04-12-2015 05:25 AM - edited 03-07-2019 11:30 PM
Hi all,
Assuming that I have a Layer 2 switch, and I have not configured any VLAN in it.
By right, I will need to create a management IP and a default gateway.
Switch# conf t
Switch(config)# interface vlan 1
Switch(config-if)# ip address 192.168.1.11 255.255.255.0
Switch(config-if)# no shut
Switch(config-if)# exit
Switch(config)# ip default-gateway 192.168.1.1
=============================================================================
This is assuming that all my production traffic is also in the VLAN and having the same gateway and in the same network.
===============================================================
q1) If I want to separate my production data from management data, does that mean I need to create another VLAN for production traffic?
q2) Does it mean that I will also need another physical connection to the router, as shown below?
q3) Do I need a management IP + default gateway set per VLAN? Can I deliberately set a management IP per VLAN?
q4) In that case, when I access the management IP in VLAN1 via SSH, am I able to make operational/configuration changes in VLAN2?
Or is only 1 management IP needed, with the access/operation permission applying across the entire switch and not tied particularly to a VLAN?
Regards,
Noob
04-12-2015 05:37 AM
q1) Well, generally you would create a separate VLAN for management, but yes, you need different VLANs.
q2) No, you can run a trunk to the router and use subinterfaces on the same physical interface.
You could use a separate interface if you wanted though.
q3) No, you don't, and you can't, because on an L2 switch you can only have one SVI up at any one time, unlike an L3 switch where obviously you can have multiple SVIs up.
q4) Yes, the management VLAN is simply to allow you to connect to the switch and configure it, so once you connect you can configure whatever you like.
Jon
04-12-2015 01:16 PM
Hi Jon,
Thanks for replying.
q3) No, you don't, and you can't, because on an L2 switch you can only have one SVI up at any one time, unlike an L3 switch where obviously you can have multiple SVIs up.
q1) So can I double confirm that, on an L2 switch, although I can have multiple VLANs, there is only 1 SVI, and that SVI is used only for accessing the switch management? And also, the ip default-gateway on the switch would have to be in the same subnet as the SVI, am I right?
q4) Yes, the management VLAN is simply to allow you to connect to the switch and configure it, so once you connect you can configure whatever you like.
q2) Can I say that the management VLAN / SVI is used for global configuration of the switch and not just for any particular VLAN?
==========================================================================================================
This brought me to think about L3 switches, whereby you mentioned many SVIs can be set up. In that case, if I have 3 VLANs (10, 20, 30):
VLAN 10 - 192.168.1.0/24 - SVI - 192.168.1.1
VLAN 20 - 192.168.2.0/24 - SVI - 192.168.2.1
VLAN 30 - 192.168.3.0/24 - SVI - 192.168.3.1
q3) Which SVI would be the one to be used for switch management?
q4) In the above, do we still need to set an ip default-gateway, or can we leverage a default route?
Will ip default-gateway take any effect if I have ip routing on and a default route set?
Regards,
Noob
04-12-2015 03:27 PM
q1) Yes to what you said.
q2) Again, yes.
q3) Whichever one you want. Usually you would have a dedicated VLAN for management with an SVI.
And your L2 switch default gateways would be the management VLAN SVI IP on the L3 switch.
q4) No default gateway needed.
If the switch is an L3 switch and has routing enabled then you use a default route.
If you did have a default gateway it should not take effect, but it is best practice not to configure one if you are doing routing on the switch.
Jon
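Putting Jon's two replies together as an added example (this is not configuration posted by anyone in this thread): a Layer 2 access switch carrying production VLANs 10 and 20 plus a dedicated management VLAN 99 that holds its single SVI, trunked to a Layer 3 switch that has one SVI per VLAN, ip routing enabled, and a default route instead of ip default-gateway. VLAN 99, the hostnames, interface names and all addresses except the thread's VLAN 10/20 subnets are constructed.

```cisco
! === ACCESS-SW: Layer 2 switch, one SVI in the management VLAN ===
hostname ACCESS-SW
!
vlan 10
 name PRODUCTION
vlan 20
 name SERVERS
vlan 99
 name MANAGEMENT
!
! VLAN 10 and 20 traffic is only switched here; their gateways live on CORE-SW
interface Vlan99
 description Management SVI (the only SVI that can be up on an L2 switch)
 ip address 192.168.99.11 255.255.255.0
 no shutdown
!
! Default gateway = CORE-SW's SVI in the same management VLAN
ip default-gateway 192.168.99.1
!
interface GigabitEthernet0/1
 description Uplink to CORE-SW, carries production and management VLANs
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
interface GigabitEthernet0/2
 description User port in the production VLAN
 switchport mode access
 switchport access vlan 10
!
! === CORE-SW: Layer 3 switch, one SVI per VLAN, routing enabled ===
hostname CORE-SW
!
ip routing
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
interface Vlan20
 ip address 192.168.2.1 255.255.255.0
interface Vlan99
 description Management SVI; this is the L2 switches' ip default-gateway
 ip address 192.168.99.1 255.255.255.0
!
interface GigabitEthernet0/24
 description Routed uplink to the WAN router (constructed addressing)
 no switchport
 ip address 192.168.100.1 255.255.255.252
!
! With ip routing enabled, a default route replaces ip default-gateway
ip route 0.0.0.0 0.0.0.0 192.168.100.2
```

Because CORE-SW routes between its SVIs, its VLAN 99 address is reachable from any VLAN, whereas ACCESS-SW can only be managed via 192.168.99.11 and relies on the default gateway for anything off the management subnet.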
04-13-2015 01:24 AM
Hi Jon,
q3) Whichever one you want. Usually you would have a dedicated VLAN for management with an SVI. And your L2 switch default gateways would be the management VLAN SVI IP on the L3 switch.
q1) So on my L2 switch, my ip default-gateway will be the SVI IP on the L3 switch. Can I think of it this way: the SVI is the router interface to the L2 switch?
q2) There will be a total of 2 SVIs/IPs for management, 1 for the L2 switch and 1 for the L3 switch.
If I specify the L2's SVI, I will be connecting to the L2 switch management; if I specify the L3 SVI, I will be connecting to the L3 switch management,
and they are both in the same management VLAN.
The L2 SVI default gateway will be the L3's SVI IP address,
and the L3's SVI default gateway will be handled by ip routing (depending on which network you are connected to and trying to access the L3's SVI from).
Am I right?
q3) Jon, can you help take a look at this thread and let me know your opinions?
Does the management port we are talking about right now have the same usage as the external Ethernet management port, other than being out of band?
Thank you.
Regards,
Alan
04-13-2015 09:01 AM
Hi Jon,
Any updates on the above ?
Regards,
Noob
04-13-2015 10:05 AM
q1) Yes, you can think of it as the L3 gateway for the switch.
q2) Yes, one VLAN, but each switch needs an SVI in the VLAN.
So a common setup is all L2 switches have an SVI for that vlan and so does the L3 switch and the default gateway on all L2 switches is the L3 SVI IP address for that vlan.
q3) I did look at that thread.
Basically I have never used the management port on the 2960 switches.
It doesn't sound right to me, i.e. if you give it an IP address it must be communicating with IP and therefore needs MAC addresses etc.
If you cannot assign a default gateway, you can't access that port from a different subnet as far as I can see.
Other switches do have dedicated management ports in their own VRF and you can assign a default gateway or default route to the VRF so you can access it remotely but perhaps you can't with these switches.
Like I say I haven't used that port on those switches so I can't really comment.
Jon
04-14-2015 05:35 AM
Hi Jon,
Thanks for replying. Having your assurance that my questions make sense is more than enough, even though you do not have the answers as yet.
Lastly, just a curious question: as you say, as long as we can telnet / SSH to any VLAN SVI, we can manage the switch globally.
But as a matter of fact, VLANs are a logical breakdown of a physical switch into smaller logical switches.
Will it be a security issue if I access the VLAN01 SVI for switch management but make changes to configurations that affect VLAN02?
Regards,
Noob
04-14-2015 08:01 AM
It's not a security issue being able to make changes to the switch configuration, but you do need to limit who is allowed to access the switch.
This is generally done using either local usernames and passwords on the switch itself or using a centralised authentication system such as TACACS, which allows you to store the usernames and passwords on a server which the network devices then query.
You can give different privilege levels to people who are allowed to access the switch, e.g. for some you might only want to allow them to view the configuration, whereas for others, the network engineers, you would give full access so they can modify the configuration if needed.
Jon
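As an added example (not configuration from Jon or anyone else in this thread), this is how the controls Jon describes are typically expressed on an IOS switch: a vty access-class restricting who may even reach the management SVI, local accounts at different privilege levels, TACACS+ for central authentication/authorization/accounting with local fallback, and SSH-only vty lines. The hostname, domain, subnet, server address, account names and the placeholder secrets are all constructed.

```cisco
! Management-plane access controls for an IOS switch (all names/addresses constructed)
hostname ACCESS-SW
ip domain-name mgmt.example.internal
!
! Only hosts in the management subnet may open a vty (SSH) session; log the rest
ip access-list standard MGMT-ACCESS
 permit 192.168.99.0 0.0.0.255
 deny   any log
!
! Local accounts with different privilege levels (used if no TACACS+ server answers)
! 'secret' stores a hash rather than a reversible password
! privilege 1 = user EXEC only (show commands), privilege 15 = full configuration access
username netops   privilege 15 secret <strong-password-placeholder>
username readonly privilege 1  secret <strong-password-placeholder>
!
! Centralised authentication, authorization and accounting via TACACS+
aaa new-model
tacacs server TAC1
 address ipv4 192.168.99.50
 key <tacacs-shared-secret-placeholder>
aaa group server tacacs+ MGMT-TACACS
 server name TAC1
! Fall back to the local user database only when no TACACS+ server is reachable
aaa authentication login MGMT-AUTH group MGMT-TACACS local
aaa authorization exec MGMT-AUTHZ group MGMT-TACACS local
aaa accounting exec MGMT-ACCT start-stop group MGMT-TACACS
aaa accounting commands 15 MGMT-ACCT start-stop group MGMT-TACACS
!
! SSH version 2 only; Telnet is not accepted on any vty
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 15
 access-class MGMT-ACCESS in
 transport input ssh
 login authentication MGMT-AUTH
 authorization exec MGMT-AUTHZ
 accounting exec MGMT-ACCT
 accounting commands 15 MGMT-ACCT
 exec-timeout 10 0
```

With command accounting enabled, every privilege-15 command issued from any SVI is recorded on the TACACS+ server with the user's name, which answers the earlier question: the change is tied to an authenticated administrator, not to the VLAN the session arrived on.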
04-14-2015 10:48 AM
Duly noted.
Thanks Jon