07-02-2014 09:10 AM - edited 03-07-2019 07:54 PM
Hi,
on an ISR platform with HWIC-4ESW or EHWIC-4ESG (4 fast ethernet switched ports),
- with interface fa0/1/0 toward customer #1 using vlanid 100, 101, 102, and 1(native),
- with interface fa0/1/1 toward customer #2 using vlanid 201, 202, 203, and 1(native),
+ can I set the switch mode to "protected" on these interfaces in order to prevent traffic from one customer to be seen by the other one (VLAN 1 or misconfiguration where each customer would use the same VLAN ID) ?
+ basically, is it possible to issue the "switchport protected" command on an interface with multiple VLAN (802.1q encapsulation) traffic ? (Can't see why it wouldn't be possible to do so....)
+ VLAN 1 traffic is used on Cisco routers for handling layer 2 control traffic (CDP, PAgP, STP, ...). Do you know if setting ports in "protected" mode will prevent that traffic from being switched from one interface to the other (it would be very useful for me to restrict this traffic on a per port/per customer basis) ?
Thanks for your advice,
Pascal
07-12-2014 08:26 PM
If the command is there I would assume so.
According to the documentation, switchport protected is supported on dot1q ports.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_20_ea2/configuration/guide/2950scg/swtrafc.html#wp1158863
10-21-2014 01:54 AM
Thanks.
Got some testing done by our cisco support.
protected mode + 802.1q works fine, but doesn't prevent layer 2 protocols from being switched between protected ports in VLAN 1.
In the configuration I described earlier, STP or layer 2 control traffic will still be switched throughout all the ports, protected mode or not.
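As an added illustration of the setup discussed in this thread (not configuration posted by any participant), the fragment below shows the two customer-facing ports configured as 802.1q trunks with "switchport protected", and pairs that with the per-port controls that actually address the two risks raised in the question: an overlapping VLAN ID between customers, and VLAN 1 control traffic crossing between ports. The interface names, VLAN IDs and the unused native VLAN 999 are assumptions for the example; "switchport trunk native vlan", "switchport trunk allowed vlan", "switchport protected" and "no cdp enable" are standard IOS switchport commands, while "spanning-tree bpdufilter enable" is assumed to be available on this switch module and should be verified on the actual IOS image.

```cisco
! Added example, not from the original thread. Interface names and VLAN IDs are assumptions.
!
! Customer #1 port: only the VLANs this customer owns are allowed on the trunk,
! so a customer #2 frame tagged 100-102 (or vice versa) is never carried here.
interface FastEthernet0/1/0
 description Customer-1 trunk (VLANs 100-102)
 switchport mode trunk
 switchport trunk allowed vlan 100-102
 ! Move the native VLAN off VLAN 1 so untagged frames do not land in the
 ! management/control VLAN shared by every port on the module.
 switchport trunk native vlan 999
 ! Protected: no unicast/broadcast/multicast forwarding to other protected ports
 ! in the same VLAN. As the thread found, this does NOT stop VLAN 1 control traffic.
 switchport protected
 ! Per-port controls for the layer 2 control traffic protected mode leaves alone.
 no cdp enable
 spanning-tree bpdufilter enable
 no shutdown
!
! Customer #2 port: same pattern with a disjoint VLAN range.
interface FastEthernet0/1/1
 description Customer-2 trunk (VLANs 201-203)
 switchport mode trunk
 switchport trunk allowed vlan 201-203
 switchport trunk native vlan 999
 switchport protected
 no cdp enable
 spanning-tree bpdufilter enable
 no shutdown
!
! Keep VLAN 999 defined but with no SVI and no other member ports, so untagged
! traffic from either customer has nowhere to go.
vlan 999
 name UNUSED-NATIVE
```

To verify the result, "show interfaces FastEthernet0/1/0 switchport" reports the protected flag, the operational trunking encapsulation, the native VLAN and the allowed VLAN list, and "show interfaces trunk" confirms that VLAN 1 is not in the "allowed and active" set for either customer port. Note that "spanning-tree bpdufilter enable" silently discards BPDUs in both directions on that port, so a loop through a customer's own equipment would no longer be detected by STP on this module; that trade-off is the reason the allowed-VLAN restriction, rather than the BPDU filter, is the primary isolation control here.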