SVI access from another subnet

dimeifieddimeified Member Posts: 13 ■□□□□□□□□□
Hi guys,
I am currently studying for CCNA, and have been reading about the virtual vlan interfaces on the switch that are used to connect remotely to administer the switch. By default, the virtual vlan interface is set up on vlan 1, and from what I read, only 1 virtual interface can be up at a time for remote administration, and that assumes at least 1 device is connected to that vlan, otherwise the virtual interface would be down.

So I wonder, if only 1 virtual interface can be up at a time, does that mean that to administer a switch from a vlan of which the virtual interface is not assigned, my connection traffic would have to be routed from the vlan I am in, to the vlan that has the virtual interface thats up? If so, then why would a virtual interface need to be assigned to any other vlan other than the default vlan1? Perhaps if routing fails (router on a stick)?

So then what if I have a virtual interface set up for vlan2, then the virtual interface on vlan1 goes down as it should, right? Then lets say I physically unplug all devices from the second vlan, that means the switch turns off the virtual interface for vlan 2? Then am I locked out remotely? Or does the vlan1 virtual interface automatically come back up and then I would have to guess to try to connect vlan1's virtual interface?

Forgive my ignorance, I've yet only watched CBT vids, and I'm only in chapter 7 of Wendell Odom's ICND1 book, but I couldn't help but to think ahead and wonder how this works before I start to approach the topic in depth.

Comments

  • Dieg0MDieg0M Member Posts: 861
    1 SVI per switch on a L2 switch. On a multilayer switch you can have several SVI's up at the same time.
    Follow my CCDE journey at www.routingnull0.com
  • esr0159esr0159 Member Posts: 80 ■□□□□□□□□□
    You need to assign it to a different vlan for security reasons.

    "All control traffic is sent on VLAN 1. Therefore, when the native VLAN is changed to something other than VLAN 1, all control traffic is tagged on IEEE 802.1Q VLAN trunks (tagged with VLAN ID 1). A recommended security practice is to change the native VLAN to a different VLAN than VLAN 1. The native VLAN should also be distinct from all user VLANs. Ensure that the native VLAN for an 802.1Q trunk is the same on both ends of the trunk link." -excerpt from the Cisco2 R&S, chapter 3.

    I hope this helped
    CCNP R&S | Planning to hit IE R&S or JNCIA or Security path|
  • Jon_CiscoJon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    Vlan1 is the default and the switch comes configured so that it can work right out of the box in a simple environment.

    Once you try manage it with remote access you will want to consider your network ans security requirements. This will dictate what vlans might be required.

    You might create a management vlan just for management traffic and another vlan for your users data. This way uses can not attempt to manage the switch. It is recommended to move all traffic off vlan1 as it is a default and therefore less secure.

    I hope to see some more questions from you as you continue your studies!
  • Corndork2Corndork2 Member Posts: 266
    +1 to Jon

    In the field you'll almost always see VLAN 1 shut down and not used. A management VLAN will be set up and access restricted to only net admins or similar.
    Brocade: BAIS, BACNS, BAEFS Cisco: CCENT, CCNA R&S CWNP: CWTS Juniper: JNCIA-JUNOS
    CompTIA: A+ (2009), Network+ (2009), A+ CE, Network+ CE, Security+ CE, CDIA+
    Mikrotik: MTCNA, MTCRE, MTCWE, MTCTCE VMware: VCA-DV Rackspace: CloudU
  • dimeifieddimeified Member Posts: 13 ■□□□□□□□□□
    thanks guys, i just hit chapter 9, the picture is much clearer. im pretty comfortable with the material so far, but I have a question about one of the responses.

    'You might create a management vlan just for management traffic and another vlan for your users data. This way uses can not attempt to manage the switch.'

    This is where it gets fuzzy for me. If vlan management would be through ssh or telnet, wouldn't the terminal traffic be layer 3 to access the management interface? if there are some routing capabilities in the enterprise, then how could the user not access the svi on a switch? acls?
  • Magic JohnsonMagic Johnson Member Posts: 414
    dimeified wrote: »
    thanks guys, i just hit chapter 9, the picture is much clearer. im pretty comfortable with the material so far, but I have a question about one of the responses.

    'You might create a management vlan just for management traffic and another vlan for your users data. This way uses can not attempt to manage the switch.'

    This is where it gets fuzzy for me. If vlan management would be through ssh or telnet, wouldn't the terminal traffic be layer 3 to access the management interface? if there are some routing capabilities in the enterprise, then how could the user not access the svi on a switch? acls?

    username + password. ;)

    EDIT: But yes, ACLs, so you can permit only a specific IP(s). This is especially handy if it is a remote device.

    Though our Windoze admin misconfigured my vpn client on my laptop so I was appearing from the wrong IP and couldn't access any of our devices remotely! Check whatismyip if remote access is an issue! Haha.
Sign In or Register to comment.