[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

schilling schilling2006 at gmail.com
Tue Apr 19 10:38:01 EDT 2011


You just need the primary vlan on the Catalyst 6500; basically the 6500 is
not aware of the private vlans' existence. Then the private vlans go on the
access switch.

The following is one of my old posts.
The promisc port has to be an access port. So you need a loopback cable on
your access switch, with two vlan numbers for your primary vlan. For
example vlan 140 and vlan 141: then your link to distribution will
still be vlan 140 (with the other vlans trunked), but one end of the loopback cable would be
access vlan 140, and the other end of the loopback cable will be access
vlan 141. You can then set vlan 141 to be your primary vlan, and the
end with access vlan 141 to be the promisc port. So you have to use a
loopback cable and two ports. Foundry/Brocade is the same way too.

Schilling



On Tue, Apr 19, 2011 at 9:38 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> All,
>
> We've got a pair of Cisco 6500/sup720 serving as our datacentre collapsed
> routing/distribution.
>
> Servers are attached to downstream Foundry/Brocade devices, and possibly
> other dumb/cheap devices in future.
>
> Can I use private VLANs in this case to isolate customers and avoid burning
> 5 IPs (network, broadcast, HSRP master, slave & vip) per customer? I do
> *not* want to stop customers talking to each other at layer 3 - just get some
> degree of isolation (including the "sticky arp").
>
> I think I can't, because 12.2(33)SXI seems to lack "switchport mode
> private-vlan trunk". Is this correct?
>
> What I want to do is:
>
> vlan 600
>  name customer-1
>  private-vlan community
> vlan 601
>  name customer-2
>  private-vlan community
> vlan 60
>  name all-customers
>  private-vlan primary
>  private-vlan assoc 600,601
>
> int Te1/1
>  switchport mode trunk
>  switchport trunk allowed vlan 600,601
>
> int Vl60
>  ip address ...
>  private-vlan mapping ... 600,601
>  ip local-proxy-arp
>
>
> Cheers,
> Phil
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
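The loopback-cable arrangement Schilling describes, written out in Cisco IOS syntax as an added illustration (it is not configuration from either poster, and it was not tested against the 12.2(33)SXI 6500 in question). It reuses Phil's community VLANs 600/601 and Schilling's 140/141 numbering; the interface names, VLAN names and the 192.0.2.0/24 documentation address are assumptions made here. The 6500 side carries only an ordinary VLAN 140 and its SVI, which is the point of the trick: all private-VLAN awareness stays on the access switch.

```cisco
! ===== Access switch (assumed interface names; private VLANs need VTP transparent mode on IOS) =====
vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 141
 name customers-primary
 private-vlan primary
 private-vlan association 600,601
vlan 140
 name customers-uplink
!
! Uplink to the 6500 pair: a plain trunk. VLAN 140 is carried like any other VLAN;
! the 6500 never sees 141, 600 or 601.
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 140
!
! Loopback cable, end A: an ordinary access port in the uplink VLAN 140.
interface GigabitEthernet1/0/23
 switchport mode access
 switchport access vlan 140
!
! Loopback cable, end B: the promiscuous port of primary VLAN 141.
! Everything the community ports send toward the gateway exits here, crosses the
! cable into VLAN 140 and rides the trunk to the 6500 SVI.
interface GigabitEthernet1/0/24
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 141 600,601
!
! Customer-facing host ports: each customer lands in its own community VLAN, so
! customer-1 and customer-2 cannot reach each other at layer 2.
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport private-vlan host-association 141 600
interface GigabitEthernet1/0/3
 switchport mode private-vlan host
 switchport private-vlan host-association 141 601
!
! ===== 6500 pair: no private-VLAN configuration at all (address is a documentation-range placeholder) =====
vlan 140
 name all-customers
interface Vlan140
 ip address 192.0.2.1 255.255.255.0
 ip local-proxy-arp
```

With this layout every customer shares one subnet and one gateway on VLAN 140, so the five-addresses-per-customer cost Phil mentions disappears. Because the community VLANs block each other at layer 2, the only path between customer-1 and customer-2 is through the SVI: `ip local-proxy-arp` makes the 6500 answer ARP for hosts in its own subnet, so the inter-customer traffic Phil still wants is routed rather than switched, and can be filtered or logged at the SVI like any other routed traffic. Two practical checks before relying on this: the loopback pair is the single path for all customer traffic to the gateway, so its port speed is the ceiling for the whole primary VLAN; and the two loopback ports sit in different VLANs on the same switch, so verify the spanning-tree state of both ports after cabling rather than assuming they come up forwarding.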
