HPE Community
Comware Based
1831600 Members
2708 Online
110027 Solutions
New Discussion

vlan 1 on interconnect links between switchs

 
vincentmunier
Occasional Advisor

‎06-06-2013 01:01 PM

‎06-06-2013 01:01 PM

vlan 1 on interconnect links between switchs

Hi,

In the "Common practices for hardening HP comware based devices"  document, i read that it is better to delete vlan 1 from trunk links, but i also read that vlan 1 is used for many layer 2 protocols (especially for stp protocols). (see attached file)

 

So my question is: does i need to remove valn 1 from trunks links between my cores switchs (HP 10500) et distribution switches (HP5800)? What appens with spanning tree if i do that (i'm using mstp)? (undo trunk permit vlan 1)?

 

Thanks for your advices.

Vincent

0 Kudos
4 REPLIES 4
paulgear
Esteemed Contributor

‎06-06-2013 03:04 PM

‎06-06-2013 03:04 PM

Re: vlan 1 on interconnect links between switchs

Hi Vincent,

A lot of hardening guides say to remove all references to VLAN 1. I'm not that convinced. As long as no access ports can reach VLAN 1, i haven't yet found any reason to remove it from trunks. Some non-HP switches won't even let you remove VLAN 1, so in order to maintain interoperability with them you need to keep it.
Regards,
Paul
0 Kudos
Richard Brodie_1
Honored Contributor

‎06-06-2013 04:23 PM

‎06-06-2013 04:23 PM

Re: vlan 1 on interconnect links between switchs

There is a bit of mixture in that paragraph; having in-band management on a separate VLAN is good advice. Disabling VLAN 1 is a bit of a maybe; if you assigned every port on the network to VLAN 73 it wouldn't be any more secure. Some of the general comments about VLAN 1 - misleading, or just plain wrong as far as I can see.

 

For MSTP, I would think of it as operating at a lower level than the VLAN. MSTP packets always go untagged, even when there are no untagged VLANs on the link. In a factory default configuration that's a bit like being on VLAN 1 - but it isn't really.

 

Peter_Debruyne
Honored Contributor

‎06-07-2013 01:04 AM

‎06-07-2013 01:04 AM

Re: vlan 1 on interconnect links between switchs

Hi,

 

both comware and provision are quite well-behaved regarding control protocols and vlan 1. They consider vlan 1 as a user data vlan, so all the L2 control protocols will run, independent of the vlan 1 or any other untagged vlan on the port.

 

Most of these L2 control protocols (STP, 802.1x start, LLDP, LACP, etc) are using the 01:80:c2:xx:xx:xx mac range. So even when there is no untagged vlan (or vlan 1) configured on the port, when the switch receives an untagged packet with this destination mac on an interface, these packets are not forwarded by the ASIC, but picked up by the interface and delivered to the CPU (software) for processing.

 

This mechanism ensures no dependencies on vlan 1 or any other untagged vlan configuration, so you can safely get rid of vlan 1 (as long as you use some other vlan for management of course).

 

Hope this helps,Peter

0 Kudos
manuel.bitzi
Trusted Contributor

‎06-14-2013 07:02 AM

‎06-14-2013 07:02 AM

Re: vlan 1 on interconnect links between switchs

Of course it is a philosophical question or a question of which book you read.

 

But I remove the VLAN 1 on each trunk link and only allow tagged vlans on comware, procurve and cisco switches since 8 years. I never run into troubles.

 

 

best regards

Manuel

H3CSE, MASE Network Infrastructure [2011], Switzerland
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.