Struggling with "default" VLAN on D-Link DGS-1100-24V2

rkubes

Below is a screenshot of where my configuration is now. All of the VLAN IDs that you see that are not "1" are all working as intended. I have changed my "management" VLAN to be one of those values that is not "1". The ports that are left as "Hybrid" are all turned off and don't have devices connected currently.

My issue is I want to now get rid of "VLAN 1" from the list, because I don't want to potentially leave behind a VLAN that something can get tagged as and be able to talk to any of the ports. However, the UI will not let me delete the VLAN "1" because it's "in use."

This is my first managed switch, so I'm not knowledgeable enough to know whether the current state is "trusted enough," or if there's some further action I need to take to get VLAN 1 completely out of there.

I've seen suggestions of removing the "native VLAN" from each interface, but it's a required field on the D-Link switch. I've also seen suggestions of changing it to some "dummy" VLAN that I don't use elsewhere, but in a sense, that's already what VLAN 1 is. I don't know if there's some other "proper" way to remove it from the "Untagged" and "Native" columns without just replacing it with some other dummy value.

Any guidance will be greatly appreciated!

1758742123280.png
 
Hmm, I'm quite befuddled by the terminology being used here. As far as I've ever heard, "native VLAN" and "untagged VLAN" mean the same thing, namely the VLAN ID that's deemed to be associated with packets on that port that don't have any VLAN ID in their headers. (Wikipedia, for instance, seems to agree with that.) This switch GUI appears to think they are different things --- does the manual offer any hints on the meanings?
 
Usually your Native VLAN is only associated with trunk ports and your Untagged VLAN (or PVID) is only associated with access ports. I noticed your switch looks like it removed the Native VLAN setting from your access ports, as that makes sense. It did not remove the Untagged VLAN from the trunk ports, which is a little puzzling. Usually, even if an Untagged setting is listed for the Trunk ports, it is ignored and only the Native VLAN is used for untagged traffic. Now Hybrid ports are a different animal, and I very rarely use them in production, so I can't help you there.

You said "I've also seen suggestions of changing it to some "dummy" VLAN that I don't use elsewhere, but in a sense, that's already what VLAN 1 is". This is true, but I do usually change it to a "dummy VLAN" or one only used for trunk ports, because if a hacker were to try to attack your switch they are almost always going to start with VLAN1, since all switches come with that. But that is a very low chance if your switch is behind a firewall.

Every switch that I have ever used will not allow you to have a port (even one not in use or administratively turned off) that is not assigned to a VLAN. So you have to park them somewhere, might as well be VLAN 1, which is the default VLAN for almost all switches. In fact, some switches will not allow you to delete VLAN1 even if not in use. If you're only using VLAN1 for your Native VLAN for trunk ports, and to park your Hybrid ports which you say are not in use, then you should be pretty safe.

Just for reference, your Native VLAN does not tag traffic; it passes along untagged traffic on the VLAN you choose. Whereas the PVID or Untagged VLAN setting does add a VLAN tag to traffic.
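An added example, not part of any post in this thread and not D-Link tooling: a small Python audit, under the generic 802.1Q membership model, of whether a VLAN such as VLAN 1 still has enabled member ports that could exchange frames. The port table is constructed (it is not the configuration from the screenshot), and treating the GUI's "Native" column as untagged membership on trunk and hybrid ports is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    mode: str                      # "access", "trunk" or "hybrid"
    enabled: bool                  # administrative state of the port
    untagged: Set[int] = field(default_factory=set)  # "Untagged" column
    tagged: Set[int] = field(default_factory=set)    # "Tagged" column
    native: Optional[int] = None   # "Native" column (assumed: untagged membership)

    def vlans(self) -> Set[int]:
        """Every VLAN this port belongs to, tagged or untagged."""
        members = self.untagged | self.tagged
        if self.native is not None:
            members = members | {self.native}
        return members


def audit_vlan(ports, vlan_id=1):
    """Return (enabled_members, disabled_members, exposed) for vlan_id.

    exposed is True when two or more enabled ports share the VLAN, meaning
    a frame classified into it on one port has another port to leave by.
    """
    enabled = sorted(p.name for p in ports if p.enabled and vlan_id in p.vlans())
    disabled = sorted(p.name for p in ports if not p.enabled and vlan_id in p.vlans())
    return enabled, disabled, len(enabled) >= 2


# Constructed sample table: two access ports, two parked hybrid ports that
# are switched off, and two trunks that keep VLAN 1 as their native VLAN.
PORTS = [
    Port("eth01", "access", True, untagged={10}),
    Port("eth02", "access", True, untagged={20}),
    Port("eth05", "hybrid", False, untagged={1}, native=1),
    Port("eth06", "hybrid", False, untagged={1}, native=1),
    Port("eth23", "trunk", True, untagged={1}, tagged={10, 20}, native=1),
    Port("eth24", "trunk", True, untagged={1}, tagged={10, 20}, native=1),
]

if __name__ == "__main__":
    for vid in (1, 10, 20):
        on, off, exposed = audit_vlan(PORTS, vid)
        print(f"VLAN {vid}: enabled={on} disabled={off} exposed={exposed}")
```

In this constructed table the disabled hybrid ports contribute nothing to VLAN 1, while the two enabled trunks still share it through their native VLAN setting.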
 