[c-nsp] Private VLAN questions.

Matthew Crocker matthew at crocker.com
Thu Aug 4 13:51:19 EDT 2005


> Why not put the schools on their own VLAN and configure the DSLAM to not
> filter ARP/to fully bridge for that VLAN.


All schools are in the same VLAN, they share applications and have
inter-school and inter-school-district traffic. The DSLAM is
currently configured to fully bridge the traffic but that opens up
issues when a mis-informed school IT director (you know the type,
the physics teacher that knows where the power is) mis-configures
their firewall and steps all over the default gateway. I have the
schools all working but had an outage where one school took down
another school because they started ARPing for the wrong IP
addresses. Private VLAN will protect against that. I'm trying to
avoid hard coding ARP tables in the school firewalls which are a mix
of home-brew Linux, SonicWall and Novell Border Manager.

-Matt


--
Matthew S. Crocker
Vice President
Crocker Communications, Inc.
Internet Division
PO BOX 710
Greenfield, MA 01302-0710
http://www.crocker.com


