[nsp] Moving sc0 to private VLAN on 5500

Eric Stockwell eric at opticfusion.net
Fri Jun 11 16:06:35 EDT 2004


We use a 5505 with an RSM as our core switch / router in our colo, 
putting each customer on their own vlan and then our equipment and the 
gateways on vlan 1. Due to the recent CatOS vulnerability, I'd like to 
move the sc0 interface on the switch to its own vlan and use a /30 
between the vlan interface and the sc0. My hope is that I can then 
easily apply ACLs to limit access.

My problem is this:
Because there are no other devices in the VLAN, the interface in the RSM 
does not come up. Because the interface is not up, the sc0 interface 
cannot be moved to that VLAN. I've thought about sticking a single 
server in the VLAN to bring it up and adding it, but I'm not sure if it 
will stay up once we remove the server. I'm also not sure what would 
happen with the state of the interfaces in the event of a reboot. I also 
thought of leaving the server there, but I don't like the idea of access 
to the switch having a server as a single point of failure. And, if I 
stick it in a VLAN with multiple servers, I've kind of negated the point 
of putting it on its own VLAN.

Does anyone have any ideas or suggestions?

-- 
Eric Stockwell
Optic Fusion
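As an added illustration (constructed for this page, not configuration from the original post or from Optic Fusion), here is what the design described above looks like on the two sides: the Supervisor's sc0 in a dedicated VLAN on a /30, and the RSM's VLAN interface as the only routed path to it, with an ACL that limits who can reach the switch. The VLAN number (900), the /30 (192.0.2.0/30), and the management station (198.51.100.10) are assumed values.

```cisco
! --- CatOS side (Supervisor): dedicated management VLAN, sc0 moved into it ---
set vlan 900 name sw-mgmt
! sc0 takes the high side of the /30; the RSM interface is its default gateway
set interface sc0 900 192.0.2.2 255.255.255.252
set ip route default 192.0.2.1

! --- RSM side (IOS): /30 toward sc0, ACL applied outbound toward the switch ---
interface Vlan900
 description management /30 to Supervisor sc0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 110 out

! Only the management station may reach sc0, and only on the services needed.
! Everything else routed toward the switch is dropped and logged.
access-list 110 permit tcp  host 198.51.100.10 host 192.0.2.2 eq telnet
access-list 110 permit udp  host 198.51.100.10 host 192.0.2.2 eq snmp
access-list 110 permit icmp host 198.51.100.10 host 192.0.2.2 echo
access-list 110 deny   ip   any               host 192.0.2.2 log
```

Because the ACL sits on the RSM interface, it only filters traffic that is routed into VLAN 900; any port placed directly in that VLAN (such as the server suggested to bring the interface up) would reach sc0 unfiltered, so the VLAN should hold nothing but sc0 and the RSM interface.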


