[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

Pavel Skovajsa pavel.skovajsa at gmail.com
Tue Apr 19 11:49:19 EDT 2011


On Tue, Apr 19, 2011 at 4:38 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 19/04/11 15:09, Pavel Skovajsa wrote:
>
>> In order to make use of this design the downstream switches (where you
>> connect the customer devices), would need to understand private-vlans in
>> order to join the primary (downstream) and secondary (upstream) traffic.
>
> Well, they don't understand private vlans.
>
>> For that to work you would need to allow also the primary vlan on the
>> Te1/1 trunk. You would not really need the "private-vlan trunk" feature,
>> you can transport them on a normal trunk port (and join them on the
>> access switch).
>>
>> The "private-vlan trunk" feature is useful in a scenario where one port
>> (Te1/x) belongs to one customer and you are handing over multiple
>> secondary vlans over that port. This seems like it is not your case. BTW I
>> believe it is supported on latest CatOS...:)
>
> Really? Because the IOS docs for Cat4500 imply that it is used when the
> downstream switch does not support private vlans:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/pvlans.html#wp1181903

Yes, you are right, the isolated private-vlan trunk would help in this case
as well. Try to look into the latest CatOS 8, I vaguely remember seeing this
feature there.

Otherwise it seems like the option you are left with is either doing an SVI per
customer or doing the loopback cable trick (described above by Shilling) on
the edge devices.

-pavel
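The private-VLAN layout that the two designs in the reply assume, as an added example that is not part of the thread or of either poster's configuration. VLAN 100/101, the interface names, the 192.0.2.0/24 gateway prefix and the port descriptions are all made up for illustration. The isolated-trunk block copies the Cat4500 command syntax from the document Phil links; whether the poster's sup720 IOS release accepts those commands is not established in the thread.

```cisco
! Added example, not from the thread. VLAN IDs, interface names and the
! 192.0.2.0/24 prefix are assumed for illustration only.
!
! Private VLANs on IOS need VTP transparent mode (or VTP version 3).
vtp mode transparent
!
! One primary VLAN carries traffic from the gateway towards every customer;
! one isolated secondary VLAN carries traffic from customers towards the
! gateway. Ports in the isolated VLAN cannot reach each other at layer 2,
! which is the isolation property the whole design relies on.
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! A single SVI in the primary VLAN, mapped to the secondary VLAN so it
! answers for hosts in VLAN 101. This is the "one gateway for all customers"
! case, the alternative to the "SVI per customer" option mentioned above.
interface Vlan100
 description Shared customer gateway (assumed addressing)
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
!
! Equivalent layer-2 handoff to an external router or firewall instead of
! an SVI: a promiscuous port sees both VLANs and may talk to every host.
interface GigabitEthernet1/1
 description Promiscuous port towards external gateway
 switchport
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Pavel's first suggestion: carry BOTH the primary and the secondary VLAN
! over a plain dot1q trunk. The downstream switch then sees two ordinary
! VLANs; putting customer ports in VLAN 101 and re-joining the two VLANs is
! left to that switch, which a switch without private-VLAN support cannot
! do (Phil's objection).
interface TenGigabitEthernet1/1
 description Downstream access switch, plain trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,101
 switchport mode trunk
!
! The isolated private-VLAN trunk from the Cat4500 guide linked in the
! thread: the upstream switch rewrites the primary tag to the secondary tag
! on egress, so the downstream switch only ever sees VLAN 101 and needs no
! private-VLAN support. Syntax as in that Cat4500 guide; acceptance on the
! poster's sup720 release is not settled in the thread.
interface TenGigabitEthernet1/2
 description Downstream access switch, isolated PVLAN trunk
 switchport
 switchport mode private-vlan trunk secondary
 switchport private-vlan association trunk 100 101
!
! Checks: the association and each port's private-VLAN mode should appear in
!   show vlan private-vlan
!   show interfaces TenGigabitEthernet1/1 switchport
!   show interfaces TenGigabitEthernet1/2 switchport
```

The check worth running after either variant is from a customer port on the downstream switch: a host in VLAN 101 should reach 192.0.2.1 and nothing else on the segment, and on the plain-trunk variant it should also be confirmed that the downstream switch is not bridging VLAN 100 and 101 back together on its own access ports.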
