From: Chuck Church (ccie8776@rochester.rr.com)
Date: Fri Jan 17 2003 - 12:19:35 GMT-3
I think that the correct behavior for a router receiving a packet that
should be redirected is to send a redirect, but it will also route that
packet. If you turn off redirects, it would route them as well. So with
protected ports, a way around that would be a host route on each of the two
'protected' hosts pointing to the other host, with the router as the next
hop. Since these are protected ports, the switch will not allow direct
communication. Host 'A' might arp, but 'B' would never see it. Even if 'A'
knew 'B's MAC, switch won't switch frames between the two ports. But send
them to the router, and it should work.
Chuck Church
CCIE #8776, MCNE, MCSE
----- Original Message -----
From: "Fadil" <fadiltakipte@hotmail.com>
To: <ccielab@groupstudy.com>
Sent: Friday, January 17, 2003 9:33 AM
Subject: Re: Protected switch ports
> Hi
>
> I could not understand how you can convince the router to route the packets
> coming from one interface going back again to the same interface. The router
> will send a redirect. How can you make them communicate with each other?
> Also for example we have two servers connected to the protected ports. One
> has an ip address 1.1.1.1/24 and the other one has 1.1.1.2/24.
> 1.1.1.1 wants to send a packet to 1.1.1.2. It will first ARP for that IP.
> And who is gonna reply? Router's proxy arp has no function here since they
> are on the same interface.
> Fadil
> ----- Original Message -----
> From: "John Tafasi" <johntafasi@yahoo.com>
> To: "ccielab" <ccielab@groupstudy.com>; "Alavalapati, Abhimanyu V."
> <aalavala@ubspw.com>
> Cc: <lletterm@cisco.com>
> Sent: Thursday, January 16, 2003 6:50 PM
> Subject: Re: Protected switch ports
>
>
> > Well, it might be good idea to assign all the ISP customers to one IP subnet
> > while separating them at layer 2. But the question is: if customer A,
> > connected to port 1, really needs to communicate with another customer
> > (customer B) that is connected to port 2, how would you make them able to
> > communicate? The excerpt below implies that customer A can only communicate
> > with customer B through a router, but why? they are on the same subnet!!!
> >
> > ----- Original Message -----
> > From: "Alavalapati, Abhimanyu V." <aalavala@ubspw.com>
> > To: "'John Tafasi'" <johntafasi@yahoo.com>; "ccielab"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, January 16, 2003 6:45 PM
> > Subject: RE: Protected switch ports
> >
> >
> > > Was designed for ISP's where they did not want to burn up a subnet per
> > > customer, so they had all their customers on one logical subnet and
> > > separated them at layer 2. We do this in our extranet environment,
> > >
> > > -----Original Message-----
> > > From: John Tafasi [mailto:johntafasi@yahoo.com]
> > > Sent: Thursday, January 16, 2003 4:45 PM
> > > To: ccielab
> > > Subject: Protected switch ports
> > >
> > >
> > > Hi, group,
> > >
> > >
> > >
> > > the following is an excerpt from the ipexpert catalyst 3550 tutorial.
> > > Although the configuration is very simple and understandable, I can not
> > > imagine a situation where you would want to deny two hosts in the same lan
> > > from seeing each other. Can someone give an example of a situation where
> > > you would want to configure protected ports.
> > >
> > >
> > >
> > > Thanks
> > >
> > > =============================
> > >
> > >
> > >
> > > Protected Ports (Similar to Private VLANs)
> > >
> > > Some applications require that no traffic be forwarded between ports on the
> > > same switch so that one neighbor does not see the traffic generated by
> > > another neighbor. In such an environment, the use of protected ports ensures
> > > that there is no exchange of unicast, broadcast, or multicast traffic between
> > > these ports on the switch.
> > >
> > > Protected ports have these features:
> > >
> > > A protected port does not forward any traffic (unicast, multicast, or
> > > broadcast) to any other port that is also a protected port. Traffic cannot be
> > > forwarded between protected ports at Layer 2; all traffic passing between
> > > protected ports must be forwarded through a Layer 3 device.
> > >
> > > Forwarding behavior between a protected port and a nonprotected port
> > > proceeds as usual.
> > >
> > > Switch# configure terminal
> > > Switch(config)# interface gigabitethernet0/1
> > > Switch(config-if)# switchport protected
> > > Switch(config-if)# end
> > >
> > > You can also disable unknown multicasts and unicasts from being flooded to a
> > > protected port with the "switchport block unicast" and "switchport block
> > > multicast" commands.
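Chuck's host-route workaround, written out end to end as an added example; this is not configuration from the thread or from the ipexpert tutorial. Fadil's hosts 1.1.1.1 and 1.1.1.2 are kept; the VLAN number, port names and the router address 1.1.1.254/24 are assumptions. The "no ip redirects" on the router is an added caveat: IOS routes the packet back out the same interface whether or not redirects are enabled, as Chuck says, but the ICMP redirect it would send tells host A that 1.1.1.2 is reachable directly, and a host that honors the redirect then ARPs for B across the protected ports and gets no answer.

```cisco
! Catalyst 3550: both customer ports protected, same VLAN (VLAN 10 assumed)
interface FastEthernet0/1
 description Host A 1.1.1.1 (assumed port)
 switchport access vlan 10
 switchport mode access
 switchport protected
!
interface FastEthernet0/2
 description Host B 1.1.1.2 (assumed port)
 switchport access vlan 10
 switchport mode access
 switchport protected
!
! The router uplink is a normal (unprotected) port, so frames between either
! host and the router are switched as usual; only A<->B is blocked.
interface FastEthernet0/24
 description Uplink to router 1.1.1.254 (assumed port)
 switchport access vlan 10
 switchport mode access
!
! Router, same subnet as the hosts (address assumed). The packet from A to B
! arrives on this interface and is routed straight back out of it.
! "no ip redirects" keeps the router from telling A to reach B directly,
! which the protected ports would silently drop.
interface FastEthernet0/0
 ip address 1.1.1.254 255.255.255.0
 no ip redirects
!
! Checks (show commands, not configuration):
!   show interfaces fastethernet0/1 switchport   -> "Protected: true"
!   show ip interface fastethernet0/0            -> "ICMP redirects are never sent"
```

The host side of the workaround is one /32 route each, pointing at the router rather than at the on-link neighbour: on a Linux host A, `ip route add 1.1.1.2/32 via 1.1.1.254`, and on B, `ip route add 1.1.1.1/32 via 1.1.1.254` (on Windows, `route add 1.1.1.2 mask 255.255.255.255 1.1.1.254`). That also answers Fadil's ARP question: with the host route in place A never ARPs for 1.1.1.2, it ARPs for 1.1.1.254, which the router answers over the unprotected uplink port. Without the route, A's ARP for B is flooded to every port in the VLAN except the other protected port, so B never sees it and nothing replies. The same effect can be had without touching the hosts by enabling `ip local-proxy-arp` (together with `no ip redirects`) on the router interface, which makes the router answer ARP requests for addresses inside its own subnet; that is a different mechanism from the one this thread discusses.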
This archive was generated by hypermail 2.1.4 : Sat Feb 01 2003 - 07:33:52 GMT-3