
Forum Replies

  1. Hi Thomas,

    The default native VLAN is 1, but it's not used or required in that example. We use the native VLAN for some management protocols like PAgP, LACP, VTP, CDP, etc.


  2. Hello Dinh.

    I had a production network where I wanted to implement exactly what you describe. The solution I used was access lists as you mentioned. It is probably the fastest and most immediate solution. However, there are a couple of other solutions that may be more flexible as well. These are described below:

    VLAN access list - This is just an access list, but it filters based on VLAN rather than IP. It is a layer 2 solution. An example configuration can be seen below:

    ! One SVI per VLAN; VLAN 2 is the only path to the internet
    interface Vlan1
     no ip address
    interface Vlan2
     description VLan connected to Internet
     ip address
    interface Vlan10
     description User VLAN
     ip address
    interface Vlan20
     description Server VLAN
     ip address
    interface Vlan30
     description Management VLAN
     ip address
    ip route
    ! INTERNET matches everything; DENY-INTERNAL matches traffic between the internal VLANs
    ip access-list standard INTERNET
     permit any
    ip access-list extended DENY-INTERNAL
     permit ip
    ! Sequence 10 drops inter-VLAN traffic, sequence 20 forwards the rest
    vlan access-map MY-VLAN-MAP 10
     action drop
     match ip address DENY-INTERNAL
    vlan access-map MY-VLAN-MAP 20
     action forward
     match ip address INTERNET
    ! Apply the map to the three internal VLANs
    vlan filter MY-VLAN-MAP vlan-list 10-30

    In this example, users on the three VLANs can access ONLY VLAN 2 to connect to the internet; however, any attempt at inter-VLAN connectivity will be dropped. So inter-VLAN routing is essentially blocked for VLANs 10, 20 and 30.

    The other option, which is a layer 3 solution, is the use of policy-based routing. An example can be seen below:

    ! Classify the traffic from each VLAN
    access-list 100 permit ip any
    access-list 110 permit ip any
    ! Each route-map steers the matching traffic to a chosen next hop
    route-map vlan500 permit 10
     match ip address 100
     set ip next-hop
    route-map vlan600 permit 10
     match ip address 110
     set ip next-hop
    ! Policy routing is applied to traffic entering each SVI
    interface vlan 500
     ip address
     ip policy route-map vlan500
    interface vlan 600
     ip address
     ip policy route-map vlan600

    This is probably the most flexible of the above solutions because you can configure it per range of IP addresses. Your access lists can be more specific to include specific hosts within a subnet/VLAN, so that some hosts will have access to specific VLANs and others won't.

    I hope this has been helpful.
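
A fuller version of the VACL layout from this reply, as an added example rather than the poster's own configuration: the VLAN numbers and map name follow the reply, while all addresses and the SAME-SUBNET entry are constructed for illustration. It adds the point a practitioner tends to hit first: a VACL also filters bridged traffic inside the VLAN, so same-subnet traffic (including a host reaching its own gateway SVI) has to be forwarded explicitly before the drop entry.

```cisco
! Added example with constructed addressing (not the forum poster's config).
! VLAN 2 = 172.16.2.0/24 (internet edge, next hop 172.16.2.254)
! VLAN 10 = 10.0.10.0/24 users, VLAN 20 = 10.0.20.0/24 servers,
! VLAN 30 = 10.0.30.0/24 management
interface Vlan2
 description Internet-facing VLAN
 ip address 172.16.2.1 255.255.255.0
interface Vlan10
 description User VLAN
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 description Server VLAN
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 description Management VLAN
 ip address 10.0.30.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 172.16.2.254
!
! A VACL also filters bridged traffic inside the VLAN, so same-subnet
! traffic (including a host reaching its own gateway SVI) is forwarded
! explicitly before the drop entry is evaluated.
ip access-list extended SAME-SUBNET
 permit ip 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255
 permit ip 10.0.20.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip 10.0.30.0 0.0.0.255 10.0.30.0 0.0.0.255
! Any traffic from one internal VLAN to another internal VLAN
ip access-list extended DENY-INTERNAL
 permit ip 10.0.0.0 0.0.255.255 10.0.0.0 0.0.255.255
! Everything else, i.e. internet-bound traffic leaving via VLAN 2
ip access-list standard INTERNET
 permit any
!
! Entries are evaluated in sequence order; the first match decides.
vlan access-map MY-VLAN-MAP 10
 match ip address SAME-SUBNET
 action forward
vlan access-map MY-VLAN-MAP 20
 match ip address DENY-INTERNAL
 action drop
vlan access-map MY-VLAN-MAP 30
 match ip address INTERNET
 action forward
vlan filter MY-VLAN-MAP vlan-list 10-30
```

Return traffic from the internet enters VLAN 10, 20 or 30 with a public source address, so it misses DENY-INTERNAL and is forwarded by sequence 30; `show vlan access-map` and `show vlan filter` confirm the map and the VLANs it is applied to.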

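A worked version of the policy-based routing option, as an added example rather than the poster's own configuration, with constructed addresses, ACL numbers and the route-map name USERS. It narrows the reply's idea to one SVI: a subset of user hosts may reach the server VLAN, other user traffic to internal VLANs is discarded, and internet-bound traffic is steered to the edge router.

```cisco
! Added example with constructed addressing (not the forum poster's config).
! Policy routing on the user SVI: hosts in 10.0.10.0/26 may reach the server
! VLAN 10.0.20.0/24, other user traffic to internal VLANs is dropped, and
! internet-bound traffic is steered to the edge router at 172.16.2.254.
access-list 100 permit ip 10.0.10.0 0.0.0.63 10.0.20.0 0.0.0.255
access-list 110 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 120 permit ip 10.0.10.0 0.0.0.255 any
!
! Sequence 10 has no set clause, so matching traffic is routed normally.
route-map USERS permit 10
 match ip address 100
! An unreachable next hop falls back to normal routing, so denied
! traffic is sent to Null0 rather than to a bogus next hop.
route-map USERS permit 20
 match ip address 110
 set interface Null0
route-map USERS permit 30
 match ip address 120
 set ip next-hop 172.16.2.254
!
! PBR only sees traffic that enters the SVI from VLAN 10, not traffic
! that stays inside the VLAN.
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip policy route-map USERS
```

`show route-map USERS` shows per-sequence match counters and `show ip policy` lists the interfaces the map is applied to, which is the quickest way to confirm the drop entry is actually being hit.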

  3. Hello Brian,

    Please allow me to step in and participate, as this is an issue that I had trouble visualising and understanding. I hope I can be of some help. For the most part, you've got it; maybe I can make things a little bit clearer for you.

    It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the subnet. In the same way, you can place multiple routers on the same subnet and have them function as multiple possible default gateways. The concept is the same.

    Yes, that is correct.

    Keep in mind that:

    • An SVI can be thought of as a (virtual) layer three interface that resides on a VLAN.
    • It can be used for several purposes, one of which is to function as a default gateway for inter-VLAN routing, so devices on that specific VLAN will be able to communicate with other subnets, either on or off of the specific layer three switch.
    • It can also be used as an interface to configure the switch itself, either via telnet/ssh or via http.

    Yes, that is absolutely right!

    Keep in mind that inter-VLAN routing is still routing, and as such, it still requires a default gateway, so in this sense, an SVI will function as a default gateway.

    I hope this has been helpful!


  4. Rene / Lagapides,

    A question please. I have read on this forum as follows:

    "It is possible to have SVIs on multiple switches be in the same subnet, and depending on how you have set up your network, you can make any one of those SVIs a default gateway for use by the hosts on the subnet…"

    So based on the above, can you please clarify further: do you mean this can also be done when stretching across 2 x core switches, but where those core switches route in different routing domains, so to speak? E.g. what if you have 2 x core switches that are, for example, eBGP peers (different AS) with an L2 direct connection which could trunk VLANs (if required). So I then want to deploy a single but SAME subnet, say 10.1.1.x/24 where x is constant, and want to stretch that across each individual respective campus. Is it possible? And secondly, how would the SVIs be numbered, i.e. would you use a .1 on each core switch SVI interface? (My wider reading suggests it's never good practice to stretch or span VLANs.)

    I labbed this in GNS and it seemed to work to a point: through a VLAN added to the layer 2 trunk adjoining each core switch (presumably no spanning issues as it is a port channel), I connected and configured hosts in the same subnet either side of the core switch, directly connected, as well as other test subnets (so 10.1.2.x & 10.1.3.x). It seemed to work configuring only a single SVI on one core switch for the subnet, with VLANs added both sides and to the layer 2 trunk; I could ping between all hosts. It also works with an SVI on both core switches, with some success. Which would you do, or could you do, if any?

    But on BGP I could only think to configure host routes (/32 to Null0) to push into BGP, to allow specific L3 routing updates beyond the core network so that traffic destined for each directly connected /32 host within the subnet gets explicitly routed to the correct core switch. This shaped up to a point; however, the BGP routes propagated to the core peers for the same respective subnet would show in the local IP BGP table but would be unreachable, 'U' / !H…

    Sorry, long question I know, but this is a response to the statement by Lagapides and the confusion caused by the rhetoric surrounding spanning or stretching layer 2 VLANs beyond the core. Any input on this would be most appreciated; hope this makes sense. PS I think this touches on a wider design issue; however, it also focuses, as a good example, on the specific use case for SVIs, and also incorporates the use case of actually routing SVIs as well, whereas all education often points to handling routed VLANs separately from the L3 side. Many thanks, Will

  5. Happy to provide my example lab and diagram if it helps. I really have spent a long time reading on this on your site and wider sources, but I'm not sure what is allowed or should be allowed and, most importantly, if VLANs have to be stretched (spanned is different, I think), what is the right / best way to do it. (Assuming a subnet has to be stretched.)
