Following these general best practices when implementing VLANs helps keep a campus network simple, secure, and easier to troubleshoot.
- For the local VLANs model, it is usually recommended to have only one to three VLANs per access module and to limit those VLANs to a couple of access switches and the distribution switches.
- Avoid using VLAN 1 as the “blackhole” for all unused ports. Assign all unused ports to any VLAN other than 1.
- Try to always have separate voice VLANs, data VLANs, management VLANs, native VLANs, blackhole VLANs, and default VLANs (VLAN 1).
- In the local VLANs model, avoid VTP; it is feasible to manually configure the allowed VLANs on trunks.
- For trunk ports, turn off DTP and configure trunking manually. Use IEEE 802.1Q rather than ISL because it has better support for QoS and is a standard protocol.
- Manually configure access ports that are not specifically intended for a trunk link.
- Keep all data traffic off VLAN 1; permit only control protocols to run on VLAN 1 (DTP, VTP, STP BPDUs, PAgP, LACP, CDP, and so on).
- Avoid using Telnet because of security risks; enable SSH support on management VLANs.
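
Several of the items above can be checked mechanically against a switch's running configuration. The following is an added example, not part of the original page: a small Python audit that flags trunks with DTP left on or no manual allowed-VLAN list, ports with no manually set mode, access ports left in VLAN 1, and vty lines that accept Telnet. The sample configuration, interface names and VLAN numbers are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original page); VLAN numbers are arbitrary.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,110
 switchport mode trunk
 switchport nonegotiate
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/4
 description unused
line vty 0 4
 transport input telnet ssh
"""

def parse_sections(config):
    """Map each 'interface ...' / 'line vty ...' header to its indented sub-commands."""
    sections, current = {}, None
    for line in config.splitlines():
        if re.match(r"(interface|line vty) ", line):
            current = sections.setdefault(line.strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # '!' separators and global commands end the section
    return sections

def audit(config):
    """Return (section, finding) pairs for settings that break the checklist above."""
    findings = []
    for name, cmds in parse_sections(config).items():
        if name.startswith("line vty"):
            if any(re.match(r"transport input .*\b(telnet|all)\b", c) for c in cmds):
                findings.append((name, "Telnet allowed on vty lines"))
        elif "switchport mode trunk" in cmds:
            if "switchport nonegotiate" not in cmds:
                findings.append((name, "DTP not turned off on trunk"))
            if not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
                findings.append((name, "no manual allowed-VLAN list"))
        elif "switchport mode access" in cmds:
            # A missing 'switchport access vlan' line means the port sits in VLAN 1.
            if not any(re.fullmatch(r"switchport access vlan (?!1$)\d+", c) for c in cmds):
                findings.append((name, "access port left in VLAN 1"))
        else:
            findings.append((name, "port mode not configured manually"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the bare trunk on GigabitEthernet1/0/2, the unconfigured GigabitEthernet1/0/4, and the vty lines, while the hardened trunk and the access port in VLAN 10 pass.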