A Switch Virtual Interface (SVI) is a logical interface on a Catalyst switch that represents an IP address for a VLAN. Unlike physical interfaces (Gi1/0/1), SVIs don't connect to cables—they connect to the VLAN itself. If VLAN 10 has ports on three different switches, all three can have an SVI in VLAN 10, but only the SVI on the switch with the default route (or the most direct path) actually forwards inter-VLAN traffic. SVIs are the foundation of modern switching: they provide management access to any switch and enable hardware-based inter-VLAN routing on Layer 3 switches.
What Is an SVI and When to Use It
An SVI is created with the command interface vlan {id}. It's a virtual Layer 3 interface, not a physical port. Once created, you assign an IP address and the switch can route traffic to that VLAN.
Two primary uses:
- Management Access: Create an SVI in the management VLAN so you can SSH/telnet to the switch. A switch in VLAN 30 (Management) with SVI
interface vlan 30andip address 10.10.30.11can be reached at 10.10.30.11. - Inter-VLAN Routing: On a Layer 3 switch (like Catalyst 9300), create SVIs for all VLANs. The switch then routes packets between VLANs at line rate in hardware (no bandwidth bottleneck like router-on-a-stick).
SVI Prerequisites: - The VLAN must exist in the switch's VLAN database (via vlan 10 or VTP) - At least one physical port in that VLAN must be up (Layer 1/2 active) - IP routing must be globally enabled on the switch (ip routing command)
If you create interface vlan 10 but no ports are assigned to VLAN 10, the SVI will be up/down (Layer 3 up but Layer 2 down).
Catalyst 9000 Switching Architecture
Catalyst 9000 series (9300, 9200, 9200L) are natively Layer 3 switches. They have: - Hardware-based routing between VLANs via SVIs - Full BGP, OSPF, and static routing support - Per-VLAN IP routing with no performance penalty - Extensive ACL and policy-based routing
This is different from older Catalyst 2960 (access switch only, no routing) or Catalyst 3850 (older L3 switch with similar capabilities).
Creating SVIs Step by Step
Step 1: Verify the VLAN Exists
Before creating an SVI, ensure the VLAN is defined:
CORE-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- ----------------------------
1 default active Gi1/0/1, Gi1/0/2, ...
10 Users active Gi1/0/5
20 Servers active Gi1/0/8
30 Management active Gi1/0/9
All VLANs 10, 20, 30 exist and have at least one active port.
If a VLAN doesn't exist, create it:
CORE-SW1(config)# vlan 10
CORE-SW1(config-vlan)# name Users
CORE-SW1(config-vlan)# exit
Step 2: Enable IP Routing Globally
Layer 3 switches default to Layer 2-only mode. Enable routing:
CORE-SW1(config)# ip routing
Verify routing is enabled:
CORE-SW1# show ip protocols
IP Routing is NSF aware
Connected:
Directly connected subnets in Routing Information Base (RIB)
The presence of RIB (Routing Information Base) confirms routing is active.
Step 3: Create SVI Interfaces
Create an SVI for each VLAN. On CORE-SW1 (the core router), create SVIs for all VLANs:
CORE-SW1(config)# interface vlan 10
CORE-SW1(config-if)# description Users VLAN SVI
CORE-SW1(config-if)# ip address 10.10.10.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 20
CORE-SW1(config-if)# description Servers VLAN SVI
CORE-SW1(config-if)# ip address 10.10.20.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 30
CORE-SW1(config-if)# description Management VLAN SVI
CORE-SW1(config-if)# ip address 10.10.30.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 40
CORE-SW1(config-if)# description Voice VLAN SVI
CORE-SW1(config-if)# ip address 10.10.40.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 50
CORE-SW1(config-if)# description Guest VLAN SVI
CORE-SW1(config-if)# ip address 10.10.50.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 99
CORE-SW1(config-if)# description Native VLAN SVI
CORE-SW1(config-if)# ip address 10.10.99.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# end
Notice: - Each SVI gets a unique subnet and the .1 address (conventional gateway address) - VLAN 99 (native/management) also gets an SVI - no shutdown is explicit (sometimes enabled by default, but good practice)
Step 4: Configure SVIs on Distribution Switches for Management Only
Distribution switches (DIST-SW1, DIST-SW2) often only need SVIs for management access, not full inter-VLAN routing (the core switch handles that). Configure one management SVI:
DIST-SW1(config)# ip routing
DIST-SW1(config)# interface vlan 30
DIST-SW1(config-if)# description Management VLAN SVI
DIST-SW1(config-if)# ip address 10.10.30.2 255.255.255.0
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# exit
DIST-SW2(config)# ip routing
DIST-SW2(config)# interface vlan 30
DIST-SW2(config-if)# description Management VLAN SVI
DIST-SW2(config-if)# ip address 10.10.30.3 255.255.255.0
DIST-SW2(config-if)# no shutdown
DIST-SW2(config-if)# exit
This gives you a way to SSH to DIST-SW1 (10.10.30.2) and DIST-SW2 (10.10.30.3) even if they don't route inter-VLAN traffic.
Step 5: Configure Access Switch SVIs for Management (Optional)
Access switches typically don't need full IP routing, but a management SVI is useful:
ACC-SW1(config)# ip routing
ACC-SW1(config)# interface vlan 30
ACC-SW1(config-if)# description Management VLAN SVI
ACC-SW1(config-if)# ip address 10.10.30.11 255.255.255.0
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit
Access switches are typically accessed through the management gateway on CORE-SW1 or a dedicated out-of-band management network, so the SVI IP isn't strictly necessary—but it's useful for local troubleshooting.
Verifying SVI Configuration
Check SVI Status with show ip interface brief
CORE-SW1# show ip interface brief | include vlan
Interface IP-Address OK? Method Status Protocol
Vlan10 10.10.10.1 YES manual up up
Vlan20 10.10.20.1 YES manual up up
Vlan30 10.10.30.1 YES manual up up
Vlan40 10.10.40.1 YES manual up up
Vlan50 10.10.50.1 YES manual up up
Vlan99 10.10.99.1 YES manual up up
All SVIs are up/up, meaning: - Protocol up: Layer 3 is active (IP routing is enabled and the interface has an IP) - Interface up: At least one physical port in that VLAN is active
Detailed SVI Status with show interfaces vlan 10
CORE-SW1# show interfaces vlan 10
Vlan10 is up, line protocol is up (connected)
Hardware is Ethernet SVI, address is aabb.cc00.0100 (bia aabb.cc00.0100)
Description: Users VLAN SVI
Internet address is 10.10.10.1/24
MTU 1500 bytes, BW 1000000 Kbit/sec
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 1000 bits/sec, 1 packets/sec
5 minute output rate 500 bits/sec, 0 packets/sec
L2 Switched: ucast: 145 pkt, 11234 bytes - mcast: 23 pkt, 3234 bytes
L3 Switched: ucast: 89 pkt, 12456 bytes - mcast: 0 pkt, 0 bytes
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
Received 245 broadcasts (245 multicasts)
Output 340 broadcasts (215 multicasts)
Key observations: - State: Vlan10 is up, line protocol is up (Layer 1 and Layer 3 active) - Hardware address: Shows the switch's MAC (aabb.cc00.0100) - Internet address: 10.10.10.1/24 - L3 Switched: Shows packets switched at Layer 3 (inter-VLAN traffic)
View All SVIs Across the Switch
CORE-SW1# show interfaces summary vlan
Interface IP-Address Status Protocol
Vlan10 10.10.10.1 up up
Vlan20 10.10.20.1 up up
Vlan30 10.10.30.1 up up
Vlan40 10.10.40.1 up up
Vlan50 10.10.50.1 up up
Vlan99 10.10.99.1 up up
Check IP Routing Table
Verify that directly connected routes appear for each SVI subnet:
CORE-SW1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - bgp
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level 1, L2 - IS-IS level 2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic encrypted route, + - replicated route
b - replicated bgp route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 12 subnets, 2 masks
C 10.10.10.0/24 is directly connected, Vlan10
L 10.10.10.1/32 is local, Vlan10
C 10.10.20.0/24 is directly connected, Vlan20
L 10.10.20.1/32 is local, Vlan20
C 10.10.30.0/24 is directly connected, Vlan30
L 10.10.30.1/32 is local, Vlan30
C 10.10.40.0/24 is directly connected, Vlan40
L 10.10.40.1/32 is local, Vlan40
C 10.10.50.0/24 is directly connected, Vlan50
L 10.10.50.1/32 is local, Vlan50
C 10.10.99.0/24 is directly connected, Vlan99
L 10.10.99.1/32 is local, Vlan99
Every SVI subnet is a directly connected route (C). The switch can immediately reach any host in those subnets without consulting upstream routers.
SVI States and Troubleshooting
SVI State: up/up (Working)
Vlan10 is up, line protocol is up
This is the desired state. The SVI is routing traffic normally.
Requirements met: - VLAN exists in the VLAN database - At least one port in VLAN 10 is up (Layer 1) - IP routing is enabled - IP address is configured
SVI State: up/down (Layer 2 Down)
Vlan20 is up, line protocol is down
The SVI has an IP address (Layer 3 up) but no physical ports in VLAN 20 are active (Layer 2 down).
Causes: 1. No ports assigned to VLAN 20 2. All ports in VLAN 20 are in err-disabled or shutdown state 3. Ports are configured but the cables are disconnected
Diagnosis:
CORE-SW1# show vlan id 20
VLAN Name Status Ports
---- -------------------------------- --------- ----------------------------
20 Servers active
CORE-SW1# show interfaces vlan 20
Vlan20 is up, line protocol is down (notconnect)
Check which ports should be in VLAN 20:
CORE-SW1# show interfaces switchport | include "Vlan 20"
Switchport Mode : access
Access Mode VLAN : 20
Find the physical interface:
CORE-SW1# show interfaces status | include "vlan 20"
Interface Status VLAN Duplex Speed Type
Gi1/0/8 notconnect 20 auto auto 10/100/1000BaseTX
Port Gi1/0/8 is in VLAN 20 but is notconnect (cable not plugged in or shut down).
Fix: Plug in a cable or enable the port:
CORE-SW1(config)# interface Gi1/0/8
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# end
Verify:
CORE-SW1# show interfaces vlan 20 | include "line protocol"
Vlan20 is up, line protocol is up (connected)
SVI State: administratively down
Vlan30 is administratively down, line protocol is down
The SVI was explicitly shut down.
Cause: Someone ran shutdown on the SVI.
Fix:
CORE-SW1(config)# interface vlan 30
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# end
SVI State: up/down Due to Missing VLAN
Vlan40 is up, line protocol is down (vlan down)
The SVI exists but the VLAN 40 doesn't exist in the VLAN database.
Cause: You created the SVI via interface vlan 40 but never created the VLAN with vlan 40.
Fix: Create the VLAN:
CORE-SW1(config)# vlan 40
CORE-SW1(config-vlan)# name Voice
CORE-SW1(config-vlan)# exit
Then add a port to the VLAN:
CORE-SW1(config)# interface Gi1/0/12
CORE-SW1(config-if)# switchport mode access
CORE-SW1(config-if)# switchport access vlan 40
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# end
Verify:
CORE-SW1# show interfaces vlan 40 | include "line protocol"
Vlan40 is up, line protocol is up (connected)
Configuring Default Gateway on Access Switches
Access switches don't have SVIs for all VLANs—the core switch does the inter-VLAN routing. But access switches need to know how to reach networks beyond their own VLANs. Configure a default gateway:
ACC-SW1(config)# ip default-gateway 10.10.30.1
Or, if routing is enabled on ACC-SW1 (optional), add a static default route:
ACC-SW1(config)# ip routing
ACC-SW1(config)# ip route 0.0.0.0 0.0.0.0 10.10.30.1
The default gateway tells ACC-SW1: "For any traffic you don't have a directly connected route for, send it to 10.10.30.1" (CORE-SW1's management SVI).
Verify:
ACC-SW1# show ip route static
S* 0.0.0.0/0 [1/0] via 10.10.30.1
Complete Lab Configuration
CORE-SW1 (All VLAN SVIs for Routing)
CORE-SW1(config)# ip routing
CORE-SW1(config)# interface vlan 10
CORE-SW1(config-if)# description Users VLAN SVI
CORE-SW1(config-if)# ip address 10.10.10.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 20
CORE-SW1(config-if)# description Servers VLAN SVI
CORE-SW1(config-if)# ip address 10.10.20.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 30
CORE-SW1(config-if)# description Management VLAN SVI
CORE-SW1(config-if)# ip address 10.10.30.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 40
CORE-SW1(config-if)# description Voice VLAN SVI
CORE-SW1(config-if)# ip address 10.10.40.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 50
CORE-SW1(config-if)# description Guest VLAN SVI
CORE-SW1(config-if)# ip address 10.10.50.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# exit
CORE-SW1(config)# interface vlan 99
CORE-SW1(config-if)# description Native VLAN SVI
CORE-SW1(config-if)# ip address 10.10.99.1 255.255.255.0
CORE-SW1(config-if)# no shutdown
CORE-SW1(config-if)# end
DIST-SW1 and DIST-SW2 (Management SVI Only)
DIST-SW1(config)# ip routing
DIST-SW1(config)# interface vlan 30
DIST-SW1(config-if)# description Management VLAN SVI
DIST-SW1(config-if)# ip address 10.10.30.2 255.255.255.0
DIST-SW1(config-if)# no shutdown
DIST-SW1(config-if)# end
DIST-SW2(config)# ip routing
DIST-SW2(config)# interface vlan 30
DIST-SW2(config-if)# description Management VLAN SVI
DIST-SW2(config-if)# ip address 10.10.30.3 255.255.255.0
DIST-SW2(config-if)# no shutdown
DIST-SW2(config-if)# end
Access Switches (Management SVI + Default Gateway)
ACC-SW1(config)# ip routing
ACC-SW1(config)# interface vlan 30
ACC-SW1(config-if)# description Management VLAN SVI
ACC-SW1(config-if)# ip address 10.10.30.11 255.255.255.0
ACC-SW1(config-if)# no shutdown
ACC-SW1(config-if)# exit
ACC-SW1(config)# ip route 0.0.0.0 0.0.0.0 10.10.30.1
ACC-SW1(config)# end
ACC-SW2(config)# ip routing
ACC-SW2(config)# interface vlan 30
ACC-SW2(config-if)# description Management VLAN SVI
ACC-SW2(config-if)# ip address 10.10.30.12 255.255.255.0
ACC-SW2(config-if)# no shutdown
ACC-SW2(config-if)# exit
ACC-SW2(config)# ip route 0.0.0.0 0.0.0.0 10.10.30.1
ACC-SW2(config)# end
ACC-SW3(config)# ip routing
ACC-SW3(config)# interface vlan 30
ACC-SW3(config-if)# description Management VLAN SVI
ACC-SW3(config-if)# ip address 10.10.30.13 255.255.255.0
ACC-SW3(config-if)# no shutdown
ACC-SW3(config-if)# exit
ACC-SW3(config)# ip route 0.0.0.0 0.0.0.0 10.10.30.1
ACC-SW3(config)# end
Key Takeaways
- SVIs are virtual Layer 3 interfaces for VLANs: Unlike physical ports, SVIs don't connect to cables. They represent the VLAN itself and enable the switch to route traffic between VLANs.
- SVI prerequisites: The VLAN must exist, at least one port in it must be up, and
ip routingmust be enabled globally. - SVI state up/up means both layers are active: Layer 1 (physical connectivity) and Layer 3 (routing). Up/down means Layer 3 is configured but no physical ports are active.
- Catalyst 9000 switches route at hardware speeds: SVIs on a 9300 enable full-wire-speed routing between VLANs with no bottleneck, unlike router-on-a-stick designs.
- Management SVIs on all switches: Configure a SVI in VLAN 30 on every switch to enable out-of-band management access—this is a production requirement.