Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Router Managment Access when interface is down




Please see the topology attached.

We have a customer network with number of routers/switches. We have a management network to manage devices via telnet/ssh.

On switches we have a vlan interface for switch management  while on routers we have sub-interfaces ( 802.1Q trunk, with encapsulation) connected back to the switch for the management.

Problem :

Customer has ask us to give them a access to router/switches, we have give them telnet/ssh access via management network, to access router remotely customer ssh router (the sub-interface IP address F0/0.10 on router), but when the router interface Fa0/0.10 is down ( because switch at the remote end is down), customer cannot  the telnet/ssh to router.


How can I allow customer to keep accessing the router while sub-interface on the router is down ( which they are telneting to)? I am happy to change to router config, but not sure which bits.

I can't create the loopback interface and assign the IP address to it from the managment network as the router subinterface F0/0.10 is already have IP address from that subnet and router gives overlapping mask error message.

I created the new looback interface on router and give is the same IP as of F0/0.10 and configure  F0/0.10 as a IP unumbered loopback 0,  it;s not working either for me.


Can I somehow configure the router to respond to the telnet/ssh when subinteface is down- I am happy to move the addresses, create new interfaces , change routing etc. but I can't change the network subnet that is already assigned to customer.


Please see the topology attached.

Any idea from anyone.








Hall of Fame Super Silver

You should be able to make

You should be able to make the Lo0 interface address with a /32 mask. It can be from an entirely new /24 netblock that is not currently used in your network.

Any device that's routing can use that scheme and will inject its /32 host address into the routing table (along with the networks associated with any other connected and up interfaces) as long as you haven't otherwise filtered it out.

Hall of Fame Super Silver

I find several parts of the

I find several parts of the description of this issue to be puzzling. Is there only the single switch connected to FA0/0.10? If the router connection is a physical connection to the single switch and the switch is down then it makes sense that the router subinterface would be down.


It is not clear to me in the description whether the customer is attempting to access the router or is attempting to access the switch. If the customer is attempting to access the router using the address of FA0/0.10 I can see that this would fail. And it seems to me that an easy alternative would be to allow the customer to access the router using the IP address that connects the router to the customer. If the customer is attempting to access the switch and the switch is down then there is no alternative that will allow access.





New Member

 Thanks for your responses. I


Thanks for your responses.


I don't want to allocate the new subnet with /32 for the management as it will require many changes in the network such firewall  etc.


There will be a single  switch connected to the router physical interface F0/0, but there will be a multiple switches hanging off the first switch. ( all switches in the vlan10, including router sub-interface F0/0.10).


Customer will require access to both, switch(es) and router, customer understand that if the first switch ( that physically connects to the router interface F0/0 ) fails, access to all other switches will also fail, which is acceptable. At this point we must have access to router regardless we have lost access to the switch.

Customer want router to be accessible even if the switch(es) are down, as the router at the point router is fine and is still connected to the WAN network. Customer will lose the access to the switch(es) but should not lose the router access.

We have different IP subnets ( VRF's) for the customer data network ( LAN) and the router management, so I can't assign the router management IP address from the customer LAN subnet


Forgot to mentioned that we have three VRF's on router ( vrf-lite/ multi vrf) , one for customer data network, one for router management, one switch ( es) management.

Fa0/0.10 is in the switch management VRF, while  router Loopback 0 is in the router VRF.

We have to maintain the vrf's to keep router and switch management traffic separate.

Router is always accessible  to us ( not to customer) via router vrf hence its still available even if the router LAN management interface F0/0 is down. 

Customer lose the access to both router and switch(es) if the F0/0  down.

The only option I can see would be to allocate a new subnet for customer router management and assign this to a new loopback and put under the switch management vrf.









Hall of Fame Super Silver

I do not fully understand

I do not fully understand parts of your explanation and probably do not understand all of your requirements. But it seems to me that the customer might be able to access your router using the IP address of the interface that provides their physical connection to the router. Would that solution satisfy your requirements?