SVI and access interface in different VLANs - communication possible?

a1111 · ‎08-04-2024

Hello,

Can someone please confirm if this is correct?

Topology:
SW1–R1

Switch 1 (SW1) is connected to Router 1 (R1) via an access link configured for VLAN 222. SW1 has an SVI in VLAN 111 with an IP address assigned for management purposes. SW1 isn’t connected to any other L3-speaking device, only R1.

Given that the link between SW1 and R1 is a Layer 2-only access link in VLAN 222, is it possible to reach SW1’s SVI in VLAN 111?

In other words: if an SVI is in VLAN 111, and a frame enters in VLAN 222 via an access interface (so not a trunk), will the SVI respond?

I’d say no. If R1 were to ARP for SW1’s VLAN 111 SVI IP address, the ARP would only be flooded out all other ports that are in VLAN 222. Since the SVI is not in that VLAN, R1 would never get the MAC address.

But even if the MAC address were statically assigned on R1, SW1 would drop all traffic destined for its (SW1’s) VLAN 111 SVI IP address, because the traffic would be in different VLANs.

What do you think?

MHM Cisco World · ‎08-05-2024

I’d say no. If R1 were to ARP for SW1’s VLAN 111 SVI IP address, the ARP would only be flooded out all other ports that are in VLAN 222. Since the SVI is not in that VLAN, R1 would never get the MAC address.

Correct

But even if the MAC address were statically assigned on R1, SW1 would drop all traffic destined for its (SW1’s) VLAN 111 SVI IP address, because the traffic would be in different VLANs

Correct

MHM

Joseph W. Doherty · ‎08-05-2024

As already confirmed by @MHM Cisco World , you're correct. This because between L2 domains you need a L3 path, which you haven't provided.

If the L3 switch also had a SVI for VLAN 222, you would then have a L3 path, but crossing between wouldn't necessarily work either. For your example of the router ARPs for a MAC not on VLAN 222, the SVI on VLAN 222 would need to have proxy enabled.

Regarding the port being a trunk, with just the SVI on VLAN 111, that doesn't matter. What matters is then how the router is configured.

a1111 · ‎08-05-2024

Thank you both for the help!

If I understand it correctly, the solution you have in mind is proxy ARP. And the way that would work is:

1. On SW1, I configure an SVI in VLAN 222.
2. On SW1, I configure proxy ARP on the SVI in VLAN 222.

Then,

1. R1 ARPs for SW1's VLAN 111 SVI.
2. R1 gets an ARP response, but not from the VLAN 111 SVI, but instead from the SVI in VLAN 222.
3. R1 now has the MAC address of the SVI in VLAN 222.
4. When R1 sends a message to the VLAN 111 SVI, it uses the MAC address of the SVI in VLAN 222. (Since R1 mistakenly believes that this MAC address belongs to the VLAN 111 SVI, as that's the MAC address it got in the ARP response.)

Is this how it would work?

MHM Cisco World · ‎08-05-2024

Router send arp for

1- defualt GW if ip routing is disable

2- next hop if the routing is enable

3- ip routing is disable and no defualt Gw is config here the router send arp ask mac of destiantion IP' and here proxy arp work :-

A- proxy config in vlan 222

The vlan svi reply to arp by it mac' so router use mac of vlan 222 to connect to vlan 111

B- no proxy is config in vlan 222

Router not get reply for arp and connection drop

MHM

Joseph W. Doherty · ‎08-05-2024

Yes, correct, if you ARP for an IP not on the router's subnet.

The way I wrote my prior reply, it might be unclear you need to ARP for the IP. This is important because as you also asked about using a statically defined MAC, that bypasses ARP, so it would expect a MAC (I believe) to be on the L2 domain directly connected to the router's interface. Proxy ARP, as you describe, makes the off-net IP appear to be on the local L2 domain, using the proxy ARP interface's MAC, as you've described.

As an alternative, if you send packets to the SVI on VLAN 222, but not using SVI 222's IP, it will try to route them. If there is both a SVI for VLANs 111 and 222, and if IP routing is enabled on the switch, SVIs will route the packets.