Assigning a secure management IP address to 3750

May 8th, 2008

We currently have a pair of cat3750s in a stack but have not enabled IP routing. We have created several vlans and those vlans are in production. To assign a management IP to the switch, we created the vlan interface on our management network (vlan2 for discussion's sake) and assigned an IP address to it. This works fine. Now we need to enable IP routing. We will assign IP addresses to the other vlan interfaces as required. However, as soon as we enable IP routing, it will enable direct connections, via the onboard router, to the management interface. We want the management vlan to be restricted via an external firewall (which it already is). Enabling routing to the vlan2 interface would bypass our security. If we assign a physical interface as the management interface, then if that member switch is down, we would lose the management interface.

If we try to use ACLs to restrict access, we would need to apply ACLs to all the interfaces to prevent inbound access to the router.

Is there a way to assign a management IP address to the stack without enabling routing to that address and still be on vlan2?

Thanks.

gpulos Thu, 05/08/2008 - 13:43

In short, no.

You cannot assign an IP Address to the 3750 to be used for 'routed' access if you do not enable IP Routing on the 3750 and create the SVI.

You can enable IP Routing on the 3750, create the SVI and assign the IP Address, then use static routes to send the VLAN2 traffic to the Firewall interface it needs to traverse so it does not bypass the firewall.

jseel Fri, 05/09/2008 - 05:03

Thanks for your response.

Doesn't a connected route have a distance metric of 0 and a static route have metrics of 1-254?

If I enter a static route on the router pointing away from that router to the firewall, and it has a distance metric of 1, won't the routing table entry for the connected route take precedence anyway?

padramas Thu, 05/08/2008 - 15:25

Hello John,

When routing is not enabled for the switch, you can still apply an ACL to the vty lines to restrict management of the switch.

If routing is configured with multiple SVIs, then you need additional ACL entries to prevent managing the switch other than via the vlan 2 SVI.

Applying IPv4 ACL to Terminal Line

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swacl.html#wp1220563

HTH

Padmanabhan
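A configuration fragment for the vty-line ACL approach described in the reply above, added here as an illustration and not taken from the thread or from Cisco's documentation; the management subnet 10.10.2.0/24, the SVI address 10.10.2.10, ACL number 10 and the SNMP placeholder are constructed values.

```cisco
! Added example with constructed values: vlan 2 is the management VLAN and
! 10.10.2.0/24 is the management subnet that sits behind the external firewall.
ip routing
!
interface Vlan2
 description Management SVI (survives loss of any single stack member)
 ip address 10.10.2.10 255.255.255.0
!
! Standard ACL listing the only source addresses allowed to open a
! management session. Applied with access-class on the vty lines it
! filters sessions arriving through ANY SVI, so enabling inter-VLAN
! routing does not open the vty to hosts on the other VLANs.
access-list 10 permit 10.10.2.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 15
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! The vty ACL covers only telnet/ssh. Reuse the same list on other
! management services that stay enabled and disable those not needed.
snmp-server community <COMMUNITY-STRING-PLACEHOLDER> RO 10
no ip http server
no ip http secure-server
```

access-class matches on source address only, so a host on another VLAN presenting a 10.10.2.0/24 source is not stopped by this list alone; the additional per-SVI ACL entries the reply mentions (denying traffic to the vlan 2 SVI address, or spoofed 10.10.2.0/24 sources, on the other SVIs) close that gap.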
