
switchport protected on a 802.1q interface ?

pascalfr0
Level 1

Hi,

On an ISR platform with HWIC-4ESW or EHWIC-4ESG (4 Fast Ethernet switched ports),

- with interface fa0/1/0 toward customer #1 using VLAN IDs 100, 101, 102, and 1 (native),

- with interface fa0/1/1 toward customer #2 using VLAN IDs 201, 202, 203, and 1 (native),

 

 + Can I set the switch mode to "protected" on these interfaces in order to prevent traffic from one customer from being seen by the other one (VLAN 1, or a misconfiguration where each customer would use the same VLAN ID)?

 

+ Basically, is it possible to issue the "switchport protected" command on an interface carrying traffic for multiple VLANs (802.1q encapsulation)? (Can't see why it wouldn't be possible to do so...)

 

+ VLAN 1 traffic is used on Cisco routers for handling layer 2 control traffic (CDP, PAgP, STP, ...). Do you know if setting ports in "protected" mode will prevent that traffic from being switched from one interface to the other (it would be very useful for me to restrict this traffic on a per-port/per-customer basis)?

 

Thanks for your advice,

 

Pascal

 

 

 

2 Replies

LA-Engineer
Level 1

If the command is there I would assume so.

According to the documentation, switchport protected is supported on dot1q ports.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_20_ea2/configuration/guide/2950scg/swtrafc.html#wp1158863

 

 

 

Thanks.

Got some testing done by our Cisco support.

Protected mode + 802.1q works fine, but doesn't prevent layer 2 protocols from being switched between protected ports in VLAN 1.

In the configuration I described earlier, STP or layer 2 control traffic will still be switched throughout all the ports, protected mode or not.
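
A way to audit a config for the two conditions discussed in this thread, as an added example that is not part of the original posts or any Cisco tooling: it flags pairs of customer trunk ports that share a VLAN ID without both being protected, and pairs that share VLAN 1 even when both are protected. The sample config is constructed, and the script assumes each trunk lists its allowed VLANs explicitly.

```python
from itertools import combinations

# Constructed IOS-style sample config, not taken from the thread.
SAMPLE = """\
interface FastEthernet0/1/0
 switchport mode trunk
 switchport trunk allowed vlan 1,100-102
 switchport protected
interface FastEthernet0/1/1
 switchport mode trunk
 switchport trunk allowed vlan 1,201-203
interface FastEthernet0/1/2
 switchport mode trunk
 switchport trunk allowed vlan 1,100,301
 switchport protected
"""

def expand(spec):
    """Expand '1,100-102' into {1, 100, 101, 102}."""
    bounds = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in bounds for v in range(int(lo), int(hi or lo) + 1)}

def parse(config):
    """Map each interface to its allowed VLANs and protected flag."""
    ports, cur = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            cur = ports.setdefault(s.split()[1], {"vlans": set(), "protected": False})
        elif cur is not None and s.startswith("switchport trunk allowed vlan "):
            cur["vlans"] |= expand(s.rsplit(" ", 1)[1])
        elif cur is not None and s == "switchport protected":
            cur["protected"] = True
    return ports

def audit(config):
    """Return (port_a, port_b, vlans, issue) for each risky port pair."""
    findings = []
    for (a, pa), (b, pb) in combinations(sorted(parse(config).items()), 2):
        shared = sorted(pa["vlans"] & pb["vlans"])
        if shared and not (pa["protected"] and pb["protected"]):
            findings.append((a, b, shared, "not-isolated"))
        elif 1 in shared:
            # Thread's test result: VLAN 1 L2 control traffic still crosses protected ports.
            findings.append((a, b, [1], "vlan1-control-traffic"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
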

 
