SVI_Lab

This is a very basic lab, with a lot of concepts and gotchas labbed toward the bottom half of the post that are very important behaviors to know for exam day, but as always, first the fundamentals and theory that are a must know for exam day!


Fundamentals of SVI (Switch Virtual Interface) vs L3 / Routed Ports


There are two types of Layer 3 ports that can be configured on a switch, depending on what you need to do: an SVI is for Inter-VLAN communication on a switch without the need for a router, and a Routed Port functions entirely at Layer 3 (no L2 services).
Two distinct differences between the two interfaces for exam day:

  • SVI = Creating a Logical Interface for configuration
  • Routed Port = Re-configuring a Physical interface

This means SVI = Logical interface, and Routed Port = Physical interface

Before diving into the two, it is very important to note that “ip routing” must be globally configured on the switch or NO routing will occur between VLANs or Routed Ports:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#

If things are going wrong with MLS routing in the exam room or on the job, make sure that “ip routing” is enabled on the switch; and if given a scenario where L3 routing is an issue on an MLS, then “ip routing” could be the correct answer among the multiple choices!

SVI interfaces

SVIs are logical interfaces on a switch that are tied to certain VLANs, providing a Layer 3 gateway for configured VLANs on the switch, allowing Inter-VLAN communication.

Cisco switches have a default SVI called interface VLAN 1, referred to as the “Management Interface” when the switch is running as a Layer 2 device: assigning an IP Address to this interface in a “flat” network (one subnet) allows remote access to the switch via telnet or ssh from devices on the same subnet, hence the name Management Interface.

This type of Layer 3 interface is specifically meant for communication between VLANs on a switch, because it is an extension of the VLAN # itself, acting as the “gateway” for that VLAN, and the most important distinction is that it still allows Layer 2 protocols such as STP / DTP / etc. to run!

To demonstrate the default SVI interface VLAN 1, I completely wiped out the switch's configuration, then verified the SVI's status and proceeded with configuration:

Verification

Switch#sh ip int bri
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
FastEthernet1/0/1 unassigned YES unset up up
FastEthernet1/0/2 unassigned YES unset up up
FastEthernet1/0/3 unassigned YES unset up up

Configuration

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan 1
Switch(config-if)#ip add 10.0.0.1 255.255.255.0
Switch(config-if)#no shut
Switch(config-if)#
*Mar 1 00:05:37.087: %LINK-3-UPDOWN: Interface Vlan1, changed state to up
*Mar 1 00:05:37.096: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
Switch(config-if)#

SW1 now has an IP Address that can be used to telnet / ssh to it for remote management, before any VLANs are added to it, so either Host A or Host B could reach the switch for management purposes – all on the default SVI interface VLAN 1!

One important thing to note about the default SVI interface VLAN 1 is that it IS present on the switch by default, however it is also ADMIN DOWN: interface VLAN 1 must be “no shut” to be Up / Active!

When new SVIs are configured, they go directly to an Up/Up state upon creation and would need to be manually shut down on the SVI interface, as shown below in the configuration section.

Layer 3 / Routed Port interfaces

The other type is an L3 / Layer 3 / Routed Port, which is created by turning a Layer 2 interface into a Layer 3 interface by issuing the command “no switchport” on the physical interface, turning off Layer 2 services and turning on Layer 3 routing services.

A Routed Port is ideal for Layer 2 / Layer 3 boundaries in the network, as no Layer 2 protocols will send traffic to the connected remote device, so it is used to connect a switch uplink to the edge router, or to connect the Distribution layer to the Core layer switches in the 3-layer switch model.

For exam day, it is not only useful for connecting to Routers or Firewalls, but also to Core layer switches; for reference, the 3-layer switch model is discussed here.

A dynamic routing protocol will be needed (or at least strongly recommended) on the switch containing the Routed Port, one that includes all the VLAN subnets in the switched network, as Layer 2 protocols will not be in use to propagate routing information.

Static routing is possible, however it is not a scalable / manageable solution (like statically assigning IP addresses to every device on the network), so for the L2 / L3 boundary in the network, Dynamic Routing is the way to go!


SVI interface configuration and verification

(Lab topology diagram: SVI_Lab)

The VLANs have already been set up on SW1, and hosts A (R1) and B (R2) are already configured, so the configuration will be very straightforward here.

Verification of current VLAN Database

SW1(config)#do sh vlan bri

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active (Lots of Ports)
10 VLAN0010 active Fa1/0/10
20 VLAN0020 active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
SW1(config)#

Note VLAN 10 has an interface in it, while VLAN 20 doesn’t yet have an interface added.

Configuration of IP Routing to allow Layer 3 communication!

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#

Configuration of SVI VLAN10

SW1(config)#int vlan 10
SW1(config-if)#
*Mar 1 00:46:13.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
SW1(config-if)#

Line Protocol comes up immediately, even without an IP Address, which implies that the logical interface is up as well; this is a bit different from SVI VLAN1, which by default is Administratively Down until turned up.

Verification SVI is Up/Up even without an IP Address

SW1#sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.0.1 YES NVRAM up up
Vlan10 unassigned YES unset up up

Configuration of the IP Address

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#int vlan10
SW1(config-if)#ip add 10.0.10.10 255.255.255.0

Verify Layer 3 Connectivity from Host A

Host_A#ping 10.0.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Host_A#

Now for configuration of VLAN 20, I’ll see how not having any active interfaces residing in the VLAN will impact the configuration of the SVI.

Configuration / Verification for SVI VLAN20

SW1(config)#int vlan20
SW1(config-if)#
*Mar 1 01:13:26.736: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up
SW1(config-if)#do sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.0.1 YES NVRAM up up
Vlan10 10.0.10.10 YES manual up up
Vlan20 unassigned YES unset up up

Absolutely no difference. I have seen it taught incorrectly, or in outdated material, that a VLAN must have an active interface in it for the Line Protocol to come up immediately, and this is not the case!

Configuring the IP Address

SW1(config)#int vlan20
SW1(config-if)#ip add 10.0.20.20 255.255.255.0
SW1(config-if)#

Verify Host B can ping SVI VLAN20

Host_B#ping 10.0.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.20, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Forgot to add the interface to VLAN 20!

Adding interface to VLAN 20

SW1(config-if)#int fa1/0/12
SW1(config-if)#switchport access vlan 20
SW1(config-if)#

Testing connectivity once more to SVI VLAN20

Host_B#ping 10.0.20.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
Host_B#

And there we have it.

Back on SW1 there is now a routing table, that should allow for inter-VLAN communication without any further configuration:

SW1#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.0.0.0/24 is directly connected, Vlan1
L 10.0.0.1/32 is directly connected, Vlan1
C 10.0.10.0/24 is directly connected, Vlan10
L 10.0.10.10/32 is directly connected, Vlan10
C 10.0.20.0/24 is directly connected, Vlan20
L 10.0.20.20/32 is directly connected, Vlan20
SW1#

The 3 SVI interfaces (1 default, 2 manually configured) can now be seen as local (L) routes, with the connected (C) networks for those VLANs residing above them, and I also left all the routing protocol codes in there to demonstrate that once “ip routing” is enabled you get the full range of routing protocols to configure on the switch!

With this full routing table, Host A should be able to ping across VLAN 10 to VLAN 20 and back with no issues, right?

Host_A#ping 10.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Wrong!

When using SVIs for Inter-VLAN communication, the default gateway of the host must be set to that VLAN's SVI interface IP Address, which is currently not the case on Host A (R1):

Host_A#sh ip route
(Route codes redacted)
Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.0.10.0/24 is directly connected, FastEthernet0/1
L 10.0.10.1/32 is directly connected, FastEthernet0/1
Host_A#

This will not work at all, so I add a default route on each host pointing to its respective gateway:

Host_A#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Host_A(config)#ip route 0.0.0.0 0.0.0.0 10.0.10.10
Host_A(config)#
ASR#4
[Resuming connection 4 to r2 ... ]

Host_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Host_B(config)#ip route 0.0.0.0 0.0.0.0 10.0.20.20
Host_B(config)#

NOW there should be no issue pinging between Host A and Host B across VLANs:

Host_A#ping 10.0.20.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Host_A#

So to summarize all of those steps:

  • Enable “ip routing” in global configuration
  • Configure “int vlan #” to create the SVI for the corresponding VLAN #
  • Assign an IP Address / Subnet mask in interface configuration
  • Configure hosts to use the IP Address of the newly created SVI
  • Connectivity!
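As an added example that is not part of the original lab, here is a small Python audit of a constructed SW1-style running-config that checks the steps above: “ip routing” present, each SVI with an address and not shut down, and each host's default gateway matching its VLAN's SVI (the gotcha from the Host A ping earlier). It goes slightly beyond the list by also flagging an access VLAN that has no SVI at all; the interface names and addresses in the sample config are constructed for the example.

```python
import ipaddress
import re

# Constructed sample running-config modelled on SW1 in this lab (not captured output).
SAMPLE_CONFIG = """\
ip routing
!
interface FastEthernet1/0/10
 switchport access vlan 10
!
interface FastEthernet1/0/13
 switchport access vlan 30
!
interface Vlan10
 ip address 10.0.10.10 255.255.255.0
!
interface Vlan20
 shutdown
!
"""
# An 'interface X' line followed by its indented sub-commands (IOS uses one space).
STANZA = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)

def parse(config):
    """Return (ip_routing_on, {vlan_id: (address|None, shutdown)}, {port: vlan_id})."""
    svis, access = {}, {}
    for name, body in STANZA.findall(config):
        if name.lower().startswith("vlan"):
            m = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}") if m else None
            down = re.search(r"^ shutdown$", body, re.M) is not None
            svis[name[4:]] = (addr, down)
        elif m := re.search(r"^ switchport access vlan (\d+)$", body, re.M):
            access[name] = m[1]
    routing_on = re.search(r"^ip routing$", config, re.M) is not None
    return routing_on, svis, access

def audit(config):
    """List the conditions that would break inter-VLAN routing; [] means clean."""
    routing_on, svis, access = parse(config)
    findings = [] if routing_on else ["ip routing is not enabled globally"]
    for vid, (addr, down) in svis.items():
        if addr is None:
            findings.append(f"Vlan{vid}: SVI has no IP address")
        if down:
            findings.append(f"Vlan{vid}: SVI is administratively down")
    for port, vid in access.items():
        if vid not in svis or svis[vid][0] is None:
            findings.append(f"{port}: VLAN {vid} has no SVI to act as gateway")
    return findings

def host_gateway_ok(config, vlan_id, host_ip, gateway_ip):
    """True if the host's default gateway is its VLAN's SVI on the host's subnet."""
    addr = parse(config)[1].get(vlan_id, (None, False))[0]
    return (addr is not None and str(addr.ip) == gateway_ip
            and ipaddress.ip_address(host_ip) in addr.network)
```

Running `audit(SAMPLE_CONFIG)` reports the shut, address-less Vlan20 and the VLAN 30 port with no SVI, and removing the “ip routing” line adds the global finding first.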

Configuration of Layer 3 Routed Port

This will be much briefer, as it will be covered with dynamic routing protocols in the following post / lab session; however, configuring a Routed Port is just as easy:

Configuration

SW1(config-if)#no switchport ?
access Set access mode characteristics of the interface
autostate Include or exclude this port from vlan link up calculation
backup Set backup for the interface
block Disable forwarding of unknown uni/multi cast addresses
host Set port host
mode Set trunking mode of the interface
nonegotiate Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority Set appliance 802.1p priority
private-vlan Set the private VLAN configuration
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
<cr>

SW1(config-if)#

The <cr> at the very bottom means “no switchport” can be entered on its own, making this interface no longer a switchport and turning off all Layer 2 services entirely; to verify this, after issuing the command:

SW1(config-if)#no switchport
SW1(config-if)#
*Mar 1 02:04:24.912: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to down
SW1(config-if)#
*Mar 1 02:04:26.926: %LINK-3-UPDOWN: Interface FastEthernet1/0/24, changed state to up
*Mar 1 02:04:27.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up
SW1(config-if)#

The interface will bounce when you issue “switchport” to change an L3 interface back into an L2 interface, or “no switchport” to make an L2 interface into an L3 Routed interface.


Behaviors of “ip routing” not being enabled to watch out for on exam day!


Lastly, there is the business of turning IP Routing off on a switch, or forgetting to turn it on in the first place; here are the different behaviors caused by IP routing being disabled:

Disabling IP routing

SW1(config)#
SW1(config)#no ip routing
SW1(config)#

No console messages, nothing falling from the sky, it just quietly turns off routing.

Viewing the IP route table of configured SVIs

SW1(config)#do sh ip route
Default gateway is not set

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
SW1(config)#

Nothing happening here at all.

What surprised me a bit was the interface-level configuration that is still possible with IP routing disabled:

Configuring a Layer 3 interface

SW1(config-if)#no switchport
SW1(config-if)#
*Mar 1 02:14:11.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to down
SW1(config-if)#
*Mar 1 02:14:13.558: %LINK-3-UPDOWN: Interface FastEthernet1/0/24, changed state to up
*Mar 1 02:14:14.565: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/24, changed state to up

Just being able to change a Layer 2 interface to a Layer 3 interface with IP routing globally disabled intrigued me, so I tried to assign it the Default Gateway Address of Host B (which is currently plugged into this interface):

SW1(config-if)#ip add 10.0.20.20 255.255.255.0
% 10.0.20.0 overlaps with Vlan20
SW1(config-if)#

So it does still recognize the virtual or logical SVI interface created for VLAN 20:

SW1(config-if)#do sh ip int brief
Interface IP-Address OK? Method Status Protocol
Vlan1 10.0.0.1 YES NVRAM up up
Vlan10 10.0.10.10 YES manual up up
Vlan20 10.0.20.20 YES manual up up

All the SVIs are still showing Up/Up even with IP Routing globally disabled; however, without an IP Route table there is no way for Inter-VLAN communication to occur, even after moving the cable for Host B back to Fa1/0/12 in VLAN 20.

HOWEVER, you can actually ping the SVI interfaces on the switch by IP from a host with IP Routing globally disabled, just not hosts off the switchports in a different VLAN:

Ping to SVI VLAN10

Host_A#ping 10.0.10.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.10.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Ping to SVI VLAN20

Host_A#ping 10.0.20.20

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.20, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms

To Host B (R2)

Host_A#ping 10.0.20.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Host_A#

To wrap this up, I can't help but test this with a Layer 3 Routed Port, so I plugged Host B back into Fa1/0/24 and configured both sides to route to each other, to see how it would respond differently with this other type of Layer 3 interface.

The configuration of both SW1 and Host B

SW1(config-if)#int fa1/0/24
SW1(config-if)#no switchport
SW1(config-if)#ip add 10.0.30.30 255.255.255.0
SW1(config-if)#
ASR#4
[Resuming connection 4 to r2 ... ]
[OK]
Host_B#
Host_B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Host_B(config)#ip route 0.0.0.0 0.0.0.0 10.0.30.30
Host_B(config)#int fa0/1
Host_B(config-if)#ip add 10.30.0.1 255.255.255.0
Host_B(config-if)#

To the Layer 3 connected interface

Host_B#ping 10.0.30.30
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.30.30, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

A much different result: when IP Routing is disabled, a Routed Interface configured with “no switchport” will not even respond to pings. To confirm it gets no response at Layer 2 either:

To SVI VLAN1 logical interface

Host_B#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Host_B#

This ping fails as well, because once the port is manually configured to be a Layer 3 port on the switch, it is no longer in VLAN 1 (or any VLAN).

So despite being able to fully configure the interface, with “ip routing” never enabled or explicitly disabled, those interfaces will not be able to communicate at all, because their underlying Layer 3 services are turned off!

You can also verify whether an interface is L2 or L3 with the “sh int (int) switchport” command:

SW1#sh int fa1/0/24 switchport
Name: Fa1/0/24
Switchport: Disabled

SW1#

In other labs where I've reviewed this command for Trunking / VLAN / all switchport info, there is a lot of Layer 2 output, if of course the interface is actually a “switchport”!

That is all I have for this one.

Onto the next topic, switch redundancy and switch stacking / stackwise!