Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Protoced Port feature in Catalyst 3550 24 EMI Switches

We purchase one catalyst 3550 switch in assumption that we can implement Private-VLAN and layer 3 features on it as it is mentioned below URL:

we created several protected ports and VLANs and assign IP address to this vlans but could not able to make static route between them as it is mentioned that

"Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device. "

Is't my Cisco Catalyst 3550 24 EMI Switch is not layer 3 switch or what. How can I implement routing between vlans on the same switch.

Can any body help me to solve this problem.

Thanks in Advance.

2 REPLIES
Silver

Re: Protoced Port feature in Catalyst 3550 24 EMI Switches

I'm not familiar with the 3550 features very well, but I am with PVLANs on the 6000s. If you're using PVLANS, remember that your hosts will be separated at layer 2 yet on the same Layer 3 subnet. This means that your host assumes he can speak directly with the other host and won't send his traffic to the default gateway. The hosts will broadcast ARP requests to find the MAC address of the other device. Of course the other device will never see or respond to the request due to the Layer 2 isolation. Therefore, you must use proxy-arp so that the router will respond to ARP requests to hosts on the same interface. Note that the use of HSRP on a Layer 3 interface disables proxy-arp by default and may be problematic in some configurations.

On the 3550 Protected ports can only talk to unprotected ports. So you layer 3 interface (SVI) on the switch will be your unprotected port that you protected ports will talk to provide communications between protected ports.

Note that you aren't trying to route between VLANs but rather within the same VLAN when we're talking about protected ports. If two ports are already in different VLANs, it's layer 2 isolation and Layer 3 routing as usual. You won't need to do anything special outside of having an SVI for each VLAN for the hosts to talk to each other.

interface vlan 1

ip address 192.168.1.1 255.255.255.0

interface vlan 2

ip address 192.168.2.1 255.255.255.0

interface f0/0

switchport access vlan 1

interface f0/1

switchport access vlan 2

This small config is an example of routing from one vlan to another. Any device plugged into port 0/0 will need to be routed to get to a host on 0/1 which is a differnet VLAN and subnet. Of course ACLs can now be applied to the Layer 3 SVI interfaces.

If you can provide more info about what you're trying to accomplish and what the goals are, maybe I could help more.

Community Member

Re: Protoced Port feature in Catalyst 3550 24 EMI Switches

First of all I would like to thankyou to make me more clear about Private-VLAN.

As I understant about your explanation and configuration is that intervlan routing between vlan are no problem even if there are protected ports in different vlans.

But I am looking the configuration of inter communication between same vlan protected ports. For some reason I want to protect ports as well as control the traffic between them through access list. Can it be possible.

For more clearficaton :

I have 4 servers + Router in the same Vlan (This is just for explanation I put all together) :

1 Private WEB 192.168.1.5

2. Public WEB 192.168.1.2 NATed with legal IP

3. AAA Server 192.168.1.3

4. Domain Server 192.168.1.4

5. Dialulp Router 192.168.1.1

I want to protect my dialup clents or Dialup Router to go to Private WEB but I want them to go to all other servers. For protecting from other server I make my Private WEB Connection Port "Protected" as well as Dialup Router Port Protected as well as AAA Server Protect. then how I can communicated this two ports through layer 3. (Please note this senario I make just to explain you more detail, don't consider as actual setup)

Thanks in Advance.

151
Views
0
Helpful
2
Replies
CreatePlease to create content