
Bridging between two VLAN (SVI) interfaces on a 6500 in different vrf

nowcommsupport
Level 1

All,

I'm running into a little issue on a Catalyst 6500 with a Supervisor 720-10G which previously used to work when I configured this on a Supervisor 720. We have an IPS module installed within a Catalyst 6500 and I would like to route traffic through the IPS. If the IPS fails, the routing protocol will redirect traffic a different way. The IPS is configured to bridge between a VLAN pair. One of the VLANs is configured as an SVI in the global routing table and the other SVI is configured as part of the VRF. Both VLANs are given an IP address within the same IP subnet. EIGRP is then run between two EIGRP processes, one defined in the global routing table and one defined within the VRF.

The problem I normally run into is that, as the two VLANs are bridged together, both with a defined SVI interface, the interfaces cannot speak to each other as they have the same MAC address (as do all SVI interfaces on a 6500). I normally change the MAC address assigned to the SVI within the VRF to be a little different and everything works. The ARP table and mac-address table all show the change has worked, but there is no communication. EIGRP will not form an adjacency and you cannot ping between the two interfaces. The IPS works fine, as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the VRF) I can ping all the interfaces.

Does anybody have any idea why the two SVI interfaces cannot ping each other and why EIGRP will not come up? I'm convinced it's something to do with the way the MAC address is assigned to the SVI.

Quick config snippet:

ip vrf IPS
 rd 1024:1
interface Vlan10
 description unprotected vlan
 ip address 192.168.0.1 255.255.255.0
interface vlan20
 description IPS protected vlan
 mac-address 0019.06de.24c1
 ip vrf forwarding IPS
 ip address 192.168.0.2 255.255.255.0
router eigrp 100
 network 192.168.0.0
 no auto-summary
 !
 address-family ipv4 vrf IPS
  network 192.168.0.0
  no auto-summary
  autonomous-system 100
 exit-address-family
!
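An added example, not part of the original post and not Cisco tooling: a small Python check that parses the interface Vlan blocks of a saved running-config and reports SVIs in the same subnet that would present the same MAC address, the condition the poster works around with the mac-address command. It assumes, as the post states, that every SVI without an override uses one shared default MAC; the function names and the indented sample config are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample mirroring the snippet in the post (indentation restored).
SAMPLE_CONFIG = """\
interface Vlan10
 description unprotected vlan
 ip address 192.168.0.1 255.255.255.0
interface vlan20
 description IPS protected vlan
 mac-address 0019.06de.24c1
 ip vrf forwarding IPS
 ip address 192.168.0.2 255.255.255.0
"""

def parse_svis(config):
    """Return {vlan_id: {'vrf', 'mac', 'net'}} for each 'interface VlanN' block."""
    svis, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+vlan\s*(\d+)$", line, re.I)
        if m:
            cur = svis.setdefault(int(m.group(1)),
                                  {"vrf": "global", "mac": None, "net": None})
        elif not raw.startswith(" "):
            cur = None  # any other top-level line ends the SVI block
        elif cur is not None:
            if (m := re.match(r"ip vrf forwarding (\S+)", line)):
                cur["vrf"] = m.group(1)
            elif (m := re.match(r"mac-address (\S+)", line)):
                cur["mac"] = m.group(1).lower()
            elif (m := re.match(r"ip address (\S+) (\S+)$", line)):
                cur["net"] = ipaddress.ip_interface(
                    f"{m.group(1)}/{m.group(2)}").network
    return svis

def shared_mac_conflicts(svis):
    """List (subnet, mac, [vlans]) where two or more SVIs in one subnet share a MAC.

    'default' stands for the shared chassis MAC (assumption taken from the post).
    """
    groups = defaultdict(list)
    for vlan, s in svis.items():
        if s["net"] is not None:
            groups[(str(s["net"]), s["mac"] or "default")].append(vlan)
    return sorted((net, mac, sorted(v)) for (net, mac), v in groups.items()
                  if len(v) > 1)
```

An empty result for the posted config confirms the override is present in the config text; it does not prove the supervisor actually uses the configured address when forwarding.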

3 Replies

drolemc
Level 6

If you are trying to ping the SVI of Switch from another Switch then enable "ip routing" on the Switch.

http://www.cisco.com/en/US/tech/tk389/tk815/technologies_configuration_example09186a008019e74e.shtml#tshoot

Giuseppe Larosa
Hall of Fame

Hello James,

Your configuration looks correct.

We have a similar setup with the following differences:

both SVIs are in two different VRFs

device in the middle is a FWSM context in transparent mode.

And it works with one SVI with a modified MAC, as you did.

You could also add an eigrp router-id command under the AF vrf to be sure they are different, but you should at least be able to ping.

Notice that in your case, when you ping from the VRF you need to use ping vrf IPS.

To be noted: is the IPS working as a switch, or does it have different IP addresses on its interfaces?

You say:

The IPS works fine as if I put a PC in the VLAN protected by the IPS (the VLAN with an SVI defined as part of the vrf) I can ping all the interfaces.

Do you mean the PC can ping 192.168.0.1 and 192.168.0.2, or are you referring to IP addresses on the IPS?

Hope to help

Giuseppe

Hi,

I agree with Giuseppe that 0.1 and 0.2 should be able to ping each other. Does "sh ip arp" show the manually configured MAC for 192.168.0.2? If this was working with Sup720, everything points to Sup720-10G. Did you have a chance to open a case with the TAC?

HTH,

Rakesh
