An SVI stuck in up/down means something is wrong with the underlying VLAN — no active ports, a deleted VLAN, or STP blocking every path. Here is how to diagnose and fix every cause.
You configure an SVI, assign an IP address, type no shutdown, and expect it to come up. Instead, show ip interface brief shows the line protocol as down while the interface itself says up. Devices in that VLAN cannot reach their default gateway, DHCP relay fails, and inter-VLAN routing breaks for the entire subnet. The SVI's line protocol is the single most common VLAN troubleshooting issue on Catalyst switches, and it has a finite list of causes — every one of them fixable once you know where to look.
This article walks through every reason an SVI shows up/down on Cisco Catalyst 9000 series switches running IOS XE 17.x, with the exact show commands to diagnose each cause and the configuration to resolve it.
Understanding SVI Line Protocol States
An SVI can be in one of three states:
| Interface | Protocol | Meaning |
|---|---|---|
| up | up | Healthy — VLAN has at least one active port, SVI is configured and not shutdown |
| up | down | SVI is enabled (no shutdown) but the underlying VLAN has no active forwarding port |
| administratively down | down | SVI has been explicitly shut down with the shutdown command |
The up/down state is the problem state. The switch has created the SVI and it is not administratively disabled, but something about the VLAN prevents the line protocol from coming up.
Cause 1: No Ports Assigned to the VLAN
The most common cause. An SVI's line protocol requires at least one physical port (access or trunk) in the VLAN to be in an up/up state.
Diagnosis
CORE-SW1# show interfaces Vlan10
Vlan10 is up, line protocol is down
Hardware is EtherSVI, address is aabb.cc00.0001
Internet address is 10.10.10.1/24
...
CORE-SW1# show vlan brief | include ^10
10 Users active
The VLAN exists and is active, but no ports are listed. Check trunk ports:
CORE-SW1# show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 99
Po2 on 802.1q trunking 99
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 10,20,30,40,50,99
Po2 10,20,30,40,50,99
If VLAN 10 appears in the "allowed and active" column for at least one trunk, the SVI should be up/up. If VLAN 10 is missing from this column — it is either not in the allowed list or not created on the switch.
Fix
If using trunk ports (typical for CORE-SW1):
CORE-SW1(config)# interface Port-channel1
CORE-SW1(config-if)# switchport trunk allowed vlan add 10
If using access ports (typical for ACC switches):
ACC-SW1(config)# interface GigabitEthernet1/0/1
ACC-SW1(config-if)# switchport mode access
ACC-SW1(config-if)# switchport access vlan 10
ACC-SW1(config-if)# no shutdown
Cause 2: All Ports in the VLAN Are Down
The VLAN has ports assigned, but every port is either administratively shut down or has no link:
Diagnosis
ACC-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
10 Users active Gi1/0/1, Gi1/0/2, Gi1/0/3
Ports are listed. Now check their status:
ACC-SW1# show interfaces status | include Gi1/0/[1-3]
Gi1/0/1 User-PC1 disabled 10 a-full a-1000 10/100/1000BaseTX
Gi1/0/2 User-PC2 notconnect 10 auto auto 10/100/1000BaseTX
Gi1/0/3 User-PC3 notconnect 10 auto auto 10/100/1000BaseTX
All three ports are either disabled (shutdown) or notconnect (no cable/device). The SVI has no active ports, so its line protocol stays down.
Fix
Bring at least one port up:
ACC-SW1(config)# interface GigabitEthernet1/0/1
ACC-SW1(config-if)# no shutdown
Or connect a device to one of the ports. The SVI line protocol will come up within a few seconds of the first port reaching up/up (assuming STP converges to forwarding state).
Cause 3: VLAN Deleted from the Database
If the VLAN is deleted (either manually or by a VTP revision number disaster), every port assigned to it becomes inactive, and the SVI line protocol drops.
Diagnosis
CORE-SW1# show vlan id 10
VLAN id 10 not found in current VLAN database
The VLAN does not exist. Ports previously in VLAN 10 are now inactive — show interfaces switchport will show them assigned to VLAN 10, but the VLAN itself is gone.
Fix
Re-create the VLAN:
CORE-SW1(config)# vlan 10
CORE-SW1(config-vlan)# name Users
CORE-SW1(config-vlan)# exit
The SVI and all ports will reactivate once the VLAN is back in the database. If this was caused by a VTP revision number issue, see VTP Configuration on Cisco Switches for the full disaster recovery process.
Cause 4: VLAN Suspended
VLANs can be suspended (placed in a suspend state) either manually or via VTP. A suspended VLAN's ports become inactive.
Diagnosis
CORE-SW1# show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
10 Users sus/lshut
The sus/lshut status means the VLAN is locally suspended.
Fix
CORE-SW1(config)# vlan 10
CORE-SW1(config-vlan)# no shutdown
CORE-SW1(config-vlan)# exit
Note this is the shutdown command under the VLAN configuration, not under the SVI. They are separate — the SVI can be no shutdown while the VLAN itself is shut down.
Cause 5: STP Blocking All Ports in the VLAN
If every port in a VLAN is in STP blocking (or listening/learning) state on this particular switch, the SVI line protocol stays down. This can happen after a topology change if the switch loses the root bridge election and all its ports for that VLAN become non-designated.
Diagnosis
CORE-SW1# show spanning-tree vlan 10
VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 4106
Address aabb.cc00.ff01
Cost 4
Port 1 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address aabb.cc00.0001
...
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- ----- --------- -------- ----
Po1 Root FWD 3 128.1 P2p
Po2 Altn BLK 3 128.2 P2p
If you see all ports in BLK (blocking) and none in FWD (forwarding), the SVI has no active path. In this case, Po1 is forwarding, so the SVI should be up. But if both showed BLK, the SVI would be down.
Fix
This is typically a STP design issue. Verify the root bridge priority is correct for this VLAN. See the STP series for root bridge configuration and troubleshooting. A quick fix:
CORE-SW1(config)# spanning-tree vlan 10 priority 4096
This makes CORE-SW1 the root bridge for VLAN 10, ensuring its ports transition to forwarding.
Cause 6: Autostate Behavior
By default, the SVI line protocol is determined by the "autostate" feature — it tracks whether any port in the VLAN is actively forwarding. This is usually what you want. But in some topologies, you might need an SVI to stay up even when no local ports are forwarding (for example, if the SVI is used only for management and the VLAN exists only on trunk ports that temporarily go down).
Diagnosis
Check autostate status:
CORE-SW1# show interfaces Vlan10
Vlan10 is up, line protocol is down
...
If the SVI drops when a specific trunk flaps, autostate is working correctly — it detects that the last forwarding port went down.
Fix — Autostate Exclude
You can exclude specific ports from autostate calculations. This is useful if a port's state should not affect the SVI:
CORE-SW1(config)# interface Port-channel2
CORE-SW1(config-if)# switchport autostate exclude
Alternatively, you can disable autostate entirely on the SVI (not recommended for production — the SVI stays up even when the VLAN has no working ports):
CORE-SW1(config)# interface Vlan10
CORE-SW1(config-if)# no autostate
Use no autostate with extreme caution. If the SVI is up but the VLAN has no ports, the switch will accept routed traffic for that subnet and black-hole it.
Systematic Diagnosis Checklist
When you encounter an SVI in up/down, run these commands in order:
! Step 1: Check the SVI state
show interfaces Vlan10
! Step 2: Check if the VLAN exists
show vlan id 10
! Step 3: Check which ports are in the VLAN (access ports)
show vlan brief | include ^10
! Step 4: Check trunk ports carrying the VLAN
show interfaces trunk
! Step 5: Check port status (are ports up?)
show interfaces status
! Step 6: Check STP state for the VLAN
show spanning-tree vlan 10
! Step 7: Check if the VLAN is suspended
show vlan id 10
Work through these in sequence. The first command that reveals an anomaly is your root cause.
Quick Reference: SVI States and Causes
| SVI State | Line Protocol | Cause | Fix |
|---|---|---|---|
| up | up | Healthy | None needed |
| up | down | No active forwarding port | Add port, un-shut port, fix STP, re-create VLAN |
| admin down | down | shutdown on the SVI |
no shutdown under the SVI |
| Missing | N/A | SVI not configured | Create with interface Vlan 10 |
Key Takeaways
- An SVI in
up/downmeans the VLAN has no active forwarding port on this switch — the SVI is enabled but has nothing to bridge to. - The six causes are: no ports in VLAN, all ports down, VLAN deleted, VLAN suspended, STP blocking all ports, and autostate behavior.
- Run
show vlan brief,show interfaces trunk,show interfaces status, andshow spanning-tree vlanto systematically identify the cause. - The VLAN
shutdowncommand and the SVIshutdowncommand are independent — check both. - Use
autostate excludesparingly. Prefer fixing the underlying port/VLAN issue rather than masking it.
For related inter-VLAN routing issues, see Troubleshooting Inter-VLAN Routing. For trunk-specific VLAN problems, see Troubleshooting VLAN and Trunk Problems.