Can I still access SVI even though VLAN not allowed on trunk?

Unanswered Question
Jun 24th, 2009
To manage our access layer switches we use the vlan 1 SVI. I'm about to restrict the vlans on the trunks back to the cores. Do I need to allow vlan 1 on the trunks so we can manage them, even though no ports are members of vlan 1? If not, please could someone explain why.


Many Thanks

Darren

cisco_lad2004 Wed, 06/24/2009 - 02:32

The issue would be that your SVI would remain in down/down status, so practically useless until you switch the VLAN.


HTH



Sam

davy.timmermans Wed, 06/24/2009 - 02:35

A good practice would be to change the management vlan to another vlan than vlan 1.


If you don't allow vlan 1 over the trunks you won't be able to manage the switch anymore because ... traffic in vlan 1 is not allowed anymore. If you're sitting in another vlan and want to manage your switch, you go first to the default gateway of your vlan and then you'll go over to vlan 1. But as soon as your packets reach a trunk where vlan 1 is not allowed, they won't pass the trunk.


Updated:

cisco_lad2004 has a good point

glen.grant Wed, 06/24/2009 - 03:36

If you want to manage the switches, yes, you have to allow vlan 1 across the trunk. The mgt. vlan should have been made something other than vlan 1. If vlan 1 is not allowed across the trunk it has no path to the management address on the switch.

Giuseppe Larosa Wed, 06/24/2009 - 03:54

Hello Darren,

As Sam has noted, an SVI can be up/up only if at least one L2 port is in STP forwarding state for the same vlan.

A trunk port is enough for the autostate check (autostate is the name of this feature).


Let me reinforce the concept:

you need a complete end-to-end path over the trunk ports to reach the SVIs on vlan 1: who can answer with an ARP reply for the SVI ip address if the broadcast domain is not extended where necessary?


If you partition vlan 1 again you can have problems of connectivity.


You can think of deploying a different vlan for management, because usage of vlan 1 is not recommended for security reasons, as noted by Davy.


Hope to help

Giuseppe
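As an added illustration (not part of any post above), here is the access-switch configuration the answers describe: management moved off vlan 1 onto a dedicated vlan that is explicitly allowed on the uplink trunk, with vlan 1 pruned from the trunk and its SVI shut down. Hostnames, vlan numbers, interface names and addresses are assumed for the example.

```cisco
! Assumed: access switch "acc-sw01", uplink Gi0/1 to the core, user vlans 10/20,
! management vlan 99, unused vlan 999 as trunk native vlan.
hostname acc-sw01
!
vlan 99
 name MGMT
vlan 999
 name TRUNK-NATIVE-UNUSED
!
! Old management SVI on vlan 1: shut it down. Once vlan 1 is not allowed on the
! trunk and no access port belongs to it, autostate keeps it down/down anyway,
! so it would be unreachable from the core even if left enabled.
interface Vlan1
 no ip address
 shutdown
!
! New management SVI. It goes up/up because the trunk below carries vlan 99,
! which satisfies the autostate check even with no access ports in vlan 99.
interface Vlan99
 description Management SVI
 ip address 10.99.0.11 255.255.255.0
 no shutdown
!
! Default gateway for management traffic: the core's SVI on vlan 99.
ip default-gateway 10.99.0.1
!
interface GigabitEthernet0/1
 description Uplink to core
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,99
 switchport mode trunk
!
! The same vlan 99 must be allowed on every trunk between here and the core, and
! the core needs an SVI (10.99.0.1) on vlan 99; otherwise ARP for 10.99.0.11
! never reaches this switch. Verify after the change with:
!   show interfaces trunk          (vlan 99 listed as "allowed and active")
!   show interfaces Vlan99         (line protocol up)
!   show spanning-tree vlan 99     (Gi0/1 in FWD state)
```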
