Cisco Support Community

New Member

3550 Protected Port

I have two servers connected to a 3550 and I want to separate these two servers at L2 and make them communicate at L3. So I configured both ports with "switchport protected", and I connected the switch to a 2800 router, where I have interface VLAN configured. Since I put the two ports in protected mode they cannot ping each other even though I have the L3 router between them. I can ping both servers from the router and I can ping the router from both, but they do not ping each other. Am I missing anything here? Thanks in advance.

8 REPLIES
Hall of Fame Super Bronze

Re: 3550 Protected Port

Did you enable Proxy-Arp in the LAN interface at the router ?

New Member

Re: 3550 Protected Port

It's a VLAN interface, and yes I did. In fact it's enabled by default, but I added the command again just in case.

Hall of Fame Super Bronze

Re: 3550 Protected Port

Can you post the config from each of the interfaces in question ?

The router (2800) is the one serving as L3 device, correct ? So, that's the device that needs to have proxy-arp enabled, not the SVI on the 3560 switch.

New Member

Re: 3550 Protected Port

On the 3550:

interface fast 0/1 (connected to server1)

switchport mode access

switchport access vlan 200

switchport protected

!

Same config on interface 0/2 (connected to server2)

!

Interface fast0/4 (to the 2800)

switchport trunk encapsulation dot1q

switchport mode trunk

!

2800

interface fast 1/4 (to the 3550)

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface vlan 200

ip address 10.1.1.1 255.255.255.0

!

Once I remove the protected from one interface I can ping between the two servers (via L2 of course).

Thanks in advance.

Hall of Fame Super Bronze

Re: 3550 Protected Port

Understood, the router is running one of those switch modules. Not very familiar with those. Are you able to use the regular fast-ethernet modules on the router - configure the port on the 3550 as access mode for vlan 200 and assign a corresponding IP ?

Note: this is for troubleshooting purposes, I don't have a lab to duplicate your environment at the moment.

New Member

Re: 3550 Protected Port

I think the better way for 2 servers to communicate with each other at L3 is to place them in separate VLANs. Is it possible in IP configuration?

New Member

Re: 3550 Protected Port

We can not change the IP's on the servers. We are not allowed to do that.

The question I have: in the protected VLAN setup, why should the router answer the ARP request from server1 on behalf of server2, even though the router has no idea about the protected VLAN setup? Is there any configuration that needs to be added to the router?

New Member

Re: 3550 Protected Port

There's an easy solution for that,

On server1 add a static ARP entry for server2 IP address and associate it to the router MAC address, and do the same on server2. This way Server1 and 2 won't arp the IP's of each other, and they will send the traffic to the router.

HTH..
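The thread's topology as a small model, added here as an illustration and not posted by any participant: it shows why the ping fails with both ports protected and why static ARP entries pointing at the router's MAC restore it through the router. All IP and MAC addresses are constructed, and the router is modelled as the thread reports it, not answering ARP on the other server's behalf.

```python
# Added illustration; every address below is constructed, not from the thread.
ROUTER_IP, S1, S2 = "10.1.1.1", "10.1.1.10", "10.1.1.20"
HOSTS = {  # ip -> (mac, port on the 3550)
    ROUTER_IP: ("00:00:5e:00:53:01", "fa0/4"),
    S1: ("00:00:5e:00:53:10", "fa0/1"),
    S2: ("00:00:5e:00:53:20", "fa0/2"),
}
ROUTER_MAC = HOSTS[ROUTER_IP][0]
MAC_TO_IP = {mac: ip for ip, (mac, _) in HOSTS.items()}
PROTECTED = {"fa0/1", "fa0/2"}  # ports carrying "switchport protected"
# Static ARP entries from the last reply: each server maps the other to the router.
STATIC = {S1: {S2: ROUTER_MAC}, S2: {S1: ROUTER_MAC}}


def switch_forwards(in_port, out_port, protected):
    """Protected-port rule: nothing is forwarded between two protected ports."""
    return in_port != out_port and not (in_port in protected and out_port in protected)


def resolve(src, dst, static_arp, protected):
    """MAC that src uses for dst: a static entry if present, else the ARP result."""
    if dst in static_arp.get(src, {}):
        return static_arp[src][dst]
    # The ARP broadcast reaches dst only if the switch forwards between the ports.
    # As reported in the thread, the router does not answer on dst's behalf.
    if switch_forwards(HOSTS[src][1], HOSTS[dst][1], protected):
        return HOSTS[dst][0]
    return None


def deliver(src, dst, static_arp, protected):
    """Switch hops (in_port, out_port) taken by one packet, or None if dropped."""
    mac = resolve(src, dst, static_arp, protected)
    if mac is None:
        return None
    first = MAC_TO_IP[mac]
    if first != dst and first != ROUTER_IP:
        return None  # only the router forwards packets addressed to someone else
    stops = [src, first] if first == dst else [src, first, dst]
    hops = [(HOSTS[a][1], HOSTS[b][1]) for a, b in zip(stops, stops[1:])]
    return hops if all(switch_forwards(i, o, protected) for i, o in hops) else None


def ping(a, b, static_arp, protected):
    """Echo request a->b and echo reply b->a must both be delivered."""
    return (deliver(a, b, static_arp, protected) is not None
            and deliver(b, a, static_arp, protected) is not None)
```

With a static entry on only one server the echo reply is still dropped, which is why the entry is needed on both.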
