Creating an isolated network that does not interact with other SVIs

Hi,

I have a scenario where I am creating a test network on a 6509 that has about another 30 SVIs. I would need to send the traffic of the newly created SVI straight to the firewall that is managed by the ISP, and the return traffic should only come to this SVI without going to other SVIs. The IGP being used is EIGRP.

My thought of doing this was to create an access-group in/out on the new test SVI, but then again the traffic would still be in the routing table and it can reach the other SVIs since I would be specifying traffic for this SVI. I believe I would need to do something in the 'router eigrp' space to make this happen, but I am not too sure exactly what this would be.

What is the best way to do this?

Please advise,

Cheers,

- SN -

Accepted Solution

Re: Creating an isolated network that does not interact with other SVIs

SN

If you use an ACL on the L3 SVI, this will stop traffic from your test VLAN going to any of the other 30 VLANs. This would be the way to isolate the test VLAN at a basic level. There is not a lot you can do with EIGRP to stop your new VLAN appearing in the routing table, because it is a directly connected interface, as are the other 30 VLANs, so they will show up together in the routing table whether you use EIGRP or not.

If you wanted the test VLAN to not show up in the routing table, then using VRFs would be the way to go. You could use VRF-lite and then have your test VLAN appear in its own VRF routing table and not with all the others. You would also need to subinterface the connection to the firewall, unless you had a spare interface. This would be quite a lot more work than a simple ACL on the test VLAN interface though.

So it really depends on how much work you want to do versus how long you need your test VLAN.

Jon
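As an added worked example (this is not part of Jon's reply or the original post), here are both approaches from the reply written out as Cisco IOS configuration for a 6500. The test VLAN 999 with 10.99.0.0/24, GigabitEthernet1/1 as the link to the ISP-managed firewall, the 192.0.2.0/30 and 198.51.100.0/30 point-to-point subnets, the VRF name TEST, and the RFC 1918 ranges standing in for the other 30 SVI subnets are all assumptions; substitute your own addressing.

```cisco
! ===== Option 1: ACL on the test SVI (assumed VLAN 999, 10.99.0.0/24) =====
! Assumption: the other 30 SVIs live in RFC 1918 space and the ISP firewall is
! reached via the global default route. Test hosts may only leave toward the firewall.
ip access-list extended TEST-VLAN-IN
 remark Keep the default gateway itself reachable from the test hosts
 permit ip 10.99.0.0 0.0.0.255 host 10.99.0.1
 remark Block the test VLAN from every internal range (covers the other SVIs)
 deny   ip 10.99.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 10.99.0.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 10.99.0.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Everything else follows the default route to the ISP-managed firewall
 permit ip 10.99.0.0 0.0.0.255 any
!
ip access-list extended TEST-VLAN-OUT
 remark Only traffic that came back through the firewall may enter the test VLAN
 deny   ip 10.0.0.0 0.255.255.255 10.99.0.0 0.0.0.255
 deny   ip 172.16.0.0 0.15.255.255 10.99.0.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 10.99.0.0 0.0.0.255
 permit ip any 10.99.0.0 0.0.0.255
!
interface Vlan999
 description Test VLAN, isolated by ACL (subnet still visible in the global table)
 ip address 10.99.0.1 255.255.255.0
 ip access-group TEST-VLAN-IN in
 ip access-group TEST-VLAN-OUT out
!
! ===== Option 2: VRF-lite, so the test subnet never enters the global table =====
! Assumptions: GigabitEthernet1/1 is the firewall link, re-cut as a dot1Q trunk;
! subinterface .10 carries the existing global leg, .999 the TEST VRF. The ISP must
! add VLAN 999 / 192.0.2.0/30 on the firewall and route 10.99.0.0/24 to 192.0.2.2.
ip vrf TEST
 rd 65000:999
!
interface Vlan999
 description Test VLAN in its own VRF
 ip vrf forwarding TEST
 ip address 10.99.0.1 255.255.255.0
!
interface GigabitEthernet1/1
 description Trunk to ISP-managed firewall
 no ip address
!
interface GigabitEthernet1/1.10
 description Existing global leg to the firewall (assumed 198.51.100.0/30)
 encapsulation dot1Q 10
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet1/1.999
 description Firewall leg for the TEST VRF
 encapsulation dot1Q 999
 ip vrf forwarding TEST
 ip address 192.0.2.2 255.255.255.252
!
! The TEST VRF needs no EIGRP at all: one static default toward the firewall is
! enough, and nothing is redistributed, so the global EIGRP process never sees it.
ip route vrf TEST 0.0.0.0 0.0.0.0 192.0.2.1
!
! Checks
! show ip route vrf TEST             -> only 10.99.0.0/24 (connected) and the static default
! show ip route | include 10.99.0    -> should return nothing in the global table
! show ip access-lists TEST-VLAN-IN  -> deny counters increment after a test ping to another VLAN
```

Two things to watch with option 2: `ip vrf forwarding` wipes any address already on the interface, so enter it before `ip address` as shown, and moving the existing firewall link onto a subinterface is a disruptive change to the global path that has to be coordinated with the ISP, who must also add the matching VLAN and return route on their side. With option 1 the `permit ... host 10.99.0.1` line only keeps the gateway pingable; drop it if the test hosts should not be able to talk to the switch at all.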
