On Tue, Oct 15, 2013 at 1:55 PM, Matthew W. Ross <[email protected]> wrote:

<snip>

>> vlan 1
>> name "DEFAULT_VLAN"
>> untagged 50-52
>> ip address dhcp-bootp
>> no untagged 1-49
>> exit
> [SNIP]
>> Nothing is ever put into vlan 1,
>
> Wait... what? If nothing is plugged into vlan 1, why is it there? Also, it
> appears you have it configured to get a DHCP address... Is this by your
> design?

vlan 1 is the default, but it isn't used, and I'm not sure (it's been a while since I looked) if it can be removed. Certainly, it's reasonable to have an unused vlan - if for no other reason than if a port is unused, you want to park it in a vlan where it won't get any addresses, so that if the port is hot (connected to a jack), the traffic won't go anywhere. The reference to DHCP refers to getting an address for the switch on the VLAN, and it's a noop - there won't be any DHCP requests for that VLAN.

>> and vlan 101 is the management, and vlan 101 is also the primary vlan.
>
> So it's possible for your end users to reach the management interfaces on
> your switches? Isn't that a "Bad Thing" (TM)? (P.S. I'll ignore the confusion
> of your vlan 99 being named "vlan101"...)

No, they can't reach it. ACLs and firewalling prevent that.

>> Port 49 is the one that is connected to the core
>> switch. I normally reserve port 50 for the monitor/mirror/span port,
>> to be used as needed in troubleshooting.
>
> Having the dedicated Mirror port is a good idea. I'll think on that one.

I've found it useful on more than one occasion...

Kurt
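An added example, not part of the thread above: a small Python audit of a ProCurve-style VLAN configuration. The sample config is constructed after the quoted snippet (VLAN 101 as management and a parking VLAN 999 are assumed for the demo). It resolves which ports each VLAN holds after `untagged`/`no untagged` lines and flags VLANs where the switch's own IP interface (static or `dhcp-bootp`) shares a VLAN with access ports, which is the reachability question raised in the exchange; a parking VLAN shows up as ports with no address and raises nothing.

```python
import re
# Constructed ProCurve-style sample after the quoted snippet; VLANs 101 and 999 are invented.
SAMPLE_CONFIG = """\
vlan 1
   name "DEFAULT_VLAN"
   untagged 50
   ip address dhcp-bootp
   no untagged 1-49,51-52
   exit
vlan 101
   name "MGMT"
   untagged 1-48
   ip address 10.0.101.2 255.255.255.0
   exit
vlan 999
   name "PARKING"
   untagged 51-52
   exit
"""

def expand_ports(spec: str) -> set:
    """Expand a ProCurve port list such as '1-4,7' into a set of port numbers."""
    return {n for p in spec.split(",") for lo, _, hi in [p.strip().partition("-")]
            for n in range(int(lo), int(hi or lo) + 1)}

def parse_vlans(config: str) -> dict:
    """Return {vlan_id: {"untagged": set of ports, "ip": 'ip address' argument or None}}."""
    vlans, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            cur = vlans.setdefault(int(m[1]), {"untagged": set(), "ip": None})
        elif line == "exit" or cur is None:
            cur = None  # leave the block; lines outside any vlan block are ignored
        elif line.startswith("no untagged "):
            cur["untagged"] -= expand_ports(line[12:])  # ports moved out of this VLAN
        elif line.startswith("untagged "):
            cur["untagged"] |= expand_ports(line[9:])
        elif line.startswith("ip address "):
            cur["ip"] = line[11:]
    return vlans

def audit(vlans: dict) -> list:
    """Flag VLANs whose switch IP interface shares a broadcast domain with access ports."""
    findings = []
    for vid, v in sorted(vlans.items()):
        if v["ip"] and v["untagged"]:
            findings.append(f"vlan {vid}: switch IP ({v['ip']}) on a VLAN with access ports "
                            f"{sorted(v['untagged'])}; confirm ACLs restrict management access")
    return findings
```

Run against the sample it reports VLAN 1 (DHCP client on a VLAN still holding port 50) and VLAN 101 (management address alongside user ports), and nothing for the address-less parking VLAN.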

