Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
664
Views
0
Helpful
3
Replies

Assigning a secure management IP address to 3750

jseel
Level 1
Level 1

‎05-08-2008 12:19 PM - edited ‎03-05-2019 10:51 PM

We currently have pair of cat3750s in a stack but have not enabled IP routing.We have created several vlans and those vlans are in production. To assign a management IP to the switch, we created the vlan interface on our management network (vlan2 for discussion sake)and assigned an IP address to it. This works fine. Now we need to enable IP routing. We will assign IP addresses the the other vlan interfaces as required. However, as soon as we enable IP routing, it will enable direct connections, via the onboard router, to the management interface. We want the management vlan to be restricted via an external firewall (which it already is). Enabling routing to the vlan2 interface would bypass our security. If we assign a physical interface as the management interface, then if that member switch is down, we would lose the management interface.

If we try to use ACLs to restrict access, we would need to apply ACLs to all the interfaces to prevent inbound access to the router.

Is there a way to assign a management IP address to the stack without enabling routing to that address and still be on vlan2?

thanks.

Labels:
0 Helpful
3 Replies 3

gpulos
Level 8
Level 8

‎05-08-2008 01:43 PM

In short, no.

You cannot assign an IP Address to the 3750 to be used for 'routed' access if you do not enable IP Routing on the 3750 and create the SVI.

You can enable IP Routing on the 3750, create the SVI and assign the IP Address, then use static routes to send the VLAN2 traffic to the Firewall interface it needs to traverse so it does not bypass the firewall.

0 Helpful

jseel
Level 1
Level 1
In response to gpulos

‎05-09-2008 05:03 AM

Thanks for your response.

Doesn't a connected route have a distance metric of 0 and a static route have metrics of 1-254?

If I enter a static route on the router pointing away from that router to the firewall, and it has a distance metric of 1, won't the routing table entry for the connected route take precedence anyway?

0 Helpful

padramas
Cisco Employee
Cisco Employee

‎05-08-2008 03:25 PM

Hello John,

when routing is not enabled for the switch, you can still apply ACL to vty lines to restrict management of the switch.

If routing is configured with multiple SVI, then you need additional ACL entries to prevent managing the switch other than vlan 2 SVI

Applying IPv4 ACL to Terminal Line

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swacl.html#wp1220563

HTH

Padmanabhan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card