There are so many reasons to leave Vlan1 alone. Just let it do the bare minimum it has to do and nothing else. There are three common ways administrators misuse vlan1 (hey, we are all guilty, including me).
- Running switch management traffic over Vlan1. This is when an IP address is configured on Vlan1 in order to access the switch for management purposes. Every access switch comes with vlan1 in the default configuration, which makes it very easy to configure an IP address on it, in order to telnet to the switch for management.
- Running user traffic over Vlan1. This happens typically in smaller networks where a switch is installed and the default port setup is used. The default configuration for all access switch ports is to run user traffic in this vlan.
- Running native vlan traffic on trunk ports over vlan1 (please see this remedy for that issue).
All three of these issues largely exist because of the default IOS configuration that Cisco ships on the switch. The defaults are designed for small networks and/or junior administrators so that they can get switches up and on the network quickly and easily. Cisco expects you to know when to change the defaults; however, this commonly does not happen, even in larger scale implementations.
This article will only focus on abuse number 1. There are other solutions to numbers 2 and 3, which are discussed separately.
Now, to be fair, back in the ‘early’ days, the ‘Management Vlan’, as it’s commonly referred to, couldn’t be changed. So if you were going to manage a switch over the network, the IP address had to be configured on Vlan1. This has long been remedied and really leaves little to no excuse for still using it.
Before showing how to change this, here are a few things vlan1 is used for that can’t be changed (thus the reason to leave it to do only these things):
- Cisco Discovery Protocol (CDP)
- Vlan Trunking Protocol (VTP)
- Port Aggregation Protocol (PAgP)
- Dynamic Trunking Protocol (DTP)
In order to change the management vlan, you must first decide on a (preferably dedicated) vlan number to use. Once this is decided, connect to the console port of the switch (the session would otherwise drop the moment Vlan1 is shut down) and perform the following configuration:
Switch#config t
Switch(config)#interface Vlan1
Switch(config-if)#no ip address
Switch(config-if)#shutdown
Switch(config-if)#interface VlanX
Switch(config-if)#ip address x.x.x.x y.y.y.y
Switch(config-if)#no shut
After performing this configuration, you will be able to access the switch from the new vlan. As for access to this vlan, you must either have the host you are accessing from in the same vlan as the management vlan, or have some type of layer3 interface in the management vlan. The benefit of having a layer3 interface in the management vlan is that you can use a firewall or an access list on the router interface to limit access to the devices.
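The following is an added, worked version of the configuration above together with the access restriction just described; it is not from the original post. VLAN 99, the management subnet 10.99.0.0/24, the admin subnet 10.10.50.0/24 and the hostnames are constructed values for illustration. It also adds the one step the short version leaves implicit: the management VLAN has to exist in the VLAN database before its SVI will come up.

```cisco
! Added example (not from the original post): move switch management off
! Vlan1 onto a dedicated management VLAN and restrict who can reach it.
! VLAN 99, 10.99.0.0/24 and the admin subnet 10.10.50.0/24 are constructed.
Switch#configure terminal
! 1. Create the management VLAN first; an SVI for a VLAN that is not in
!    the VLAN database stays down even after "no shutdown".
Switch(config)#vlan 99
Switch(config-vlan)#name MGMT
Switch(config-vlan)#exit
! 2. Remove management from Vlan1 and disable its SVI.
Switch(config)#interface Vlan1
Switch(config-if)#no ip address
Switch(config-if)#shutdown
! 3. Bring up the SVI in the new management VLAN.
Switch(config-if)#interface Vlan99
Switch(config-if)#ip address 10.99.0.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
! 4. Layer-2 switch: the default gateway is the router's layer3 interface
!    in VLAN 99, so admins outside the management subnet can reach it.
Switch(config)#ip default-gateway 10.99.0.1
! 5. Only the management subnet itself and the admin subnet may open a
!    management session; every other source is refused and logged.
Switch(config)#access-list 10 permit 10.99.0.0 0.0.0.255
Switch(config)#access-list 10 permit 10.10.50.0 0.0.0.255
Switch(config)#access-list 10 deny any log
Switch(config)#line vty 0 15
Switch(config-line)#access-class 10 in
Switch(config-line)#end
! Verify: Vlan1 administratively down, Vlan99 up/up with the new address.
Switch#show ip interface brief | include Vlan

! Router side: the "layer3 interface in the management vlan" from the post.
! An outbound ACL on the router's Vlan99 interface filters traffic that is
! routed INTO the management VLAN, so only the admin subnet reaches the
! switches (SSH here); replies from the switches are not affected.
Router#configure terminal
Router(config)#ip access-list extended MGMT-TO-SWITCHES
Router(config-ext-nacl)#permit tcp 10.10.50.0 0.0.0.255 10.99.0.0 0.0.0.255 eq 22
Router(config-ext-nacl)#deny ip any 10.99.0.0 0.0.0.255 log
Router(config-ext-nacl)#exit
Router(config)#interface Vlan99
Router(config-if)#ip address 10.99.0.1 255.255.255.0
Router(config-if)#ip access-group MGMT-TO-SWITCHES out
Router(config-if)#end
```

The `access-class` on the vty lines protects the switch even if the router ACL is bypassed, and the `deny ... log` entries give the logging server a record of anything that tried to reach the management addresses from outside the admin subnet.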