IPv4 Address Configuration on Cisco IOS Catalyst Switch

To allow remote access to a Cisco IOS Catalyst switch with protocols like telnet or SSH, we need to configure an IP address on the switch. You also need this if you want to use any network management tools to monitor your switch.

On L2 switches, the IP address is only used for remote access to your switch. On L3 (multilayer) switches, we also use these SVI interfaces for routing.

Most switches have a lot of physical interfaces, so where are we going to configure an IP address? Instead of using a physical interface, we often use a virtual interface called an SVI (Switch Virtual Interface). Here’s how to visualize this:

[Figure: Cisco switch virtual interface for VLAN 1]

The IP address is configured on the SVI interface. All physical interfaces within the same VLAN will be able to communicate with this SVI interface.

The default VLAN on your Cisco Catalyst switch is VLAN 1, and all interfaces belong to this VLAN by default. This means that if you create an SVI interface for VLAN 1 and put an IP address on it, everyone will be able to reach it. It is possible to use access-lists to restrict which IP addresses are allowed, but it’s better to create a separate VLAN for management. Here’s an illustration:

[Figure: switch with management VLAN 20]

On the left side, we have two hosts in VLAN 10. These will be able to communicate with each other since they are in the same VLAN. On the right side, we see a computer that is only used for management. This computer is connected to interface FastEthernet 0/3 and there is an SVI interface with IP address 192.168.20.1.

This management computer will be able to exchange IP packets with our switch. This is a nice and secure way to make the switch reachable only from computers that are supposed to access it.

Configuration

Let me show you how to configure the SVI interface. First, you have to make sure you created the VLAN in the VLAN database:

SW1(config)#vlan 20
SW1(config-vlan)#exit

Now we can create a new SVI interface:

SW1(config)#interface vlan 20
SW1(config-if)#no shutdown
SW1(config-if)#ip address 192.168.20.1 255.255.255.0

Make sure you don’t forget the no shutdown command. By default, all SVI interfaces are shut. Make sure you add one of the physical interfaces to VLAN 20:

SW1(config)#interface FastEthernet 0/3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 20

That’s all you have to do. Let’s see if it’s working.

Verification

Let’s check if the SVI interface is up and running:

SW1#show ip interface brief | include Vlan
Vlan20                 192.168.20.1    YES manual up                    up

This is looking good. I will connect a computer to the FastEthernet0/3 interface of my switch to see if I can ping the switch. I also configured a static IP address in the same subnet as our switch:

C:\Users\mgmt>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : vmware
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-8E-5E-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e8b4:ac21:751f:fa34%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.20.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, October 6, 2015 1:46:34 AM
   Lease Expires . . . . . . . . . . : Wednesday, October 7, 2015 2:02:04 AM
   DHCPv6 IAID . . . . . . . . . . . : 251678806
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1D-13-64-E8-00-50-56-8E-5E-33
   NetBIOS over Tcpip. . . . . . . . : Enabled

Let’s try that ping:

C:\Users\mgmt>ping 192.168.20.1
Pinging 192.168.20.1 with 32 bytes of data:
Reply from 192.168.20.1: bytes=32 time=3ms TTL=255
Reply from 192.168.20.1: bytes=32 time=1ms TTL=255
Reply from 192.168.20.1: bytes=32 time=2ms TTL=255
Reply from 192.168.20.1: bytes=32 time=1ms TTL=255
Ping statistics for 192.168.20.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 3ms, Average = 1ms

It’s working. All devices in VLAN 20 will be able to reach our switch.
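
Which ports share a VLAN with an addressed SVI can also be checked offline against a saved running-config. The Python script below is an added example, not part of the original lesson: the sample configuration (including the 192.168.1.1 address on Vlan1) and the function names parse_interfaces, access_vlan and audit_svis are constructed for illustration. It assumes Ethernet-named access ports and skips trunk ports.

```python
import re

# Constructed sample running-config (not from the page), incl. an addressed Vlan1 SVI.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 20
!
interface FastEthernet0/4
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def access_vlan(cmds):
    """VLAN of an access port; with no 'switchport access vlan' it is VLAN 1."""
    found = [c.split()[-1] for c in cmds if c.startswith("switchport access vlan ")]
    return int(found[0]) if found else 1

def audit_svis(config):
    """Map each addressed SVI's VLAN to the access ports that can reach it."""
    interfaces = parse_interfaces(config)
    ports = {n: c for n, c in interfaces.items()
             if re.match(r"\w*Ethernet", n) and "switchport mode trunk" not in c}
    report = {}
    for name, cmds in interfaces.items():
        m = re.fullmatch(r"Vlan(\d+)", name)
        if m and any(c.startswith("ip address ") for c in cmds):
            vlan = int(m.group(1))
            report[vlan] = {"shutdown": "shutdown" in cmds,
                            "ports": [p for p, c in ports.items() if access_vlan(c) == vlan]}
    return report
```

For the sample, audit_svis(SAMPLE_CONFIG) reports FastEthernet0/3 as the only port in VLAN 20, while the Vlan1 SVI is reachable from FastEthernet0/4, a port that was never assigned to any VLAN.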

Conclusion

In this lesson, you have learned how to configure an SVI interface with a separate management VLAN so that you can access the switch remotely. We will use this later for remote access through telnet/SSH.