[c-nsp] separation of management traffic on L3 switch

Rutger Bevaart rutger.bevaart at illian.net
Wed Jan 25 04:10:38 EST 2006


hello list,

I'd like to use two 3550 switches as routers in an ethernet-only
environment. Nothing fancy, just redundant routing for a small set of
VLANs (20-30). Now I would like to have a separate VLAN for management
(SNMP, SSH access, syslog) that is not reachable from the other VLANs.
The VLAN will also contain other devices (TACACS+ server) that need to
be inaccessible from the other VLANs.

So I would have:

VLAN A     customer A (eg. 10.1.1.0/24)
VLAN B     customer B (eg. 10.1.2.0/24)
VLAN C     customer C (eg. 10.1.3.0/24)
VLAN D     management vlan (eg. 10.200.200.0/24)

Just using a "plain vanilla" 3550 with routing enabled will nicely route
between those VLANs.

What I figured would be plausible scenarios:

1. Use egress ACLs on all customer VLANs.
2. Use PBR to prevent routing to the management subnet.
3. Use VRFs to separate into two zones.

What would need to be done anyway is protect the 3550 SNMP and vty with
ACLs.

Anybody have any insights they can share?

Regards,
Rutger Bevaart
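A sketch of option 1 together with the vty/SNMP protection, in Cisco IOS syntax, as an added example that is not part of the original post. The VLAN IDs (10/20/30 for customers A/B/C, 200 for management), the SVI addresses, the NMS address 10.200.200.10 and the community-string placeholder are assumptions.

```cisco
! Added example (not from the post). Assumed: VLAN 10/20/30 = customers A/B/C,
! VLAN 200 = management, syslog/NMS host at 10.200.200.10.
!
! Customer VLANs may reach each other and the outside, but never 10.200.200.0/24.
! Filtering inbound on each customer SVI stops the traffic at the first hop,
! including packets aimed at the management SVI address itself.
ip access-list extended CUSTOMER-IN
 deny   ip any 10.200.200.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 description customer A
 ip address 10.1.1.1 255.255.255.0
 ip access-group CUSTOMER-IN in
interface Vlan20
 description customer B
 ip address 10.1.2.1 255.255.255.0
 ip access-group CUSTOMER-IN in
interface Vlan30
 description customer C
 ip address 10.1.3.1 255.255.255.0
 ip access-group CUSTOMER-IN in
interface Vlan200
 description management
 ip address 10.200.200.1 255.255.255.0
!
! The customer-facing SVI addresses (10.1.x.1) stay reachable, so the switch's
! own services are restricted separately to the management subnet.
ip access-list standard MGMT-HOSTS
 permit 10.200.200.0 0.0.0.255
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
snmp-server community <community-string> RO MGMT-HOSTS
!
logging 10.200.200.10
```

Adding `log` to the deny entry gives visibility of customer hosts probing the management subnet, but on the 3550 logged ACEs are handled in software, so keep it off if those ACLs carry real volume.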


