Hi Bob,

I would create a L3 interface, bring it up and then put it in a vrf. You
could name the vrf dmz_vrf or public_vrf, whatever best describes its
purpose.

From other engineers' viewpoint, they will have to know what they are doing
to leak the network into the global routing table and if they try to remove
the vrf statement the ip address is automatically stripped off the
interface.

Hope that helps,

Andres Villalva

On 26/11/2011 7:22 AM, "Bob McCouch" <[email protected]> wrote:

Hi Experts,

I know this mailing list is for IPExpert materials discussions but I'm
going to abuse it just a touch to get some best practice input from a
collection of seasoned engineers. I am always on the fence about how to
treat unrouted L2 VLANs that exist on an L3 switch, like a guest network
that is being piped up to a firewall or a (gasp) DMZ that is running as a
VLAN on the internal network, or just a voice VLAN that is gatewayed by
another device. Here are the two positions I float between:

1) Create the SVI (interface VlanX), no ip address, shutdown, put a
description that warns not to activate the SVI.
2) Ignore it at L3 completely and don't even instantiate the SVI.

The argument for #1 goes that by creating the interface but purposely
shutting it and adding a description, you're hopefully less likely to have
someone else accidentally enable routing on that interface one day thinking
they're taking care of something that got missed. Actively document the
designed behavior rather than just leave a questionable absence of
configuration. The argument for #2 says completely ignore this VLAN and
don't even let the routing engine "listen" in any fashion to it.

Anyone know of any actual security/architecture best practices on this, or
is there a common opinion on this?

Thanks!
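An added example, not from either poster: a small Python audit over a constructed IOS-style running-config excerpt that checks a list of designated L2-only VLANs against the three handlings discussed in this thread (no SVI at all, a shut SVI with no address, or an SVI placed in a VRF) and flags any that are routed in the global table. The policy set `L2_ONLY_VLANS`, the config text and the verdict strings are assumptions for illustration.

```python
# Constructed running-config excerpt (not from the thread): three L2-only VLANs
# handled three ways, plus VLAN 50 which has no SVI at all (position #2).
SAMPLE_CONFIG = """\
interface Vlan20
 description Guest - L2 only, firewall is the gateway. Do NOT enable routing.
 no ip address
 shutdown
!
interface Vlan30
 vrf forwarding dmz_vrf
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
!
"""
# Hypothetical policy: these VLANs must never be routed in the global table.
L2_ONLY_VLANS = {20, 30, 40, 50}

def parse_svis(config):
    """Return {vlan_id: {'ip': bool, 'shutdown': bool, 'vrf': name or None}}."""
    svis, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface Vlan"):
            cur = int(line.split("Vlan", 1)[1])
            svis[cur] = {"ip": False, "shutdown": False, "vrf": None}
        elif not line.startswith(" "):      # '!' or a new stanza ends the block
            cur = None
        elif cur is not None:
            cmd = line.strip()
            if cmd.startswith("ip address "):     # 'no ip address' does not match
                svis[cur]["ip"] = True
            elif cmd == "shutdown":
                svis[cur]["shutdown"] = True
            elif cmd.startswith(("vrf forwarding ", "ip vrf forwarding ")):
                svis[cur]["vrf"] = cmd.split()[-1]
    return svis

def audit(config, l2_only):
    """Verdict per policy VLAN: no SVI (#2), shut SVI (#1) or VRF membership pass."""
    svis, verdicts = parse_svis(config), {}
    for vlan in sorted(l2_only):
        svi = svis.get(vlan)
        verdicts[vlan] = (
            "ok: no SVI" if svi is None
            else f"ok: in vrf {svi['vrf']}" if svi["vrf"]
            else "ok: SVI shut, no ip address" if svi["shutdown"] and not svi["ip"]
            else "FAIL: routed in the global table" if svi["ip"]
            else "WARN: SVI up with no ip address")
    return verdicts
```

Running `audit(SAMPLE_CONFIG, L2_ONLY_VLANS)` passes VLANs 20, 30 and 50 and fails VLAN 40, whose SVI carries a global-table address; an SVI that exists but is neither shut nor addressed gets a warning rather than a pass.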
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com

To Unsubscribe from this list please visit the following link and follow
the directions to unsubscribe.
http://onlinestudylist.com/mailman/listinfo/ccie_rs