Allowing UNI or protected ports on Cisco switch to reach each other using IP

When deploying Metro Ethernet and colocation services, best practice is to put the customer ports in protected mode or UNI. This prevents customers from interfering with each other via layer 2 protocols, and it lets the service provider filter traffic. The downside is that, without additional configuration, traffic from one customer to another is blackholed when they sit in the same subnet.
When working with a customer recently I had a situation where customers were unable to reach each other. They were all separate business customers running mail servers. Because the Metro Ethernet service was deployed using one Ethernet IP subnet and their switch ports were set to UNI for security reasons, I had the following options to allow the customers to talk to each other.

  1. Tell the customers to use a different service provider who had a different subnet... resume-generating event
  2. Have the customers start using PPPoE for Ethernet termination... painful for customer and provider
  3. Create separate /30s for each customer... again painful and inefficient
  4. Have customers change their subnet masks to /32... broken kludge that is painful for customers and not always possible

I had a hunch that I might be able to do something with proxy-arp, but enabling plain proxy-arp did not answer ARP requests for hosts on the local network. I did some research and found an article on private VLANs (an enterprise feature similar to UNI and protected ports). Reading through that article I found the command I needed. I entered the following commands on the upstream 7600, and local proxy-arp took over routing between the customers: the router answers ARP for every host on the subnet, and "ip route-cache same-interface" lets it forward the traffic back out the interface it arrived on.

!
interface GigabitEthernet1/1
description To Metro Ethernet
ip address 192.0.2.1 255.255.255.224
no ip redirects
ip local-proxy-arp
ip route-cache same-interface
load-interval 30
!
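A quick way to confirm from a customer host that the router is now proxying is to look at the neighbor table: every peer on the subnet should resolve to the gateway's MAC address rather than its own. The following is an added example, not from the original post; it parses constructed `ip neigh show` output from a Linux host, and the peer addresses and MACs are assumed for illustration (192.0.2.1 is the upstream router from the configuration above).

```python
import re

# Constructed sample of `ip neigh show` output on one customer host; not
# captured from the post's network. The peer IPs and MAC addresses are assumed.
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.5 dev eth0 lladdr 00:00:5e:00:53:01 STALE
192.0.2.9 dev eth0 lladdr 00:00:5e:00:53:09 REACHABLE
192.0.2.12 dev eth0 FAILED
"""

# <ip> dev <ifname> [lladdr <mac>] <state>
NEIGH_RE = re.compile(r"^(\S+) dev (\S+)(?: lladdr (\S+))? (\S+)$")


def parse_neigh(text):
    """Parse `ip neigh show` lines into {ip: (mac_or_None, state)}."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _dev, mac, state = m.groups()
            table[ip] = (mac.lower() if mac else None, state)
    return table


def check_proxy_arp(neigh_text, gateway_ip, peer_ips):
    """Classify each peer on the shared subnet:
    'proxied'    - resolves to the gateway MAC: local-proxy-arp answered and
                   traffic to that peer hairpins through the router;
    'direct'     - the peer answered with its own MAC (port not isolated);
    'unresolved' - no answer at all: the blackhole the post describes."""
    table = parse_neigh(neigh_text)
    gw_mac, _ = table.get(gateway_ip, (None, None))
    if gw_mac is None:
        raise ValueError("gateway MAC unknown; ping the gateway first")
    result = {}
    for ip in peer_ips:
        mac, _state = table.get(ip, (None, None))
        if mac is None:
            result[ip] = "unresolved"
        else:
            result[ip] = "proxied" if mac == gw_mac else "direct"
    return result


if __name__ == "__main__":
    print(check_proxy_arp(SAMPLE_NEIGH, "192.0.2.1",
                          ["192.0.2.5", "192.0.2.9", "192.0.2.12"]))
```

Because inter-customer traffic now transits the router interface, an inbound access list on that interface applies to it as well, which is where provider-side filtering between customers can be enforced.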
