Best Practices for VLAN Design

Following these General Best practices when implementing VLANs can help to design and implement VLANs in a simple, secure and less troubleshooting-requiring Campus Network.
  • For the Local VLANs model, it is usually recommended to have only one to three VLANs per access module and limit those VLANs to a couple of access switches and the distribution switches.
  • Avoid using VLAN 1 as the “blackhole” for all unused ports. Use any other VLAN except 1 to assign all the unused ports to it.
  • Try to always have separate voice VLANs, data VLANs, management VLANs, native VLANs, blackhole VLANs, and default VLANs (VLAN 1).
  • In the local VLANs model, avoid VTP; it is feasible to use manually allowed VLANs in a network on trunks.
  • For trunk ports, turn off DTP and configure it manually. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
  • Manually configure access ports that are not specifically intended for a trunk link.
  • Prevent all data traffic from VLAN 1; only permit control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, and such.).
  • Avoid using Telnet because of security risks; enable SSH support on management VLANs.