[c-nsp] PVLAN
Mathias.Kenfack-Tabakem at TelecityRedbus.com
Tue Jun 27 07:12:11 EDT 2006
Hi Guys,
I recently changed my network from Foundry BigIron8000 to Cisco 7609. My
setup is not complicated - two 7609(WS-SUP720-3BXL with WS-F6700-DFC3BXL
equipped line cards) running BGP with 7 carriers across two sites. I
also have a few 3750G. I have two peering LANs and on them I have my
carriers and some transit customers peering with me and some peering
with my carriers using the peering LAN. Note that there are two /24 in
total (one for each peering LAN - so each carrier, transit customers and
myself is given one IP address per connection with a mask of /24).
The Foundry boxes used to fall over when a customer pushed around 100M.
Although that problem is resolved with the Cisco gear, it has created
one that I did not have before.
I used mac-filters on Foundry for layer2 security. It allowed me to
apply the "mac access-group" command to physical interfaces and it
worked like a charm. All I want is to replicate that onto the 7609. But
it doesn't work.
I tried mac filters on 7609 but they can only be applied to vlan
interfaces. Cisco told me PVLAN was designed for that but my setup is a
bit different so it does not work since traffic is not allowed between
Isolated ports and also between different Community ports. Do you guys
know of a way I could achieve layer2 security based on mac addresses?
Port security is not the solution. My options are limited and I do not
want to redesign the network to get rid of the peering LANs. Any
pointer is most welcome.
Mathias,