Re: Creating an isolated network that does not interact with other SVIs

Answered Question
Aug 4th, 2010

Hi,

I have a scenario whereby I am creating a test network on a 6509 that has about another 30 SVIs. I would need to send the traffic of the newly created SVI straight to the firewall that is managed by the ISP, and the return traffic should only come to this SVI without going to other SVIs. The IGP being used is EIGRP.

My thought of doing this was to create access-group in/out on the new test SVI, but then again the traffic would still be in the routing table and it can reach the other SVIs since I would be specifying traffic for this SVI. I believe I would need to do something in the 'router eigrp' space to make this happen, but I'm not too sure exactly what this would be.

What is the best way to do this?

Please advise,

Cheers,

- SN -

Correct Answer by Jon Marshall about 6 years 4 months ago

sanjay.nadarajah wrote:

Hi,

I have a scenario whereby I am creating a test network on a 6509 that has about another 30 SVIs. I would need to send the traffic of the newly created SVI straight to the firewall that is managed by the ISP, and the return traffic should only come to this SVI without going to other SVIs. The IGP being used is EIGRP.

My thought of doing this was to create access-group in/out on the new test SVI, but then again the traffic would still be in the routing table and it can reach the other SVIs since I would be specifying traffic for this SVI. I believe I would need to do something in the 'router eigrp' space to make this happen, but I'm not too sure exactly what this would be.

What is the best way to do this?

Please advise,

Cheers,

- SN -

SN

If you use an acl on the L3 SVI this will stop traffic from your test vlan going to any of the other 30 vlans. This would be the way to isolate the test vlan at a basic level. There is not a lot you can do with EIGRP to stop your new vlan appearing in the routing table, because it is a directly connected interface, as are the other 30 vlans, so they will show up together in the routing table whether you use EIGRP or not.

If you wanted the test vlan to not show up in the routing table then using VRFs would be the way to go. You could use vrf-lite and then have your test vlan appear in its own vrf routing table and not with all the others. You would also need to subinterface the connection to the firewall, unless you had a spare interface. This would be quite a lot more work than a simple acl on the test vlan interface though.

So it really depends on how much work you want to do versus how long you need your test vlan.

Jon
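As an added illustration of the two options Jon describes (this configuration is not from the original thread), here is what each looks like in IOS. VLAN 999, the subnet 10.99.0.0/24, the VRF name TEST, the firewall uplink GigabitEthernet1/1, the point-to-point addresses 192.0.2.1/.2, and the assumption that the 30 production VLANs all sit inside 10.0.0.0/16 are all made up for the example; the ISP firewall is assumed to have a matching VLAN 999 subinterface and a route back to 10.99.0.0/24 via 192.0.2.1.

```cisco
! --- Option 1: basic isolation with ACLs on the test SVI (assumed addressing) ---
! Assumes the production VLANs live in 10.0.0.0/16 and the test VLAN is 10.99.0.0/24.
ip access-list extended TEST-VLAN-IN
 remark test VLAN may not reach the other SVIs; everything else follows the default route to the firewall
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.99.0.0 0.0.0.255 any
!
ip access-list extended TEST-VLAN-OUT
 remark other VLANs may not initiate traffic into the test VLAN; firewall/Internet return traffic still passes
 deny   ip 10.0.0.0 0.0.255.255 10.99.0.0 0.0.0.255
 permit ip any 10.99.0.0 0.0.0.255
!
interface Vlan999
 description TEST network
 ip address 10.99.0.1 255.255.255.0
 ip access-group TEST-VLAN-IN in
 ip access-group TEST-VLAN-OUT out
!
! --- Option 2: vrf-lite, so the test VLAN gets its own routing table ---
! (replaces the Vlan999 block above; the test subnet then no longer appears in the global table)
ip vrf TEST
 rd 65000:999
!
interface Vlan999
 description TEST network (VRF TEST)
 ip vrf forwarding TEST
 ip address 10.99.0.1 255.255.255.0
!
! Subinterface towards the ISP firewall, also placed in the VRF (assumed uplink port and addressing)
interface GigabitEthernet1/1.999
 description to ISP firewall, VRF TEST
 encapsulation dot1Q 999
 ip vrf forwarding TEST
 ip address 192.0.2.1 255.255.255.252
!
! The only route in VRF TEST besides its two connected subnets: default towards the firewall.
! Return traffic from the firewall arrives on Gi1/1.999 and can only be routed within the VRF.
ip route vrf TEST 0.0.0.0 0.0.0.0 192.0.2.2
!
! Check: the test subnet should be absent from the global table and present only in the VRF table.
! show ip route | include 10.99.0
! show ip route vrf TEST
```

With option 1 the test subnet is still a connected route in the global table and is still redistributed by EIGRP, exactly as Jon notes; only option 2 removes it from the global table.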

