Hi Guys,
I found myself in an interesting scenario that I would like to test, and I
thought maybe someone here has some thoughts on it:
I have two L2 nodes (switches) connecting to separate trunk ports on an
ES+ linecard on a 7600. Behind the switches I have end users (test PCs).
Users on both switches are in the same VLAN, which is passed on the
trunk to the 7600, and finally there is an SVI on the 7600. Within the
same VLAN, there is also one "shared" node (PC) which should be L2
accessible by all users.
What I'm trying to accomplish is to block L2 traffic between users on
Switch1 and Switch2 (obviously without putting them in separate VLANs)
while they can still reach the shared PC.
The goals in this setup are to keep the end users within the same VLAN,
and not to change any config on Switch1 and Switch2 (as they are not
under my management).
From my research, I came up with a few possible solutions:
- VLAN Access Lists - concerned about the performance impact with a
large number of MAC addresses
- Private VLANs - I think it's impossible in this scenario because I
can't configure trunk ports as isolated
- Service Instances - most promising
I plan to rework the trunk ports with EVCs and manipulate the
"split-horizon" option on the bridge-domain command:
interface GigabitEthernet0/1
 description SW-1
 service instance 400 ethernet
  ! match frames tagged with VLAN 400 from the trunk
  encapsulation dot1q 400
  ! strip the tag on ingress, re-add it on egress
  rewrite ingress tag pop 1 symmetric
  ! split-horizon: no forwarding between EFPs that carry this flag
  ! in bridge-domain 400 (here Gi0/1 and Gi0/2)
  bridge-domain 400 split-horizon
!
interface GigabitEthernet0/2
 description SW-2
 service instance 400 ethernet
  encapsulation dot1q 400
  rewrite ingress tag pop 1 symmetric
  bridge-domain 400 split-horizon
!
Does anyone have a comment on this, whether I'm going in the right
direction, or maybe share another idea?
Thanks
Blogs and organic groups at http://www.ccie.net
Received on Tue May 11 2010 - 13:38:35 ART
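Added example, not part of the original post: a fuller version of the EVC approach sketched above, showing where the shared PC has to sit for it to stay reachable. On the 7600 ES+, the split-horizon flag only blocks forwarding between EFPs that both carry it in the same bridge-domain; an EFP in that bridge-domain without the flag can still exchange frames with every other member. The shared PC is therefore attached through its own EFP with no split-horizon. The port GigabitEthernet0/3, the untagged attachment of the shared PC and the SVI addressing are assumptions for illustration.

```cisco
! Added example config (not the original post's configuration).
! Assumptions: 7600 with ES+ linecard, shared PC attached untagged on Gi0/3,
! SVI address 10.1.40.1/24. All of these are illustrative.
!
interface GigabitEthernet0/1
 description SW-1 (trunk from Switch1, not under my management)
 service instance 400 ethernet
  encapsulation dot1q 400
  rewrite ingress tag pop 1 symmetric
  ! split-horizon: this EFP does not forward to Gi0/2 (also split-horizon),
  ! but still forwards to Gi0/3 and to the SVI
  bridge-domain 400 split-horizon
!
interface GigabitEthernet0/2
 description SW-2 (trunk from Switch2, not under my management)
 service instance 400 ethernet
  encapsulation dot1q 400
  rewrite ingress tag pop 1 symmetric
  bridge-domain 400 split-horizon
!
interface GigabitEthernet0/3
 description SHARED-PC (assumed port, PC attached untagged)
 service instance 400 ethernet
  encapsulation untagged
  ! no split-horizon here: reachable from both Gi0/1 and Gi0/2
  bridge-domain 400
!
interface Vlan400
 description SVI for bridge-domain 400 (assumed addressing)
 ip address 10.1.40.1 255.255.255.0
 no shutdown
```

Two checks worth doing on a setup like this. First, the isolation only holds for the path through the 7600: users behind the same switch still reach each other locally, which matches the stated goal. Second, make sure `ip local-proxy-arp` is not enabled on the SVI; with it on, the 7600 answers ARP on behalf of hosts in its own subnet and would happily route between the two switches, undoing the L2 split. `show ethernet service instance detail` is the place to confirm which EFPs ended up in the bridge-domain and with which flags.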