 From:  Guy Boisvert <guy dot boisvert at ingtegration dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Fwd: [m0n0wall] Virtual LAN?
 Date:  Fri, 12 Nov 2010 15:40:00 -0500
On 2010-11-12 15:30, Jon Reynolds wrote:
> Good info Guy. One thing to watch out for is using a vlan id of 1.
> Some switches use this as their management vlan id.
>> Jon
> Sorry Guy, I meant for this to go to the list and not directly to you.
> Jon

Good to point that out Jon, I forgot to mention the "special aspect" of 
VLAN 1.  That's why I called it "Management"; I may have been 
misleading because I meant telecom infrastructure management.

For those who don't know, VLAN 1 is a special one.  Citing Cisco:

"All switchports must be members of a VLAN, and, by default, it is VLAN 
1. Because VLAN 1 was selected as the default VLAN for all switchports, 
it was also chosen to handle special traffic such as VLAN Trunking 
Protocol (VTP) advertisements, CDP, Port Aggregation Protocol (PAgP), or 
Link Aggregation Control Protocol messages (LACP). By default, in-band 
management interfaces such as sc0 are members of VLAN 1."

"Over the years, a common scenario involving VLAN 1 and the management 
interface developed. In this scenario, administrators assigned an IP 
address to sc0, left it in VLAN 1, and created other VLANs for all user 
traffic. All ports not changed or enabled remain in VLAN 1. Trunked 
ports between switches are created to connect VLANs, and, by default, 
all VLANs (1-1005 or 1-4096 depending on trunk type and switch software 
version) are allowed across a trunk. Because each switch will have a 
management interface, likely sc0, this can result in VLAN 1 spanning the 
entire switched network. Remember that IEEE spanning tree only allows 
seven switch hops between end stations, and many times large networks 
that allow all VLANs to be trunked can approach or exceed the limit, 
especially for VLAN 1. When a spanning tree exceeds seven switch hops, 
the spanning-tree topology can become unpredictable during a topology 
change and reconvergence can be slow if the spanning tree reconverges at 
all. A few different options should be considered to alleviate this 
problem. The first option is to use a different VLAN other than VLAN 1 
for the management interfaces in the network. As of Catalyst OS version 
5.4(1) and later, VLAN 1 can be cleared from both Inter-Switch Link 
(ISL) Protocol and 802.1q trunks, thus removing VLAN 1 from the 
spanning-tree topology on those trunks. Simply substituting a different 
VLAN number does not alleviate the problem of the new VLAN spanning the 
switched network and potentially exceeding the allowed number of hops. 
To avoid the problem, either multiple VLANs must be dedicated to network 
management or the management interfaces must be placed in multiple VLANs 
along with user traffic. Either way, the management interfaces must be 
reachable by the network management stations. In the configuration 
examples later in this chapter, the sc0 interface is placed in a user 
VLAN along with other ports."


Thanks again Jon for pointing that out.


Guy Boisvert, ing.
IngTegration inc.

CONFIDENTIALITY NOTICE : Proprietary/Confidential Information
belonging to IngTegration Inc. and its affiliates may be
contained in this message. If you are not a recipient
indicated or intended in this message (or responsible for
delivery of this message to such person), or you think for
any reason that this message may have been addressed to you
in error, you may not use or copy or deliver this message to
anyone else. In such case, you should destroy this message
and are asked to notify the sender by reply email.
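The Cisco passage quoted above makes two points that are easy to check mechanically: whether management interfaces and trunks still carry VLAN 1, and whether any management VLAN spans more than the seven switch hops IEEE spanning tree assumes. The following audit is an added example, not code from the original message, m0n0wall or Cisco; the switch inventory, trunk allowed-VLAN sets, VLAN numbers 91/92 and the seven-hop limit as a hard threshold are all constructed assumptions.

```python
from collections import deque

# Assumption: default IEEE 802.1D timers are tuned for a diameter of 7 switch hops
MAX_STP_DIAMETER = 7
ALL_VLANS = frozenset(range(1, 1006))  # the default "allow all" on a trunk


def _vlan_diameter(trunks, vlan):
    """Longest shortest path, in inter-switch hops, across trunks carrying vlan."""
    adj = {}
    for a, b, allowed in trunks:
        if vlan in allowed:
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    diameter = 0
    for start in adj:  # BFS from every switch; inventories are small
        dist, queue = {start: 0}, deque([start])
        while queue:
            node = queue.popleft()
            for nbr in adj[node]:
                if nbr not in dist:
                    dist[nbr] = dist[node] + 1
                    queue.append(nbr)
        diameter = max(diameter, max(dist.values()))
    return diameter


def audit_management_vlans(switches, trunks):
    """switches: {name: mgmt_vlan}; trunks: [(a, b, allowed_vlan_set)]."""
    findings = {
        "mgmt_in_vlan1": sorted(n for n, v in switches.items() if v == 1),
        "trunks_carrying_vlan1": sorted(f"{a}-{b}" for a, b, ok in trunks if 1 in ok),
        "mgmt_vlan_diameters": {},
        "oversized_mgmt_vlans": [],
    }
    for vlan in sorted(set(switches.values())):  # one diameter per management VLAN
        d = _vlan_diameter(trunks, vlan)
        findings["mgmt_vlan_diameters"][vlan] = d
        if d > MAX_STP_DIAMETER:
            findings["oversized_mgmt_vlans"].append(vlan)
    return findings


# Constructed sample: nine switches daisy-chained, factory defaults everywhere.
BEFORE_SWITCHES = {f"sw{i}": 1 for i in range(1, 10)}
BEFORE_TRUNKS = [(f"sw{i}", f"sw{i+1}", ALL_VLANS) for i in range(1, 9)]

# Remediated as the quote suggests: VLAN 1 cleared from every trunk, management
# split into VLAN 91 (sw1-sw5) and VLAN 92 (sw6-sw9), each confined to its region.
AFTER_SWITCHES = {f"sw{i}": (91 if i <= 5 else 92) for i in range(1, 10)}
AFTER_TRUNKS = [(f"sw{i}", f"sw{i+1}", {10, 20} | ({91} if i + 1 <= 5 else {92} if i >= 6 else set()))
                for i in range(1, 9)]
```

Run `audit_management_vlans` on both inventories: the default chain reports VLAN 1 on every trunk with a diameter of 8 hops, while the split design reports no VLAN 1 anywhere and diameters of 4 and 3.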