Vlan admin down

Unanswered Question
May 17th, 2008

Hey guys,

I would like to know something about a VLAN being administratively down.

Are we able to access any devices associated with the admin down VLAN?

Please refer here:

T001#sh run int vlan 301
Building configuration...

Current configuration : 97 bytes
interface Vlan301
 ip address XX6.228.222.58
 no ip route-cache

T001#sh run int g8/2
Building configuration...

Current configuration : 150 bytes
interface GigabitEthernet8/2
 description UVPNFT001_Public
 switchport access vlan 301
 no ip address
 speed 100
 duplex full


UVPNFT001, which is connected to this switch, is accessible even though its VLAN is shut down.

By right, any interfaces that belong to this VLAN should be inaccessible, right?

Thank you.



bvsnarayana03 Sat, 05/17/2008 - 01:01

Are you sure the port is processing traffic? What is the output of sh int gi8/2 & sh int gi8/2 status?

sirajmuneer Sat, 05/17/2008 - 01:22

I am sure, as the user is able to access the box remotely.

Here is the requested output:

T001#sh int g8/2
GigabitEthernet8/2 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0018.1833.d145 (bia 0018.1833.d145)
  Description: UVPNT001_Public
  MTU 1500 bytes, BW 100000 Kbit, DLY 10 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is on
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:47, output hang never
  Last clearing of "show interface" counters 43w0d
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 18799
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 17000 bits/sec, 2 packets/sec
  5 minute output rate 7000 bits/sec, 6 packets/sec
  744989835 packets input, 613399131664 bytes, 0 no buffer
  Received 318 broadcasts (0 multicasts)
  0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
  0 watchdog, 0 multicast, 0 pause input
  0 input packets with dribble condition detected
  724533228 packets output, 186620582563 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 babbles, 0 late collision, 0 deferred
  0 lost carrier, 0 no carrier, 0 PAUSE output
  0 output buffer failures, 0 output buffers swapped out

T001#sh int g8/2 stat

Switching path      Pkts In   Chars In   Pkts Out   Chars Out
Processor                 0          0     429361   197800269
Route cache               0          0          0           0
Distributed cache         0          0          0           0
Total                     0          0     429361   197800269


Thank you.

glen.grant Sat, 05/17/2008 - 07:43

Not necessarily correct. You don't mention what kind of switch this is. More than likely this VLAN is being routed by another device, so its gateway on VLAN 301 will be that device. If you look around you will find a connection to another routing device with VLAN 301 on it. On layer 2 type switches the "interface vlan" or SVI is for managing the switch only and has nothing to do with any kind of routing for devices attached to that switch.

Richard Burts Sat, 05/17/2008 - 09:23


I agree with Glen but would take a slightly different emphasis. You assume that if the VLAN interface is shut down then the VLAN is down. But this confuses what happens at layer 2 with what happens at layer 3. If you shut down the VLAN interface then you stop the layer 3 processing of that VLAN on that switch. But it does not impact the processing of layer 2 on that switch. So the port remains active, the switch still maintains the mac-address-table and forwards to the PC connected to that port. And as long as there is an active layer 3 interface somewhere in that VLAN acting as default gateway for the PC then everything will work.



sirajmuneer Sun, 05/18/2008 - 21:07

Thanks for the explanation Rick,

But I am still unable to understand the way this kind of network is set up.

Surely anyone will access the PC based on VLAN 301's IP address, which acts as the default gateway for all interfaces that belong to its VLAN group.

If we shut down Vlan301, the layer 3 process will be down for that subnet, so IP packets won't reach the destination, right?

I would appreciate it if anyone is able to review this kind of setup.



Richard Burts Mon, 05/19/2008 - 04:27


If the VLAN interface on this switch is shutdown then this switch is not providing layer 3 services (including routing) for VLAN 301. But as Glen pointed out, there is some other device that is providing the layer 3 routing. Perhaps there is another layer 3 switch in the network. Or perhaps there is a trunk port from the switch to some router that is doing inter VLAN routing.

It would be interesting to know what is configured on the PC as its default gateway.
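The layer 2 versus layer 3 distinction discussed in this thread can be checked against a saved configuration. The following is an added example, not code from any poster: it lists access ports that remain enabled in a VLAN whose SVI is shut down, which are the ports that keep forwarding at layer 2. The sample config is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in IOS running-config style (not the thread's device).
SAMPLE_CONFIG = """\
interface Vlan301
 ip address 192.0.2.58 255.255.255.0
 shutdown
!
interface GigabitEthernet8/2
 switchport access vlan 301
!
interface GigabitEthernet8/3
 switchport access vlan 301
 shutdown
!
interface GigabitEthernet8/4
 switchport access vlan 302
"""

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces

def ports_behind_shut_svis(config):
    """Map each shut-down SVI's VLAN ID to access ports still enabled in it."""
    interfaces = parse_interfaces(config)
    findings = {}
    for name, lines in interfaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and "shutdown" in lines:  # exact match, so "no shutdown" is ignored
            findings[int(m.group(1))] = []
    for name, lines in interfaces.items():
        for cmd in lines:
            m = re.fullmatch(r"switchport access vlan (\d+)", cmd)
            if m and int(m.group(1)) in findings and "shutdown" not in lines:
                findings[int(m.group(1))].append(name)
    return findings

if __name__ == "__main__":
    print(ports_behind_shut_svis(SAMPLE_CONFIG))
```

Trunk ports carrying the VLAN are not covered by this check; they are the other path by which an upstream router can still serve as the gateway.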



