[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 19 09:38:27 EDT 2011
All,

We've got a pair of Cisco 6500/sup720 serving as our datacentre
collapsed routing/distribution.

Servers are attached to downstream Foundry/Brocade devices, and possibly
other dumb/cheap devices in future.

Can I use private VLANs in this case to isolate customers and avoid
burning 5 IPs (network, broadcast, HSRP master, slave & vip)
per-customer? I do *not* want to stop customers talking to each other at
layer3 - just get some degree of isolation (including the "sticky arp").

I think I can't, because 12.2(33)SXI seems to lack "switchport mode
private-vlan trunk". Is this correct?

What I want to do is:

vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 60
 name all-customers
 private-vlan primary
 private-vlan assoc 600,601
int Te1/1
 switchport mode trunk
 switchport trunk allowed vlan 600,601
int Vl60
 ip address ...
 private-vlan mapping ... 600,601
 ip local-proxy-arp

Cheers,
Phil