cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
928
Views
0
Helpful
1
Replies

Hosts can't reach each other in the same VLAN in 3560G

Rebecka90
Level 1
Level 1

We have recently started as Internet service provider in an open metropolitan.

We use a Cisco 3560G Layer 3 switch, where we have all our vlan where we have konfiguerat ex. Switch (config) # interface vlan 150, an interface for each VLAN capabilities such as int vlan 1 - 10/10 int vlan 2 to 30/10, int vlan 3 100/10 and so on.

Our int vlan is configured as follows:

dhcp relay information trusted

ip address <x.x.x.x> <x.x.x.x>

ip helper-address <x.x.x.x>

Ports (ex. int Gigabit Ethernet 0/1) are configured as follows:

description Uplink

switchport access vlan x

spanning-tree bpdufilter enable

The interface where we trunks to the energy company looks as follows:

description Uplink

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 1, 2, 3

switchport mode trunk

load-interval 30

spanning-tree port the trunk

spanning-tree bpdufilter enablement

Other configuration in our 3560G:

vtp transparent mode

ip routing

spanning-tree mode rapid-pvst

spanning-tree logging

no spanning tree bpdu optimize transmission

spanning-tree extend system id

no spanning-tree vlan 1-1000

vlan internal allocation policy ascending

vlan 1, 2, 3

Now the problem; we have a customer in ex. vlan 3 who needs to access a server provided by another customer in the same vlan (vlan 3), and access to each other in the same vlan is not possible. You can access the server from any other vlan, but when it comes to access to another host in the same vlan, you will not reach it.

We suspect that the energy company has configured with pvlan isolated. If we use the command ip local-proxy-arp on each vlan, it works to reach each other, but it seems that our 3560 becomes overloaded when ip local-proxy-arp is enabled and it streaming and use IP telephony it doesn't work. The response time at ping is longer and the loss of packets increase with ip local-proxy-arp enabled. The other operators in the metropolitan also uses Cisco 3560G so the hardware should be sufficient.

We have also tried to add no split-horizon, but it made no difference.

How do we get around this without negative consequences? Probably need something that makes you allow to send out the same interface that it came from, because it works as long as you are in another vlan. Can anyone have a solution for this problem or can post a example config to solve this problem?

Rebecka, Sweden

1 Reply 1

dominic.caron
Level 5
Level 5

Hi,

If the server is located on an isolated private vlan, by doing proxy-arp, you are negating the security in place. If the server need to be accessed by other host in the same vlan, configuring a isolated private vlan might no be the best idea. You chould use a share private vlan instead.

Review Cisco Networking for a $25 gift card