Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-25 Thread Phil Mayers

On 04/24/2011 08:25 PM, Anton Kapela wrote:

2011/4/19 Jon Harald Bøvre j...@bovre.no:

Done similar to this with SXF (for FTTH rollout):


[snip]

this modem works quite well for hosting, FTTx/wan-edge, etc. I make
substantial use of it, too, in similar (hosting, etc) situations.


It certainly is a promising idea for my use-case.

To be honest though, I'm a little surprised it works on hardware-based 
platforms. I assume that it's basically driven by the adjacency table, 
i.e. it's equivalent to doing:


ip route x.x.x.x VlanYYY

...when IP x.x.x.x is learned via ARP on un-numbered vlan YYY.

Thanks for the pointers all!


Have *not* tried with IPv6, so cannot comment re: outcomes there.


I'll have to test this, but I'm assuming since they're separate SVIs, 
you could run un-numbered from the shared IPv4 range, but give each SVI 
its own IPv6.

___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-25 Thread Seth Mattinen
On 4/25/11 2:28 AM, Phil Mayers wrote:
 
 I'll have to test this, but I'm assuming since they're separate SVIs,
 you could run un-numbered from the shared IPv4 range, but give each SVI
 its own IPv6.

I've done that with IPv6 and can confirm that it works. (But not on a
Sup720.)

~Seth


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-24 Thread Anton Kapela
2011/4/19 Jon Harald Bøvre j...@bovre.no:
 Done similar to this with SXF (for FTTH rollout):

[snip]

this modem works quite well for hosting, FTTx/wan-edge, etc. I make
substantial use of it, too, in similar (hosting, etc) situations.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtunvlan.html

Confirmed working/scaleableish on 3550, 3560, 4900m, every cpu-based
box (duh), OSM, flexwan, and SX/SR on sup2/32/720.

Have *not* tried with IPv6, so cannot comment re: outcomes there.

-Tk



[c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Phil Mayers

All,

We've got a pair of Cisco 6500/sup720 serving as our datacentre 
collapsed routing/distribution.


Servers are attached to downstream Foundry/Brocade devices, and possibly 
other dumb/cheap devices in future.


Can I use private VLANs in this case to isolate customers and avoid 
burning 5 IPs (network, broadcast, HSRP master, slave & vip) 
per-customer? I do *not* want to stop customers talking to each other at 
layer3 - just get some degree of isolation (including the sticky arp).


I think I can't, because 12.2(33)SXI seems to lack switchport mode 
private-vlan trunk. Is this correct?


What I want to do is:

vlan 600
  name customer-1
  private-vlan community
vlan 601
  name customer-2
  private-vlan community
vlan 60
  name all-customers
  private-vlan primary
  private-vlan assoc 600,601

int Te1/1
  switchport mode trunk
  switchport trunk allowed vlan 600,601

int Vl60
  ip address ...
  private-vlan mapping ... 600,601
  ip local-proxy-arp


Cheers,
Phil


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Pavel Skovajsa
In order to make use of this design the downstream switches (where you
connect the customer devices), would need to understand private-vlans in
order to join the primary (downstream) and secondary (upstream) traffic. For
that to work you would need to allow also the primary vlan on the Te1/1
trunk. You would not really need the private-vlan trunk feature, you can
transport them on a normal trunk port (and join them on the access switch).

The private-vlan trunk feature is useful in a scenario where one port
(Te1/x) belongs to one customer and you are handing over multiple secondary
vlans over that port. This seems like it is not your case. BTW I believe it is
supported on latest CatOS...:)

-pavel skovajsa

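An added example, not code from the thread or from any poster: a small Python consistency check for the design Pavel describes, run over a constructed config modelled on Phil's (the port name Te1/1 and the vlan numbers come from the post; the parser and check are my own). It flags a trunk that carries secondary VLANs without their primary, which is the piece missing from the original allowed list.

```python
import re

# Constructed sample modelled on the config proposed in the thread (not a capture
# from anyone's switch): the trunk carries the secondaries but not primary vlan 60.
SAMPLE_CONFIG = """
vlan 600
  private-vlan community
vlan 601
  private-vlan community
vlan 60
  private-vlan primary
  private-vlan association 600,601
interface Te1/1
  switchport mode trunk
  switchport trunk allowed vlan 600,601
"""

def expand_vlans(spec):
    # '600,601,700-702' -> {600, 601, 700, 701, 702}
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    # primary vlan -> associated secondaries, trunk port -> allowed vlans
    assoc, trunks, ctx = {}, {}, None
    for raw in config.splitlines():
        s = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", s):
            ctx = ("vlan", int(m[1]))
        elif m := re.match(r"interface (\S+)", s):
            ctx = ("if", m[1])
        elif ctx and ctx[0] == "vlan" and (m := re.match(r"private-vlan assoc\S* (\S+)", s)):
            assoc[ctx[1]] = expand_vlans(m[1])
        elif ctx and ctx[0] == "if" and (m := re.match(r"switchport trunk allowed vlan (\S+)", s)):
            trunks[ctx[1]] = expand_vlans(m[1])
    return assoc, trunks

def check(config):
    # One finding per trunk that carries a secondary vlan without its primary;
    # an empty list means every trunk can join primary and secondary traffic.
    assoc, trunks = parse(config)
    findings = []
    for primary, secs in assoc.items():
        for port, allowed in trunks.items():
            if allowed & secs and primary not in allowed:
                findings.append(f"{port}: carries {sorted(allowed & secs)} but not primary vlan {primary}")
    return findings
```

Adding the primary to the allowed list (`switchport trunk allowed vlan 60,600,601`) makes `check` return an empty list.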


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread schilling
You just need the primary vlan on the Catalyst 6500; basically the 6500 is
not aware of the private vlans' existence. Then private vlans on the
access switch.

The following is one of my old posts.
The promisc port has to be an access port. So you need a loopback cable on
your access switch with two vlan numbers for your primary vlan. For
example vlan 140 and vlan 141: your link to distribution will
still be vlan 140 (other vlans trunked), but one end of the loopback cable would be
access vlan 140, and the other end of the loopback cable will be access
vlan 141. You can then set vlan 141 to be your primary vlan, and the
end with access vlan 141 to be the promisc port. So you have to use a
loopback cable and two ports. Foundry/Brocade is the same way too.

Schilling




Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Phil Mayers

On 19/04/11 15:09, Pavel Skovajsa wrote:

In order to make use of this design the downstream switches (where you
connect the customer devices), would need to understand private-vlans in


Well, they don't understand private vlans.


order to join the primary (downstream) and secondary (upstream) traffic.
For that to work you would need to allow also the primary vlan on the
Te1/1 trunk. You would not really need the private-vlan trunk feature,
you can transport them on a normal trunk port (and join them on the
access switch).
The private-vlan trunk feature is useful in a scenario where one port
(Te1/x) belongs to one customer and you are handing over multiple
secondary vlans over that port. This seems like it is not your case. BTW I
believe it is supported on latest CatOS...:)


Really? Because the IOS docs for Cat4500 imply that it is used when the 
downstream switch does not support private vlans:


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/pvlans.html#wp1181903



Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Pavel Skovajsa
On Tue, Apr 19, 2011 at 4:38 PM, Phil Mayers p.may...@imperial.ac.uk wrote:

 On 19/04/11 15:09, Pavel Skovajsa wrote:

 In order to make use of this design the downstream switches (where you
 connect the customer devices), would need to understand private-vlans in


 Well, they don't understand private vlans.


  order to join the primary (downstream) and secondary (upstream) traffic.
 For that to work you would need to allow also the primary vlan on the
 Te1/1 trunk. You would not really need the private-vlan trunk feature,
 you can transport them on a normal trunk port (and join them on the
 access switch).
 The private-vlan trunk feature is useful in a scenario where one port
 (Te1/x) belongs to one customer and you are handing over multiple
 secondary vlans over that port. This seems like it is not your case. BTW I
 believe it is supported on latest CatOS...:)


 Really? Because the IOS docs for Cat4500 imply that it is used when the
 downstream switch does not support private vlans:


 http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/pvlans.html#wp1181903

Yes, you are right, the isolated private-vlan trunk would help in this case
as well. Try to look into the latest CatOS 8, I vaguely remember seeing this
feature there.

Otherwise it seems like the option you are left with is either doing an SVI per
customer or doing the loopback cable trick (described above by schilling) on
the edge devices.

-pavel


Re: [c-nsp] Private VLANs for customer isolation on sup720/12.2(33)

2011-04-19 Thread Jon Harald Bøvre

Done similar to this with SXF (for FTTH rollout):

interface vlan xxx (might be possible to use loopback intf)
ip address x.x.x.x 255.255.252.0
ip local-proxy-arp

interface vlan xxx+1
desc server1
ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
ip local-proxy-arp

interface vlan xxx+2
desc server2
ip unnumbered vlan xxx (or ip unnumbered loopback xxx)
ip local-proxy-arp

to avoid burning a vlan for each server (customer), consider using 
switchport protected on the access switch (if the feature exists)

Configuration from my head, might contain errors.

Jon H Bøvre

