vlan 1 on interconnect links between switches

vincentmunier
Occasional Advisor

Hi,

In the "Common practices for hardening HP Comware based devices" document, I read that it is better to delete VLAN 1 from trunk links, but I also read that VLAN 1 is used for many layer 2 protocols (especially for STP protocols). (see attached file)

So my question is: do I need to remove VLAN 1 from trunk links between my core switches (HP 10500) and distribution switches (HP5800)? What happens with spanning tree if I do that (I'm using MSTP)? (undo trunk permit vlan 1)?

Thanks for your advice.

Vincent

4 REPLIES
paulgear
Esteemed Contributor

Re: vlan 1 on interconnect links between switches

Hi Vincent,

A lot of hardening guides say to remove all references to VLAN 1. I'm not that convinced. As long as no access ports can reach VLAN 1, I haven't yet found any reason to remove it from trunks. Some non-HP switches won't even let you remove VLAN 1, so in order to maintain interoperability with them you need to keep it.

Regards,
Paul
Richard Brodie_1
Honored Contributor

Re: vlan 1 on interconnect links between switches

There is a bit of mixture in that paragraph; having in-band management on a separate VLAN is good advice. Disabling VLAN 1 is a bit of a maybe; if you assigned every port on the network to VLAN 73 it wouldn't be any more secure. Some of the general comments about VLAN 1 - misleading, or just plain wrong as far as I can see.

For MSTP, I would think of it as operating at a lower level than the VLAN. MSTP packets always go untagged, even when there are no untagged VLANs on the link. In a factory default configuration that's a bit like being on VLAN 1 - but it isn't really.

Peter_Debruyne
Honored Contributor

Re: vlan 1 on interconnect links between switches

Hi,

Both Comware and ProVision are quite well-behaved regarding control protocols and VLAN 1. They consider VLAN 1 as a user data VLAN, so all the L2 control protocols will run, independent of VLAN 1 or any other untagged VLAN on the port.

Most of these L2 control protocols (STP, 802.1X start, LLDP, LACP, etc.) are using the 01:80:c2:xx:xx:xx MAC range. So even when there is no untagged VLAN (or VLAN 1) configured on the port, when the switch receives an untagged packet with this destination MAC on an interface, these packets are not forwarded by the ASIC, but picked up by the interface and delivered to the CPU (software) for processing.

This mechanism ensures no dependencies on VLAN 1 or any other untagged VLAN configuration, so you can safely get rid of VLAN 1 (as long as you use some other VLAN for management, of course).

Hope this helps,

Peter
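Added example (not from this thread, and not HPE or Comware code): a small Python model of the ingress decision Peter describes, to make the point checkable. It models a trunk from which VLAN 1 has been removed but which still has PVID 1, and runs constructed sample frames through it: MSTP BPDU, LACP, EAPOL-Start and LLDP frames to the IEEE 802.1D reserved block 01-80-C2-00-00-00..0F are punted to the CPU before any VLAN lookup, while untagged and tagged data frames are forwarded or dropped purely on the permitted VLAN list. The `TrunkPort` class, the frame contents and the `punt`/`forward`/`drop` verdict names are assumptions made for this illustration; a real ASIC has further punt rules, and the model generalises slightly beyond the thread by covering several control protocols rather than only STP.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# IEEE 802.1D/802.1Q reserved group addresses 01-80-C2-00-00-00 .. 01-80-C2-00-00-0F.
# A bridge never forwards frames to these addresses; they go to its own control
# plane (STP/MSTP, LACP, 802.1X EAPOL, LLDP, ...).
RESERVED_PREFIX = bytes.fromhex("0180c20000")
RESERVED_LAST_OCTET_MAX = 0x0F

# Destination addresses used by the constructed sample frames below.
MAC_STP = bytes.fromhex("0180c2000000")    # STP/RSTP/MSTP BPDUs
MAC_LACP = bytes.fromhex("0180c2000002")   # LACP (slow protocols)
MAC_EAPOL = bytes.fromhex("0180c2000003")  # 802.1X EAPOL
MAC_LLDP = bytes.fromhex("0180c200000e")   # LLDP
MAC_HOST = bytes.fromhex("001122334455")   # ordinary unicast host (constructed)
MAC_SRC = bytes.fromhex("00aabbccddee")    # constructed source address


def is_bridge_reserved(dst: bytes) -> bool:
    """True when dst lies in the 802.1D reserved group address block."""
    return dst[:5] == RESERVED_PREFIX and dst[5] <= RESERVED_LAST_OCTET_MAX


@dataclass
class TrunkPort:
    """Hypothetical model of a trunk port (not the switch's own data structures).

    permitted: VLAN IDs carried tagged on the trunk; VLAN 1 being absent models
               'undo port trunk permit vlan 1'.
    pvid:      VLAN an untagged *data* frame is assigned to on ingress.
    """
    permitted: frozenset
    pvid: int = 1


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None) -> bytes:
    """Assemble an Ethernet frame, optionally with an 802.1Q tag (VID only, PCP 0)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def classify(frame: bytes, port: TrunkPort) -> str:
    """Ingress verdict for one frame: 'punt', 'forward:<vid>' or 'drop'."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst = frame[:6]
    # The reserved-address check happens before any VLAN membership lookup, so
    # control frames reach the CPU even though VLAN 1 is not permitted on the trunk.
    if is_bridge_reserved(dst):
        return "punt"
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    else:
        vid = port.pvid  # untagged data frame lands in the PVID
    return f"forward:{vid}" if vid in port.permitted else "drop"


# Trunk carrying only VLANs 10 and 20; VLAN 1 removed but still the PVID,
# which is the situation the question asks about.
HARDENED_TRUNK = TrunkPort(permitted=frozenset({10, 20}), pvid=1)

# Constructed sample frames (payloads are minimal stand-ins, not full protocol PDUs).
SAMPLE_FRAMES = {
    "mstp_bpdu": build_frame(MAC_STP, MAC_SRC, 0x0026, b"\x42\x42\x03" + b"\x00" * 35),  # LLC, length field
    "lacp": build_frame(MAC_LACP, MAC_SRC, 0x8809, b"\x01\x01" + b"\x00" * 44),
    "eapol_start": build_frame(MAC_EAPOL, MAC_SRC, 0x888E, b"\x01\x01\x00\x00"),
    "lldp": build_frame(MAC_LLDP, MAC_SRC, 0x88CC, b"\x02\x07\x04" + MAC_SRC),
    "untagged_data": build_frame(MAC_HOST, MAC_SRC, 0x0800, b"\x45" + b"\x00" * 19),
    "vlan10_data": build_frame(MAC_HOST, MAC_SRC, 0x0800, b"\x45" + b"\x00" * 19, vid=10),
    "vlan99_data": build_frame(MAC_HOST, MAC_SRC, 0x0800, b"\x45" + b"\x00" * 19, vid=99),
}


def classify_all(port: TrunkPort = HARDENED_TRUNK) -> dict:
    """Run every sample frame through the port and return name -> verdict."""
    return {name: classify(frame, port) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} -> {verdict}")
```

Running it shows all four control frames punted and the untagged data frame dropped, because its PVID (1) is no longer in the permitted list; re-adding VLAN 1 to `permitted` makes that data frame forward again without changing any control-plane result, which is exactly why removing VLAN 1 from the trunk does not affect MSTP.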

manuel.bitzi
Trusted Contributor

Re: vlan 1 on interconnect links between switches

Of course it is a philosophical question, or a question of which book you read.

But I have been removing VLAN 1 from each trunk link and only allowing tagged VLANs on Comware, ProCurve and Cisco switches for 8 years. I have never run into trouble.

Best regards,

Manuel

H3CSE, MASE Network Infrastructure [2011], Switzerland