[c-nsp] Private VLAN questions.

Chris Cappuccio chris at nmedia.net
Thu Aug 4 13:44:27 EDT 2005


Why not put the schools on their own VLAN and configure the DSLAM to not
filter ARP/to fully bridge for that VLAN?

Matthew Crocker [matthew at crocker.com] wrote:
> 
> Hello,
> 
>   I have a couple Ethernet based DSLAMs which are pushing T1/SHDSL/
> ADSL service to customers and bridging Ethernet over the circuits.
> Each group of customers (I have 30 schools in one group) is mapped
> to a VLAN on a GigE upstream interface.  The DSLAM is configured to
> only pass ARP requests through the uplink interface so one customer
> can't see another customer's ARP requests.  This, from my
> understanding, is what Private VLAN does.  The DSLAM is *not* a Cisco
> product.  The GigE interface is connected to a Cisco 12000 GigE port
> and I configure sub-interfaces on the port per VLAN.  Each VLAN has
> an appropriately sized IP subnet to handle the customers on the
> VLAN.  Everything is working fine but some customers want to be able
> to talk to each other.  For example, I have a school district with 7
> schools; they want to establish a VPN between all of the schools.
> All of the schools are on the same VLAN using the same IP subnet.
> When the School A firewall sends an ARP request out to look for the
> School B MAC address, the ARP will never reach School B. It will only
> be passed upstream to the Cisco 12000.  Ideally I would want the
> inter-school traffic to be switched at the DSLAM instead of routed by
> the router, which is 40 miles away.  There is no need for the
> inter-school traffic to leave the DSLAM (with the exception of the
> ARP requests) and eat up GigE backbone bandwidth.
> 
> 
> Questions:
> 
> How do I configure the Cisco 12000 to respond to those ARP requests
> and send the MAC address for School B to School A when it asks?
> Can I put an ACL on the configuration so it will only ARP for certain
> IPs?
> 
> --
> Matthew S. Crocker
> Vice President
> Crocker Communications, Inc.
> Internet Division
> PO BOX 710
> Greenfield, MA 01302-0710
> http://www.crocker.com
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
"Attacks always get better; they never get worse."
  -- "Old NSA saying"
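As an added illustration (not configuration from this thread or from either poster), here are the two router-side options the question raises, assuming the 12000 uplink is GigabitEthernet1/0 and that its IOS supports `ip local-proxy-arp`; the VLAN IDs, addresses and ACL name are constructed placeholders, and the vendor-specific DSLAM side is not shown.

```cisco
! Added example, not configuration from the original thread. Assumes the
! Cisco 12000 uplink is GigabitEthernet1/0; VLAN 710/700, the subnets and
! the ACL name are constructed placeholders. The DSLAM side is not shown.
!
! Option 1 (the approach suggested above): a dedicated, fully bridged VLAN
! for the district. The router change is only a new sub-interface; the
! DSLAM carries ARP between the schools, so inter-school traffic never
! touches the 40-mile backbone. Every school in VLAN 710 can now reach
! every other school at layer 2, so the per-customer isolation of the
! shared VLAN no longer applies inside this VLAN (acceptable here because
! the members are one district that wants to talk to each other anyway).
interface GigabitEthernet1/0.710
 description District schools - dedicated VLAN, DSLAM bridges fully
 encapsulation dot1Q 710
 ip address 192.0.2.1 255.255.255.0
!
! Option 2: keep the schools on the isolated customer VLAN and let the
! router answer ARP for hosts inside its own subnet. Note what this does
! and does not do: the router replies with its OWN MAC address, never with
! School B's, so School A's packets go to the router and are routed back
! out the same sub-interface. That hairpin keeps the traffic on the
! backbone (the opposite of the stated goal) but restores reachability
! without touching the DSLAM. Redirects are disabled because the router
! would otherwise tell School A to reach School B directly, which the
! DSLAM's ARP filtering makes impossible.
interface GigabitEthernet1/0.700
 description Shared customer VLAN - isolated at the DSLAM
 encapsulation dot1Q 700
 ip address 198.51.100.1 255.255.255.0
 ip local-proxy-arp
 no ip redirects
 ip access-group CUSTOMER-VLAN-700 in
!
! ip local-proxy-arp has no ACL of its own: it answers for any address in
! the sub-interface's subnet. Restrict the hairpinned traffic instead, so
! only the district's schools can reach each other and the other customers
! on the VLAN stay isolated from one another. Addresses are constructed;
! 198.51.100.16/29 stands for the seven schools' firewall addresses.
ip access-list extended CUSTOMER-VLAN-700
 remark permit district schools to each other (constructed addresses)
 permit ip 198.51.100.16 0.0.0.7 198.51.100.16 0.0.0.7
 remark block any other customer-to-customer hairpin within the subnet
 deny   ip 198.51.100.0 0.0.0.255 198.51.100.0 0.0.0.255
 remark normal traffic to everything outside the subnet
 permit ip 198.51.100.0 0.0.0.255 any
```

Neither option makes the router hand out another host's MAC address, which is what the question literally asks for; Option 1 is the only one that actually keeps inter-school traffic off the backbone.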

