From: Scott Morris (smorris@ipexpert.com)
Date: Sun Apr 08 2007 - 22:32:24 ART
Those two options certainly seem to be the best ideas.
The answer to which one may depend on what switch you are on! 3550s will
only support the "switchport protected" command set, so that pretty well
narrows it down!
Otherwise, on a 3560, I would think the answer would depend on whether I was
allowed to create any extra VLANs or not.
Keep it simple!
HTH,
Scott Morris, CCIE4 (R&S/ISP-Dial/Security/Service Provider) #4713, JNCIE
#153, CISSP, et al.
CCSI/JNCI-M/JNCI-J
IPexpert VP - Curriculum Development
IPexpert Sr. Technical Instructor
smorris@ipexpert.com
http://www.ipexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Navin MS
Sent: Sunday, April 08, 2007 7:22 PM
To: ccielab@groupstudy.com
Subject: Blocking any traffic between two switchports
Hello GS,
Have a question asking "not to allow ANY traffic b/n two workstations which
are connected to two ports on VLAN 30 but should freely communicate with the
rest of the network". What is the correct approach?
Should I use "switchport protected" or use the Private VLAN concept as below?
vlan 30
 private-vlan primary
 private-vlan association 33
!
vlan 33
 private-vlan isolated
!
interface FastEthernet0/10
 switchport private-vlan host-association 30 33
 switchport mode private-vlan host
!
interface FastEthernet0/11
 switchport private-vlan host-association 30 33
 switchport mode private-vlan host
!
Now, all ports in secondary Isolated VLAN (vlan 33) are isolated from each
other. But the confusion is which is the best solution and is there something
that suggests one is more favored than the other?
Does either of them stop all L2 and L3 traffic from and to each other?
TIA,
Naveen.
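
An added example, not part of the original thread: a small Python audit that reads an IOS-style configuration and reports which of the two mechanisms discussed above ("switchport protected" or an isolated private VLAN) separates a given pair of ports. The function names are hypothetical, the sample config is constructed from the one in the post, and the check assumes both ports are on the same switch and that the primary VLAN lists a single secondary VLAN, as in the post.

```python
import re

# Constructed sample: the PVLAN config from the post, one command per line.
SAMPLE = """\
vlan 30
 private-vlan primary
 private-vlan association 33
!
vlan 33
 private-vlan isolated
!
interface FastEthernet0/10
 switchport private-vlan host-association 30 33
 switchport mode private-vlan host
!
interface FastEthernet0/11
 switchport private-vlan host-association 30 33
 switchport mode private-vlan host
"""

def parse_sections(config):
    """Map each 'vlan N' / 'interface X' header to its list of sub-commands."""
    sections, current = {}, None
    for text in map(str.strip, config.splitlines()):
        if re.fullmatch(r"vlan \d+|interface \S+", text):
            current = sections.setdefault(text, [])
        elif text in ("", "!"):
            current = None          # section ends at a separator
        elif current is not None:
            current.append(text)
    return sections

def isolated_pvlan(sec, cmds):
    """Return (primary, secondary) if cmds make this a host port in an isolated PVLAN."""
    if "switchport mode private-vlan host" in cmds:
        for c in cmds:
            m = re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", c)
            if (m and "private-vlan isolated" in sec.get("vlan " + m[2], [])
                    and "private-vlan association " + m[2] in sec.get("vlan " + m[1], [])):
                return m.groups()
    return None

def isolation(config, port_a, port_b):
    """Return 'protected', 'pvlan-isolated' or None (assumes both ports on one switch)."""
    sec = parse_sections(config)
    a, b = (sec.get("interface " + p, []) for p in (port_a, port_b))
    if "switchport protected" in a and "switchport protected" in b:
        return "protected"
    pa, pb = isolated_pvlan(sec, a), isolated_pvlan(sec, b)
    return "pvlan-isolated" if pa and pa == pb else None
```

A result of None means neither mechanism was confirmed for that pair, for example when only one port is protected or the secondary VLAN is not declared isolated.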