For the Local VLANs model, it is usually recommended to have only one to three VLANs per access module and, as discussed, limit those VLANs to a couple of access switches and the distribution switches.
Avoid using VLAN 1 as the “blackhole” for all unused ports; assign unused ports to any VLAN other than VLAN 1.
Always keep separate voice VLANs, data VLANs, management VLANs, native VLANs, blackhole VLANs, and the default VLAN (VLAN 1).
In the local VLANs model, avoid VTP; instead, manually configure the allowed VLANs on each trunk.
For trunk ports, turn off DTP and configure trunking manually. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
Manually configure access ports that are not specifically intended for a trunk link.
Keep all data traffic off VLAN 1; permit only control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, and so on).
Avoid using Telnet because of security risks; enable SSH support on management VLANs.
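A Cisco IOS access-switch configuration that puts these recommendations together, added here as an example (it is not from the original post); the hostname, VLAN numbers, interface names, addresses and credential are assumed.

```ios
! Added example, not from the original post. Hostname, VLAN numbers, interface
! names, addresses and credentials are assumed; adjust for the real topology.
hostname ACCESS-SW1
! Local VLANs model: keep VTP out of the picture
vtp mode transparent
! Separate data, voice, management, native and blackhole VLANs; VLAN 1 left alone
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name MGMT
vlan 998
 name NATIVE
vlan 999
 name BLACKHOLE
! User ports: static access mode, so no DTP negotiation
interface range GigabitEthernet1/0/1 - 20
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
! Unused ports: parked in the blackhole VLAN (not VLAN 1) and shut down
interface range GigabitEthernet1/0/21 - 46
 switchport mode access
 switchport access vlan 999
 shutdown
! Uplink: 802.1Q (not ISL), DTP off, dedicated native VLAN, manual allowed list
! that omits VLAN 1 so no user data rides on it (control protocols still do)
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
 switchport nonegotiate
! Management SVI on the management VLAN, reachable over SSH only
interface Vlan99
 ip address 10.99.0.11 255.255.255.0
ip domain-name example.net
! Key generation is a one-time step entered in global config before SSH comes up
crypto key generate rsa modulus 2048
ip ssh version 2
! Placeholder credential: replace before use
username netadmin secret CHANGE-ME
line vty 0 4
 transport input ssh
 login local
```

On platforms that support only 802.1Q trunking, the `switchport trunk encapsulation dot1q` line is rejected and can simply be dropped.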