[nsp] Colo DC setup
Alexandre Snarskii
snar at paranoia.ru
Tue Dec 9 07:50:02 EST 2003
On Mon, Dec 08, 2003 at 03:22:22PM +0000, Sven Huster wrote:
> Hello
>
> I'm trying to design a new network for our colo/dedicated server customers.
> What we are going to get will be most probably 2x 6500s for the
> core/distribution and 2950s for the access layer. So the customers' servers
> will be connected to the 2950s, which have 1 uplink to each of the 6500s
> running HSRP.
> The 6500s will also be connected to our upstream ISPs as well as peers
> running BGP.
> Guess the 6500s will run native IOS and the 2950s the EI.
>
> We got a /19 which is split into /24s, where the customers' servers are.
>
> What I wanted to do then is to isolate the customers' servers
> as much as possible, with the option to enable communication where necessary.
>
> I read about PVLAN and protected ports but can't really fit this together 100%.
>
> Can someone outline how to configure the 6500s and the 2950s to work
> in the described setup, please?
Hi!
Unfortunately, private VLANs on cat65xx and private VLAN edge on 2950
are not compatible.
The best setup you can reach is this one:
Clients can't send any traffic to each other directly.
If they need to communicate, they can, but only with unicast traffic,
and any packet between clients goes through your 6500.
Broadcast traffic from any client reaches only the cat6500.
To set this up, you need:
On the cat65xx you must configure one VLAN per access switch.
Then configure the VLAN interface as:
    interface Vlan XX
     ip address ...
     standby ...
     ip local-proxy-arp
Note the last command: this allows your 6500 to answer broadcast
ARP queries for the local network. So, if client A wants to send a packet
to client B on the same VLAN, it gets an ARP reply from the 6500, with the 6500's
MAC address.
On the cat29xx you configure ports as:
    interface FastEthernet 0/y
     switchport mode access
     switchport access vlan XX
     switchport protected          (or "port protected" on 2924xl/3524xl)
Uplink trunks are configured just as usual:
    interface GigabitEthernet 0/x
     switchport trunk encapsulation dot1q
     switchport mode trunk
So, in this configuration the trunk port is the only port through which packets from
protected ports may exit the switch.
>
> I guess I create a primary VLAN e.g. for the subnet 10.1.1.0/24
> (pvlan-10-1-1) and assign a secondary VLAN (svlan-10-1-1) to it and
> use VLAN ACLs to deny traffic between the servers.
> Do I need to create only one secondary for all the machines in
> the primary or do I need to break it down more than that?
>
> Also, as far as I understand, I configure the server ports on the 2950s
> as protected and the trunks not.
>
> But how do I configure the VLAN membership on the 2950s? Primary or
> secondary VLAN?
>
> How will the traffic flow? Will it be part of the primary VLAN once
> it left the 2950 or will it be carried on the secondary?
>
> How will broadcast traffic be handled?
>
> Many thanks
> Kind regards
> --
> Sven
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
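The isolation Alexandre describes holds only if every customer-facing 2950 port carries "switchport protected", the uplink trunk does not, and every customer SVI on the 6500 has "ip local-proxy-arp" (plus HSRP). A single port missing the protected flag silently reopens direct client-to-client traffic on that switch. The following script is an added example, not code from the list post or from Cisco: it parses IOS-style interface blocks and reports exactly those deviations. The two configs embedded in it are constructed samples, and the interface names and VLAN numbers are hypothetical.

```python
"""Audit access-switch and core configs for the protected-port / local-proxy-arp
isolation setup from the thread. Added example with constructed sample configs."""
import re
from typing import Dict, Iterable, List

# Constructed sample running-config of a 2950 access switch (not real device output).
# FastEthernet0/2 deliberately lacks "switchport protected" so the audit has something to find.
ACCESS_SWITCH_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 101
 switchport protected
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 101
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 102
 switchport protected
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""

# Constructed sample 6500 SVI fragment; Vlan102 deliberately lacks ip local-proxy-arp.
CORE_CONFIG = """\
interface Vlan101
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 ip local-proxy-arp
!
interface Vlan102
 ip address 10.1.2.2 255.255.255.0
 standby 2 ip 10.1.2.1
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into {interface name: [its indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any global-mode line ends the interface block
    return interfaces


def audit_access_switch(config: str, customer_vlans: Iterable[int]) -> List[str]:
    """Flag customer access ports that are not protected (clients could talk directly)
    and trunks that are protected (would cut every client off from the 6500)."""
    customer_vlans = set(customer_vlans)
    findings: List[str] = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        protected = "switchport protected" in lines
        vlan = None
        for l in lines:
            m = re.match(r"switchport access vlan (\d+)$", l)
            if m:
                vlan = int(m.group(1))
        if mode == "access" and vlan in customer_vlans and not protected:
            findings.append(f"{name}: access port in VLAN {vlan} is not protected")
        if mode == "trunk" and protected:
            findings.append(f"{name}: trunk must not be protected")
    return findings


def audit_core(config: str, customer_vlans: Iterable[int]) -> List[str]:
    """Flag customer SVIs missing ip local-proxy-arp (clients in that VLAN cannot reach
    each other through the 6500) or missing HSRP."""
    findings: List[str] = []
    interfaces = parse_interfaces(config)
    for vlan in sorted(set(customer_vlans)):
        lines = interfaces.get(f"Vlan{vlan}")
        if lines is None:
            findings.append(f"Vlan{vlan}: no SVI on the core")
            continue
        if "ip local-proxy-arp" not in lines:
            findings.append(f"Vlan{vlan}: SVI lacks 'ip local-proxy-arp'")
        if not any(l.startswith("standby ") for l in lines):
            findings.append(f"Vlan{vlan}: SVI has no HSRP 'standby' configuration")
    return findings


if __name__ == "__main__":
    for finding in audit_access_switch(ACCESS_SWITCH_CONFIG, [101, 102]):
        print("access:", finding)
    for finding in audit_core(CORE_CONFIG, [101, 102]):
        print("core:", finding)
```

The check assumes the layout the post prescribes, one VLAN per access switch: "switchport protected" only blocks traffic between ports of the same switch, so if a customer VLAN were ever stretched across two 2950s the audit would pass while clients on different switches could still exchange frames over the trunk.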