New Member

Cisco 3750X - "Isolated" SVI for management


I have a stack of 3750-X that are used to both switch traffic inside Vlan and also to route a couple of WAN ranges from our uplink provider to the DMZ vlan.

Now I'd like to have an SVI Vlan1 with an IP in the "management vlan", but I'd like that SVI not to be routable.

More exactly:

- no traffic should ever exit that interface that's not generated by the router itself (ssh/snmp/...)

- no incoming traffic on that interface should be forwarded anywhere

- I'd also like to have a different default gw to be used by traffic generated by the switch itself (e.g., ssh traffic coming from any other subnet to the switch SVI Vlan1 ip should be routed back through the Vlan1 gw and not through our uplink ptp gateway).

I think I can achieve the first two with ACLs on the SVI. But not sure about the last one ...



Hall of Fame Super Bronze


You can place Vlan1 under a VRF.

New Member

Would you have a link to an example? I don't have any VRF experience so it's a bit hard to imagine.

Also, I guess that requires the "IP service" license, which is a bit annoying "just" for that ... (I mean expensive for such a 'little' issue)

Hall of Fame Super Bronze

The following URL describes how VRF functions within the 3750x line:

For your requirement it is really simple:

ip vrf management
 rd 1:1
!
interface vlan 1
 ip vrf forwarding management
 ip address x.x.x.x y.y.y.y
!
! default route inside the VRF, next hop g.g.g.g
ip route vrf management 0.0.0.0 0.0.0.0 g.g.g.g

The gateway needs to be reachable from the physical port associated to Vlan1.
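
An added example, not part of the original reply: a Python check to run over saved `show running-config` output, confirming that the management SVI sits alone in its own VRF with its own default route. The sample config, its documentation-range addresses and the function name `audit_mgmt_svi` are constructed for illustration.

```python
import re

# Constructed sample in "show running-config" form; addresses are placeholders.
SAMPLE = """\
ip vrf management
 rd 1:1
!
interface Vlan1
 ip vrf forwarding management
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan20
 ip address 198.51.100.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route vrf management 0.0.0.0 0.0.0.0 192.0.2.1
"""

STANZA = re.compile(r"^interface (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)

def audit_mgmt_svi(config, svi="Vlan1"):
    """Return findings; an empty list means the SVI sits alone in its own VRF."""
    stanzas = {name.lower(): body for name, body in STANZA.findall(config)}
    if svi.lower() not in stanzas:
        return [f"interface {svi} not found"]
    body = [line.strip() for line in stanzas[svi.lower()].splitlines()]
    vrf = next((l.split()[-1] for l in body if l.startswith("ip vrf forwarding ")), None)
    if vrf is None:
        return [f"{svi} is in the global routing table"]
    findings = []
    if not re.search(rf"^ip vrf {re.escape(vrf)}[ \t]*$", config, re.M):
        findings.append(f"VRF {vrf} is referenced but not defined")
    # IOS removes the interface address when the VRF is applied; it must be re-entered.
    if not any(l.startswith("ip address ") for l in body):
        findings.append(f"{svi} has no ip address")
    # Any other interface in the same VRF can exchange routed traffic with the SVI.
    for name, other in stanzas.items():
        member = re.search(rf"^[ \t]+ip vrf forwarding {re.escape(vrf)}[ \t]*$", other, re.M)
        if name != svi.lower() and member:
            findings.append(f"{name} shares VRF {vrf} with {svi}")
    # Replies originated by the switch need a default route inside the VRF.
    if not re.search(rf"^ip route vrf {re.escape(vrf)} 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append(f"no default route in VRF {vrf}")
    return findings

if __name__ == "__main__":
    print(audit_mgmt_svi(SAMPLE) or "management SVI is isolated")
```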



New Member


That indeed works great.

Unfortunately I don't have the "ip service" license so it will stop working when the trial expires.

I thought about source routing but that requires PBR which is also "ip service".