11-20-2012 05:30 AM - edited 03-07-2019 10:09 AM
We have recently started as an Internet service provider in an open metropolitan network.
We use a Cisco 3560G Layer 3 switch, where we have all our VLANs configured, e.g. Switch(config)# interface vlan 150, one interface for each VLAN capacity, such as int vlan 1 - 10/10, int vlan 2 - 30/10, int vlan 3 - 100/10 and so on.
Our int vlan is configured as follows:
ip dhcp relay information trusted
ip address <x.x.x.x> <x.x.x.x>
ip helper-address <x.x.x.x>
Ports (e.g. int GigabitEthernet0/1) are configured as follows:
description Uplink
switchport access vlan x
spanning-tree bpdufilter enable
The interface where we trunk to the energy company looks as follows:
description Uplink
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,2,3
switchport mode trunk
load-interval 30
spanning-tree portfast trunk
spanning-tree bpdufilter enable
Other configuration in our 3560G:
vtp mode transparent
ip routing
spanning-tree mode rapid-pvst
spanning-tree logging
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
no spanning-tree vlan 1-1000
vlan internal allocation policy ascending
vlan 1,2,3
Now the problem: we have a customer in e.g. vlan 3 who needs to access a server provided by another customer in the same vlan (vlan 3), and access between hosts in the same vlan is not possible. You can access the server from any other vlan, but when it comes to accessing another host in the same vlan, you will not reach it.
We suspect that the energy company has configured a PVLAN isolated. If we use the command ip local-proxy-arp on each vlan, hosts can reach each other, but it seems that our 3560 becomes overloaded when ip local-proxy-arp is enabled, and streaming and IP telephony don't work. The response time on ping is longer and the packet loss increases with ip local-proxy-arp enabled. The other operators in the metropolitan network also use Cisco 3560G, so the hardware should be sufficient.
We have also tried to add no ip split-horizon, but it made no difference.
How do we get around this without negative consequences? We probably need something that allows traffic to be sent out the same interface it came in on, because it works as long as you are in another vlan. Does anyone have a solution for this problem, or can someone post an example config to solve it?
Rebecka, Sweden
11-20-2012 10:44 AM
Hi,
If the server is located on an isolated private vlan, by doing proxy-arp you are negating the security in place. If the server needs to be accessed by other hosts in the same vlan, configuring an isolated private vlan might not be the best idea. You should use a shared private vlan instead.
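As an added illustration of the reply's suggestion (this is example configuration written for this thread, not config from either poster or from the energy company's switch), the Catalyst private-VLAN feature offers two secondary VLAN types: an isolated secondary VLAN, whose hosts can only talk to promiscuous ports, and a community secondary VLAN, whose hosts can also talk to each other, which is the shared type the reply refers to. Putting the server and the customer who needs it into a community secondary VLAN keeps the rest of the customers isolated while removing the need for ip local-proxy-arp on the Layer 3 switch. VLAN numbers 300/301/302, the interface names and the 192.0.2.0/24 addresses are placeholders chosen here; private VLANs require vtp mode transparent, which the 3560G in the question already has.

```cisco
! Primary VLAN plus two secondary VLANs (placeholder VLAN ids)
vlan 300
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 301,302
vlan 301
 name CUSTOMERS-COMMUNITY
 private-vlan community
vlan 302
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! The server and the customer who must reach it: community ports.
! Hosts in VLAN 301 can reach each other and the promiscuous port only.
interface GigabitEthernet0/2
 description Customer server
 switchport mode private-vlan host
 switchport private-vlan host-association 300 301
interface GigabitEthernet0/3
 description Customer allowed to reach the server
 switchport mode private-vlan host
 switchport private-vlan host-association 300 301
!
! Every other customer stays isolated: can only reach the promiscuous port.
interface GigabitEthernet0/4
 description Isolated customer
 switchport mode private-vlan host
 switchport private-vlan host-association 300 302
!
! Uplink towards the routed network: promiscuous, sees all secondaries.
interface GigabitEthernet0/1
 description Uplink
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 300 301,302
!
! Routed SVI on the primary VLAN; the mapping lets the SVI serve both
! secondaries without any proxy-ARP. Placeholder address in 192.0.2.0/24.
interface Vlan300
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 301,302
 ip helper-address 192.0.2.10
```

After applying this, show vlan private-vlan and show interfaces GigabitEthernet0/2 switchport confirm the associations; hosts on Gi0/2 and Gi0/3 resolve each other's ARP directly, while a ping from Gi0/4 to either of them fails as intended.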