[c-nsp] pvlan (Private Vlan) setup question

[Erik Witkop]

So I have two 3750 (no stackwise) that uplink to a 6509.

I have setup pvlans on both 3750's and they are working as expected. I 
cannot ping servers on the same 3750 switch.
But of course if the servers try to communicate with another server on 
the OTHER 3750 switch, the ping is successful (traveling via the uplink 
to distribution).
I know that pvlans only work local to the switch it is configured on.

So I need a way to block that 3750-to-3750 communication on the 
distribution layer.

My distribution switch is a 6509 (sup720). I was hoping to see if I 
could use 'switchport protected' as a quick one liner so that each 
downlink to the 3750's would not be able to communicate.
But that is only on the 3550, I think.

Any ideas?

3750 config:

!
vlan 666 
 name isolated-vlan
  private-vlan isolated
!
vlan 810
 name promiscous-vlan
  private-vlan primary
  private-vlan association 666
!
interface GigabitEthernet2/0/30
 description xxxxxxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!        
interface GigabitEthernet2/0/31
description xxxxxxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!
interface TenGigabitEthernet2/0/1
 description Uplink to 6509
 switchport private-vlan mapping 810 666
 switchport mode private-vlan promiscuous
 speed nonegotiate
 spanning-tree guard loop

Now if I use pvlans on the 6509, those downlinks would have to be 
promiscous ports I think. And that probably would achieve the 3750-3750 
blocking that I want.

Any thoughts?


p.s. I would rather not use VACL's as that could get administratively 
tiring.