Velocity Reviews - Computer Hardware Reviews

Port Protection using with Vlans

 
 
Piccalo Clark
      09-07-2004
Hi,

I have used Cisco Catalyst 2950 switches in the past which have the
feature to flag ports as 'protected'. This setting prevents any
connection on a protected port from communicating with another protected
port. I am however using some new hardware which does not have this
feature. The workaround suggested for this is to configure each port
in the network to be on a separate vlan, thus meaning they cannot talk
to each other.

The problem is I would like them all to use a common gateway.

Consider the following setup

Switch A: Port 1 is the gateway, port 23 trunk to switch B port 1,
port 24 trunk to switch C port 1.

Switch B: Port 1 is a trunk to port 23 on Switch A, with ports 2-16
set as vlans 102-116.

Switch C: Port 1 is a trunk to port 24 on Switch B, with ports 2-16
set as vlans 202-216.


The problem I have is I would like port 1 on Switch A connected to my
gateway to see all this traffic. Does anyone know how to achieve this
configuration?

If I have not made any of this clear, please let me know and I will
provide further details!

Many thanks in advance,

Piccalo
 
Walter Roberson
      09-07-2004
In article <(E-Mail Removed) >,
Piccalo Clark <(E-Mail Removed)> wrote:
:I have used Cisco Catalyst 2950 switches in the past which have the
:feature to flag ports as 'protected'. This setting prevents any
:connection on a protected port communicating with another protected
:port. I am however using some new hardware which does not have this
:feature. The workaround suggested for this is to configure each port
:in the network to be on a separate vlan, thus meaning they cannot talk
:to each other.

:The problem I have is I would like port 1 on Switch A connected to my
:gateway to see all this traffic.

Do you want port 1 to *route* the traffic [after perhaps having
filtered it to prevent internal fraternization], or do you want port 1
to just pass on all the traffic to the next hop along, or do you just
want port 1 to be able to *monitor* all the traffic [e.g., for accounting
or intrusion detection purposes]?

It's a bit difficult for us to say what is possible or not when you do
not mention the vendor, model, or software revision of the "new
hardware" -- and don't mention any flexibility to replace or augment
that "new hardware" with other hardware if needed to achieve your
aims.
--
"Infinity is like a stuffed walrus I can hold in the palm of my hand.
Don't do anything with infinity you wouldn't do with a stuffed walrus."
-- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
 
Piccalo Clark
      09-08-2004
Many thanks for your quick reply!

> Do you want port 1 to *route* the traffic [after perhaps having
> filtered it to prevent internal fraternization], or do you want port 1
> to just pass on all the traffic to the next hop along, or do you just
> want port 1 to be able to *monitor* all the traffic [e.g., for accounting
> or intrusion detection purposes]?


I'd like to be able to plug my gateway into port 1 and have it see the
traffic from all the Vlans, and be able to send traffic back. The only
reason I am using Vlans at all is that the new hardware (mentioned
later) does not have a similar feature to the Cisco's "port
protected".

I can see in Linux I can use the vconfig tool, which I have done
successfully - however I would like all the traffic to be able to use
a common gateway, with the same IP address. Using the vconfig tool I
have to set up a new IP address for each virtual interface I create.

I believe what I would like to be able to do is set up port 1 as a
trunk, then have some kind of "Vlan masquerading" enabled on my
gateway, which abstracts the vlan configuration away from the gateway
- how does this sound to you?

When the traffic is seen on my gateways network interface, the Vlan
information is stripped, and when data is sent back into the network,
the ethernet frames are encapsulated again with the appropriate Vlan
tags.

> It's a bit difficult for us to say what is possible or not when you do
> not mention the vendor, model, or software revision of the "new
> hardware" -- and don't mention any flexibility to replace or augment
> that "new hardware" with other hardware if needed to achieve your
> aims.


Previous hardware I was using was the Cisco Catalyst 2950. I now
*have* (management decision) to work with switches from Teledex, the
NetronixHG218M. I can however still use a 2950 as my base switch,
which I would plug the gateway into, with uplinks to the new hardware.
Basically, there is no flexibility!
 
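An added example, not part of the thread and not code from either poster: a Linux-side build of the "common gateway" that both of Piccalo's posts describe. It takes the per-port VLAN layout from the first post (VLANs 102-116 and 202-216 arriving on one trunk), terminates every VLAN on one bridge that carries a single gateway address, and sets the bridge's per-port "isolated" flag on every member so the gateway itself never forwards frames between VLANs, which is what 'switchport protected' does on a 2950. The 8021q sub-interfaces strip the tag on the way in and re-add it on the way out, which is the "Vlan masquerading" asked for in the third post; the FORWARD rule is the filter Walter alluded to, so the gateway cannot be used to hairpin one VLAN into another at layer 3. Everything named below is my assumption, not something the thread states: the trunk NIC eth0, the bridge br0, the RFC 5737 documentation address 192.0.2.1/24, iproute2 on a kernel of 4.18 or later (the isolated flag), and iptables for the forward filter. It generalises beyond the thread's case by accepting any list of VLAN IDs or ranges. By default it only prints the commands it would run; --apply executes them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Linux "common gateway"
# for a trunk carrying one VLAN per access port: every VLAN shares one gateway
# address, yet the gateway never forwards frames between VLANs. That is the
# Catalyst 2950 "switchport protected" behaviour, rebuilt with the Linux bridge
# per-port "isolated" flag (kernel 4.18+, iproute2 "bridge link set").
#
# Assumptions (mine, not the poster's): trunk NIC eth0, bridge br0, gateway
# 192.0.2.1/24 (RFC 5737 documentation prefix), iproute2 and iptables present.
# Default is a dry run that prints the plan; "--apply" executes it (as root).

# expand_ranges "102-116 202-216 300": print each VLAN ID once, one per line.
expand_ranges() {
    for tok in $1; do
        case "$tok" in
            *-*)
                lo=${tok%-*}; hi=${tok#*-}; i=$lo
                while [ "$i" -le "$hi" ]; do
                    echo "$i"
                    i=$((i + 1))
                done ;;
            *) echo "$tok" ;;
        esac
    done
}

# gen_gateway_cmds TRUNK BRIDGE GW_CIDR "VLAN_RANGES": print the ip/bridge/
# iptables commands, one per line, that build the isolated multi-VLAN gateway.
gen_gateway_cmds() {
    trunk=$1; br=$2; gw=$3; ranges=$4

    # One bridge holds every VLAN sub-interface. The bridge device itself is
    # not a port, so it is the only thing isolated members can reach, and it
    # carries the single address all access ports use as their gateway.
    echo "ip link add $br type bridge"
    echo "ip link set $trunk up"

    for id in $(expand_ranges "$ranges"); do
        # 802.1Q allows VLAN IDs 1-4094; refuse anything else before touching
        # the kernel rather than failing halfway through the plan.
        if [ "$id" -lt 1 ] || [ "$id" -gt 4094 ]; then
            echo "gen_gateway_cmds: invalid VLAN id $id" >&2
            return 1
        fi
        sub="$trunk.$id"
        # 8021q sub-interface: the tag is stripped on ingress and re-added on
        # egress, which is the "Vlan masquerading" asked for in the thread.
        echo "ip link add link $trunk name $sub type vlan id $id"
        echo "ip link set $sub master $br"
        # Isolated ports may only exchange frames with non-isolated ports.
        # Every member is isolated, so a broadcast or ARP from VLAN 102 reaches
        # the gateway's own stack but never VLAN 103: protected-port semantics.
        echo "bridge link set dev $sub isolated on"
        echo "ip link set $sub up"
    done

    echo "ip addr add $gw dev $br"
    echo "ip link set $br up"
    # Layer-3 hairpin guard. A host that sends everything to the gateway MAC
    # (or a gateway with proxy_arp on) would otherwise have its packets routed
    # straight back out br0 into another VLAN, silently undoing the isolation.
    echo "sysctl -w net.ipv4.conf.$br.proxy_arp=0"
    echo "iptables -A FORWARD -i $br -o $br -j DROP"
}

# count_isolated_ports "VLAN_RANGES": number of members the plan isolates;
# it must equal the number of access ports behind the trunk.
count_isolated_ports() {
    gen_gateway_cmds eth0 br0 192.0.2.1/24 "$1" | grep -c 'isolated on'
}

main() {
    ranges="102-116 202-216"          # Switch B and Switch C from the first post
    plan=$(gen_gateway_cmds eth0 br0 192.0.2.1/24 "$ranges") || exit 1
    if [ "${1:-}" = "--apply" ]; then
        printf '%s\n' "$plan" | sh -e  # run, stopping at the first failure
    else
        printf '%s\n' "$plan"          # dry run: show the plan only
    fi
}

main "$@"
```

After --apply, `bridge -d link show` should list every eth0.NNN member with isolated on, and a ping from a host on one access port to a host on another should fail while both still reach 192.0.2.1: the ARP request from an isolated member is delivered only to the bridge device, never to another member, and anything a host does manage to aim at the gateway's MAC is stopped by the br0-to-br0 FORWARD drop. Leave proxy_arp off on br0; turning it on makes the gateway answer ARP for hosts in other VLANs and reintroduces exactly the cross-talk the design is meant to remove.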