Cisco Support Community

New Member

Best configuration for this scenario?

I'm fairly new at trying to create isolated network segments on Cisco switches. What I'm trying to do is have multiple isolated paths that originate from my vSphere infrastructure travel through a layer 2 link, VLAN, up to a MLS, and ultimately out to the internet through a firewall. Each subnet might ultimately have a number of hosts on it, but I don't think the makeup of those hosts will matter here.

My initial thought was creating VLAN-tagged port groups on vSwitches on my vSphere infrastructure. Physical connections will go from my ESXi hosts to the 2900 series Cisco switch connected to trunk ports. Both VLANs would be configured on the switch but not assigned to physical ports. The physical connection to the 3750 would also be a trunk port connection from the 2960. The 3750 would have SVIs created that are attached to VRFs that would control routed traffic. This might be totally wrong, but from what I've read it seems to be going down the correct path, I think.

Two-part question: is this the best way to go about designing this network? If so, I seem to be really struggling with the SVI/VRF part. Every time I create an SVI, all of my hosts on the 10.10.10.x network can ping them, regardless of which VLAN they're on.

I just cannot seem to isolate the 172 network.

Crude drawing follows:


Hall of Fame Super Silver

Best configuration for this scenario?

Hello Adam,

For isolating some IP subnets from the other ones, the right tool is VRF lite on the C3750.


Each VRF lite instance can be formed by multiple VLANs and their corresponding SVIs.

In your design each routing context / VRF should have a logical connection with the FW, so the inside interface of the FW should become a VLAN-tagged interface with a logical sub-interface for each context / VRF.

In this way each VRF is isolated up to the FW. On the FW you can provide internet access to each VRF and, if you like, you can provide some level of inter-VRF communication in a controlled way (by stateful FW using FW ACLs).


ip vrf Workgroup
 rd 1000:100

On all L3 interfaces belonging to the 172.0 address range, do the following:

interface Vlan X
 ip vrf forwarding Workgroup
 ! now retype the IP address and mask; this is a needed step
 ip address 172.x.y.z 255.255.255.K

Create two VLANs, Z and W:

VLAN Z uses the 10.0.0.0 address range and is part of the global routing table (SVI Vlan Z).

VLAN W is part of the range and is part of VRF Workgroup (SVI Vlan W).

Configure the physical port to the FW as an 802.1Q trunk carrying VLANs Z and W:

interface gix/y
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan Z,W

Configure the FW to use VLAN-based sub-interfaces with VLAN tags Z and W.

Hope to help


New Member

Best configuration for this scenario?

I think I have achieved my isolation. However, I cannot seem to route traffic from my 172.16.0.x network to the default gateway.

Hall of Fame Super Silver

Best configuration for this scenario?

Hello Adam,

my suggestion included changes on the FW to offer a different gateway to the workgroup.

It is not clear how you achieved network isolation. If you used VRF lite, you need a different logical interface on the FW, as in VRF lite it is in another address space and it is not reachable anymore.

Hope to help
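A worked configuration for the design discussed in the two replies above (the VRF lite setup with one tagged FW link per routing context, and the separate default gateway that the VRF needs), added here as an example; it is not taken from any post in the thread. The VLAN numbers, addresses, interface names and the firewall sub-interface addresses are assumed values chosen for illustration: the thread only names the VLANs Z and W and gives no addresses for the firewall links.

```cisco
! Added example configuration for a Catalyst 3750 (not from the thread).
! Assumed values:
!   VLAN 10  = 10.10.10.0/24, global routing table      (the thread's "vlan Z")
!   VLAN 20  = 172.16.0.0/24, VRF Workgroup             (the thread's "vlan W")
!   VLAN 30  = global-table link to FW, 192.0.2.0/30    (FW sub-interface = .1)
!   VLAN 40  = VRF Workgroup link to FW, 192.0.2.4/30   (FW sub-interface = .5)
!   Gi1/0/1  = trunk towards the Catalyst 2960 / ESXi hosts
!   Gi1/0/24 = trunk towards the firewall inside interface
!
ip vrf Workgroup
 rd 1000:100
!
vlan 10
 name Servers-Global
vlan 20
 name Servers-Workgroup
vlan 30
 name FW-Global
vlan 40
 name FW-Workgroup
!
! Global-table SVIs
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan30
 ip address 192.0.2.2 255.255.255.252
!
! VRF SVIs: "ip vrf forwarding" removes any address already on the
! interface, so the address is configured after it (the step the first
! reply insists on).
interface Vlan20
 ip vrf forwarding Workgroup
 ip address 172.16.0.1 255.255.255.0
interface Vlan40
 ip vrf forwarding Workgroup
 ip address 192.0.2.6 255.255.255.252
!
! Trunk to the 2960: carries only the host VLANs
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Trunk to the firewall: one tagged VLAN per routing context
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 30,40
!
! Each routing table needs its own default route towards its own FW
! sub-interface. The global default route is invisible inside the VRF,
! which is why the 172.16.0.x hosts cannot reach "the" default gateway
! until the VRF gets one of its own.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf Workgroup 0.0.0.0 0.0.0.0 192.0.2.5
!
! Verification (exec mode):
!   show ip route                      -> 10.10.10.0/24 and the global default only
!   show ip route vrf Workgroup        -> 172.16.0.0/24 and the VRF default only
!   show ip route vrf Workgroup 10.10.10.1
!       -> resolves only to the VRF default via 192.0.2.5, so any traffic
!          between the two contexts must traverse the firewall policy
!   ping vrf Workgroup 192.0.2.5       -> FW reachable from inside the VRF
```

The firewall side is the mirror image: its inside interface carries two dot1q sub-interfaces (tags 30 and 40) with 192.0.2.1 and 192.0.2.5, each with its own policy. The isolation check worth keeping after deployment is the `show ip route vrf Workgroup` output: if a 10.10.10.0/24 prefix ever appears there, something has leaked a route between the contexts.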