Re: Protected switch ports

From: Larry Letterman (lletterm@cisco.com)
Date: Thu Jan 16 2003 - 22:13:24 GMT-3


We do it here at Cisco to keep the Finance and HR servers from talking to any other
servers or hosts in the data center and only responding to router requests behind a secure
PIX that allows only Finance and HR people access....

John Tafasi wrote:

> Hi, group,
>
> The following is an excerpt from the ipexpert Catalyst 3550 tutorial. Although
> the configuration is very simple and understandable, I cannot imagine a
> situation where you would want to deny two hosts in the same LAN from seeing
> each other. Can someone give an example of a situation where you would want
> to configure protected ports?
>
> Thanks
>
> =============================
>
> Protected Ports (Similar to Private VLANs)
>
> Some applications require that no traffic be forwarded between ports on the
> same switch so that one neighbor does not see the traffic generated by another
> neighbor. In such an environment, the use of protected ports ensures that there
> is no exchange of unicast, broadcast, or multicast traffic between these ports
> on the switch.
>
> Protected ports have these features:
>
> A protected port does not forward any traffic (unicast, multicast, or
> broadcast) to any other port that is also a protected port. Traffic cannot be
> forwarded between protected ports at Layer 2; all traffic passing between
> protected ports must be forwarded through a Layer 3 device.
>
> Forwarding behavior between a protected port and a nonprotected port proceeds
> as usual.
>
> Switch# configure terminal
> Switch(config)# interface gigabitethernet0/1
> Switch(config-if)# switchport protected
> Switch(config-if)# end
>
> You can also disable unknown multicasts and unicasts from being flooded to a
> protected port with the "switchport block unicast" and "switchport block
> multicast" commands.
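As an added example (not part of the list post, the tutorial, or any Cisco tool), the script below parses the interface blocks of an IOS-style running-config, models the Layer 2 forwarding rule quoted above (protected-to-protected traffic is dropped; protected-to-nonprotected forwards as usual), and audits whether the ports you intend to isolate, such as the Finance and HR server ports in the scenario Larry describes, are actually protected and also have unknown-unicast and unknown-multicast flooding blocked. The interface names and the sample config are constructed for the example.

```python
"""Audit an IOS-style running-config for protected-port isolation.

Added example (not from the original list post). It parses the
'interface ... / switchport ...' blocks from a Catalyst running-config and
models the Layer 2 rule from the tutorial excerpt: two protected ports never
exchange unicast, broadcast or multicast traffic at Layer 2, while a protected
port and a nonprotected port forward as usual.
"""
import re
from typing import Dict, List, Set

# Constructed sample config (hypothetical interface names) modelling the
# scenario in the reply: Finance and HR servers isolated from each other and
# from the other server, with the uplink toward the firewall/router left
# nonprotected so the Layer 3 device can still reach them.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description Finance server
 switchport access vlan 10
 switchport protected
 switchport block unicast
 switchport block multicast
!
interface FastEthernet0/2
 description HR server
 switchport access vlan 10
 switchport protected
 switchport block unicast
!
interface FastEthernet0/3
 description Web server (not isolated)
 switchport access vlan 10
!
interface GigabitEthernet0/1
 description Uplink to PIX / router
 switchport access vlan 10
!
"""

BLOCK_COMMANDS = ("switchport block unicast", "switchport block multicast")


def parse_interfaces(config: str) -> Dict[str, Set[str]]:
    """Return {interface name: set of 'switchport ...' sub-commands}."""
    interfaces: Dict[str, Set[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
            continue
        if line.strip() == "!":          # '!' ends an interface block
            current = None
            continue
        if current and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("switchport"):
                interfaces[current].add(cmd)
    return interfaces


def protected_ports(config: str) -> Set[str]:
    """All interfaces configured with 'switchport protected'."""
    return {name for name, cmds in parse_interfaces(config).items()
            if "switchport protected" in cmds}


def l2_forwarding_allowed(config: str, src: str, dst: str) -> bool:
    """Protected-to-protected traffic is dropped at Layer 2; anything else forwards."""
    prot = protected_ports(config)
    return not (src in prot and dst in prot)


def audit(config: str, isolated: List[str]) -> List[str]:
    """Flag isolated ports that are not protected or still receive unknown-flood traffic."""
    ifaces = parse_interfaces(config)
    findings = []
    for name in isolated:
        cmds = ifaces.get(name, set())
        if "switchport protected" not in cmds:
            findings.append(f"{name}: expected protected but is not")
        for blk in BLOCK_COMMANDS:
            if blk not in cmds:
                kind = blk.split()[-1]
                findings.append(f"{name}: unknown-{kind} flooding still reaches this port")
    return findings


if __name__ == "__main__":
    print("protected:", sorted(protected_ports(SAMPLE_CONFIG)))
    print("Fa0/1 -> Fa0/2 at L2:",
          l2_forwarding_allowed(SAMPLE_CONFIG, "FastEthernet0/1", "FastEthernet0/2"))
    print("Fa0/1 -> Gi0/1 at L2:",
          l2_forwarding_allowed(SAMPLE_CONFIG, "FastEthernet0/1", "GigabitEthernet0/1"))
    for finding in audit(SAMPLE_CONFIG, ["FastEthernet0/1", "FastEthernet0/2"]):
        print("finding:", finding)
```

Run it against `show running-config` output saved to a file to confirm that every server port meant to be isolated is both protected and shielded from unknown-unicast/multicast floods; in the sample, the HR port is reported because it lacks `switchport block multicast`. Note that a nonprotected port in the same VLAN (the web server above) still exchanges traffic with the protected ports at Layer 2, which is exactly why the uplink to the router or PIX is left nonprotected.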



This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:51 GMT-3