[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

Jon Harald Bøvre jon at bovre.no
Tue Apr 19 13:22:51 EDT 2011


Done similar to this with SXF (for FTTH rollout):

interface vlan xxx (might be possible to use loopback intf)
ip address x.x.x.x 255.255.252.0
ip local-proxy-arp

interface vlan xxx+1
desc server1
ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
ip local-proxy-arp

interface vlan xxx+2
desc server2
ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
ip local-proxy-arp

To avoid burning a VLAN for each server (customer), consider using
"switchport protected" on the access switch (if the feature exists).


Configuration from my head, might contain errors.

Jon H Bøvre



On 19.04.2011 15:38, Phil Mayers wrote:
> All,
>
> We've got a pair of Cisco 6500/sup720 serving as our datacentre 
> collapsed routing/distribution.
>
> Servers are attached to downstream Foundry/Brocade devices, and 
> possibly other dumb/cheap devices in future.
>
> Can I use private VLANs in this case to isolate customers and avoid 
> burning 5 IPs (network, broadcast, HSRP master, slave & vip) 
> per-customer? I do *not* want to stop customers talking to each other 
> at layer3 - just get some degree of isolation (including the "sticky 
> arp").
>
> I think I can't, because 12.2(33)SXI seems to lack "switchport mode 
> private-vlan trunk". Is this correct?
>
> What I want to do is:
>
> vlan 600
>   name customer-1
>   private-vlan community
> vlan 601
>   name customer-2
>   private-vlan community
> vlan 60
>   name all-customers
>   private-vlan primary
>   private-vlan assoc 600,601
>
> int Te1/1
>   switchport mode trunk
>   switchport trunk allowed vlan 600,601
>
> int Vl60
>   ip address ...
>   private-vlan mapping ... 600,601
>   ip local-proxy-arp
>
>
> Cheers,
> Phil
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
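The two designs in this thread (Phil's community private VLANs behind a promiscuous SVI, and Jon's "switchport protected" alternative on the access switch) both rely on the same property: customers cannot exchange frames at layer 2, so every cross-customer packet has to pass through the router's SVI, where ACLs and sticky ARP apply. The following Python model is an added illustration written for this page, not configuration or code from the thread or from Cisco; it encodes the documented PVLAN and protected-port forwarding rules so the isolation matrix can be checked for a constructed set of ports (the host and VLAN names are made up).

```python
"""Layer-2 reachability model for Cisco private VLANs and protected ports.

Added example (not from the cisco-nsp thread).  It captures the forwarding
rules the thread depends on:
  * promiscuous ports (the primary-VLAN SVI, a router uplink) reach everything;
  * community ports reach promiscuous ports and their own community only;
  * isolated ports reach promiscuous ports only;
  * "switchport protected" ports on one switch never reach each other,
    but do reach unprotected ports (typically the uplink).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                     # promiscuous | community | isolated | protected | normal
    secondary: Optional[int] = None   # secondary VLAN id for community/isolated ports


def pvlan_can_forward(src: Port, dst: Port) -> bool:
    """True if a frame from src may be delivered to dst inside one primary VLAN."""
    if src is dst:
        return False
    # A promiscuous port (e.g. the SVI) talks to every port in the primary VLAN.
    if "promiscuous" in (src.mode, dst.mode):
        return True
    # Isolated ports never talk to anything except promiscuous ports.
    if "isolated" in (src.mode, dst.mode):
        return False
    # Community ports talk to each other only within the same community VLAN.
    if src.mode == "community" and dst.mode == "community":
        return src.secondary == dst.secondary
    return False


def protected_can_forward(src: Port, dst: Port) -> bool:
    """Protected-port rule for two ports on the same access switch (Jon's suggestion)."""
    if src is dst:
        return False
    # Two protected ports are mutually blocked; anything involving a normal
    # (unprotected) port, such as the uplink, is forwarded.
    return not (src.mode == "protected" and dst.mode == "protected")


def reachability(ports: List[Port], rule) -> Dict[Tuple[str, str], bool]:
    """Full directed reachability matrix under the given forwarding rule."""
    return {(a.name, b.name): rule(a, b) for a in ports for b in ports if a is not b}


def crosses_router(src: Port, dst: Port, ports: List[Port], rule) -> bool:
    """True if src and dst can only communicate via a promiscuous/unprotected port,
    i.e. the router (and its ACLs, sticky ARP) is guaranteed to be in the path."""
    if rule(src, dst):
        return False
    gateways = [p for p in ports if p.mode in ("promiscuous", "normal")]
    return any(rule(src, g) and rule(g, dst) for g in gateways)


# Constructed sample topology for Phil's design: two customers in community
# VLANs 600 and 601, one promiscuous SVI in primary VLAN 60.
SVI = Port("Vlan60", "promiscuous")
CUST1_A = Port("cust1-srv-a", "community", 600)
CUST1_B = Port("cust1-srv-b", "community", 600)
CUST2_A = Port("cust2-srv-a", "community", 601)
PVLAN_PORTS = [SVI, CUST1_A, CUST1_B, CUST2_A]

# Constructed sample for Jon's protected-port alternative on an access switch.
UPLINK = Port("uplink", "normal")
PROT_1 = Port("cust1-port", "protected")
PROT_2 = Port("cust2-port", "protected")
PROTECTED_PORTS = [UPLINK, PROT_1, PROT_2]


if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PVLAN_PORTS, pvlan_can_forward).items()):
        print(f"pvlan     {a:>12} -> {b:<12} {'L2' if ok else 'blocked'}")
    for (a, b), ok in sorted(reachability(PROTECTED_PORTS, protected_can_forward).items()):
        print(f"protected {a:>12} -> {b:<12} {'L2' if ok else 'blocked'}")
```

Running the block prints both matrices; the point to read off is that `cust1-srv-a -> cust2-srv-a` is blocked at L2 in both models while each side still reaches the SVI or uplink, which is exactly the "isolation without stopping L3" behaviour Phil asked for. The model says nothing about whether a given IOS release supports the trunk mode needed to carry the secondary VLANs to the downstream switches; that remains the open question in the thread.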