Patrick Cervicek (Guest)
Posted: Tue Jul 24, 2007 12:57 pm
Post subject: 3500XL: Disable/Block VLAN 1 on an uplink port

I want to disable VLAN 1 on an uplink port of a 3500XL switch with
12.0(5)WC17.
Unfortunately it doesn't work.
rhsw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
rhsw(config)#interface f0/48
rhsw(config-if)#switchport trunk allowed vlan 55
rhsw(config-if)#^Z
rhsw#show running-config interface f0/48
Building configuration...
Current configuration:
!
interface FastEthernet0/48
description frei
shutdown
switchport trunk allowed vlan 1,55,1002-1005
switchport mode trunk
spanning-tree portfast
end
Are there other ways to filter VLAN 1?
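The running-config above is exactly what a defender wants to catch in an audit: a trunk whose allowed list still contains VLAN 1 and whose native VLAN is still 1. The following Python script is an added example, not code from the thread; it parses `show running-config` interface blocks, expands IOS VLAN lists such as `1,55,1002-1005`, and reports trunks that still expose VLAN 1. The sample input is constructed from the f0/48 block in the post plus two hypothetical interfaces (f0/47 with a non-default native VLAN, and an access port f0/1) for contrast.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: the f0/48 block from the thread, plus two
# hypothetical interfaces (f0/47, f0/1) added for contrast.
SAMPLE_CONFIG = """\
Building configuration...
Current configuration:
!
interface FastEthernet0/47
 description uplink-core
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,55
 switchport mode trunk
!
interface FastEthernet0/48
 description frei
 shutdown
 switchport trunk allowed vlan 1,55,1002-1005
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/1
 switchport access vlan 20
end
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,55,1002-1005' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the lines of each 'interface ...' block under the interface name."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_trunks(config: str) -> Dict[str, List[str]]:
    """Return, per trunk port, the reasons it still exposes VLAN 1.

    Only the normalised forms IOS writes to the running-config are handled
    ('allowed vlan <list>' or 'allowed vlan all'); the interactive
    add/remove/except forms never appear in saved output.
    """
    findings: Dict[str, List[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" not in lines:
            continue  # access ports carry a single VLAN; not in scope here
        allowed: Optional[Set[int]] = None  # None = IOS default, all VLANs
        native = 1                          # IOS default native VLAN
        for line in lines:
            m = re.fullmatch(r"switchport trunk allowed vlan (.+)", line)
            if m:
                spec = m.group(1).strip()
                allowed = None if spec == "all" else expand_vlan_list(spec)
            m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
            if m:
                native = int(m.group(1))
        issues: List[str] = []
        if allowed is None or 1 in allowed:
            issues.append("VLAN 1 is in the allowed list")
        if native == 1:
            issues.append("native VLAN is 1, so untagged frames land in VLAN 1")
        if issues and "shutdown" in lines:
            issues.append("port is administratively down; exposure starts when enabled")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for port, reasons in audit_trunks(SAMPLE_CONFIG).items():
        print(port)
        for reason in reasons:
            print("  -", reason)
```

Run against a full `show running-config`, this reports only FastEthernet0/48 for the sample: VLAN 1 is still allowed (the 3500XL re-adds it, as the post shows), the native VLAN is the default 1, and the port is currently shut down. The hypothetical f0/47, with native VLAN 99 and an allowed list without VLAN 1, passes.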
headsetadapter.com (Guest)
Posted: Tue Jul 24, 2007 12:57 pm
Post subject: Re: 3500XL: Disable/Block VLAN 1 on an uplink port

VLANs 1 and 1002-1005 are special VLANs, which carry all "vital technical
information". VLAN 1 should ALWAYS exist, since Spanning Tree, CDP, VTP and
other protocols use it to communicate between switches. In newer switches
you may "disable" it in the config, and it may not show up in the commands,
but when you actually sniff the traffic, you see it there.
From the security standpoint... If you don't have a corresponding IP address,
then what is there to worry about?
Good luck,
Mike
CCNP, CCDP, CCSP, Cisco Voice, MCSE W2K, MCSE+I, Security+, etc.
CCIE R&S (in progress), CCIE Voice (in progress)
------
Headset Adapters for Cisco IP Phones
www.ciscoheadsetadapter.com
www.headsetadapter.com
"Patrick Cervicek" <patrick@expires200707.spam.hs-esslingen.de> wrote in
message news:f84j09$nck$1@news.belwue.de...
> I want to disable VLAN 1 on an uplink port of a 3500XL switch with
> 12.0(5)WC17.
> Unfortunately it doesn't work.
> rhsw#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> rhsw(config)#interface f0/48
> rhsw(config-if)#switchport trunk allowed vlan 55
> rhsw(config-if)#^Z
> rhsw#show running-config interface f0/48
> Building configuration...
> Current configuration:
> !
> interface FastEthernet0/48
> description frei
> shutdown
> switchport trunk allowed vlan 1,55,1002-1005
> switchport mode trunk
> spanning-tree portfast
> end
> Are there other ways to filter VLAN 1?
Arthur Brain (Guest)
Posted: Tue Jul 24, 2007 12:57 pm
Post subject: Re: 3500XL: Disable/Block VLAN 1 on an uplink port

Patrick Cervicek wrote:
> I want to disable VLAN 1 on an uplink port of a 3500XL switch with
> 12.0(5)WC17.
> Unfortunately it doesn't work.
> rhsw#conf t
> Enter configuration commands, one per line. End with CNTL/Z.
> rhsw(config)#interface f0/48
> rhsw(config-if)#switchport trunk allowed vlan 55
> rhsw(config-if)#^Z
> rhsw#show running-config interface f0/48
> Building configuration...
> Current configuration:
> !
> interface FastEthernet0/48
> description frei
> shutdown
> switchport trunk allowed vlan 1,55,1002-1005
> switchport mode trunk
> spanning-tree portfast
> end
> Are there other ways to filter VLAN 1?

How's this for a theory:
Create a trunk between two switches.
Put "native VLAN 1" on the network side, but "native VLAN 2" on
the outside. (VLAN mismatch)
You can then prune VLAN 2 on trunks past the far end, thus stopping
VLAN 1 from going any further.
Patrick Cervicek (Guest)
Posted: Tue Jul 24, 2007 12:57 pm
Post subject: Re: 3500XL: Disable/Block VLAN 1 on an uplink port

headsetadapter.com wrote:
> VLANs 1 and 1002-1005 are special VLANs, which carry all "vital technical
> information". VLAN 1 should ALWAYS exist, since Spanning Tree, CDP, VTP and
> other protocols use it to communicate between switches. In newer switches
> you may "disable" it in the config, and it may not show up in the commands,
> but when you actually sniff the traffic, you see it there.

... but are you sure you can connect to a backbone IP in VLAN 1 when
it's "disabled"?

> From the security standpoint... If you don't have a corresponding IP address,
> then what is there to worry about?

The interfaces of our backbone are in VLAN 1. It is dangerous in 2 scenarios:
* We have VoIP phones with a PC connected to them. We use 2 VLANs for
that, but we do not want to risk that smart users could connect to our
backbone via VLAN 1.
* We are using access points with a multi-SSID feature; each SSID is
using its own VLAN. We do not need/want VLAN 1 here.