[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)
Jon Harald Bøvre
jon at bovre.no
Tue Apr 19 13:22:51 EDT 2011
Done similar to this with SXF (for FTTH rollout):
interface vlan xxx (might be possible to use loopback intf)
 ip address x.x.x.x 255.255.252.0
 ip local-proxy-arp
interface vlan xxx+1
 desc server1
 ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
 ip local-proxy-arp
interface vlan xxx+2
 desc server2
 ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
 ip local-proxy-arp
To avoid burning a VLAN for each server (customer), consider using
"switchport protected" on the access switch (if the feature exists).
Configuration from my head, might contain errors.
Jon H Bøvre
On 19.04.2011 15:38, Phil Mayers wrote:
> All,
>
> We've got a pair of Cisco 6500/sup720 serving as our datacentre
> collapsed routing/distribution.
>
> Servers are attached to downstream Foundry/Brocade devices, and
> possibly other dumb/cheap devices in future.
>
> Can I use private VLANs in this case to isolate customers and avoid
> burning 5 IPs (network, broadcast, HSRP master, slave & vip)
> per-customer? I do *not* want to stop customers talking to each other
> at layer3 - just get some degree of isolation (including the "sticky
> arp").
>
> I think I can't, because 12.2(33)SXI seems to lack "switchport mode
> private-vlan trunk". Is this correct?
>
> What I want to do is:
>
> vlan 600
>  name customer-1
>  private-vlan community
> vlan 601
>  name customer-2
>  private-vlan community
> vlan 60
>  name all-customers
>  private-vlan primary
>  private-vlan assoc 600,601
>
> int Te1/1
>  switchport mode trunk
>  switchport trunk allowed vlan 600,601
>
> int Vl60
>  ip address ...
>  private-vlan mapping ... 600,601
>  ip local-proxy-arp
>
> Cheers,
> Phil
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
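As an added example (not from either poster), a small Python audit of a constructed private-VLAN config modelled on Phil's proposal: it checks that every community/isolated VLAN is associated with a primary, that the primary's SVI carries a private-vlan mapping for each secondary, and that ip local-proxy-arp is present so customers can still reach each other at layer 3 through the SVI. It assumes running-config style headers (interface VlanN) and comma-separated VLAN lists without ranges.

```python
# Constructed sample modelled on the thread's proposal, not a real 6500 dump: the SVI maps only one community and lacks local-proxy-arp.
SAMPLE_CONFIG = """
vlan 600
 name customer-1
 private-vlan community
vlan 601
 name customer-2
 private-vlan community
vlan 60
 name all-customers
 private-vlan primary
 private-vlan association 600,601
interface Vlan60
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 600
"""

def parse_blocks(text):
    """Group indented IOS sub-commands under their 'vlan N' / 'interface X' header."""
    blocks, current = {}, None
    for line in (l for l in text.splitlines() if l.strip()):
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        else:
            blocks.setdefault(current, []).append(line.strip())
    return blocks

def vlans(spec):  # comma-separated IOS VLAN list such as '600,601'; ranges not handled
    return {int(v) for v in spec.split(",")}

def audit_pvlan(text):
    """Return findings as strings; an empty list means the PVLAN layout is consistent."""
    blocks = parse_blocks(text)
    secondaries, primaries = set(), {}
    for vid, lines in ((int(h.split()[1]), b) for h, b in blocks.items() if h.startswith("vlan ")):
        if any(l in ("private-vlan community", "private-vlan isolated") for l in lines):
            secondaries.add(vid)
        for l in lines:
            if l.startswith("private-vlan assoc"):  # full keyword or the 'assoc' abbreviation
                primaries[vid] = vlans(l.split()[-1])
    # A secondary with no primary is just an ordinary VLAN with no isolation at all.
    findings = [f"secondary vlan {s} is not associated with any primary" for s in sorted(secondaries - set().union(*primaries.values()))]
    for p, secs in primaries.items():
        svi = blocks.get(f"interface Vlan{p}", [])
        mapped = set().union(*(vlans(l.split()[-1]) for l in svi if l.startswith("private-vlan mapping ")))
        findings += [f"interface Vlan{p} has no private-vlan mapping for secondary {s}" for s in sorted(secs - mapped)]
        if "ip local-proxy-arp" not in svi:
            findings.append(f"interface Vlan{p} lacks ip local-proxy-arp; hosts in different secondaries cannot reach each other via the SVI")
    return findings
```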