switchport protected between switches

Nov 2nd, 2007

Hi,

I have several 2950s and 3550s hung on trunks off a common 3550 EMI.

Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.

Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?

Thanks.

Edison Ortiz Fri, 11/02/2007 - 14:16

What exactly are you trying to achieve?

Are you trying to block a port between switches?

Switchports default to L2 and can only be changed to L3 if running a 3550 or later, with the no switchport command.

steve.dutky Fri, 11/02/2007 - 14:41

Ref attached jpg

I hope to find a way that restricts workstations (designated A-E on jpg) configured on the same VLAN to communicate only to designated servers and the default gateway.

These workstations should get no reply when arping to any other on net address.

I understand that switchport protected does this when configured for workstations residing on the same switch as the server and gateway (i.e. the rightmost 2950).

Thanks,

switchport protected

Edison Ortiz Fri, 11/02/2007 - 17:12

I believe I understand now.

switchport protected works on the same switch while you want to expand this concept over multiple switches, am I right?

Well, there is an option. It's called Private VLANs, but it's supported on 3560/3750 and other high-end switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swpvlan.html
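The private VLAN option mentioned in this reply, sketched as an added example that is not part of the original thread or of the linked Cisco guide: one primary VLAN with one isolated secondary VLAN on a single private-VLAN-capable switch. The VLAN IDs (100, 101) and interface names are placeholders chosen for illustration.

```text
! Added example; VLAN IDs and interface names are placeholders.
! Private VLANs on this platform require VTP transparent mode.
vtp mode transparent
!
! Secondary VLAN: hosts here cannot talk to each other at L2.
vlan 101
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Workstation port: can reach only promiscuous ports.
interface GigabitEthernet0/1
 description workstation (isolated host port)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Server port: reachable from every host port in the private VLAN.
interface GigabitEthernet0/2
 description server (promiscuous port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Gateway SVI on the primary VLAN, mapped to the secondary VLAN
! so routed traffic from isolated hosts is accepted.
interface Vlan100
 private-vlan mapping 101
```

`show vlan private-vlan` lists the primary/secondary association and the ports in each, which is a quick check that the host ports landed in the isolated VLAN.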

steve.dutky Mon, 11/05/2007 - 09:12

Thanks.

As I understand it then, all hosts connected to associated primary and secondary private VLANs occupy the same IP subnet with a gateway configured on the primary VLAN's SVI.

Short of replacing all switches with 3560/3750s, could I get L2 isolation by:

1. Replace the 3550 at the root with a 3560 trunked to both 2950s.

2. Configure the 3560 with private primary VLAN X with associated private isolated VLAN Y.

3. Configure all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.

4. Configure the 2950 ports connected to the server as switchport access vlan X and no switchport protected.

Edison Ortiz Mon, 11/05/2007 - 15:11

It might work, but just thinking about it gave me a headache :)

Best to draw it up and play around with that idea in a lab.
