Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1199
Views
9
Helpful
4
Replies

Cisco 3750X - "Isolated" SVI for management

sylvain.munaut
Level 1
Level 1

‎01-19-2012 06:58 AM - edited ‎03-07-2019 04:26 AM

Hi,

I have a stack of 3750-X that are used to both switch traffic inside Vlan and also to route a couple of WAN ranges from our uplink provider to the DMZ vlan.

Now I'd like to have a SVI Vlan1 with an IP in the "management vlan", but I'd like that SVI not to be routable.

More exactly :

- no traffic should ever exit that interface that's not the generated by the router itself (ssh/snmp/...)

- no incoming traffic on that interface should be forwarded anywhere

- I'd also like to have a different default gw to be used by traffic generated by the switch itself. (for eg, ssh traffic coming from any another subnet like 10.2.0.0/24 to the switch SVI Vlan1 ip 10.1.0.1/24 should be routed back through the Vlan1 gw and not through out uplink ptp gateway)

I think I can achieve the first two with ACLs on the SVI. But not sure about the last one ...

Cheers,

    Sylvain

Labels:
0 Helpful
4 Replies 4

Edison Ortiz
Hall of Fame
Hall of Fame

‎01-19-2012 07:44 AM

You can place Vlan1 under a VRF.

sylvain.munaut
Level 1
Level 1
In response to Edison Ortiz

‎01-19-2012 07:57 AM

Would you have a link to an example ? I don't have any VRF experience so it's a bit hard to imagine.

Also, I guess that requires the "IP service" license, which is a bit annoying "just" for that ... (I mean expensive for such a 'little' issue)

0 Helpful

Edison Ortiz
Hall of Fame
Hall of Fame
In response to sylvain.munaut

‎01-19-2012 04:15 PM

The following URL describes how VRF function within the 3750x line:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swiprout.html#wp1320198

For your requirement is really simple:

ip vrf management

rd 1:1

interface vlan 1

ip vrf forwarding management

ip address x.x.x.x y.y.y.y

ip route vrf management 0.0.0.0 0.0.0.0 g.g.g.g

The gateway needs to be reachable from the physical port associated to Vlan1.

Regards,

Edison.

sylvain.munaut
Level 1
Level 1
In response to Edison Ortiz

‎01-19-2012 07:57 PM

That indeed works great.

Unfortunately I don't have the "ip service" license so it will stop working when the trial expires

I tought about source routing but that requires PBR which is also "ip service".

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card