Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3752
Views
0
Helpful
3
Replies

Switches with Multiple SVI and IP Addresses Bad Practice??

Go to solution
gene.uhl
Level 1
Level 1

‎08-21-2013 06:20 AM - edited ‎03-07-2019 03:03 PM

Hello,

I have a typical Access-Distribution-Core.  Access is all L2 switches (3560,3750 running IP Basic)  Distribution are L3 (3560E, 3750, 3750X running IP Services) then the Core is a Nexus.

Each Access switch has multiple VLANs trunked to the Distribution Layer which handles all the routing between the VLANS, unless it needs to go farther up the chain, where it is routed through the core.

Each Access Switch VLAN has an SVI with an IP address assigned to it AND each instance of the VLAN on the Distribution switch has an IP address assigned to it as this is the default gateway for the VLAN.  (ie each vlan on the access switch would have an IP address like 10.10.X.253/24 and the IP address on the VLAN at the Distribution Switch where L3 is conducted would be 10.10.X.254/24  where teh X=subnet)

With that said, I can SSH to the access or distribution switches on any number of IP addresses obvioulsy.  This is the way it was set up when I got here and I just propegated the design as opposes to creating a single management VLAN or multiple routed vlans, but one on each switch as the dedicated Management VLAN)

SO the million dollar question is this really bad practice?  Can this cause bad things to happen?  Would I be experiencing problems that I don't know about in my network?  Someone told me when I mix vlans with VLAN based routing there can be unpredictablility so I should restrict the switch IP to one VLAN by using the NOMGT option (I have no idea what this means and is this statement true????)  I have not noticed any issues with this design in years and my network is rather large.

Any insight is welcome...

Thank you

Gene

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-21-2013 06:40 AM

I wouldn't say it's bad because it causes bad things to happen but I would counsel against it as it adds confusion to whoever comes along later (as is your case).

The best practice (reference Cisco Smart Business Architecture LAN Deployment Guide, page 20) for when you have a layer 2 access switch is to setup an SVI for a management network. That is the one and only SVI on that switch. Distribution and/or core layers to the L3 routing and have all the SVIs.

The other option is to have a layer 3 access layer in which case the gateways for the user VLANs are on the access switch, but that would not apply in your setup.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-21-2013 06:40 AM

I wouldn't say it's bad because it causes bad things to happen but I would counsel against it as it adds confusion to whoever comes along later (as is your case).

The best practice (reference Cisco Smart Business Architecture LAN Deployment Guide, page 20) for when you have a layer 2 access switch is to setup an SVI for a management network. That is the one and only SVI on that switch. Distribution and/or core layers to the L3 routing and have all the SVIs.

The other option is to have a layer 3 access layer in which case the gateways for the user VLANs are on the access switch, but that would not apply in your setup.

0 Helpful

Go to solution
gene.uhl
Level 1
Level 1
In response to Marvin Rhoads

‎08-21-2013 08:46 AM

Thank you.  Completely understand.  I set up my old network like that at each route point I defined a vlan 255 that trunked to all the access/edge switches on the far side of that distribution layer, essentially setting up a flat management network to all those edge switches.    Then on another corresponding L3 route point, I created VLAN255 again but with a diffent subnet trunked to all those access switches which had Mgmt IP addresses in that defined subnet.  So VLAN 255 was my management subnet for the entire network, but different subnets so it was not entirely flat, just at the L3 route points.

Problem is doing that now would be a lot of work I can't get to, so if you are telling me that this is not best practice, but is really NOT causing any actually network issues, just looks klugey, I can deal with that  :-))

Thanks

Gene

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to gene.uhl

‎08-21-2013 08:51 AM

You're welcome.

As a professional services engineer for a Cisco partner I see LOTS of networks with things the incumbent or prior engineers couldn't get to.

Please rate and/or mark your question as answered if it is. Cheers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card