
Can I still access SVI even though VLAN not allowed on trunk?

darrenriley5
Level 1

To manage our access layer switches we use vlan1 SVI. I'm about to restrict the vlans on the trunks back to the cores. Do I need to allow vlan 1 on the trunks so we can manage them even though no ports are members of vlan1? If not, please could someone explain why.

Many Thanks

Darren

4 Replies

cisco_lad2004
Level 5

The issue would be that your SVI would remain in down/down status, so practically useless until you switch the VLAN.

HTH

Sam

davy.timmermans
Level 4

A good practice would be to change the management vlan to another vlan than vlan 1.

If you don't allow vlan 1 over the trunks you won't be able to manage the switch anymore because ... traffic in vlan 1 is not allowed anymore. If you're sitting in another vlan and want to manage your switch, you go first to your default gateway of your vlan and then you'll go over to vlan 1. But as soon as your packets reach a trunk where vlan 1 is not allowed, they won't pass the trunk.

updated:

cisco_lad2004 has a good point

glen.grant
VIP Alumni

If you want to manage the switches, yes, you have to allow vlan 1 across the trunk. The mgt. vlan should have been made something other than vlan 1. If vlan 1 is not allowed across the trunk it has no path to the management address on the switch.

Giuseppe Larosa
Hall of Fame

Hello Darren,

As Sam has noted, an SVI can be up/up only if at least one L2 port is in STP forwarding state for the same vlan.

A trunk port is enough for the autostate check (the name of this feature).

Let me enforce the concept:

You need a complete end-to-end path over the trunk ports to reach the SVIs on vlan1: who can answer for an ARP reply for SVI ip address if the broadcast domain is not extended where necessary?

If you partition vlan1 again you can have problems of connectivity.

You can think to deploy a different vlan for management because usage of Vlan1 is not recommended for security reasons, as noted by Davy.

Hope to help

Giuseppe
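The check the replies describe, run against one switch's configuration before trunks are pruned, as an added example that is not part of the original thread: it lists SVIs that have an IP address but whose VLAN is not carried on any trunk of that switch. The sample config, addresses and function names are constructed for illustration; only numeric `allowed vlan` lists are handled and access ports are ignored.

```python
import re

# Constructed sample access-switch config (not from the original thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20-30
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan20
 ip address 198.51.100.10 255.255.255.0
"""

def expand_vlans(spec):
    """Expand a list such as '10,20-30' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(config):
    """Return {interface name: [sub-command lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks

def svis_not_on_any_trunk(config):
    """VLAN IDs of SVIs with an IP address that no trunk on this switch carries."""
    blocks, carried = parse_interfaces(config), set()
    for lines in (b for b in blocks.values() if "switchport mode trunk" in b):
        allowed = None  # no 'allowed vlan' line: all VLANs are carried by default
        for l in lines:
            m = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", l)
            if m:
                new = expand_vlans(m.group(2))
                allowed = (allowed or set()) | new if m.group(1) else new
        carried |= set(range(1, 4095)) if allowed is None else allowed
    svis = {int(n[4:]) for n, ls in blocks.items()
            if re.fullmatch(r"Vlan\d+", n) and any(l.startswith("ip address ") for l in ls)}
    return sorted(svis - carried)
```

A clean result on one switch does not prove the end-to-end path: the same VLAN must be allowed on every trunk between the management station's gateway and the SVI.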
