Cisco 3750X - "Isolated" SVI for management

sylvain.munaut · ‎01-19-2012

Hi,

I have a stack of 3750-X that are used to both switch traffic inside Vlan and also to route a couple of WAN ranges from our uplink provider to the DMZ vlan.

Now I'd like to have a SVI Vlan1 with an IP in the "management vlan", but I'd like that SVI not to be routable.

More exactly :

- no traffic should ever exit that interface that's not the generated by the router itself (ssh/snmp/...)

- no incoming traffic on that interface should be forwarded anywhere

- I'd also like to have a different default gw to be used by traffic generated by the switch itself. (for eg, ssh traffic coming from any another subnet like 10.2.0.0/24 to the switch SVI Vlan1 ip 10.1.0.1/24 should be routed back through the Vlan1 gw and not through out uplink ptp gateway)

I think I can achieve the first two with ACLs on the SVI. But not sure about the last one ...

Cheers,

Sylvain

Edison Ortiz · ‎01-19-2012

You can place Vlan1 under a VRF.

sylvain.munaut · ‎01-19-2012

Would you have a link to an example ? I don't have any VRF experience so it's a bit hard to imagine.

Also, I guess that requires the "IP service" license, which is a bit annoying "just" for that ... (I mean expensive for such a 'little' issue)

Edison Ortiz · ‎01-19-2012

The following URL describes how VRF function within the 3750x line:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swiprout.html#wp1320198

For your requirement is really simple:

ip vrf management

rd 1:1

interface vlan 1

ip vrf forwarding management

ip address x.x.x.x y.y.y.y

ip route vrf management 0.0.0.0 0.0.0.0 g.g.g.g

The gateway needs to be reachable from the physical port associated to Vlan1.

Regards,

Edison.

sylvain.munaut · ‎01-19-2012

That indeed works great.

Unfortunately I don't have the "ip service" license so it will stop working when the trial expires

I tought about source routing but that requires PBR which is also "ip service".