLAN introduces additional variables that could impact the control-plane traffic.
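The two exposure paths described in this reply (an enabled but unconfigured port defaulting to VLAN 1, and a trunk carrying VLAN 1 untagged) can be checked mechanically against a switch's port settings. The script below is an added example, not from this thread or from Meraki; the port records are constructed sample data and the field names (`portId`, `enabled`, `type`, `vlan`, `allowedVlans`) are assumed for the example rather than taken from any product API.

```python
# Constructed sample data. Field names (portId, enabled, type, vlan,
# allowedVlans) are assumed for this example; on a trunk 'vlan' is the
# native (untagged) VLAN and 'allowedVlans' is 'all' or a list like '5,10-20'.
SAMPLE_PORTS = [
    {"portId": "1", "enabled": True},                          # factory default
    {"portId": "2", "enabled": True, "type": "access", "vlan": 10},
    {"portId": "3", "enabled": False},                         # unused, shut down
    {"portId": "23", "enabled": True, "type": "trunk", "vlan": 5,
     "allowedVlans": "5,10-20"},
    {"portId": "24", "enabled": True, "type": "trunk", "vlan": 1,
     "allowedVlans": "all"},                                   # uplink to MX
]


def parse_allowed_vlans(spec):
    """Return the set of tagged VLAN IDs a trunk carries, or None for 'all'."""
    if spec.strip().lower() == "all":
        return None
    vids = set()
    for part in filter(None, (s.strip() for s in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vids.update(range(lo, hi + 1))
        else:
            vids.add(int(part))
    return vids


def vlan1_exposures(ports, default_vlan=1):
    """Return (portId, reason) for each enabled port that exposes VLAN 1.

    An enabled but unconfigured port defaults to access on VLAN 1; a trunk
    whose native VLAN is 1 carries it untagged. Trunks are reported so the
    reviewer can confirm they are switch-to-MX links, not user-facing ports.
    """
    findings = []
    for p in ports:
        if not p.get("enabled", True):
            continue                   # a disabled port cannot reach any VLAN
        ptype = p.get("type", "access")
        vlan = p.get("vlan", default_vlan)
        if ptype == "access" and vlan == 1:
            findings.append((p["portId"], "access port on VLAN 1 (default config)"))
        elif ptype == "trunk":
            allowed = parse_allowed_vlans(p.get("allowedVlans", "all"))
            if vlan == 1:
                findings.append((p["portId"], "trunk native VLAN 1 (untagged)"))
            elif allowed is None or 1 in allowed:
                findings.append((p["portId"], "trunk carries VLAN 1 tagged"))
    return findings
```

Run against the sample data, only port 1 (left at defaults) and port 24 (the MX uplink with native VLAN 1) are reported, which matches the design in the original question: the trunk is expected, the default port is the one to disable or move off VLAN 1.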

Thanks, @Brash. Is it still vulnerable in the scenario in question?


I wouldn't worry about it. In Meraki land, spanning tree protocols only use the untagged VLAN. They need that to flow to let spanning tree form properly.
