Thursday, November 14, 2019

Why Not Use VLAN 1?



Keeping management off VLAN 1 separates user and management traffic.

ACLs or security features applied to an interface might not always affect traffic destined for the device itself. Therefore, also apply an ACL to the vty lines, so that traffic which reaches the management interface is still blocked unless it comes from authorized IP addresses.
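The vty-line check described above, as an added Cisco IOS example that is not part of the original post. The management subnet 10.10.99.0/24, the ACL name MGMT-ACCESS and the SVI in the second part are constructed values; the point is that the access-class on the vty lines applies to sessions aimed at the switch itself no matter which interface they arrive on, whereas the interface ACL only filters traffic crossing that interface.

```cisco
! Added example, not from the original post.
! Constructed values: management hosts live in 10.10.99.0/24,
! users live in VLAN 10 (10.10.10.0/24), SSH is already enabled.
!
! Standard ACL naming the only hosts allowed to open a management session.
ip access-list standard MGMT-ACCESS
 permit 10.10.99.0 0.0.0.255
 deny   any log
!
! Applied to the vty lines, so it is evaluated for every inbound
! SSH/Telnet session to the switch, regardless of ingress interface.
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 exec-timeout 10 0
!
! For contrast: an interface ACL on the user SVI filters traffic entering
! that SVI, but a session that reaches the switch via another interface
! (the management VLAN, a trunk, a routed link) never hits it.
ip access-list extended USERS-IN
 deny   tcp 10.10.10.0 0.0.0.255 any eq 22 log
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Vlan10
 description USERS
 ip access-group USERS-IN in
```

Verify the vty ACL is actually in force with `show line vty 0` (the "Acc-In" column should show MGMT-ACCESS) and `show access-lists MGMT-ACCESS` to watch the deny counter climb when an unauthorized host tries to connect.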

You can't actually stop VLAN 1 from carrying LLDP/STP/LACP/VRRP/BPDU/CDP/PaGP/VTP/GVRP/etc. across 802.1Q trunk links, but what you can do is:

  • Create a VLAN, e.g., VLAN 999, and move all unused ports into it.
  • There is no need to create an L3 SVI for VLAN 999 because it only holds unused ports.
  • Change the native VLAN on trunks from VLAN 1 to another VLAN.
  • Again, this VLAN does not need an L3 SVI because the native VLAN does not need to be routed.
  • Create a separate VLAN (other than VLAN 1) to manage your switches.
  • From the console, shut down the VLAN 1 interface on each switch and add an L3 SVI for the new management VLAN.
  • Move any user ports still in VLAN 1 into other VLANs.

After this, VLAN 1 will only be used for L2 management protocols (LLDP/STP/LACP/VRRP/BPDU, etc.).
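The whole procedure above on a single Cisco IOS access switch, as an added example that is not part of the original post. Every value is constructed: VLAN 999 parks unused ports, VLAN 998 becomes the trunk native VLAN, VLAN 100 (10.10.100.0/24) is the management VLAN, VLANs 10 and 20 are user VLANs, Gi1/0/1-24 are user ports, Gi1/0/25-48 are unused and Gi1/0/49-52 are uplinks. Only VLAN 999, 998 and 100 get created for the hardening itself; only VLAN 100 gets an SVI.

```cisco
! Added example, not from the original post. All VLAN numbers, addresses
! and interface ranges are constructed for illustration.
!
! 1. Parking VLAN for unused ports and a replacement native VLAN.
!    Neither gets an L3 SVI.
vlan 999
 name UNUSED-PORTS
vlan 998
 name NATIVE-TRUNK
!
! 2. Dedicated management VLAN (this one does get an SVI below).
vlan 100
 name MGMT
!
! User VLANs that the former VLAN 1 ports are moved into.
vlan 10
 name USERS-A
vlan 20
 name USERS-B
!
! 3. Every unused port goes into VLAN 999 and is administratively down.
interface range GigabitEthernet1/0/25 - 48
 description UNUSED
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
 shutdown
!
! 4. Trunks: native VLAN moved off VLAN 1 and the allowed list pruned to
!    what must cross the link. VLAN 1 still carries the L2 control
!    protocols (CDP, VTP, PAgP, STP BPDUs, ...) over the trunk regardless.
!    'switchport trunk encapsulation dot1q' is only needed on platforms
!    that still support ISL; omit it where the command does not exist.
interface range GigabitEthernet1/0/49 - 52
 description UPLINK
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,100,998
 switchport nonegotiate
!
! 5. User ports moved out of VLAN 1 into their user VLAN.
interface range GigabitEthernet1/0/1 - 24
 description USERS
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! 6. Do this part from the console: shutting interface Vlan1 drops any
!    in-band session that is riding on it. Bring up the management SVI
!    first, then shut VLAN 1.
interface Vlan100
 description MGMT
 ip address 10.10.100.11 255.255.255.0
 no shutdown
!
interface Vlan1
 no ip address
 shutdown
!
! L2 switch: point management traffic at the VLAN 100 gateway.
ip default-gateway 10.10.100.1
```

After applying it, `show vlan brief` should list no access ports in VLAN 1, `show interfaces trunk` should show native VLAN 998 on every uplink, and `show ip interface brief` should show Vlan1 administratively down with Vlan100 up. CDP and STP neighbours will still appear on the trunks, which is the expected behaviour the post describes.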
