From: Scott Morris (swm@emanon.com)
Date: Fri Dec 08 2006 - 01:54:52 ART
Since everything being talked about surrounding this command (including
normal forwarding concepts) talks about frames going OUT a particular port,
I would say that your question would talk about output. Remember, you are
protecting the port with this command, not protecting the switch.
I suppose if you have three ports within a single VLAN and your question
talks about incoming things on fa0/1.... then I'd go to fa0/2 and fa0/3 and
use this command. That way if they came IN from fa0/1, they wouldn't go
anywhere.
Port security, while useful, helps secure the port but is not something I'd
tie together with this.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
_____
From: Salman Abbas [mailto:dukelondon@gmail.com]
Sent: Thursday, December 07, 2006 11:15 PM
To: Scott Morris
Cc: Noble; Cisco certification
Subject: Re: Protected Ports
Hi Scott,
Does that mean that if my question is
Interface f0/1 must block input/incoming unknown unicast & multicast
traffic.
I can safely configure the following without affecting my routing protocol
or any other traffic on that port.
int fa0/1
switchport block multicast
switchport block unicast
or would I need to do some additional config, like configuring static
mac-addresses for the devices connected to that port, to meet the question's
requirement.
Thanks in advance,
Cheers!!!
Salman
On 12/7/06, Scott Morris <swm@emanon.com> wrote:
These are two completely different concepts.
The "switchport block" commands have to do with altering the typical
behavior of a bridge/switch. While normally a switch keeps a cam table to
associate MAC addresses to outbound ports, every once in a while a frame
shows up with a MAC not in the list. The behavior is to flood these frames
out every port in the corresponding VLAN to assure delivery.
The "switchport block" commands alter this behavior and tell the switch NOT
to do this for the interface tagged.
"Switchport protected" on the other hand is the private-vlan edge concept
(pre-private-vlan, or 3550 implementation). Any two ports tagged as
"protected" within a single VLAN will never speak with each other via
unicast, broadcast or multicast directly at Layer 2.
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPExpert VP - Curriculum Development
IPExpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Noble
Sent: Thursday, December 07, 2006 1:49 AM
To: Cisco certification
Subject: Protected Ports
Hi Group,
I am trying to understand the need of adding "switchport block multicast"
and "switchport block unicast" along with "switchport protected".
I understand that traffic arriving on one protected port will not be
forwarded out other protected ports. If this is the case why would we need
to block multicast and unicast using switchport block command.
--
Thank you,
-Noble
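A constructed configuration illustrating the three-port scenario Scott describes above (added here as an example; it is not from the thread). The interface names come from the discussion; VLAN 10 and the "show interfaces switchport" verification lines are assumptions:

```cisco
! Constructed example: three access ports in one VLAN (VLAN 10 is assumed).
! Unknown-unicast and multicast frames entering on fa0/1 are flooded by the
! switch, so the "block" commands go on the ports the flood would go OUT of.
vlan 10
 name LAB
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Flooded frames for unknown destinations are dropped at egress here ...
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport block unicast
 switchport block multicast
!
! ... and here; a frame that came IN on fa0/1 has nowhere to go.
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 10
 switchport block unicast
 switchport block multicast
!
! Separate concept (private-VLAN edge): fa0/2 and fa0/3 may not talk to each
! other at Layer 2, but this does nothing about floods from unprotected fa0/1.
interface range FastEthernet0/2 - 3
 switchport protected
!
! Assumed verification output on a Catalyst access switch:
! Switch# show interfaces fa0/2 switchport | include Protected|blocked
! Protected: true
! Unknown unicast blocked: enabled
! Unknown multicast blocked: enabled
```

Learned MAC addresses are still forwarded normally on fa0/2 and fa0/3; only frames the switch would otherwise flood are suppressed on those ports.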
This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:37 ART