
Bridging between two VLAN (SVI) interfaces on a 6500 in different vrf


I'm running into a little issue on a Catalyst 6500 with a Supervisor 720-10G which previously used to work when I configured this on a Supervisor 720. We have an IPS module installed within a Catalyst 6500 and I would like to route traffic through the IPS. If the IPS fails, the routing protocol will redirect traffic a different way. The IPS is configured to bridge between a VLAN pair. One of the VLANs is configured as an SVI in the global routing table and the other SVI is configured as part of the VRF. Both VLANs are given an IP address within the same IP subnet. EIGRP is then run between two EIGRP processes, one defined in the global routing table and one defined within the VRF.

The problem I normally run into is that, as the two VLANs are bridged together, both with a defined SVI interface, the interfaces cannot speak to each other as they have the same MAC address (as do all SVI interfaces on a 6500). I normally change the MAC address assigned to the SVI within the VRF to be a little different and everything works. The ARP table and mac-address table all show the change has worked, but there is no communication. EIGRP will not form an adjacency and you cannot ping between the two interfaces. The IPS works fine, as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the VRF) I can ping all the interfaces.

Does anybody have any idea why the two SVI interfaces cannot ping each other and why EIGRP will not come up? I'm convinced it's something to do with the way the MAC address is assigned to the SVI.

Quick config snippet

ip vrf IPS
 rd 1024:1

interface Vlan10
 description unprotected vlan
 ip address

interface vlan20
 description IPS protected vlan
 mac-address 0019.06de.24c1
 ip vrf forwarding IPS
 ip address

router eigrp 100
 no auto-summary
 address-family ipv4 vrf IPS
  no auto-summary
  autonomous-system 100

Frequent Contributor

If you are trying to ping the SVI of Switch from another Switch then enable "ip routing" on the Switch.

Giuseppe Larosa
Hall of Fame Master

Hello James,

Your configuration looks correct.

We have a similar setup with the following differences:

both SVIs are in two different VRFs

device in the middle is a FWSM context in transparent mode.

And it works with one SVI with a modified MAC, as you did.

You could also add an eigrp router-id command under the AF vrf to be sure they are different, but you should at least be able to ping.

Notice that in your case when you ping from VRF you need to use ping vrf IPS.

To be noted: is the IPS working as a switch, or does it have different IP addresses on its interfaces?

You say:

The IPS works fine as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the vrf) I can ping all the interfaces.

Do you mean the PC can ping, and/or are you referring to IP addresses on the IPS?

Hope to help



I agree with Giuseppe that 0.1 and 0.2 should be able to ping each other. Does "sh ip arp" show the manually configured MAC for If this was working with Sup720, everything points to Sup720-10G. Did you have a chance to open a case with the TAC?
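
Added example, not part of the original thread or any poster's code: a small Python check of the configuration precondition discussed above, namely that the two SVIs on a bridged VLAN pair need different MAC addresses and different routing tables. It assumes indented `show run` style text; the function names and the 192.0.2.x addresses are constructed for illustration, and it validates the config only, not the forwarding behaviour of the supervisor.

```python
import re

MAC_RE = re.compile(r"mac-address\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)

def parse_svis(config):
    """Map VLAN id -> {'mac': override or None, 'vrf': name or None} from 'show run' text."""
    svis, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # unindented line: a new top-level stanza starts
            m = re.match(r"interface\s+vlan\s*(\d+)$", line, re.I)
            cur = svis.setdefault(int(m.group(1)), {"mac": None, "vrf": None}) if m else None
        elif cur is not None:
            if m := MAC_RE.match(line):
                cur["mac"] = m.group(1).lower()
            elif m := re.match(r"ip vrf forwarding\s+(\S+)$", line, re.I):
                cur["vrf"] = m.group(1)
    return svis

def check_bridged_pair(svis, vlan_a, vlan_b):
    """Return config-level reasons two SVIs on a bridged VLAN pair cannot reach each other."""
    missing = [f"Vlan{v}: no SVI defined" for v in (vlan_a, vlan_b) if v not in svis]
    if missing:
        return missing
    a, b, problems = svis[vlan_a], svis[vlan_b], []
    if a["mac"] == b["mac"]:
        # None == None means both SVIs fall back to the same chassis default MAC.
        problems.append(f"Vlan{vlan_a}/Vlan{vlan_b}: same MAC ({a['mac'] or 'chassis default'})")
    if a["vrf"] == b["vrf"]:
        problems.append(f"Vlan{vlan_a}/Vlan{vlan_b}: same routing table ({a['vrf'] or 'global'})")
    return problems

# Constructed sample configs; the addresses are documentation-range placeholders.
WITHOUT_OVERRIDE = """\
interface Vlan10
 description unprotected vlan
 ip address 192.0.2.1 255.255.255.0
interface Vlan20
 description IPS protected vlan
 ip vrf forwarding IPS
 ip address 192.0.2.2 255.255.255.0
"""
WITH_OVERRIDE = WITHOUT_OVERRIDE.replace(
    " ip vrf forwarding IPS", " mac-address 0019.06de.24c1\n ip vrf forwarding IPS")

if __name__ == "__main__":
    for name, cfg in (("without override", WITHOUT_OVERRIDE), ("with override", WITH_OVERRIDE)):
        print(name, "->", check_bridged_pair(parse_svis(cfg), 10, 20) or "ok")
```

A clean result here only rules out the MAC and VRF misconfiguration; the symptom in the thread persists with the override in place, so it does not replace checking the ARP and mac-address tables on the device.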