RE: Private VLANs on the 6509's

From: Desmarais, Jonathan (JDesmarais@colt-telecom.com)
Date: Thu Feb 15 2001 - 12:02:06 EST


This is a good point, Fabio.

The hosts must have a static route to the connected network with the
promiscuous-interface-based router as the gateway. This way traffic between
hosts on the same segment but isolated is routed through the MSFC.

This is the problem with P-VLANs IMO, as to ensure the same level of
security, access-lists etc. are now needed to keep the hosts more secure.
This in turn negates the L3 switching power. The only real advantage of the
P-VLAN is to ensure hosts cannot do ARP look-ups and spoof traffic to or
from other servers on the segment.

We only intend to use P-VLANs for our backup network; this is a network
where each host only needs to see the backup server.

Jon..

> -----Original Message-----
> From: Fabio Ribas [mailto:fabio_ribas@optiglobe.com.br]
> Sent: 15 February 2001 16:05
> To: 'Edward S. Desouza'
> Cc: 'cisco-nsp@puck.nether.net'
> Subject: RE: Private VLANs on the 6509's
>
>
> Hi Edward,
>
> Just one question, because I thought some time ago about using
> private VLANs and I didn't.
> Do you know what happens if two customers, which are connected
> on the switch to the isolated VLAN, want to exchange traffic with
> each other? I think they can't.
> Another thing, when we implement private VLANs, can we use a
> trunk to export the PVLAN to another switch? I am asking because
> the domain is private, not client or server.
>
> Regards,
> Fabio
>
> -----Original Message-----
> From: Edward S. Desouza [mailto:edward_desouza@yahoo.com]
> Sent: Thursday, 15 February 2001 02:48
> To: Rich Sena
> Cc: cisco-nsp@puck.nether.net
> Subject: Re: Private VLANs on the 6509's
>
>
> Hi,
> I finally got a solution:
>
> 1. Make a primary PVLAN.
> 2. Create a secondary VLAN as isolated; assign all
> ports on the switch to the isolated VLAN.
> 3. Set port 15/1 as a promiscuous port.
>
> Now, each isolated VLAN can ping the default gateway
> (since 15/1 is a promiscuous port).
>
> Each port cannot ping other ports on the switch due to
> isolated VLANs.
>
> All other VLANs (normal VLANs) can communicate with
> each of the isolated ports through the router (since port 15/1
> is configured as a promiscuous port).
>
> Tried it out and it works fine. The key was to set 15/1
> as a promiscuous port!!!!!
> Rgds,
>
> Edward
>
> --- Rich Sena <ras@poppa.thick.net> wrote:
> >
> > Ed, you just need to set a trunk between the
> > switches... since everything is in a private VLAN it
> > will have to be routed traffic for any hosts on the
> > private segment to intercommunicate, i.e. they will
> > have to exchange at a router or MSFC, not at layer 2.
> >
> > On Feb 14, 2001 Edward S. Desouza reported:
> >
> > > Hi Guys,
> > > Have any of you implemented Private VLANs on the
> > > 6500 series Cisco switches? The documentation is
> > > pretty sketchy. I need to do the following:
> > >
> > > 1. Each customer that co-locates in my IDC will be
> > > given an isolated port on the primary VLAN (at the
> > > access layer).
> > >
> > > 2. The primary and secondary VLANs will be trunked
> > > through the MSFC to the distribution layer (also a
> > > 6500 series).
> > >
> > > 3. Now is where my problem starts. I need to assign a
> > > promiscuous port on my distribution switch.
> > >
> > > Once I set up the promiscuous port and assign it to the
> > > primary VLAN, do I create another VLAN and enable
> > > routing between the two VLANs (primary VLAN and the
> > > new VLAN)? Even after doing so, other VLANs in other
> > > switch blocks cannot access the isolated ports even
> > > after passing through the distribution switch.
> > >
> > > Would really appreciate it if any of you guys have
> > > some sample configs.
> > > Rgds,
> > > Edward
> > >
> > >
> >
> > --
> > Rich Sena - ras@thick.net
> > ThickNET Consulting
> > "On the way to understanding; you understand, and
> > forget."
> >
>
>
> =====
> Edward S. Desouza
> 23/24 Manali 5,
> Evershine Nagar,
> Malad (W),
> Bombay 400064.
> Tel :9122-8886362
>
>

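As an added illustration (not a configuration posted by anyone in this thread), this is what Edward's three steps and the access-list Jon mentions look like on a CatOS supervisor with an MSFC; the VLAN numbers, the customer port range 3/1-24 and the 10.1.1.0/24 addressing are assumed.

```text
# --- CatOS (Catalyst 6509 supervisor) ---
# step 1: primary PVLAN
set vlan 100 pvlan-type primary
# step 2: isolated secondary VLAN, bound to the primary, customer ports in it
set vlan 101 pvlan-type isolated
set pvlan 100 101 3/1-24
# step 3: the MSFC's internal port 15/1 becomes the promiscuous port,
# so every isolated host can reach the gateway but not each other at L2
set pvlan mapping 100 101 15/1
# verification
show pvlan
show pvlan mapping

! --- MSFC (IOS): default gateway for the hosts in primary VLAN 100 ---
! Jon's point: two isolated hosts can still talk by routing through this
! interface, so the inbound ACL drops hairpin traffic within the subnet
! while still letting hosts reach the gateway itself and everything else
access-list 101 permit ip 10.1.1.0 0.0.0.255 host 10.1.1.1
access-list 101 deny   ip 10.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip any any
!
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
```

Hosts on ports 3/1-24 use 10.1.1.1 as their gateway; the ACL is what Jon means by needing access-lists on top of the PVLAN to keep the isolation at layer 3 as well.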



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:29 EDT