[c-nsp] Private VLAN questions.
Matthew Crocker
matthew at crocker.com
Thu Aug 4 13:04:34 EDT 2005
Hello,
I have a couple of Ethernet-based DSLAMs which are pushing T1/SHDSL/ADSL service to customers and bridging Ethernet over the circuits. Each group of customers (I have 30 schools in one group) is mapped to a VLAN on a GigE upstream interface. The DSLAM is configured to only pass ARP requests through the uplink interface so one customer can't see another customer's ARP requests. This, from my understanding, is what Private VLAN does. The DSLAM is *not* a Cisco product. The GigE interface is connected to a Cisco 12000 GigE port and I configure sub-interfaces on the port per VLAN. Each VLAN has an appropriately sized IP subnet to handle the customers on the VLAN.

Everything is working fine but some customers want to be able to talk to each other. For example, I have a school district with 7 schools; they want to establish a VPN between all of the schools. All of the schools are on the same VLAN using the same IP subnet. When the School A firewall sends an ARP request out to look for School B's MAC address the ARP will never reach School B. It will only be passed upstream to the Cisco 12000. Ideally I would want the inter-school traffic to be switched at the DSLAM instead of routed by the router which is 40 miles away. There is no need for the inter-school traffic to leave the DSLAM (with the exception of the ARP requests) and eat up GigE backbone bandwidth.

Questions:

How do I configure the Cisco 12000 to respond to those ARP requests and send the MAC address for school B to school A when it asks?

Can I put an ACL on the configuration so it will only ARP for certain IPs?
--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com
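One way to have the 12000 answer those ARP requests, added here as an illustration and not taken from the original thread: local proxy ARP makes the router reply with its own MAC (not School B's), so the inter-school traffic hairpins through the 12000 and is routed rather than switched at the DSLAM; an inbound ACL on the sub-interface then limits which intra-subnet flows are actually forwarded, so the isolation the DSLAM provides is only relaxed for the listed school addresses. It assumes the IOS release on the 12000 supports `ip local-proxy-arp`; the interface name, VLAN id and addresses are constructed placeholders.

```cisco
! Sub-interface for the school district VLAN
! (interface, VLAN id, subnet and addresses are constructed placeholders)
interface GigabitEthernet1/0.100
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.0
 ! Reply to ARP requests for hosts in this same subnet with the router's
 ! own MAC so customers the DSLAM isolates can reach each other via the
 ! router; proxy ARP (on by default) must stay enabled for this to work
 ip local-proxy-arp
 ! Only the named school firewalls may talk to each other through the
 ! hairpin; all other intra-subnet traffic stays blocked as before
 ip access-group SCHOOL-HAIRPIN in
!
ip access-list extended SCHOOL-HAIRPIN
 remark constructed example: 192.0.2.9-.15 are the 7 school firewalls
 permit ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 permit ip 192.0.2.8 0.0.0.7 192.0.2.8 0.0.0.7
 deny   ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
 permit ip any any
```

The proxy-ARP reply itself is not ACL-controlled in this configuration; the ACL governs the forwarded traffic, and the first permit keeps the customers' path to the router's own address open.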