[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)
Pavel Skovajsa
pavel.skovajsa at gmail.com
Tue Apr 19 10:09:55 EDT 2011
In order to make use of this design the downstream switches (where you
connect the customer devices) would need to understand private-vlans in
order to join the primary (downstream) and secondary (upstream) traffic. For
that to work you would also need to allow the primary vlan on the Te1/1
trunk. You would not really need the "private-vlan trunk" feature; you can
transport them on a normal trunk port (and join them on the access switch).
The "private-vlan trunk" feature is useful in a scenario where one port
(Te1/x) belongs to one customer and you are handing over multiple secondary
vlans over that port. This does not seem to be your case. BTW I believe it is
supported on latest CatOS...:)
-pavel skovajsa
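To make the point above concrete, here is a constructed configuration (added for illustration; it is not part of either message) showing the primary VLAN carried on the 6500 trunk together with the secondaries, and a private-VLAN-aware access switch joining them on a host port. The access-switch port names Gi0/1 and Gi0/24, and the RFC 5737 example address, are assumptions.

```cisco
! 6500 / sup720: secondaries are defined before the primary that associates them.
vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 60
 name all-customers
 private-vlan primary
 private-vlan association 600,601
!
! Trunk to the access switch: the primary VLAN 60 must be allowed as well,
! since downstream (router-to-host) traffic is carried in the primary and
! upstream (host-to-router) traffic in the secondary VLAN.
interface TenGigabitEthernet1/1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 60,600,601
!
interface Vlan60
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 600,601
 ip local-proxy-arp
!
! Access switch (must itself support private VLANs; same vlan definitions).
! Gi0/1 is assumed to be a customer-1 server port: it is bound to the
! primary/secondary pair so the two directions of traffic are rejoined here.
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport private-vlan host-association 60 600
!
! Uplink toward the 6500: an ordinary trunk, no "private-vlan trunk" needed.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 60,600,601
```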
On Tue, Apr 19, 2011 at 3:38 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> All,
>
> We've got a pair of Cisco 6500/sup720 serving as our datacentre collapsed
> routing/distribution.
>
> Servers are attached to downstream Foundry/Brocade devices, and possibly
> other dumb/cheap devices in future.
>
> Can I use private VLANs in this case to isolate customers and avoid burning
> 5 IPs (network, broadcast, HSRP master, slave & vip) per-customer? I do
> *not* want to stop customers talking to each other at layer3 - just get some
> degree of isolation (including the "sticky arp").
>
> I think I can't, because 12.2(33)SXI seems to lack "switchport mode
> private-vlan trunk". Is this correct?
>
> What I want to do is:
>
> vlan 600
>  name customer-1
>  private-vlan community
> vlan 601
>  name customer-2
>  private-vlan community
> vlan 60
>  name all-customers
>  private-vlan primary
>  private-vlan assoc 600,601
>
> int Te1/1
>  switchport mode trunk
>  switchport trunk allowed vlan 600,601
>
> int Vl60
>  ip address ...
>  private-vlan mapping ... 600,601
>  ip local-proxy-arp
>
>
> Cheers,
> Phil