[c-nsp] pvlan (Private Vlan) setup question

Bøvre Jon Harald Jon.Harald.Bovre at hafslund.no
Fri Jul 9 09:01:52 EDT 2010 

Had the same problem a few years ago.
Was solved using a separate vlan for each switch (we had 3500XL CPE)
Scale to a few hundred CPE switches
Support for ip unnumbered from SXF

6500

Int vl 100
Ip add 10.10.10.1 255.255.255.0

Int vlan 200
Desc CPE switch 1
Ip unnumbered vlan 100
Ip local proxy-arp (ip proxy-arp local??)

Int vlan 201
Desc CPE switch 2
Ip unnumbered vlan 100
Ip local proxy-arp (ip proxy-arp local??)


3750 
Use ordinary private vlan config, using separate vlan on each switch

Jon Harald Bøvre

-----Opprinnelig melding-----
Fra: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] På vegne av Erik Witkop
Sendt: 9. juli 2010 14:35
Til: cisco-nsp at puck.nether.net
Emne: [c-nsp] pvlan (Private Vlan) setup question

So I have two 3750 (no stackwise) that uplink to a 6509.

I have setup pvlans on both 3750's and they are working as expected. I 
cannot ping servers on the same 3750 switch.
But of course if the servers try to communicate with another server on 
the OTHER 3750 switch, the ping is successful (traveling via the uplink 
to distribution).
I know that pvlans only work local to the switch it is configured on.

So I need a way to block that 3750-to-3750 communication on the 
distribution layer.

My distribution switch is a 6509 (sup720). I was hoping to see if I 
could use 'switchport protected' as a quick one liner so that each 
downlink to the 3750's would not be able to communicate.
But that is only on the 3550, I think.

Any ideas?

3750 config:

!
vlan 666 
 name isolated-vlan
  private-vlan isolated
!
vlan 810
 name promiscous-vlan
  private-vlan primary
  private-vlan association 666
!
interface GigabitEthernet2/0/30
 description xxxxxxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!        
interface GigabitEthernet2/0/31
description xxxxxxx
 switchport private-vlan host-association 810 666
 switchport mode private-vlan host
 spanning-tree portfast
!
interface TenGigabitEthernet2/0/1
 description Uplink to 6509
 switchport private-vlan mapping 810 666
 switchport mode private-vlan promiscuous
 speed nonegotiate
 spanning-tree guard loop

Now if I use pvlans on the 6509, those downlinks would have to be 
promiscous ports I think. And that probably would achieve the 3750-3750 
blocking that I want.

Any thoughts?


p.s. I would rather not use VACL's as that could get administratively 
tiring.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list