[nsp] Moving sc0 to private VLAN on 5500
Eric Stockwell
eric at opticfusion.net
Fri Jun 11 18:30:48 EDT 2004
You're right, I tried putting it in the vlan again and the interface
came right up.
The reason it wasn't before was that I had a typo in the command; I
was trying:
cs01> (enable) set int sc0 vlan 99
Invalid state or IP address/netmask format
The message "invalid state" was making me think that it wasn't changing
because of the vlan interface being down. In fact, all I needed to do
was correctly assign it to the vlan with:
cs01> (enable) set int sc0 99
Interface sc0 vlan set.
So, long story short, I'm an idiot. Thanks for the help.
Eric Stockwell
Optic Fusion
lee.e.rian at census.gov wrote:
>Eric,
>It sounds like you're already protected:
>
>
>>We use a 5505 with an RSM as our core switch / router in our colo,
>>putting each customer on their own vlan and then our equipment and the
>>gateways on vlan 1.
>>
>>
>No customer equipment on vlan 1 and the only way to get there is via your
>gateways. Add some access lists to the gateways so customers can't get to
>the switch sc0.
>
>But I'm probably missing something, so have you tried putting sc0 on its
>own vlan and seeing if the RSM vlan comes up? It's been a couple of years,
>but I had the opposite problem. The vlan assigned to sc0 would _never_ go
>down on the RSM - even after a card went down that had the one and only
>port for that vlan. TAC's recommendation was to move the link to one of the
>supervisor ports.
>
>If Cisco has changed the RSM/sc0 vlan behavior try doing a
> set rsmautostate disable
>That used to enable all RSM vlans regardless of the vlan state on the
>switch. But then you've got the potential for the RSM to advertise routes
>for vlans that are down on the switch...
>
>Regards,
>Lee
>
>
>
>
>Eric Stockwell <eric at opticfusion.net>
>Sent by: cisco-nsp-bounces at puck.nether.net
>06/11/2004 04:06 PM
>To: cisco-nsp at puck.nether.net
>cc:
>Subject: [nsp] Moving sc0 to private VLAN on 5500
>
>We use a 5505 with an RSM as our core switch / router in our colo,
>putting each customer on their own vlan and then our equipment and the
>gateways on vlan 1. Due to the recent CatOS vulnerability, I'd like to
>move the sc0 interface on the switch to its own vlan and use a /30
>between the vlan interface and the sc0. My hope is that I can then
>easily apply ACLs to limit access.
>
>My problem is this:
>Because there are no other devices in the VLAN, the interface in the RSM
>does not come up. Because the interface is not up, the sc0 interface
>cannot be moved to that VLAN. I've thought about sticking a single
>server in the VLAN to bring it up and adding it, but I'm not sure if it
>will stay up once we remove the server. I'm also not sure what would
>happen with the state of the interfaces in the event of a reboot. I also
>thought of leaving the server there, but I don't like the idea of access
>to the switch having a server as a single point of failure. And, if I
>stick it in a VLAN with multiple servers, I've kind of negated the point
>of putting it on its own VLAN.
>
>Does anyone have any ideas or suggestions?
>
>--
>Eric Stockwell
>Optic Fusion
>
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
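Putting the two halves of this thread together (Eric's corrected `set int sc0 99` and Lee's suggestion of access lists on the gateway), here is what the finished configuration looks like on both sides of the /30. This is an added example, not configuration from either poster: VLAN 99 is the number from Eric's message, but the addresses (192.0.2.0/30 for the sc0 link, 198.51.100.10 for the management station), the VLAN name and the ACL number are assumptions.

```text
! --- Catalyst 5500 supervisor (CatOS) ---
! Create the dedicated management VLAN, then move sc0 into it and assign the
! switch's side of the /30 in one command (vlan first, then address/mask;
! "set int sc0 vlan 99" is the form that produced the "Invalid state" error).
set vlan 99 name sc0-mgmt
set interface sc0 99 192.0.2.1 255.255.255.252
set ip route default 192.0.2.2
! Optional second layer on the switch itself: the CatOS IP permit list
! limits which source addresses may open telnet/SNMP sessions to sc0, so a
! mistake in the RSM ACL alone does not expose the supervisor. Add your own
! management station before enabling it, or you lock yourself out.
set ip permit 198.51.100.10 255.255.255.255 telnet
set ip permit enable telnet
! Verify: sc0 should now show vlan 99 and the new address.
show interface
show ip permit

! --- RSM (IOS) ---
! The RSM end of the /30. An ACL applied inbound here would only see traffic
! sourced by sc0; customer traffic toward sc0 enters on the customer VLAN
! interfaces and *leaves* the RSM through Vlan99, so the filter goes outbound.
interface Vlan99
 description sc0 management link
 ip address 192.0.2.2 255.255.255.252
 ip access-group 110 out
 no shutdown
!
! Only the management station may reach sc0 (telnet, SNMP, ping);
! everything else bound for the switch is dropped and logged so stray
! customer probes show up in the log.
access-list 110 permit tcp host 198.51.100.10 host 192.0.2.1 eq telnet
access-list 110 permit udp host 198.51.100.10 host 192.0.2.1 eq snmp
access-list 110 permit icmp host 198.51.100.10 host 192.0.2.1
access-list 110 deny ip any any log
!
! Verify the SVI came up with sc0 as its only member (Eric's observation),
! rather than forcing it with "set rsmautostate disable" on the switch,
! which Lee notes also keeps down VLANs advertised as routable.
show ip interface brief
show access-lists 110
```

Keeping the /30 to just sc0 and the RSM is what makes the ACL so short: with no other hosts in 192.0.2.0/30, the final deny catches everything that is not management traffic, and the `log` keyword gives you a cheap detection signal for anyone on a customer VLAN poking at the switch.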