[nsp] Moving sc0 to private VLAN on 5500

lee.e.rian at census.gov lee.e.rian at census.gov
Fri Jun 11 17:09:10 EDT 2004


Eric,
It sounds like you're already protected:
> We use a 5505 with an RSM as our core switch / router in our colo,
> putting each customer on their own vlan and then our equipment and the
> gateways on vlan 1.
No customer equipment on vlan 1 and the only way to get there is via your
gateways.  Add some access lists to the gateways so customers can't get to
the switch sc0.

But I'm probably missing something, so have you tried putting sc0 on its
own vlan and seeing if the RSM vlan comes up?  It's been a couple of years,
but I had the opposite problem.  The vlan assigned to sc0 would _never_ go
down on the RSM - even after a card went down that had the one and only
port for that vlan.  TAC's recommendation was to move the link to one of the
supervisor ports.

If Cisco has changed the RSM/sc0 vlan behavior try doing a
 set rsmautostate disable
That used to enable all RSM vlans regardless of the vlan state on the
switch.  But then you've got the potential for the RSM to advertise routes
for vlans that are down on the switch...

Regards,
Lee




Eric Stockwell <eric at opticfusion.net>
Sent by: cisco-nsp-bounces at puck.nether.net
06/11/2004 04:06 PM

To:       cisco-nsp at puck.nether.net
cc:
Subject:  [nsp] Moving sc0 to private VLAN on 5500




We use a 5505 with an RSM as our core switch / router in our colo,
putting each customer on their own vlan and then our equipment and the
gateways on vlan 1. Due to the recent CatOS vulnerability, I'd like to
move the sc0 interface on the switch to its own vlan and use a /30
between the vlan interface and the sc0. My hope is that I can then
easily apply ACLs to limit access.

My problem is this:
Because there are no other devices in the VLAN, the interface in the RSM
does not come up. Because the interface is not up, the sc0 interface
cannot be moved to that VLAN. I've thought about sticking a single
server in the VLAN to bring it up and adding it, but I'm not sure if it
will stay up once we remove the server. I'm also not sure what would
happen with the state of the interfaces in the event of a reboot. I also
thought of leaving the server there, but I don't like the idea of access
to the switch having a server as a single point of failure. And, if I
stick it in a VLAN with multiple servers, I've kind of negated the point
of putting it on its own VLAN.

Does anyone have any ideas or suggestions?

--
Eric Stockwell
Optic Fusion

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
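One way to lay out the configuration the thread describes, as an added example that is neither poster's own config: the RSM holds the gateway end of a /30 on a dedicated management VLAN, an outbound ACL on that SVI limits who can be routed to sc0, and the switch's own `set ip permit` list backs it up on the CatOS side. VLAN 900, the 192.0.2.0/30 block, the admin host 192.0.2.254 and ACL number 110 are constructed placeholders, and the `set rsmautostate disable` line is the workaround Lee mentions, with his caveat repeated in the comment.

```cisco
! ---- RSM (IOS) side: gateway for the sc0-only VLAN ----
! VLAN 900 / 192.0.2.0/30 / ACL 110 are constructed placeholder values
interface Vlan900
 description Management VLAN - switch sc0 is the only other host
 ip address 192.0.2.1 255.255.255.252
 ! "out" = traffic routed TOWARD sc0; this is what customer VLANs hit
 ip access-group 110 out
!
! Only the admin host (constructed: 192.0.2.254) may reach sc0
access-list 110 permit tcp host 192.0.2.254 host 192.0.2.2 eq telnet
access-list 110 permit udp host 192.0.2.254 host 192.0.2.2 eq snmp
access-list 110 permit icmp any host 192.0.2.2 echo
access-list 110 deny   ip any any log

! ---- Catalyst 5500 (CatOS) side ----
set vlan 900 name sc0-mgmt
! Move sc0 into the new VLAN with the other half of the /30
set interface sc0 900 192.0.2.2 255.255.255.252
set ip route default 192.0.2.1
! Second layer: CatOS's own management permit list.
! Add entries BEFORE enabling, or you lock yourself out.
set ip permit 192.0.2.254 255.255.255.255 telnet
set ip permit 192.0.2.254 255.255.255.255 snmp
set ip permit enable
! Workaround from the thread so Vlan900 comes up on the RSM with no
! switch port in the VLAN. Caveat from the same reply: the RSM may then
! advertise routes for VLANs that are actually down on the switch.
set rsmautostate disable
```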