When dealing with bridges, VLAN 1 often has a “magic” purpose of always existing.
It will be like the /dev/null interface where whatever doesn't match a defined VLAN will be considered part of VLAN 1.
This can be a security problem where, given a quick look at the config, things might look to be properly set up, but then you have VLAN 1 lurking in the shadows and interconnecting all interfaces anyway, which can be kind of bad…
For example in VyOS:
https://docs.vyos.io/en/latest/configuration/interfaces/bridge.html#enable-vlan-aware-bridge
It is not valid to use the vif 1 option for VLAN aware bridges because VLAN aware bridges assume that all unlabeled packets belong to the default VLAN 1 member and that the VLAN ID of the bridge’s parent interface is always 1
One mitigation for this with other vendors is to do a combination of always defining “allowed-vlans” when configuring a switchport but also to simply shut down the VLAN 1 like so:
vlan 1
   state suspend
   trunk group DO_NOT_USE
!
Does something similar exist in VyOS to disable VLAN 1?
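
An added example, not part of the original post: an audit for the hidden VLAN 1 membership described above, run over the JSON that iproute2 prints for `bridge -j vlan show` on a Linux host. The sample input is constructed, the function names are hypothetical, and it is an assumption that the bridge on a VyOS box can be inspected with the same Linux tool.

```python
import json

# Constructed sample in the shape printed by `bridge -j vlan show` (iproute2).
# eth2 was moved to VLAN 20 only; eth1, eth3 and br0 still carry VLAN 1.
SAMPLE = """[
 {"ifname": "eth1", "vlans": [{"vlan": 1, "flags": ["PVID", "Egress Untagged"]},
                              {"vlan": 10}]},
 {"ifname": "eth2", "vlans": [{"vlan": 20, "flags": ["PVID", "Egress Untagged"]}]},
 {"ifname": "eth3", "vlans": [{"vlan": 1, "vlanEnd": 4094}]},
 {"ifname": "br0",  "vlans": [{"vlan": 1, "flags": ["PVID", "Egress Untagged"]}]}
]"""


def vlan_members(bridge_json, vid=1):
    """Map each port that is a member of `vid` to 'pvid' or 'tagged'.

    'pvid' means untagged ingress frames on that port are classified into
    `vid`; 'tagged' means the port only carries `vid` as a tagged VLAN.
    """
    findings = {}
    for port in json.loads(bridge_json):
        for entry in port.get("vlans", []):
            first = entry["vlan"]
            last = entry.get("vlanEnd", first)  # ranges print as vlan..vlanEnd
            if first <= vid <= last:
                is_pvid = "PVID" in entry.get("flags", [])
                findings[port["ifname"]] = "pvid" if is_pvid else "tagged"
    return findings


def untagged_peers(findings):
    """Ports whose untagged traffic shares the VLAN, i.e. can reach each other."""
    peers = sorted(name for name, role in findings.items() if role == "pvid")
    return peers if len(peers) > 1 else []


if __name__ == "__main__":
    members = vlan_members(SAMPLE)
    for name, role in sorted(members.items()):
        print(f"{name}: VLAN 1 ({role})")
    peers = untagged_peers(members)
    if peers:
        print("untagged traffic is bridged between:", ", ".join(peers))
```

On a live host the input would be the output of `bridge -j vlan show` instead of `SAMPLE`; an empty result from `vlan_members` means no port is left in VLAN 1.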