I'd take the first option - saying "DON'T DO THIS" in an interface description will make it obvious to someone coming along later... If you take the second option, then someone later may see "oh look, that vlan isn't routing, I'll just fix that" and then fix it good and proper.
In NAC deployments, you would often have unrouted vlans. In the interface description, a short rationale may help, or an email address. i.e.:

    interface vlan 666
     shutdown
     description vlan of death - leave shutdown
     desc NAC quarantine
     desc non routable - email Bob
     desc dragons and sharks with lasers

etc.

Of course it won't matter if it is shutdown or not with no L3 on it, but in case someone puts an address on, then double checks, they will see it is shutdown and (might) not no shut it.

Cheers,
Matt
CCIE #22386 CCSI #31207

On 26 November 2011 07:28, Bob McCouch <[email protected]> wrote:
> Hi Experts,
>
> I know this mailing list is for IPExpert materials discussions but I'm
> going to abuse it just a touch to get some best practice input from a
> collection of seasoned engineers. I am always on the fence about how to
> treat unrouted L2 VLANs that exist on an L3 switch, like a guest network
> that is being piped up to a firewall or a (gasp) DMZ that is running as a
> VLAN on the internal network, or just a voice VLAN that is gatewayed by
> another device. Here are the two positions I float between:
>
> 1) Create the SVI (interface VlanX), no ip address, shutdown, put a
> description that warns not to activate the SVI.
> 2) Ignore it at L3 completely and don't even instantiate the SVI.
>
> The argument for #1 goes that by creating the interface and purposely
> shutting it and adding a description, you're hopefully less likely to have
> someone else accidentally enable routing on that interface one day thinking
> they're taking care of something that got missed. Actively document the
> designed behavior rather than just leave a questionable absence of
> configuration. The argument for #2 says completely ignore this VLAN and
> don't even let the routing engine "listen" in any fashion to it.
>
> Anyone know of any actual security/architecture best practices on this, or
> is there a common opinion on this?
>
> Thanks!
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
> To Unsubscribe from this list please visit the following link and follow the
> directions to unsubscribe. http://onlinestudylist.com/mailman/listinfo/ccie_rs
> _______________________________________________
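Both replies land on the same rule: a VLAN that is designed to be L2-only must either have no SVI at all (Bob's option 2) or have an SVI that is shut down, carries no address, and says why (option 1). Either way the thing that actually bites is drift, someone "fixing" it later. The script below is an added example, not code from either poster or from IPExpert, that checks a saved `show running-config` against a list of VLAN IDs you declare unrouted and reports any SVI that has drifted. The sample config and the VLAN numbers in it are constructed for the example.

```python
"""Audit an IOS-style running-config for unrouted VLANs whose SVI has drifted.

Rule encoded (from the thread): for every VLAN declared L2-only, either no
'interface VlanN' exists, or it exists with 'shutdown', no ip/ipv6 address,
and a description that explains the intent.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Svi:
    vlan: int
    shutdown: bool = False
    ip_addresses: list[str] = field(default_factory=list)
    description: str = ""


def parse_svis(config: str) -> dict[int, Svi]:
    """Collect 'interface VlanN' stanzas; a line with no leading space ends a stanza."""
    svis: dict[int, Svi] = {}
    current: Svi | None = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface\s+Vlan\s*(\d+)\s*$", line, re.IGNORECASE)
        if m:
            current = Svi(vlan=int(m.group(1)))
            svis[current.vlan] = current
            continue
        if current is None:
            continue
        if not line.startswith(" "):      # '!' or the next top-level stanza
            current = None
            continue
        body = line.strip()
        if body == "shutdown":
            current.shutdown = True
        elif body == "no shutdown":
            current.shutdown = False
        elif body.startswith(("ip address ", "ipv6 address ")):
            current.ip_addresses.append(body)   # 'no ip address' does not match
        elif body.startswith("description "):
            current.description = body[len("description "):]
    return svis


def audit_unrouted_vlans(config: str, unrouted: set[int]) -> list[str]:
    """Return one finding per violation of the L2-only rule; empty list means clean."""
    findings: list[str] = []
    svis = parse_svis(config)
    for vlan in sorted(unrouted):
        svi = svis.get(vlan)
        if svi is None:
            continue   # option 2: no SVI, nothing for the routing engine to listen on
        if svi.ip_addresses:
            findings.append(f"Vlan{vlan}: has {len(svi.ip_addresses)} address(es) but is designed L2-only")
        if not svi.shutdown:
            findings.append(f"Vlan{vlan}: SVI exists but is not shutdown")
        if svi.shutdown and not svi.ip_addresses and not svi.description:
            findings.append(f"Vlan{vlan}: shutdown SVI has no description explaining why")
    return findings


# Constructed sample config (hypothetical VLAN IDs and addresses).
SAMPLE_CONFIG = """\
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
interface Vlan20
 description Guest - L2 only, handed to the firewall, LEAVE SHUTDOWN
 no ip address
 shutdown
!
interface Vlan30
 description Voice - gateway lives on the voice router, DO NOT route here
 ip address 10.0.30.1 255.255.255.0
!
interface Vlan666
 no ip address
 shutdown
!
"""

# VLANs the design says are L2-only on this switch (hypothetical).
UNROUTED_VLANS = {20, 30, 666}

if __name__ == "__main__":
    for finding in audit_unrouted_vlans(SAMPLE_CONFIG, UNROUTED_VLANS) or ["clean"]:
        print(finding)
```

Run it against a config pulled by whatever you already use for backups; Vlan20 passes as a correctly documented option-1 SVI, Vlan30 is the failure mode Bob worries about (warning in the description, yet someone still put an address on it and left it up), and Vlan666 is shut and addressless but gives the next engineer no reason not to "fix" it. Keeping the declared set of unrouted VLANs next to the config in version control is what turns the description-as-warning into something that is actually enforced.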
