Good morning all,
I'm configuring a secure VLAN environment where I don't want ports to be able to see, or attempt to communicate with, any other port on the VLAN, aside from, of course, the gateway port. I know to use a protected port configuration for that.
My question lies in some verbiage within the Config Guide for the 2960 switches I'm using. After Port Protection in the guide, it mentions Port Blocking. The verbiage says:
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
In the Port Protection section, it says:
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
So, does this imply that the only reason I would need to configure port blocking on ports in this VLAN, where all ports are configured as protected, would be to protect them from a port that is NOT configured as protected? The verbiage seems to imply that a protected port cannot send U/M/B traffic to any other protected port, but it is itself vulnerable if port blocking is not configured. Or would it be advisable to configure port blocking along with the port protection?
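For reference, here is an added configuration example (not from the original post or the Cisco guide) that puts the two features the question contrasts side by side on a Catalyst 2960. The interface names, the VLAN number and the choice of Gi0/1 as the gateway-facing uplink are assumptions. It applies `switchport protected` to stop Layer 2 data forwarding between the client ports, and `switchport block unicast` / `switchport block multicast` on the same ports so the switch does not flood unknown-destination frames out of them, whatever port those frames entered on (including the non-protected gateway port). The gateway port is deliberately left unprotected and unblocked so it can reach every client.

```cisco
! Added example, not from the original post. Assumes a Catalyst 2960 with
! Gi0/1 as the uplink to the Layer 3 gateway and Gi0/2-24 as isolated
! client ports in VLAN 100 (interface names and VLAN number are assumed).
vlan 100
 name ISOLATED-CLIENTS
!
! Gateway-facing port: left unprotected and unblocked so it can exchange
! traffic with every client port in the VLAN.
interface GigabitEthernet0/1
 description Uplink to L3 gateway
 switchport mode access
 switchport access vlan 100
!
! Client ports:
!  - "switchport protected" stops Layer 2 data forwarding between any two
!    protected ports on this switch (unicast, multicast and broadcast).
!  - "switchport block unicast/multicast" stops the switch from flooding
!    unknown unicast / unknown multicast frames out of THIS port, no matter
!    which port in the VLAN (protected or not) the frames came in on.
interface range GigabitEthernet0/2 - 24
 description Isolated client port
 switchport mode access
 switchport access vlan 100
 switchport protected
 switchport block unicast
 switchport block multicast
!
end
!
! Verification (run from privileged EXEC):
!   show interfaces GigabitEthernet0/2 switchport
!   show running-config interface GigabitEthernet0/2
```

`show interfaces <port> switchport` reports the protected state and the unknown unicast/multicast blocking state for the port, so it is the quick check that both features actually took effect. Two caveats worth keeping in mind when relying on this: protected-port isolation is local to a single switch, so client ports on two different 2960s in the same VLAN can still reach each other unless the isolation is enforced another way (for example private VLANs or an ACL at the gateway); and blocking only affects flooded frames, so a client can still receive traffic addressed to a MAC the switch has already learned on its port.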