05-08-2008 12:19 PM - edited 03-05-2019 10:51 PM
We currently have a pair of cat3750s in a stack but have not enabled IP routing. We have created several VLANs and those VLANs are in production. To assign a management IP to the switch, we created the VLAN interface on our management network (VLAN 2 for discussion's sake) and assigned an IP address to it. This works fine. Now we need to enable IP routing. We will assign IP addresses to the other VLAN interfaces as required. However, as soon as we enable IP routing, it will enable direct connections, via the onboard router, to the management interface. We want the management VLAN to be restricted via an external firewall (which it already is). Enabling routing to the VLAN 2 interface would bypass our security. If we assign a physical interface as the management interface, then if that member switch is down, we would lose the management interface.
If we try to use ACLs to restrict access, we would need to apply ACLs to all the interfaces to prevent inbound access to the router.
Is there a way to assign a management IP address to the stack without enabling routing to that address and still have it on VLAN 2?
thanks.
05-08-2008 01:43 PM
In short, no.
You cannot assign an IP Address to the 3750 to be used for 'routed' access if you do not enable IP Routing on the 3750 and create the SVI.
You can enable IP Routing on the 3750, create the SVI and assign the IP Address, then use static routes to send the VLAN2 traffic to the Firewall interface it needs to traverse so it does not bypass the firewall.
05-09-2008 05:03 AM
Thanks for your response.
Doesn't a connected route have a distance metric of 0 and a static route have metrics of 1-254?
If I enter a static route on the router pointing away from that router to the firewall, and it has a distance metric of 1, won't the routing table entry for the connected route take precedence anyway?
05-08-2008 03:25 PM
Hello John,
When routing is not enabled for the switch, you can still apply an ACL to the vty lines to restrict management of the switch.
If routing is configured with multiple SVIs, then you need additional ACL entries to prevent managing the switch via anything other than the VLAN 2 SVI.
Applying IPv4 ACL to Terminal Line
HTH
Padmanabhan
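The two controls described in the reply above (an access-class on the vty lines, plus per-SVI ACLs so that production VLANs cannot reach the management VLAN except through the firewall) are shown here as an added example configuration. It is not taken from the thread or from Cisco documentation; the VLAN numbers, subnets, ACL names and SVI addresses are assumptions chosen for illustration.

```cisco
! Added example, not from the original thread.
! Assumed addressing: VLAN 2 = management 10.2.0.0/24 (SVI 10.2.0.10),
! VLAN 10 and VLAN 20 = production 10.10.0.0/24 and 10.20.0.0/24.
ip routing
!
interface Vlan2
 description Management (reachable from outside only via the firewall)
 ip address 10.2.0.10 255.255.255.0
!
! 1) Restrict who may open a vty session at all, regardless of which SVI
!    the packet arrived on. Only hosts on the management subnet pass.
ip access-list standard MGMT-HOSTS
 permit 10.2.0.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-HOSTS in
 transport input ssh
!
! 2) Stop production VLANs from reaching the management VLAN through the
!    switch's own router at all, so that traffic has to go via the
!    external firewall. Applied inbound on every non-management SVI.
ip access-list extended BLOCK-MGMT-VLAN
 deny   ip any 10.2.0.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.0.1 255.255.255.0
 ip access-group BLOCK-MGMT-VLAN in
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip access-group BLOCK-MGMT-VLAN in
!
! 3) Close the other management planes that a vty ACL does not cover.
no ip http server
no ip http secure-server
!
! Verification after applying:
!   show ip access-lists            (hit counters on the deny lines)
!   show line vty 0 | include Access
!   show running-config interface Vlan10
```

Two notes on why the filtering is done this way rather than with a static route. First, the access-class on the vty lines only protects SSH/Telnet; SNMP, HTTP and any other listener on the switch each need their own restriction (the example simply disables HTTP; SNMP communities can take their own ACL). Second, a static route for the VLAN 2 prefix pointing at the firewall does not divert anything, because the connected route for the same prefix has administrative distance 0 and is preferred, and packets addressed to the SVI's own IP are delivered to the switch locally before any forwarding lookup. Only the inbound ACLs on the production SVIs actually prevent hosts on those VLANs from reaching 10.2.0.0/24 directly.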