From: John Tafasi (johntafasi@yahoo.com)
Date: Fri Jan 17 2003 - 01:19:02 GMT-3
I could understand from your answer that because the 3550 catalyst switch
WILL NOT switch frames between two protected ports, the switch will send the
packet from customer A out the trunk port (which is not a protected port) to
the router and when the packet comes back to the switch trunk port (which is
not protected) it can be switched to customer B port (protected port). Thus
the rule of not switching between two protected ports is still preserved. Is
that correct?
----- Original Message -----
From: "Larry Letterman" <lletterm@cisco.com>
To: "John Tafasi" <johntafasi@yahoo.com>
Cc: "ccielab" <ccielab@groupstudy.com>; "Alavalapati, Abhimanyu V."
<aalavala@ubspw.com>
Sent: Thursday, January 16, 2003 8:01 PM
Subject: Re: Protected switch ports
> because the layer 2 security blocks all communication in the local broadcast
> domain and allows connection only with the router for that subnet....
>
> in the catalyst family it's called PVID or private vlans...
>
> John Tafasi wrote:
>
> > Well, it might be a good idea to assign all the ISP customers to one IP subnet
> > while separating them at layer 2. But the question is: if customer A,
> > connected to port 1, really needs to communicate with another customer
> > (customer B) that is connected to port 2, how would you make them able to
> > communicate? The excerpt below implies that customer A can only communicate
> > with customer B through a router, but why? They are on the same subnet!!!
> >
> > ----- Original Message -----
> > From: "Alavalapati, Abhimanyu V." <aalavala@ubspw.com>
> > To: "'John Tafasi'" <johntafasi@yahoo.com>; "ccielab"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, January 16, 2003 6:45 PM
> > Subject: RE: Protected switch ports
> >
> >
> >
> >>Was designed for ISPs where they did not want to burn up a subnet per
> >>customer, so they had all their customers on one logical subnet and
> >>separated them at layer 2. We do this in our extranet environment.
> >>
> >>-----Original Message-----
> >>From: John Tafasi [mailto:johntafasi@yahoo.com]
> >>Sent: Thursday, January 16, 2003 4:45 PM
> >>To: ccielab
> >>Subject: Protected switch ports
> >>
> >>
> >>Hi, group,
> >>
> >>
> >>
> >>The following is an excerpt from the ipexpert catalyst 3550 tutorial. Although
> >>the configuration is very simple and understandable, I cannot imagine a
> >>situation where you would want to deny two hosts in the same LAN from seeing
> >>each other. Can someone give an example of a situation where you would want
> >>to configure protected ports?
> >>
> >>Thanks
> >>
> >>=============================
> >>
> >>
> >>
> >>Protected Ports (Similar to Private VLANs)
> >>
> >>Some applications require that no traffic be forwarded between ports on the
> >>same switch so that one neighbor does not see the traffic generated by another
> >>neighbor. In such an environment, the use of protected ports ensures that
> >>there is no exchange of unicast, broadcast, or multicast traffic between these
> >>ports on the switch.
> >>
> >>Protected ports have these features:
> >>
> >>A protected port does not forward any traffic (unicast, multicast, or
> >>broadcast) to any other port that is also a protected port. Traffic cannot be
> >>forwarded between protected ports at Layer 2; all traffic passing between
> >>protected ports must be forwarded through a Layer 3 device.
> >>
> >>Forwarding behavior between a protected port and a nonprotected port proceeds
> >>as usual.
> >>
> >>Switch# configure terminal
> >>Switch(config)# interface gigabitethernet0/1
> >>Switch(config-if)# switchport protected
> >>Switch(config-if)# end
> >>
> >>You can also disable unknown multicasts and unicasts from being flooded to a
> >>protected port with the "switchport block unicast" and "switchport block
> >>multicast" commands.
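A complete configuration for the scenario the thread is debating, added here as an illustration and not part of the original messages or of the ipexpert tutorial: two customer ports on one VLAN are protected, the trunk toward the router is not, and the router answers ARP on behalf of hosts in its own subnet so that customer-to-customer traffic is forced through it (and can be policed there). The hostnames, VLAN 10, the interface names and the 192.168.10.0/24 addressing are assumptions, and `ip local-proxy-arp` / `no ip redirects` are the assumed router-side mechanism (Cisco IOS local proxy ARP), which the thread itself does not mention.

```cisco
! Constructed example (not from the thread): Catalyst 3550 "SW1" with two
! customers on VLAN 10 and an 802.1Q trunk up to router "R1".
hostname SW1
!
vlan 10
 name CUSTOMERS
!
interface FastEthernet0/1
 description Customer A (protected: no Layer 2 path to Fa0/2)
 switchport access vlan 10
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
interface FastEthernet0/2
 description Customer B (protected: no Layer 2 path to Fa0/1)
 switchport access vlan 10
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
interface GigabitEthernet0/1
 description Trunk to R1 (deliberately NOT protected, so both customers reach it)
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Router R1, VLAN 10 subinterface (assumed addressing 192.168.10.0/24).
! A and B share the subnet, so A would normally ARP for B directly; that ARP
! broadcast is dropped between the two protected ports, so A can never learn
! B's MAC. Local proxy ARP (assumed mechanism) makes R1 answer with its own
! MAC: A sends to R1, R1 routes the packet back out the same subinterface
! to B, and the frame crosses the switch twice via the unprotected trunk.
interface FastEthernet0/0
 no shutdown
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip proxy-arp
 ip local-proxy-arp
 ! Without this, R1 would send A an ICMP redirect pointing at B, which A
 ! cannot reach at Layer 2 anyway.
 no ip redirects
 ! An ACL applied here is the single enforcement point for inter-customer policy.
!
! Verify on SW1: "show interfaces fastethernet0/1 switchport" should list
! "Protected: true".
```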
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:52 GMT-3