disable VLAN 1
Open, WishlistPublicFEATURE REQUEST
Actions

Assigned To

None

Authored By

	Apachez
	Oct 29 2023, 5:54 AM

Description

When dealing with bridges VLAN 1 often have a “magic” purpose of always existing.

It will be like the /dev/null interface where whatever doesnt match a defined VLAN will be considered part of VLAN 1.

This can be a security problem where given a quick look at the config things might look to be properly setup but then you have VLAN 1 lurking in the shadows and interconnecting all interfaces anyway which can be kind of bad…

For example in VyOS:

https://docs.vyos.io/en/latest/configuration/interfaces/bridge.html#enable-vlan-aware-bridge

It is not valid to use the vif 1 option for VLAN aware bridges because VLAN aware bridges assume that all unlabeled packets belong to the default VLAN 1 member and that the VLAN ID of the bridge’s parent interface is always 1

One mitigation for this with other vendors is to do a combination of always define “allowed-vlans” when configuring a switchport but also to simply shutdown the VLAN 1 like so:

vlan 1
   state suspend
   trunk group DO_NOT_USE
!

Feature request is to make it possible to shutdown/suspend/disable VLAN 1 also in VyOS.

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Improvement (missing useful functionality)

Event Timeline

Apachez created this task.Oct 29 2023, 5:54 AM

pasik added a subscriber: pasik.Oct 29 2023, 9:21 AM

ishan added a subscriber: ishan.Nov 2 2023, 8:37 PM

Do any suggestions for CLI and Linux examples?

Viacheslav triaged this task as Wishlist priority.Jan 20 2024, 1:43 PM

Make it possible to shutdown/suspend/disable VLAN 1Open, WishlistPublicFEATURE REQUESTActions

Description

Details

Event Timeline

Make it possible to shutdown/suspend/disable VLAN 1
Open, WishlistPublicFEATURE REQUEST
Actions