[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

Pavel Skovajsa pavel.skovajsa at gmail.com
Tue Apr 19 10:09:55 EDT 2011


In order to make use of this design the downstream switches (where you
connect the customer devices) would need to understand private-vlans in
order to join the primary (downstream) and secondary (upstream) traffic. For
that to work you would also need to allow the primary vlan on the Te1/1
trunk. You would not really need the "private-vlan trunk" feature; you can
transport them on a normal trunk port (and join them on the access switch).

The "private-vlan trunk" feature is useful in a scenario where one port
(Te1/x) belongs to one customer and you are handing over multiple secondary
vlans over that port. This seems like it is not your case. BTW I believe it is
supported on the latest CatOS...:)

-pavel skovajsa

On Tue, Apr 19, 2011 at 3:38 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> All,
>
> We've got a pair of Cisco 6500/sup720 serving as our datacentre collapsed
> routing/distribution.
>
> Servers are attached to downstream Foundry/Brocade devices, and possibly
> other dumb/cheap devices in future.
>
> Can I use private VLANs in this case to isolate customers and avoid burning
> 5 IPs (network, broadcast, HSRP master, slave & vip) per-customer? I do
> *not* want to stop customers talking to each other at layer3 - just get some
> degree of isolation (including the "sticky arp").
>
> I think I can't, because 12.2(33)SXI seems to lack "switchport mode
> private-vlan trunk". Is this correct?
>
> What I want to do is:
>
> vlan 600
>  name customer-1
>  private-vlan community
> vlan 601
>  name customer-2
>  private-vlan community
> vlan 60
>  name all-customers
>  private-vlan primary
>  private-vlan assoc 600,601
>
> int Te1/1
>  switchport mode trunk
>  switchport trunk allowed vlan 600,601
>
> int Vl60
>  ip address ...
>  private-vlan mapping ... 600,601
>  ip local-proxy-arp
>
>
> Cheers,
> Phil
>
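As an added illustration of Pavel's point about the primary vlan having to ride the same trunk as the secondaries (this script is not from the thread, from Cisco, or from either poster), here is a small offline audit that parses an IOS-style config, rebuilds the private-vlan associations, and flags a trunk that allows a secondary vlan without its primary, or an SVI whose private-vlan mapping misses an associated secondary. The embedded config is a constructed sample based on the one Phil posted, with the abbreviated commands expanded, the elided ip address replaced by a documentation-range placeholder, and the "fixed" variant assumed to simply add vlan 60 to the trunk's allowed list.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's config with "int"/"assoc" written out in
# full and a placeholder address. As posted, the trunk allows only the
# secondary vlans, which is the gap Pavel points out.
BROKEN_CONFIG = """\
vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 60
 name all-customers
 private-vlan primary
 private-vlan association 600,601
!
interface TenGigabitEthernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 600,601
!
interface Vlan60
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 600,601
 ip local-proxy-arp
"""

# Assumed fix: allow the primary vlan on the trunk alongside the secondaries.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "switchport trunk allowed vlan 600,601",
    "switchport trunk allowed vlan 60,600,601")


def expand_vlan_list(spec):
    """Expand an IOS vlan list such as '60,600-601' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_config(text):
    """Collect pvlan roles and associations, trunk allowed lists, and SVI mappings."""
    role = {}                 # vlan id -> 'primary' | 'community' | 'isolated'
    assoc = defaultdict(set)  # primary id -> associated secondary ids
    trunks = {}               # interface -> allowed vlan set (None = all vlans)
    svi_map = {}              # primary id -> secondaries mapped on its SVI
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"vlan (\d+)$", line)
        if m:
            section = ("vlan", int(m.group(1)))
            continue
        m = re.match(r"int(?:erface)? (\S+)$", line)
        if m:
            section = ("interface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "vlan":
            m = re.match(r"private-vlan (primary|community|isolated)$", line)
            if m:
                role[name] = m.group(1)
            m = re.match(r"private-vlan assoc\w* (.+)$", line)   # 'assoc' or 'association'
            if m:
                assoc[name] |= expand_vlan_list(m.group(1))
        else:
            if line == "switchport mode trunk":
                trunks.setdefault(name, None)
            m = re.match(r"switchport trunk allowed vlan (.+)$", line)
            if m:
                trunks[name] = expand_vlan_list(m.group(1))
            m = re.match(r"private-vlan mapping (.+)$", line)
            svi = re.match(r"(?:vlan|vl)(\d+)$", name.lower())
            if m and svi:
                svi_map[int(svi.group(1))] = expand_vlan_list(m.group(1))
    return role, assoc, trunks, svi_map


def audit(text):
    """Return findings as strings; an empty list means the pvlan setup is consistent."""
    role, assoc, trunks, svi_map = parse_config(text)
    primary_of = {sec: pri for pri, secs in assoc.items() for sec in secs}
    findings = []
    for iface, allowed in trunks.items():
        if allowed is None:
            continue  # trunk carries every vlan, so the primary is on it too
        for sec in sorted(allowed):
            pri = primary_of.get(sec)
            if pri is not None and pri not in allowed:
                findings.append(f"{iface}: secondary vlan {sec} allowed but primary vlan "
                                f"{pri} is not; downstream switch cannot join the traffic")
    for pri, secs in assoc.items():
        missing = secs - svi_map.get(pri, set())
        if missing:
            findings.append(f"Vlan{pri}: secondaries {sorted(missing)} associated "
                            f"but not in the SVI private-vlan mapping")
    for sec, pri in primary_of.items():
        if role.get(sec) not in ("community", "isolated"):
            findings.append(f"vlan {sec}: associated with primary {pri} "
                            f"but not declared community or isolated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("primary allowed", FIXED_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit(cfg) or ["no findings"]:
            print(finding)
```

Run it as-is and the posted variant produces one finding per secondary on Te1/1, while the variant with vlan 60 added to the allowed list comes back clean; the parser only understands the handful of commands used in the thread, so treat it as a check on this design rather than a general IOS linter.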