We currently have a pair of Cat3750s in a stack but have not enabled IP routing. We have created several VLANs and those VLANs are in production. To assign a management IP to the switch, we created the VLAN interface on our management network (vlan2 for discussion's sake) and assigned an IP address to it. This works fine. Now we need to enable IP routing. We will assign IP addresses to the other VLAN interfaces as required. However, as soon as we enable IP routing, it will enable direct connections, via the onboard router, to the management interface. We want the management VLAN to be restricted via an external firewall (which it already is). Enabling routing to the vlan2 interface would bypass our security. If we assign a physical interface as the management interface, then if that member switch is down, we would lose the management interface.
If we try to use ACLs to restrict access, we would need to apply ACLs to all the interfaces to prevent inbound access to the router.
Is there a way to assign a management IP address to the stack without enabling routing to that address and still be on vlan2?
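Added example, not part of the original post: the two configurations the question is weighing, written out for the stack described above. Option 1 is the ACL-on-every-SVI approach the poster mentions; option 2 goes beyond the post and puts the management SVI in its own VRF so that turning on `ip routing` adds no path between the production VLANs and vlan2. All addresses, VLAN numbers and names (10.0.2.0/24, firewall 10.0.2.1, VLANs 10 and 20, `MGMT`, `DENY-TO-MGMT`) are assumptions; VRF-lite on the 3750 is assumed to need the IP Services feature set, so check `show version` and `show ip vrf` on your release before relying on it.

```cisco
! Added example, not from the original post. Addresses, VLAN numbers and
! names are assumed: management vlan2 = 10.0.2.0/24, external firewall at
! 10.0.2.1, production VLANs 10 and 20.

! --- Option 1 (the approach the post describes): global routing plus an
! inbound ACL on every production SVI. Packets for the switch's own vlan2
! address are filtered where they enter the router, so the same ACL has to
! be applied on each routed SVI and added again whenever a VLAN is created.
ip access-list extended DENY-TO-MGMT
 deny   ip any 10.0.2.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group DENY-TO-MGMT in
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group DENY-TO-MGMT in

! --- Option 2 (added alternative; assumed to require the IP Services
! feature set): keep the management SVI out of the global routing table.
! The production SVIs stay in the global table, vlan2 lives in VRF MGMT,
! and the switch has no route between the two, so the only path into
! 10.0.2.0/24 is still the external firewall. Set "ip vrf forwarding"
! before the address: IOS clears the interface address when the VRF changes.
ip vrf MGMT
!
interface Vlan2
 ip vrf forwarding MGMT
 ip address 10.0.2.10 255.255.255.0
!
ip route vrf MGMT 0.0.0.0 0.0.0.0 10.0.2.1
!
ip routing
```

Checks after applying either option: `show ip route` should carry no 10.0.2.0/24 entry in the global table under option 2 (`show ip route vrf MGMT` shows it instead), and `show ip access-lists DENY-TO-MGMT` should show hit counts on the deny line when a production host tries to reach the management subnet under option 1. The caveat with option 2 is that anything the switch itself originates towards the management network (SNMP traps, syslog, TACACS+ or RADIUS, NTP) has to be configured VRF-aware, and support for that varies by feature and release, so verify each service before cutting over.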