Cisco Support Community

New Member

?switchport protected between switches

Hi,

I have several 2950's and 3550's hung on trunks off a common 3550 EMI.

Configuring switchport protected on interfaces disables L2 communications between these interfaces on the same switch.

Can anyone tell me a sane/simple way to disable L2 between interfaces on the same VLAN on different switches?

Thanks.

5 REPLIES
Hall of Fame Super Bronze

Re: ?switchport protected between switches

What exactly are you trying to achieve?

Are you trying to block a port between switches?

Switchports default to L2 and can only be changed to L3 if running a 3550 or later, with the no switchport command.

New Member

Re: ?switchport protected between switches

Ref attached jpg

I hope to find a way that restricts workstations (designated A-E on jpg) configured on the same vlan to communicate only to designated servers and the default gateway.

These workstations should get no reply when arping to any other on net address.

I understand that switchport protected does this when configured for workstations residing on the same switch as the server and gateway (i.e. the rightmost 2950).

Thanks,

switchport protected

Hall of Fame Super Bronze

Re: ?switchport protected between switches

I believe I understand now.

switchport protected works on the same switch, while you want to expand this concept over multiple switches, am I right?

Well, there is an option: it's called Private VLANs, but it's supported on 3560/3750 and other high-end switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swpvlan.html
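For readers comparing the two features named in this reply, here is an added configuration example (not part of the original thread or posted by any participant) that sets the switch-local protected-port setting beside a private VLAN with isolated host ports on a PVLAN-capable switch such as a 3560. The VLAN numbers, interface names and the 192.0.2.1 address are assumptions chosen for illustration.

```cisco
! --- Option 1: protected ports (local to one switch) ---
! A protected port does not forward to another protected port on the
! SAME switch. The setting is not carried over trunks, so hosts on
! protected ports of different switches can still reach each other.
interface range FastEthernet0/1 - 5
 description workstations (assumed ports)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! --- Option 2: private VLAN on a PVLAN-capable switch ---
! VTP must be in transparent mode before private VLANs are defined.
vtp mode transparent
!
! Secondary VLAN: isolated ports cannot talk to each other at L2.
vlan 101
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Workstations: isolated host ports, reach promiscuous ports only.
interface range FastEthernet0/1 - 5
 description workstations (assumed ports)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Server: promiscuous port, reachable from every host port.
interface GigabitEthernet0/1
 description server (assumed port)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Default gateway: SVI on the primary VLAN, mapped to the secondary
! VLAN so isolated hosts can be routed.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 private-vlan mapping 101
```

After applying the private VLAN section, `show vlan private-vlan` lists the primary/secondary association and the ports in each, which is the quickest check that the host ports ended up isolated.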

New Member

Re: ?switchport protected between switches

Thanks.

As I understand it then, all hosts connected to associated primary and secondary private VLANs occupy the same IP subnet with a gateway configured on the primary VLAN's SVI.

Short of replacing all switches with 3560/3750's, could I get L2 isolation by:

1. Replace the 3550 at the root with a 3560 trunked to both 2950's.

2. Configure the 3560 with private primary vlan X with associated private isolated vlan Y.

3. Configure all 2950 ports connected to workstations as switchport access vlan Y and switchport protected.

4. Configure the 2950 ports connected to the server as switchport access vlan X and no switchport protected.

Hall of Fame Super Bronze

Re: ?switchport protected between switches

It might work, but just thinking about it gave me a headache :)

Best to draw it up and play around with that idea in a lab.
