Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
0
Helpful
3
Replies

SVI Interface on ACE

sidcracker
Level 1
Level 1

‎10-30-2009 02:45 AM

Hi,

SVI Interfaces are supposedly for communication between the MSFC and the ACE. So the command

interface vlan 250 configured on the 6500 Switch would enable SVI on the MSFC.

In our setup we have multiple contexts on the ACE and our VPN box sits behind an inside switch.

The VLAN defined for the outside VPN interface is say 200... so why would we define a SVI interface.. interface vlan 200 on the 6500 switch which is actually our border that connects to the Internet.

Is it because it should be routable from the Internet?

If so what is the difference between an SVI Interface (Connection between a switch and ACE) and VLAN L3 interface

Thanks

Labels:
0 Helpful
3 Replies 3

Gilles Dufour
Cisco Employee
Cisco Employee

‎10-30-2009 03:26 AM

you don't need the SVI interface on the MSFC if you have an external device doing the routing for the ACE.

You need to configure the SVCLC on the MSFC to tell which vlans are allowed on the trunk to the ACE.

Traffic coming out of ACE is inside a trunk and will be L2 switched to either an external gateway or to the 'interface vlan x' of the MSFC....it all depends on the destination mac-address.

Gilles.

0 Helpful

sidcracker
Level 1
Level 1
In response to Gilles Dufour

‎10-30-2009 03:33 AM

I get the point, but if I dont define interface vlan 200 on the 6500 switch then how will the switch route the traffic to the VPN box.

The 6500 is the border router that routes traffic.

So my question is even if the VPN device is located external to the switch/ACE will that VLAN 200 still be communicated to the ACE contexts? that VLAN does not reside in any of the contexts because its not meant to be for the ACE.

So in the VPN VLAN case, i use it only to route traffic to the VPN box?

I am asking this only to clear a doubt of my mind. Appreciate your response

Thanks

0 Helpful

Gilles Dufour
Cisco Employee
Cisco Employee
In response to sidcracker

‎10-30-2009 03:57 AM

The Cat6k will not "route" the traffic from the ace to the vpn ... it with "switch" it....

the difference is that as long as the traffic is part of the same vlan (ie: 200) the switching is done based on the mac-address.

So if ACE sends the traffic with dest-mac == VPN-device, the Cat6k will see traffic coming from ace vlan 200 and with destination vpn-mac-vlan200 ...so it will just switch it to the corresponding interface.

When you create an 'interface vlan X' on the cat6k you actually create a L3 interface... in the old days there was a Sup and an MSFC.

The Sup did the switching and the MSFC the routing.

The 'interface vlan x' command was to conigure the MSFC.

But it is not required for the Sup to switch traffic inside a single vlan.

Same idea here.

Gilles.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents