Port Protection vs Port Blocking

Unanswered Question

Good morning all;

I'm configuring a secure VLAN environment where I don't want ports to be able to see, or attempt to communicate with, any other port on the VLAN, aside from, of course, the Gateway port. I know to use a protected port configuration for that.

My question lies in some verbiage within the Config Guide for the 2960 switches I'm using. After Port Protection in the guide, it mentions Port Blocking. The verbiage says:

By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.

In the Port Protection section, it says:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

So, does this imply that the only reason I would need to configure port blocking on ports in this VLAN, where all ports are configured as protected, would be to protect them from a port that is NOT configured as protected? The verbiage seems to imply that a protected port cannot send U/M/B traffic to any other protected port, but it is itself vulnerable if port blocking is not configured. Or would it be advisable to configure port blocking along with the port protection?

aghaznavi Fri, 11/07/2008 - 07:40

Yes, you are correct. You can configure port blocking along with port protection. No traffic is forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
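As an added illustration (not part of the original thread), here is what the combined configuration described above looks like on a Catalyst 2960: the host ports are both protected and blocked, while the uplink to the gateway is left unprotected so every host can still reach it. VLAN 10 and the interface numbers are assumed for the example.

```cisco
! Added example, not from the original post. Assumptions: hosts on Fa0/1-23,
! gateway/router on Gi0/1, all in VLAN 10.
!
! Host ports: protected (no L2 forwarding to other protected ports) AND
! blocked (no flooding of unknown unicast/multicast INTO this port, even
! from an unprotected port such as the uplink).
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport protected
 switchport block unicast
 switchport block multicast
!
! Gateway uplink: deliberately NOT protected, otherwise protected hosts
! could not reach it at Layer 2.
interface GigabitEthernet0/1
 description uplink to gateway
 switchport mode access
 switchport access vlan 10
!
! Verification (fields as shown by the switch):
!   show interfaces fastethernet0/1 switchport
!     Protected: true
!     Unknown unicast blocked: enabled
!     Unknown multicast blocked: enabled
```

Port protection alone stops protected ports from talking to each other; the block commands close the remaining gap the guide describes, where an unprotected port (the uplink here) floods unknown-destination frames to the protected ports.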
