[nsp] Colo DC setup

Sven Huster sven at huster.me.uk
Tue Dec 9 08:52:23 EST 2003


On Tue, Dec 09, 2003 at 03:50:02PM +0300, Alexandre Snarskii wrote:
> On Mon, Dec 08, 2003 at 03:22:22PM +0000, Sven Huster wrote:
> > Hello
> > 
> > I'm trying to design a new network for our colo/dedicated server customers.
> > What we are going to get will be most probably 2x 6500s for the 
> > core/distribution and 2950s for the access layer. So the customers servers 
> > will be connected to the 2950s which got 1 uplink to each of the 6500s 
> > running HSRP.
> > The 6500s will also be connected to our upstream ISPs as well as peers 
> > running BGP.
> > Guess the 6500s will run native IOS and the 2950 the EI.
> > 
> > We got a /19 which is split into /24s where the customers servers are on.
> > 
> > What I wanted to do then is to isolate the customers' servers 
> > as much as possible with the option to enable communication where necessary.
> > 
> > I read about PVLAN and protected ports but can't really fit this together 100%.
> > 
> > Can someone outline how-to configure the 6500s and the 2950s to work 
> > in the described setup, please?
> 
> Hi!
> 
> Unfortunately, private vlans on cat65xx and private vlan edge on 2950
> are not compatible. 

:-( 

> The best setup you can reach is that one: 
> Clients can't send any traffic to each other directly. 
> If they need to communicate - they can, but only with unicast traffic,
> and, any packet between clients goes through your 6500. 

Which is ok for me. It should not be the usual case that the connected hosts need to communicate directly, as for this purpose we might introduce a "private LAN" option. This is more a workaround for special cases.

> Broadcast traffic from any client reaches only cat6500. 
> 
> To set up this, you need: 
> on the cat65xx you must configure one vlan per each access switch. 
> then, configure vlan interface as: 
> 
> interface vlanXX 
>  ip address ... 
>  standby .... 
>  ip local-proxy-arp 

The thing is that a switch might have only 20 hosts connected to it with 1 IP each.
So would that mean I'd have to split my /24 in smaller subnets, which does not look like a good option to me, or could I use VLAN ACLs to block the traffic between different switches on the same /24?

Sven
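The setup Alexandre sketches above, written out as a constructed example that is not from the original thread: one VLAN per access switch on the 6500s, the SVI running HSRP with ip local-proxy-arp, and protected ports on the 2950 customer ports. VLAN number, addresses, priorities and interface names are placeholders; the 2950 side is my assumption of how the "private vlan edge" half is configured.

```cisco
! === Catalyst 6500 #1 (native IOS): one SVI per access switch ===
! VLAN 110 and 192.0.2.0/24 are constructed placeholders.
vlan 110
 name access-switch-A
!
interface Vlan110
 ip address 192.0.2.2 255.255.255.0
 ! Answer ARP requests for hosts in this subnet with the SVI's own MAC.
 ! Protected ports stop clients seeing each other's ARP, so without this
 ! two servers on the same /24 could not reach each other at all; with it,
 ! client-to-client unicast is routed through the 6500, where it can be
 ! filtered, and client broadcasts only ever reach the 6500.
 ip local-proxy-arp
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
!
! === Catalyst 6500 #2: same SVI, lower HSRP priority ===
interface Vlan110
 ip address 192.0.2.3 255.255.255.0
 ip local-proxy-arp
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
!
! === Catalyst 2950 (access switch A) ===
! Uplinks toward the two 6500s stay unprotected so every customer port
! can still reach the router.
interface GigabitEthernet0/1
 switchport access vlan 110
 switchport mode access
!
! Customer server ports: a protected port never forwards frames
! (unicast, broadcast or multicast) to another protected port on the
! same switch, only to unprotected ports such as the uplinks.
interface range FastEthernet0/1 - 24
 switchport access vlan 110
 switchport mode access
 switchport protected
 spanning-tree portfast
```

Protected ports are local to one switch, which is why the design needs a separate VLAN and SVI per access switch: servers on two different 2950s in the same VLAN would still talk to each other directly across the 6500's layer-2 path.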

