Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Assigning a secure management IP address to 3750

We currently have pair of cat3750s in a stack but have not enabled IP routing.We have created several vlans and those vlans are in production. To assign a management IP to the switch, we created the vlan interface on our management network (vlan2 for discussion sake)and assigned an IP address to it. This works fine. Now we need to enable IP routing. We will assign IP addresses the the other vlan interfaces as required. However, as soon as we enable IP routing, it will enable direct connections, via the onboard router, to the management interface. We want the management vlan to be restricted via an external firewall (which it already is). Enabling routing to the vlan2 interface would bypass our security. If we assign a physical interface as the management interface, then if that member switch is down, we would lose the management interface.

If we try to use ACLs to restrict access, we would need to apply ACLs to all the interfaces to prevent inbound access to the router.

Is there a way to assign a management IP address to the stack without enabling routing to that address and still be on vlan2?



Re: Assigning a secure management IP address to 3750

In short, no.

You cannot assign an IP Address to the 3750 to be used for 'routed' access if you do not enable IP Routing on the 3750 and create the SVI.

You can enable IP Routing on the 3750, create the SVI and assign the IP Address, then use static routes to send the VLAN2 traffic to the Firewall interface it needs to traverse so it does not bypass the firewall.

New Member

Re: Assigning a secure management IP address to 3750

Thanks for your response.

Doesn't a connected route have a distance metric of 0 and a static route have metrics of 1-254?

If I enter a static route on the router pointing away from that router to the firewall, and it has a distance metric of 1, won't the routing table entry for the connected route take precedence anyway?

Cisco Employee

Re: Assigning a secure management IP address to 3750

Hello John,

when routing is not enabled for the switch, you can still apply ACL to vty lines to restrict management of the switch.

If routing is configured with multiple SVI, then you need additional ACL entries to prevent managing the switch other than vlan 2 SVI

Applying IPv4 ACL to Terminal Line