We have two 4500-X layer 3 switches, one at each location, running EIGRP and Layer 2. There are two connections between the 4500s that are trunk lines. We have about 30 VLANs, all of them within the 10.x.x.x range. We have routing enabled, EIGRP is set for the network 10.x.x.x, and everything is working perfectly, however...
Our lowest VLAN is 100, which is used for our network management. I created an ACL for this VLAN to only allow specific IP addresses in, tested it, 30 statements later, everything is working perfectly.
I started seeing EIGRP broadcasts, so I started marking VLANs as passive interfaces to prevent these. The thought was that only VLAN 100 would not be passive, as the two switches would use this interface to exchange EIGRP messages securely. As soon as I start marking interfaces passive, my ACL starts blocking tons of traffic that has nothing to do with the statements in the ACL.
My suspicion is that EIGRP is routing information between the two 4500s over this EIGRP interface; it was selected as the primary EIGRP interface between VLANs, which is fine, but the ACL is interacting with it.
I'm trying to find a solution. My guess is to create a lower numbered VLAN and use this for EIGRP, but I'm not entirely sure how EIGRP picks its chosen VLAN to start sending information over, or even if this is the right path for my troubleshooting.
Any help would be greatly appreciated.
If you want to use Vlan 100 as the management Vlan and you want to control what IP addresses or IP subnets can access it with an ACL, then Vlan 100 cannot be used as a "transit" Vlan for routing.
So yes, you need either to remove the passive statement from another Vlan or to create one or two Vlans dedicated to EIGRP routing.
In my opinion the ACL is not blocking EIGRP traffic (hellos and updates); it is blocking user traffic that is attempting to transit over it.
You can make an interface not preferred by EIGRP by increasing its delay under
int vlan 100
on both ends
and remove the passive-interface statement for the other two Vlans, and you should be fine.
Or create two dedicated Vlans for EIGRP routing.
Hope to help
>> Besides I guess just setting it up and making the rest of them passive.
This is enough. The best choice is to use new Vlans with no end user clients connected to it, and a small IP subnet.
This is what I mean with dedicated Vlans for EIGRP routing.
Hope to help
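A worked configuration for the dedicated-transit-VLAN approach both replies recommend, added here as an illustration rather than taken from the thread. VLAN 900, the 10.255.255.0/30 and 10.100.0.0/24 addressing, the admin host addresses, the AS number 100, the ACL name and the outbound direction of the management ACL are all assumptions.

```cisco
! Dedicated transit VLAN for the EIGRP adjacency: no end-user hosts, a /30 only
vlan 900
 name EIGRP-TRANSIT
!
! If the trunks restrict allowed VLANs, add 900 on both trunk ports of both switches:
!   switchport trunk allowed vlan add 900
!
interface Vlan900
 description EIGRP transit to remote 4500-X (peer is 10.255.255.2 on that side)
 ip address 10.255.255.1 255.255.255.252
!
! Management VLAN: the ACL stays, but with EIGRP passive here nothing transits it anymore
interface Vlan100
 description Network management
 ip address 10.100.0.1 255.255.255.0
 ip access-group MGMT-ACCESS out
!
! Applied outbound on the SVI, the ACL controls who may reach management hosts. An
! outbound ACL never filters the switch's own EIGRP packets, so an adjacency can form
! over VLAN 100 while routed user traffic crossing that SVI is dropped: the symptom
! described in the question.
ip access-list extended MGMT-ACCESS
 remark constructed entries; the real list has about 30 permit statements
 permit ip host 10.20.0.50 10.100.0.0 0.0.0.255
 permit ip host 10.20.0.51 10.100.0.0 0.0.0.255
 deny ip any any log
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Vlan900
!
! Verification once both switches carry the mirror-image configuration:
!   show ip eigrp interfaces          - only Vlan900 listed, peer count 1
!   show ip eigrp neighbors           - 10.255.255.2 reachable via Vlan900
!   show ip access-lists MGMT-ACCESS  - deny hit counters stop climbing for transit flows
```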