Cisco vlan config for IP Cameras

We are going to be adding approx. 40 surveillance IP cameras at a new site.  The network is set up as a wheel-and-spoke topology, with several fiber strands available between the core and the new site.  The plan is to run 2 switches, 3560's, each with its own fiber pair back to the core: one as a network edge switch and one dedicated to IP cameras.  The camera switch cannot be on its own physical network, as it needs to be accessed from the internal network.   I'm looking at a config from another switch that the previous administration configured and have some questions.  This assumes VLAN 4020 has been configured for IP cameras with IP network 10.255.14.1.  The VLAN and network IP were also configured on the core switch.

interface Vlan4020
 ip address 10.255.14.250 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.14.1

interface Vlan1
 no ip address
!
interface Vlan4020
 ip address 10.255.14.250 255.255.255.0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4020
 switchport trunk allowed vlan 4020
 switchport mode trunk

Question: is this the best configuration for minimizing IP camera traffic given the aforementioned scenario?  Not being completely well versed with VLANs, why is the trunk on its own native VLAN instead of just doing a standard trunk, only allowing VLAN 4020?

Thanks in advance.
Kemimol (IT Engineer) asked:

Don Johnston (Instructor) commented:
Well, it is a bit peculiar.  A trunk allowing only one VLAN is really not a trunk.  So why they did that is a mystery.
Kemimol (IT Engineer, Author) commented:
Is it based more on security, by changing the native VLAN on the trunk and restricting only that VLAN through?  Would this have any impact on management traffic?

Also, what is the difference between setting the IP route to 10.255.14.1 vs. the IP address of the core switch?

I see the core switch has VLAN 4020 with IP address 10.255.14.1, whereas the IP camera switch has VLAN 4020 with IP address 10.255.14.250.  Any idea why the same VLAN would have two different IP addresses?
Don Johnston (Instructor) commented:
"Is it based more on security, by changing the native VLAN on the trunk and restricting only that VLAN through?  Would this have any impact on management traffic?"
No.  Having a trunk with one VLAN allowed doesn't make much sense. It's basically an access port.

I can't address the next hop address of the route since I don't know the topology.
Kemimol (IT Engineer, Author) commented:
It's a spoke-and-hub topology, with all sites connecting directly to the core.  The next hop on these edge switches is the core, 10.55.10.1.  The IP camera switch is trunked directly to the core.

Just curious, what config would you recommend, with the following parameters:
Need inter-VLAN for remote access
Broadcasting minimized as much as possible
Allow only VLAN 4020 traffic
VTP/CDP not needed.
Don Johnston (Instructor) commented:
Then I would point the route to the IP of the SVI for VLAN 4020 on the core.
Kemimol (IT Engineer, Author) commented:
Still uncertain on the native VLAN assigned.  So, if the native VLAN for the network is 1, what is accomplished by assigning native VLAN 4020 to the trunk between the core and the IP camera switch?  I know native VLAN 1 is not best practice; however, the network was already set up this way.  Thanks
Don Johnston (Instructor) commented:
The native VLAN is not tagged on the trunk.

So by allowing only VLAN 4020 and making that the native VLAN, you are sending traffic for that VLAN over the link with no tag.  And that's the only VLAN allowed.  So it's basically an access link.

Which means there is no benefit or reason for the link to be a trunk.
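The following is an added example, not a config from the thread or from either participant: a camera-switch configuration that applies Don's point (the link to the core is an access link in VLAN 4020, not a one-VLAN trunk) together with the author's stated parameters (inter-VLAN reachability via the core, a single broadcast domain, only VLAN 4020 on the switch, no VTP/CDP). VLAN 4020, the 10.255.14.0/24 subnet and the addresses 10.255.14.1 (core SVI) and 10.255.14.250 (camera switch SVI) are taken from the question; the hostname, the interface names (Gi0/1 as the uplink, Fa0/1-24 as camera ports) and the storm-control threshold are assumptions for this example. The two addresses in the same VLAN are not a conflict: the core's SVI is the subnet's gateway, while the camera switch's SVI is simply that switch's own management address in the same subnet.

```cisco
! Added example (not the thread's config). Assumed names: CAM-SW, Gi0/1, Fa0/1-24.
!
! --- Original form quoted in the question: a trunk whose only allowed VLAN is its
! --- native VLAN. Frames for VLAN 4020 cross the link untagged, so in effect it is
! --- an access link with extra trunk configuration.
! interface GigabitEthernet0/1
!  switchport trunk encapsulation dot1q
!  switchport trunk native vlan 4020
!  switchport trunk allowed vlan 4020
!  switchport mode trunk
!
! --- Equivalent, simpler form: plain access ports in VLAN 4020 ---
hostname CAM-SW
!
vtp mode transparent          ! VTP not needed: VLAN 4020 is defined locally only
no cdp run                    ! CDP not needed on the camera switch
!
vlan 4020
 name IP-CAMERAS
!
interface Vlan1
 no ip address
 shutdown                     ! nothing is carried in VLAN 1 on this switch
!
interface Vlan4020
 description Management SVI of the camera switch (gateway is the core SVI 10.255.14.1)
 ip address 10.255.14.250 255.255.255.0
!
! Point the switch at the core's SVI for VLAN 4020, as Don recommends; the core
! then routes between VLAN 4020 and the internal network for remote access.
! 'ip default-gateway' applies when 'ip routing' is disabled (Layer 2 only);
! the static route is the equivalent when routing is enabled, as in the original.
ip default-gateway 10.255.14.1
ip route 0.0.0.0 0.0.0.0 10.255.14.1
!
! Uplink to the core: an access port in the camera VLAN. No trunk, no native VLAN,
! and no VLAN other than 4020 can ever cross this link.
interface GigabitEthernet0/1
 description Uplink to core (fiber pair)
 switchport mode access
 switchport access vlan 4020
 no cdp enable
!
! Camera-facing ports: same VLAN, so the site's cameras share one broadcast domain
! that never extends beyond VLAN 4020. Storm control caps broadcast bursts per port.
interface range FastEthernet0/1 - 24
 description IP camera
 switchport mode access
 switchport access vlan 4020
 spanning-tree portfast
 storm-control broadcast level 10   ! assumed threshold; tune per camera vendor guidance
 no cdp enable
```

The matching core-side port for the fiber pair would likewise be `switchport mode access` / `switchport access vlan 4020`; a trunk on one end and an access port on the other would still pass VLAN 4020 untagged, but it is clearer to configure both ends the same way.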

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KemimolIT EngineerAuthor Commented:
Pretty much what I was thinking.  Thanks Don.