06-24-2009 02:26 AM - edited 03-06-2019 06:25 AM
To manage our access layer switches we use vlan1 SVI. I'm about to restrict the vlans on the trunks back to the cores. Do I need to allow vlan 1 on the trunks so we can manage them even though no ports are members of vlan1? If not, please could someone explain why.
Many Thanks
Darren
06-24-2009 02:32 AM
The issue would be that your SVI would remain in down/down status, so practically useless until you switch the VLAN.
HTH
Sam
06-24-2009 02:35 AM
A good practice would be to change the management vlan to another vlan than vlan 1.
If you don't allow vlan 1 over the trunks you won't be able to manage the switch anymore because ... traffic in vlan 1 is not allowed anymore. If you're sitting in another vlan and want to manage your switch, you go first to your default gateway of your vlan and then you'll go over to vlan 1. But as soon as your packets reach a trunk where vlan 1 is not allowed, they won't pass the trunk.
updated:
cisco_lad2004 has a good point
06-24-2009 03:36 AM
If you want to manage the switches, yes, you have to allow vlan 1 across the trunk. The mgt. vlan should have been made something other than vlan 1. If vlan 1 is not allowed across the trunk it has no path to the management address on the switch.
06-24-2009 03:54 AM
Hello Darren,
As Sam has noted, an SVI can be up/up only if at least one L2 port is in STP forwarding state for the same vlan.
A trunk port is enough for the autostate check (the name of this feature).
Let me enforce the concept:
You need a complete end-to-end path over the trunk ports to reach the SVIs on vlan1: who can answer for an ARP reply for SVI ip address if the broadcast domain is not extended where necessary?
If you partition vlan1 again you can have problems of connectivity.
You can think to deploy a different vlan for management because usage of Vlan1 is not recommended for security reasons, as noted by Davy.
Hope to help
Giuseppe
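The check the replies describe (the VLAN of the management SVI must be in every trunk's allowed list) can be run against a saved configuration before pruning. This is an added example, not part of the thread; it assumes IOS running-config style text, and the names `audit`, `expand_vlans` and `SAMPLE` are hypothetical.

```python
import re

ALL_VLANS = set(range(1, 4095))  # IOS default: a trunk with no allowed list carries all VLANs
def expand_vlans(spec):  # '10,20-22' -> {10, 20, 21, 22}
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return (SVI VLANs with an IP, {trunk: [those VLANs it does not carry]})."""
    mgmt, ports, name = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            name = line.split()[1]
            ports[name] = {"trunk": False, "allowed": None}
        elif not raw.startswith(" "):
            name = None  # "!" or a global command ends the interface block
        elif name:
            svi = re.fullmatch(r"Vlan(\d+)", name)
            lst = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,-]+)", line)
            if svi and line.startswith("ip address "):
                mgmt.add(int(svi.group(1)))
            elif line == "switchport mode trunk":
                ports[name]["trunk"] = True
            elif lst:  # "add" extends the current list, otherwise it is replaced
                prev = ports[name]["allowed"] if lst.group(1) else None
                ports[name]["allowed"] = (prev or set()) | expand_vlans(lst.group(2))
    missing = {}
    for port, p in ports.items():
        allowed = ALL_VLANS if p["allowed"] is None else p["allowed"]
        if p["trunk"] and mgmt - allowed:
            missing[port] = sorted(mgmt - allowed)
    return mgmt, missing

# Constructed sample config (not from the thread); 192.0.2.0/24 is a documentation range.
SAMPLE = """\
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
interface GigabitEthernet0/1
 switchport trunk allowed vlan 10,20-22
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk allowed vlan 10
 switchport trunk allowed vlan add 1,20
 switchport mode trunk
"""
```

`audit(SAMPLE)` flags GigabitEthernet0/1, whose allowed list omits VLAN 1. It only inspects one switch's configuration, so the end-to-end path still has to be checked on each switch between the management station and the SVI.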