Re: A secure port cannot be a protected port

From: S Malik <ccie.09_at_gmail.com>
Date: Mon, 20 Apr 2009 18:14:24 -0400

I tested it and it seems that switchport port-security & switchport
protected both together work fine.

I configured two ports with security&protected and sent continuous ping from
host1 to host2 (hosts connected to configured ports), Request timed out.

Then I removed protected statement from one port and ping worked. I tried it
several times by taking protected statement out and putting it back and it
worked as I thought.

While ping is not getting reply due to protected line under both ports, I
connected both cables from Host1&2 to a HUB and ping is working (as two
hosts are on hub), the moment I connect one of Hub's port to one of the two
ports on 3550, it goes into err-disable. Same thing happened with port 2.

I repeated it with continuous ping from host1 to host2, and configured
protected statement on both ports, ping fails, took statement out from one
port then ping is successful, then connected two hosts to a HUB while ping
is going on and ping is again successful (there was break until two hosts
are on hub), Then I connected one port of hub to switch and it goes into
err-disable mode, same for the second port on switch.

Conclusion: in my case both port-security & protected together worked fine.

On Sun, Apr 19, 2009 at 9:42 AM, S Malik <ccie.09_at_gmail.com> wrote:

> Jared,
> Table refers Private-vlans not protected ports, therefore, 3550 of course
> is not supported, however, I like to use 3550 with protected port and port
> security together. Thanks for your time.
>
> On Sun, Apr 19, 2009 at 9:27 AM, Jared Scrivener <
> jscrivener_at_ipexpert.com> wrote:
>
>> Support for port security on private vlans on private vlan interfaces on the
>> 3560 switch was added in 12.2(37)SE.
>>
>> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps5012/ps7347/prod_bulletin0900aecd8064772c.html
>>
>> Cheers,
>>
>> Jared Scrivener CCIE3 #16983 (R&S, Security, SP), CISSP
>> Sr. Technical Instructor - IPexpert, Inc.
>> Telephone: +1.810.326.1444
>> Fax: +1.810.454.0130
>> Mailto: jscrivener_at_ipexpert.com
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Carlos G Mendioroz
>> Sent: Sunday, 19 April 2009 7:49 AM
>> To: S Malik
>> Cc: Ryan West; Cisco certification
>> Subject: Re: A secure port cannot be a protected port
>>
>> I guess this (the doc being wrong) might come from some architectures
>> not being able to handle both fns at once.
>> Don't assume that because it works in one, it works everywhere.
>> It might even depend on IOS version...
>>
>> -Carlos
>>
>> S Malik @ 19/04/2009 2:05 -0200 dixit:
>> > As per table, secure port & protected are compatible. Thanks for the
>> > reference and to every one for taking time to answer my question.
>> >
>> >
>> > On Sun, Apr 19, 2009 at 12:39 AM, Ryan West <rwest_at_zyedge.com> wrote:
>> >
>> >> Malik,
>> >>
>> >> I don't think you should have any problem configuring it. I wasn't able to
>> >> find the text you're referring to, but I was able to find this table for
>> >> 12.2(25)SEB and 12.2(44)SE:
>> >>
>> >> http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swtrafc.html#wp1184775
>> >>
>> >> -ryan
>> >>
>> >> -----Original Message-----
>> >> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of S Malik
>> >> Sent: Saturday, April 18, 2009 9:15 PM
>> >> To: Cisco certification
>> >> Subject: A secure port cannot be a protected port
>> >>
>> >> As per Cisco's documentation "A secure port cannot be a protected port",
>> >> However, I could configure port-security & switchport protected on an
>> >> interface on 3550 switch.
>> >>
>> >> Can anyone explain please?
>> >>
>> >> Thanks
>> >> Malik
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>> --
>> Carlos G Mendioroz <tron_at_huapi.ba.ar> LW7 EQI Argentina
>>

Received on Mon Apr 20 2009 - 18:14:24 ART
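
The behaviour reported in this thread, as an added example that is not part of the original messages: a Python sketch that reads a constructed running-config excerpt and, assuming the IOS port-security defaults (maximum of 1 secure MAC, violation mode shutdown, i.e. err-disable), reports whether two ports can exchange traffic and what happens when a hub presents a second MAC. Interface names and function names are assumptions; it models the configuration only and says nothing about whether a given platform or IOS release accepts both features.

```python
import re

# Constructed running-config excerpt (interface names are assumptions).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport protected
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport protected
!
interface FastEthernet0/3
 switchport mode access
"""

def parse_ports(config):
    """Return {interface: settings}, starting from port-security defaults."""
    ports, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], {
                "protected": False, "port_security": False,
                "maximum": 1, "violation": "shutdown"})
        elif not raw.startswith(" "):
            cur = None  # "!" or a global command ends the interface stanza
        elif cur is None:
            continue
        elif line == "switchport protected":
            cur["protected"] = True
        elif line == "switchport port-security":
            cur["port_security"] = True
        elif m := re.match(r"switchport port-security maximum (\d+)", line):
            cur["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\S+)", line):
            cur["violation"] = m.group(1)
    return ports

def can_forward(ports, a, b):
    """Protected ports on the same switch do not forward to each other."""
    return not (ports[a]["protected"] and ports[b]["protected"])

def violation_action(port, macs_seen):
    """Violation mode triggered when more source MACs appear than allowed."""
    if port["port_security"] and macs_seen > port["maximum"]:
        return port["violation"]
    return None
```
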

This archive was generated by hypermail 2.2.0 : Mon May 04 2009 - 07:39:12 ART