When to set up VLAN1?

wweboy Member Posts: 287
Hi everyone,

Can you explain to me when you don't need to set up VLAN1? As far as I understood, VLAN1 always had to be configured and it was like the default IP address of the device, and without that setup it's dumb to the world. I spent an hour and a half setting up a simple network to test RIP routing and couldn't figure out why the advertisements were not working (in Packet Tracer), and now I'm watching a video on YouTube that has a display like this:

http://ottolab.net/ytclip.png

Why isn't VLAN1 set up? Also, can you explain if I'd need to be making changes on the switch? Here I thought I was really grasping the stuff from the CBT Nuggets video, and now I'm confused as all hell on such a simple topic. I know every device has to be configured with an IP address, and that is what I thought VLAN1 essentially did.

Can someone please enlighten me?

Thank you so much everyone.

Comments

  • SubnetZero Member Posts: 124
    Yes, all ports are in VLAN 1 by default, but Cisco recommends you don't use it. If you want to manage your switches, create a management VLAN and assign the IP address to that SVI. For example:

    vtp mode transparent
    vtp domain CCNA
    vtp password cisco
    !!
    vlan 1000
    name management
    exit
    !
    int vlan 1000
    description management
    ip address 192.168.100.1 255.255.255.0

    That's it!

    Here is from Cisco:

    Source: VLAN Security White Paper [Cisco Catalyst 6500 Series Switches] - Cisco Systems

    Precautions for the Use of VLAN 1

    The reason VLAN 1 became a special VLAN is that L2 devices needed to have a default VLAN to assign to their ports, including their management port(s). In addition to that, many L2 protocols such as CDP, PAgP, and VTP needed to be sent on a specific VLAN on trunk links. For all these purposes VLAN 1 was chosen.

    As a consequence, VLAN 1 may sometimes end up unwisely spanning the entire network if not appropriately pruned and, if its diameter is large enough, the risk of instability can increase significantly. Besides, the practice of using a potentially omnipresent VLAN for management purposes puts trusted devices at higher risk of security attacks from untrusted devices that by misconfiguration or pure accident gain access to VLAN 1 and try to exploit this unexpected security hole.

    To redeem VLAN 1 from its bad reputation, a simple common-sense security principle can be used: as a generic security rule the network administrator should prune any VLAN, and in particular VLAN 1, from all the ports where that VLAN is not strictly needed.

    Therefore, with regard to VLAN 1, the above rule simply translates into the recommendations to:

    • Not use VLAN 1 for inband management traffic and pick a different, specially dedicated VLAN that keeps management traffic separate from user data and protocol traffic.

    • Prune VLAN 1 from all the trunks and from all the access ports that don't require it (including not connected and shutdown ports).

    Similarly, the above rule applied to the management VLAN reads:

    • Don't configure the management VLAN on any trunk or access port that doesn't require it (including not connected and shutdown ports).

    • For foolproof security, when feasible, prefer out-of-band management to inband management. (Refer to [3] for a more detailed description of an out-of-band management infrastructure.)

    As a general design rule it is desirable to "prune" unnecessary traffic from particular VLANs. For example, it is often desirable to apply VLAN ACLs and/or IP filters to the traffic carried in the management VLAN to prevent all telnet connections and allow only SSH sessions. Or it may be desirable to apply QoS ACLs to rate limit the maximum amount of ping traffic allowed.

    If VLANs other than VLAN 1 or the management VLAN represent a security concern, then automatic or manual pruning should be applied as well. In particular, configuring VTP in transparent or off mode and doing manual pruning of VLANs is commonly considered the most effective method to exert a more strict level of control over a VLAN-based network.

    While no trees were harmed in the transmission of this message, several electrons were severely inconvenienced
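    As an added example (not part of the thread or of Cisco's white paper), the following Python script turns the recommendations above into a check you can run against a saved `show running-config`: it flags an IP address on interface Vlan1, trunks that still allow VLAN 1 or use it as the native VLAN, the management VLAN on trunks you have not listed as needing it, non-trunk ports left in VLAN 1, VTP not in transparent/off mode, and vty lines that accept anything other than SSH. Both config texts are constructed for the example; the interface names, VLAN 1000 as the management VLAN, VLAN 999 as a parking VLAN, and reading a missing `vtp mode` line as server mode are assumptions. Allowed-VLAN lists are parsed in the form the running-config prints them (a plain list/range or `none`), not the typed `add`/`remove`/`except` forms.

```python
"""Audit a Cisco IOS-style running-config against the VLAN 1 advice quoted above:
management SVI off VLAN 1, VLAN 1 pruned from trunks and idle ports, management VLAN
only on uplinks that need it, VTP transparent/off, SSH-only vty access.
Added example, not from the thread; both config texts are constructed."""
ALL_VLANS = set(range(1, 4095))

def parse_sections(config):
    """Map each unindented config line to its indented sub-lines (stripped)."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            sections.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections

def expand_vlan_list(spec):
    """'1-5,10,1000' -> {1, 2, 3, 4, 5, 10, 1000}"""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allows_vlan(lines, vlan):
    """List/range or 'none' as show running-config prints it; no line means all (add/remove/except not handled)."""
    allowed = set(ALL_VLANS)
    for stmt in (l.split(" ", 4)[4] for l in lines if l.startswith("switchport trunk allowed vlan ")):
        allowed = set() if stmt == "none" else expand_vlan_list(stmt)
    return vlan in allowed

def audit(config, mgmt_vlan, mgmt_trunks=()):
    """One finding per deviation; mgmt_trunks names the uplinks that must carry mgmt_vlan."""
    needed, findings, sections = set(mgmt_trunks), [], parse_sections(config)
    # A missing 'vtp mode' line is read as server mode, the IOS default (assumption).
    vtp = next((k.split()[-1] for k in sections if k.startswith("vtp mode ")), "server")
    if vtp not in ("transparent", "off"):
        findings.append(f"vtp mode {vtp}: prefer transparent/off with manual pruning")
    for name, lines in sections.items():
        ifname = name.split(" ", 1)[1] if name.startswith("interface ") else None
        if name == "interface Vlan1":
            if any(l.startswith("ip address ") for l in lines) and "shutdown" not in lines:
                findings.append("Vlan1: carries an IP address, i.e. in-band management on VLAN 1")
        elif ifname and "switchport mode trunk" in lines:
            native = next((int(l.split()[-1]) for l in lines if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1:
                findings.append(f"{ifname}: native VLAN is 1, so untagged frames land in VLAN 1")
            if trunk_allows_vlan(lines, 1):
                findings.append(f"{ifname}: VLAN 1 allowed on trunk; prune it")
            if trunk_allows_vlan(lines, mgmt_vlan) and ifname not in needed:
                findings.append(f"{ifname}: management VLAN {mgmt_vlan} allowed on a trunk that does not need it")
        elif ifname and not ifname.startswith("Vlan") and "no switchport" not in lines:
            if not any(l.startswith("switchport access vlan ") for l in lines):
                findings.append(f"{ifname}: non-trunk port with no access VLAN set, so it sits in VLAN 1")
        elif name.startswith("line vty"):
            transports = [l.split()[2:] for l in lines if l.startswith("transport input ")]
            if not transports or transports[-1] != ["ssh"]:
                findings.append(f"{name}: allow 'transport input ssh' only, no telnet")
    return findings

# Constructed 'before': managed over VLAN 1, Gi0/1 trunks every VLAN with VLAN 1 native, telnet on.
WEAK = """\
vtp mode server
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10,20,1000
 switchport trunk native vlan 999
 switchport mode trunk
interface GigabitEthernet0/3
 shutdown
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
line vty 0 4
 transport input telnet ssh
"""

# Constructed 'after': management SVI on VLAN 1000, VLAN 1 pruned and shut, idle port parked in VLAN 999.
HARDENED = """\
vtp mode transparent
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20,1000
 switchport trunk native vlan 999
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 999
 shutdown
interface Vlan1
 no ip address
 shutdown
interface Vlan1000
 ip address 192.168.100.1 255.255.255.0
line vty 0 4
 transport input ssh
"""
```

    Calling `audit(WEAK, 1000, {"GigabitEthernet0/1"})` returns seven findings (VTP server mode, VLAN 1 native and allowed on Gi0/1, the management VLAN on Gi0/2 which was not listed as an uplink, the idle Gi0/3 still in VLAN 1, the Vlan1 IP address, and telnet on the vty lines); the same call on `HARDENED` returns an empty list. The `mgmt_trunks` argument is how you encode "where that VLAN is strictly needed": anything the management VLAN reaches beyond that set is reported.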
  • gosh1976 Member Posts: 441
    A couple of things that may help you get pointed in the right direction. Apologies, I am very tired, so hopefully I don't misspeak.
    1. You don't have to do anything at all to the switches to get them to work; just plug them in. So, in turn, you don't have to mess with the switches to practice RIP.
    2. How can you tell anything about VLANs from the pic? All I can tell is the IP addresses set up on the interfaces on one of the routers, oh, and I know which side is DCE.
    3. VLAN 1 is there when you turn a switch on (do a show vlan when you turn a switch on), but if you want to make it your management VLAN, give it an IP so you can telnet/SSH to it. But you should probably not use VLAN 1 as the management VLAN.
  • wweboy Member Posts: 287
    Hmm thank you very much for the replies.
  • SubnetZero Member Posts: 124
    wweboy wrote: »
    Hmm thank you very much for the replies.

    You're welcome. Does that answer your question? Let me know...

    While no trees were harmed in the transmission of this message, several electrons were severely inconvenienced
  • wweboy Member Posts: 287
    Thanks SubnetZero, my buddy themagicone spelled it out for me. Basically it was this: I've been watching the CBT Nuggets videos and trying to emulate the labs exactly as shown. Early on in the videos, as part of basic configuration, it was always to set up VLAN1, and I always thought that gave the router/switch its IP address. So say if you set your router as 10.0.0.254, that was now what you pointed your switch and other routers to.

    I was wrong here, and that is part of the reason I was having such a hard time completing the lab. Every time I set up a new piece of equipment I'd set up VLAN1 with the needed information, thinking "Okay, this router is now xxx.xx.x.x", and in reality I should have been setting an interface as such. Stuff like this is what isn't explained in the video, and I haven't started reading my Sybex CCENT book yet.

    Please let me know if there is anything more I should know or if I'm wrong in my thinking. I thought I was really doing a great job of retaining the information presented, but making such a simple mistake that affects everything really shakes my confidence.

    Thanks.
  • SubnetZero Member Posts: 124
    There are lots of different ways to do things; however, you wouldn't create a VLAN 1 interface on a router, that won't work. For routers you would be using the physical interfaces; however, on a multilayer switch you could use either one.

    For example, if I try to configure interface vlan x on a router it won't work (this command is for switches):

    Router(config)#interface vlan 1
    ^
    % Invalid input detected at '^' marker.


    So let's say I had a router and a switch connected together and I wanted to run EIGRP between them. To make this happen I could do it in two ways.

    1) On the multilayer switch I could turn the switchport connecting to the router into a routed port and configure it with an IP address
    2) On the multilayer switch I could create an SVI for the VLAN connecting to the router

    Either one of these methods will bring up an EIGRP neighbor. Here is an example:

    Topology: SW1 (Gi0/1) --- (Fa0/0) R1

    So first we will turn the switchport into a routed port and run a routing protocol (EIGRP) over it.

    R1 (config)

    interface FastEthernet0/0
    ip address 192.168.100.1 255.255.255.0
    no shut
    !
    router eigrp 100
    passive-interface default
    no passive-interface FastEthernet0/0
    network 192.168.100.0
    no auto-summary

    SW1 (config)

    SW1#conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    SW1(config)#int gig0/1
    SW1(config-if)#no switchport
    SW1(config-if)#ip address 192.168.100.2 255.255.255.0
    SW1(config-if)#no shut
    SW1(config-if)#exit

    *Mar 2 15:08:44.005: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
    *Mar 2 15:08:45.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

    SW1(config)#ip routing
    SW1(config)#router eigrp 100
    SW1(config-router)#no auto-summary
    SW1(config-router)#network 192.168.100.0 0.0.0.255
    SW1(config-router)#passive-interface default
    SW1(config-router)#no passive-interface gig0/1

    *Mar 2 15:10:28.938: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(273) 100: Neighbor 192.168.100.1 (GigabitEthernet0/1) is up: new adjacency

    Alternatively, we can keep the same config on the router but change the switch config to use an SVI (interface vlan x) as opposed to a routed interface like we did above. Here is an example for you (we are only manipulating the switch here, and I will use VLAN 12 for this example):

    SW1(config)#vlan 12
    SW1(config-vlan)#name SW1_R1
    SW1(config-vlan)#exit

    SW1(config)#int giga0/1
    SW1(config-if)#switchport
    SW1(config-if)#switchport mode access
    SW1(config-if)#switchport access vlan 12

    SW1(config-if)#spanning-tree portfast

    SW1(config)#int vlan 12
    SW1(config-if)#ip addr 192.168.100.12 255.255.255.0
    SW1(config-if)#exit
    SW1(config)#do ping 192.168.100.1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.100.1, timeout is 2 seconds:
    .!!!!

    SW1(config)#ip routing
    SW1(config)#router eigrp 100
    SW1(config-router)#no auto-summary
    SW1(config-router)#passive-interface default
    SW1(config-router)#no passive-interface vlan 12

    *Mar 2 15:27:18.280: %DUAL-5-NBRCHANGE: EIGRP-IPv4:(273) 100: Neighbor 192.168.100.1 (Vlan12) is up: new adjacency

    So as you can see we can form neighbor relationships by using both physical and virtual interfaces between our routers and switches.

    HTH

    While no trees were harmed in the transmission of this message, several electrons were severely inconvenienced
  • wweboy Member Posts: 287
    Thank you so much for explaining it. I get it now!