I have a stack of 3750-X that are used to both switch traffic inside Vlan and also to route a couple of WAN ranges from our uplink provider to the DMZ vlan.
Now I'd like to have a SVI Vlan1 with an IP in the "management vlan", but I'd like that SVI not to be routable.
More exactly:
- no traffic should ever exit that interface that's not generated by the router itself (ssh/snmp/...)
- no incoming traffic on that interface should be forwarded anywhere
- I'd also like to have a different default gw to be used by traffic generated by the switch itself. (e.g., ssh traffic coming from any other subnet like 10.2.0.0/24 to the switch SVI Vlan1 ip 10.1.0.1/24 should be routed back through the Vlan1 gw and not through our uplink ptp gateway)
I think I can achieve the first two with ACLs on the SVI. But not sure about the last one ...
Would you have a link to an example? I don't have any VRF experience so it's a bit hard to imagine.
Also, I guess that requires the "IP service" license, which is a bit annoying "just" for that ... (I mean expensive for such a 'little' issue)
The following URL describes how VRFs function within the 3750x line:
For your requirement it is really simple:
ip vrf management
!
interface vlan 1
 ip vrf forwarding management
 ip address x.x.x.x y.y.y.y
!
ip route vrf management 0.0.0.0 0.0.0.0 g.g.g.g
The gateway needs to be reachable from the physical port associated to Vlan1.
That indeed works great.
Unfortunately I don't have the "ip service" license so it will stop working when the trial expires.
I thought about source routing but that requires PBR which is also "ip service".
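The ACL approach mentioned earlier in the thread for the first two requirements could look like the following. This is an added example, not configuration posted by anyone in the thread. The ACL names MGMT-IN and MGMT-OUT are hypothetical, and the addresses reuse the question's 10.1.0.1 SVI and 10.2.0.0/24 admin subnet.

```cisco
! Inbound: accept only packets addressed to the switch itself, so nothing
! arriving on Vlan1 can be forwarded to another interface.
ip access-list extended MGMT-IN
 remark management sessions to the SVI address only
 permit tcp 10.2.0.0 0.0.0.255 host 10.1.0.1 eq 22
 permit udp 10.2.0.0 0.0.0.255 host 10.1.0.1 eq snmp
 permit icmp any host 10.1.0.1 echo
 remark anything else, including all transit traffic, is dropped
 deny   ip any any
!
! Outbound: IOS does not apply an interface's outbound ACL to packets the
! device originates itself, so this blocks routed (transit) traffic from
! leaving via Vlan1 while the switch's own SSH/SNMP replies still go out.
ip access-list extended MGMT-OUT
 remark transit traffic must never exit the management SVI
 deny   ip any any
!
interface Vlan1
 ip access-group MGMT-IN in
 ip access-group MGMT-OUT out
```

Replies to sessions the switch opens itself (NTP, TACACS+, RADIUS and similar) arrive inbound on Vlan1 and need their own permit lines in MGMT-IN. This covers only the first two requirements; the separate default gateway for switch-generated traffic is not addressed by ACLs.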