How Communication Possible between protected ports in 3550 on the same VLAN

mtrf
Level 1

As I understand from the explanation and configuration of Private-VLAN, inter-VLAN routing between VLANs is no problem even if there are protected ports in different VLANs.

But I am looking for the configuration of inter-communication between protected ports in the same VLAN. For some reason I want to protect ports as well as control the traffic between them through an access list. Can it be possible?

For more clarification:

I have 4 servers + Router in the same VLAN (this is just for explanation; I put them all together):

1. Private WEB 192.168.1.5

2. Public WEB 192.168.1.2 NATed with legal IP

3. AAA Server 192.168.1.3

4. Domain Server 192.168.1.4

5. Dialup Router 192.168.1.1

I want to protect my dialup clients or Dialup Router from going to Private WEB, but I want them to go to all other servers. For protecting it from the other servers I make my Private WEB connection port "Protected", as well as the Dialup Router port protected, as well as the AAA Server port protected. Then how can I make these two ports communicate through Layer 3? (Please note I made this scenario just to explain to you in more detail; don't consider it the actual setup.)

Thanks in Advance.

2 Replies

donewald
Level 6

As long as your PVLAN interfaces are not set up to be "isolated", you should be able to communicate within your PVLAN if you wish by using a Community or promiscuous port setting.

Promiscuous—A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.

Isolated—An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from an isolated port is forwarded only to promiscuous ports.

Community—Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

I am unsure what type of switch you have, so I'll send the Catalyst 4000 PVLAN configuration link for more information.

http://www.cisco.com/en/US/partner/products/hw/switches/ps663/products_configuration_guide_chapter09186a00800dde94.html

Hope this helps you,

Don

The 3550 doesn't have full-blown PVLAN support like the bigger 6500s, etc. It has a private-edge protected port, which is very basic.

Protected ports on the same switch cannot communicate with one another unless they go through an external router and come back. That means that the other device will need to have multiple IPs so you route to its other IP to communicate with it through an external router.

If you have the EMI feature set on your 3550, why not just put dial-up users in their own VLAN, route between the VLANs where needed, and use ACLs to permit/deny traffic on the SVIs.
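To make the separate-VLAN approach from this reply concrete for the scenario in the question, here is an added example configuration (not from any poster in the thread). It assumes VLAN 10 holds the servers on the 192.168.1.0/24 subnet from the question, an assumed new VLAN 20 with subnet 192.168.2.0/24 for the dial-up router, assumed interface names, and the EMI feature set for routing and routed ACLs on the 3550.

```cisco
! Added example, not from the thread. Assumed: VLAN 10 = SERVERS
! (192.168.1.0/24 from the question), VLAN 20 = DIALUP on an assumed
! subnet 192.168.2.0/24, assumed interface names, EMI feature set.
ip routing
!
vlan 10
 name SERVERS
vlan 20
 name DIALUP
!
! Private WEB stays in VLAN 10. "switchport protected" only blocks
! Layer 2 traffic between protected ports on this switch; unprotected
! ports in VLAN 10 and the SVI can still reach it, so the real control
! for dial-up clients is the ACL on the Vlan20 SVI below.
interface FastEthernet0/5
 description Private WEB 192.168.1.5
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! The dial-up router moves out of the server VLAN into VLAN 20, so every
! packet it sends toward the servers is routed through the SVI and
! evaluated by the ACL instead of being switched at Layer 2.
interface FastEthernet0/1
 description Dialup Router (assumed readdressed to 192.168.2.1)
 switchport mode access
 switchport access vlan 20
!
! Deny dial-up clients to Private WEB and log the hits; permit the
! rest of the server subnet (Public WEB, AAA, Domain).
ip access-list extended DIALUP-TO-SERVERS
 deny   ip any host 192.168.1.5 log
 permit ip any 192.168.1.0 0.0.0.255
!
interface Vlan10
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan20
 ip address 192.168.2.254 255.255.255.0
 ip access-group DIALUP-TO-SERVERS in
```

The implicit deny at the end of the ACL drops anything from VLAN 20 not aimed at 192.168.1.0/24, so add explicit permits for any other destination dial-up users need.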
