04-02-2009 12:12 PM - edited 03-06-2019 04:58 AM
Hi All,
I had a quick question. When you configure "switchport protected" does this not forward traffic from other switches to this port as well as ports on the local switch?
The issue is this, we have students that like to play LAN games during school hours. Protected port seems ideal in the sense that it does not allow other protected ports from talking to each other. This seems straightforward on one switch but if you have multiple switches, will a protected port on one switch be denied from talking to a protected port on another switch?
Thanks
04-02-2009 02:47 PM
Hello Brett,
>> will a protected port on one switch be denied from talking to a protected port on another switch?
Unfortunately this is not true: the switch uplinks are primary/promiscuous ports, so the risk is to allow traffic between ports in different access layer switches.
Hope to help
Giuseppe
04-02-2009 03:05 PM
To add on Giuseppe's point, protected ports can still talk to each other via a layer 3 interface if the layer 3 interface is doing local proxy ARP. Therefore, if you plan to use this feature, you need to make sure "local proxy arp" is disabled (it should be disabled by default).
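The two caveats raised so far (the uplink is not a protected port, and local proxy ARP on the SVI would relay traffic between protected ports) can be seen together in a configuration sketch. The following is an added example and is not configuration posted by anyone in this thread; the interface names (2960-style FastEthernet access ports with a GigabitEthernet uplink), VLAN 100 and the 10.100.0.0/22 addressing are assumed values chosen for illustration.

```text
! Added example, not from this thread. Access-switch side.
! Student-facing access ports in the (assumed) student VLAN 100 become protected
! ports: two protected ports on the SAME switch cannot forward unicast, multicast
! or broadcast frames directly to each other.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 100
 switchport protected
!
! The uplink is deliberately left unprotected so a student port can still reach
! the default gateway and servers. Because the uplink is unprotected, a protected
! port on this switch can still reach a protected port on a different switch,
! which is the gap described in the replies above.
interface GigabitEthernet0/1
 description uplink to distribution
 switchport mode trunk
!
! Distribution / layer 3 side. With local proxy ARP enabled, the router would
! answer ARP requests on behalf of hosts in the same subnet and forward traffic
! between two protected ports through itself. It is off by default; the explicit
! "no" form documents the intent. Addressing is constructed for the example.
interface Vlan100
 ip address 10.100.0.1 255.255.252.0
 no ip local-proxy-arp
!
! Verification: the port's switchport status should report "Protected: true".
! show interfaces FastEthernet0/1 switchport
```

The check to remember when auditing this design is that "protected" is a per-switch, per-port property and not a per-VLAN one, so any path that leaves the switch (an uplink, or a router interface willing to proxy ARP) bypasses it.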
04-02-2009 03:33 PM
Thanks guys. I was reading up some more on it and it seems you can do this across switches, but it needs to be configured on a private VLAN on the interface. And it just so happens that I have 2960's and 3560's that do not seem to support that option :(
Ahh well, is there any other option for me to help with my issue using the 2960's and 3560's ?
Thanks
04-03-2009 03:52 AM
Hello BRETT,
As you said, PVLAN would have been the best option. You could upgrade your IOS version to allow it, or create a VLAN with an ACL to prevent it.
HTH
DAK
04-03-2009 07:16 AM
Hey Dak,
But the ACLs would not affect the packets until they hit the route point, and most LAN games never hit the route point. The students are already in a separate VLAN, but they do not have a VLAN for each individual student; that would be a bit tough with 700+ computers at this site.
I guess I was just looking for an easy way out and there does not seem to be one. We have currently implemented client-based firewalls to prevent the packets; I will see how that goes. I was hoping to do it at the switch level so the students did not try to get past the firewall.
04-03-2009 02:24 PM
You are right; another way could be through NBAR, or you define the website you want to prevent on your firewall (ASA/PIX).
DAK