Hi
I have been tasked with deploying PVLANs on a Cat3750 switch running Layer 2 to provide secure multi-tenant isolation for customer firewalls and routers. The plan is to give our customers a static address from our /24 PI range and use PVLANs to separate the broadcast domains. I have deployed this and set up multiple customer PVLANs, which are working well; however, here's the major issue I have.

Let's say customer 2 changes or adds a NAT rule to their firewall using customer 1's external IP address. This takes down customer 1, as customer 2's firewall sends out a GARP to the primary router on the primary VLAN/promiscuous port, which updates the ARP caches and sends traffic to customer 2. I have tried adding a PACL on the port facing the customer only allowing IP traffic from the allocated/legit source IP, but this blocks IP traffic, not the GARP. I have also tried creating a MAC access list to block ARPs, which works while the firewall has a cached ARP entry for the primary router, but after a reboot this fails. I've also tried a number of VACLs with little success. I'm sure there is a way to protect the source IP from being taken by a different device. My main requirement is to allow ARP on a per-port basis from a specified source IP; this combined with a PACL should be enough to protect each customer.
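The following is an added configuration example, not part of the original post and not taken from any reply. It shows one way to get the per-customer ARP restriction described above on Cisco IOS: an ARP access-list per customer that only permits ARP whose sender IP is the allocated address, applied through Dynamic ARP Inspection (DAI) to that customer's secondary VLAN, with the promiscuous uplink port marked trusted. A gratuitous ARP from customer 2 carrying customer 1's address is then dropped at the access port before it can reach the primary router. All VLAN numbers, interface names and the 203.0.113.0/24 addresses are constructed placeholders, and the example assumes the IOS image in use supports DAI on private-VLAN ports; that support varies by platform and release, so it should be checked against the release's configuration guide before relying on it.

```cisco
! Added example (not from the original post). Assumed layout:
!   primary VLAN 100   - promiscuous port toward the provider router
!   secondary VLAN 101 - isolated VLAN for customer 1 (203.0.113.11, constructed)
!   secondary VLAN 102 - isolated VLAN for customer 2 (203.0.113.12, constructed)
!
! One ARP ACL per customer. Only ARP frames whose sender IP is the allocated
! address are permitted. "mac any" leaves the sender MAC unconstrained so a
! replaced firewall needs no switch change; use "mac host <addr>" to pin it.
arp access-list CUST1-ARP
 permit ip host 203.0.113.11 mac any
!
arp access-list CUST2-ARP
 permit ip host 203.0.113.12 mac any
!
! Enable DAI on the customer secondary VLANs and bind each ACL to its VLAN.
! "static" drops any ARP that does not match the ACL instead of falling back
! to the DHCP-snooping binding table (addresses here are static, so there is none).
ip arp inspection vlan 101-102
ip arp inspection filter CUST1-ARP vlan 101 static
ip arp inspection filter CUST2-ARP vlan 102 static
!
! Customer-facing host ports stay untrusted (the default) and are rate-limited
! so a misbehaving firewall cannot flood the inspection path.
interface GigabitEthernet1/0/11
 description Customer 1 firewall (constructed example)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 ip arp inspection limit rate 15
!
interface GigabitEthernet1/0/12
 description Customer 2 firewall (constructed example)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
 ip arp inspection limit rate 15
!
! The promiscuous port toward the primary router is trusted, so the router's
! own ARP replies toward customers are not subjected to inspection.
interface GigabitEthernet1/0/1
 description Uplink to primary router (constructed example)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101-102
 ip arp inspection trust
!
! Verification: dropped GARPs from a customer using another tenant's address
! show up as ACL drops under
!   show ip arp inspection statistics vlan 101-102
```

The PACL from the original post still belongs on each customer port to constrain IP traffic; the ARP ACL covers the ARP frames that the PACL cannot match. Because the ACL is keyed on sender IP rather than on a cached ARP entry, it keeps working after the customer firewall reboots, which is where the MAC access-list approach fell over.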