3550 Protected Port

Unanswered Question
Jun 24th, 2007

I have two servers connected to a 3550 and I want separate these two servers at L2 and make them communicate at L3. So I configured both ports with ?switchport protected?, and I connected the switch to a 2800 router, where I have interface VLAN configured. Since I put the two ports in protected mode they can not ping each other even though I have the L3 router between them, I can ping both servers from the router and I can ping the router from both, but they do not ping each other ,Am I missing anything here? Thanks in advance.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
cnuvo Sun, 06/24/2007 - 06:23

It's VLAN interface and yes I did, in fact it's enabled by default but I added the command again just in case..

Edison Ortiz Sun, 06/24/2007 - 06:33

Can you post the config from each of the interfaces in question ?

The router (2800) is the one serving as L3 device, correct ? So, that's the device that needs to have proxy-arp enabled, not the SVI on the 3560 switch.

cnuvo Sun, 06/24/2007 - 06:47

on the 3550,

interfast 0/1 (connected to server1)

switchport mode access

switchport access vlan 200

switchport protected

!

Same config on interface 0/2 (connected to server2)

!

Interface fast0/4 (to the 2800)

switchport trunk encapsulation dot1q

switchport mode trunk

!

2800

interface fast 1/4 (to the 3550)

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface vlan 200

ip address 10.1.1.1 255.255.255.0

!

Once I remove the protected from one interface I can ping between the two servers (via L2 of course)

Thanks in adavnce..

Edison Ortiz Sun, 06/24/2007 - 10:18

Understood, the router is running one of those switch modules. Not very familiar with those. Are you able to use the regular fast-ethernet modules on the router - configure the port on the 3550 as access mode for vlan 200 and assign a corresponding IP ?

Note.- this is troubleshooting purposes, I don't have a lab to duplicate your environment at the moment.

o_albegov Sun, 06/24/2007 - 10:51

I think the better way to communicate 2 server with ecah other at L3 is to place them in seperate vlans. Is it possible in IP configuration?

cnuvo Sun, 06/24/2007 - 22:43

We can not change the IP's on the servers. We are not allowed to do that.

The question I have, in the protected vlan's setup, why should the router answer the arp request from server1 on behalf of server2, even though the router has no idea about the protected vlan setup? Is there ant configuration needs to be added to the router?

Ahmede Sun, 06/24/2007 - 23:52

There's an easy solution for that,

On server1 add a static ARP entry for server2 IP address and associate it to the router MAC address, and do the same on server2. This way Server1 and 2 won't arp the IP's of each other, and they will send the traffic to the router.

HTH..

Actions

This Discussion