[c-nsp] maintaining 'interesting' traffic on a pvlan isolated port

John Kougoulos john.kougoulos at gmail.com
Thu Oct 24 03:19:32 EDT 2013


To be honest, I don't understand why losing the ARP entry (btw, in 5
minutes?) would make the device unreachable. Perhaps you block the
broadcasts somewhere?

So if you put a static arp on the device, everything works fine?


On Thu, Oct 24, 2013 at 12:18 AM, Jason Lixfeld <jason at lixfeld.ca> wrote:

> Hi all,
> I'm using a combination of port security with static MAC addresses and
> private VLANs on a 4500 in a particular deployment scenario.  Each customer
> facing port on the 4500 is a static-MAC, port-security-enabled private VLAN
> trunk where all the secondary VLANs on this trunk are isolated VLANs.  One
> of these isolated VLANs is being used as a management VLAN which we use to
> manage the end-devices that hang off of these private VLAN trunk ports.
> These end-devices don't generate any traffic on this management VLAN, so
> what winds up happening is after 5 minutes, the ARP entry on these
> end-devices for their default gateway (an SVI on the 4500) is expired from
> the ARP table and the end-device becomes unreachable.  Not being able to
> access a device on its management interface is, well, bad for management.
> The question is what to do about it.
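To make the deployment Jason describes concrete, here is an added illustration of what the 4500 side could look like in IOS configuration syntax. It is not configuration from the original post: the VLAN numbers, IP addresses, MAC address and interface name are assumptions. Because an isolated VLAN needs its own primary VLAN, it uses one primary/isolated pair for customer traffic and a second pair for the management VLAN, and it ends with the static-ARP check John asks about, done on the switch side.

```text
! Added example, not from the original post. VLAN numbers, addresses,
! the MAC address and the interface name are assumptions.
!
! Primary/isolated pair for customer traffic
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! Primary/isolated pair for the management VLAN
vlan 200
 private-vlan primary
 private-vlan association 201
vlan 201
 private-vlan isolated
!
! Management SVI: the end-devices' default gateway, mapped to the
! isolated management VLAN so it can talk to hosts on isolated ports
interface Vlan200
 ip address 10.0.0.1 255.255.255.0
 private-vlan mapping 201
!
! Customer-facing port: isolated PVLAN trunk carrying both secondary
! VLANs, with port security pinned to the end-device's MAC per VLAN
interface GigabitEthernet1/1
 switchport mode private-vlan trunk secondary
 switchport private-vlan trunk allowed vlan 101,201
 switchport private-vlan association trunk 100 101
 switchport private-vlan association trunk 200 201
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455 vlan 101
 switchport port-security mac-address 0011.2233.4455 vlan 201
!
! Switch-side static ARP for the end-device's management address
! (assumed 10.0.0.10), so the 4500 never has to ARP for it
arp 10.0.0.10 0011.2233.4455 arpa
```

The `arp` line covers the switch-to-device direction only; the entry Jason describes expiring is the end-device's entry for 10.0.0.1, and John's suggestion is to pin that one on the end-device itself, which depends on its operating system (on a Linux end-device, for example, `ip neigh replace 10.0.0.1 lladdr <svi-mac> dev eth0 nud permanent`, with the SVI's MAC taken from `show interfaces Vlan200` on the 4500). `show vlan private-vlan`, `show interfaces GigabitEthernet1/1 switchport` and `show port-security interface GigabitEthernet1/1` are the places to confirm the mappings and secure addresses took effect.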
