Port Protection using VLANs

Discussion in 'Cisco' started by Piccalo Clark, Sep 7, 2004.

  1. Hi,

    I have used Cisco Catalyst 2950 switches in the past which have the
    feature to flag ports as 'protected'. This setting prevents any
    connection on a protected port communicating with another protected
    port. I am however using some new hardware which does not have this
    feature. The work around suggested for this is to configure each port
    in the network to be on a separate VLAN, thus meaning they cannot talk
    to each other.

    The problem is I would like them all to use a common gateway.

    Consider the following setup

    Switch A: Port 1 is the gateway, port 23 trunk to switch B port 1,
    port 24 trunk to switch C port 1.

    Switch B: Port 1 is a trunk to port 23 on Switch A, with ports 2-16
    set as VLANs 102-116.

    Switch C: Port 1 is a trunk to port 24 on Switch B, with ports 2-16
    set as VLANs 202-216.


    The problem I have is I would like port 1 on Switch A connected to my
    gateway to see all this traffic. Does anyone know how to achieve this
    configuration?

    If I have not made any of this clear, please let me know and I will
    provide further details!

    Many thanks in advance,

    Piccalo
    Piccalo Clark, Sep 7, 2004
    #1

  2. In article <>,
    Piccalo Clark <> wrote:
    :I have used Cisco Catalyst 2950 switches in the past which have the
    :feature to flag ports as 'protected'. This setting prevents any
    :connection on a protected port communicating with another protected
    :port. I am however using some new hardware which does not have this
    :feature. The work around suggested for this is to configure each port
    :in the network to be on a separate VLAN, thus meaning they cannot talk
    :to each other.

    :The problem I have is I would like port 1 on Switch A connected to my
    :gateway to see all this traffic.

    Do you want port 1 to *route* the traffic [after perhaps having
    filtered it to prevent internal fraternization], or do you want port 1
    to just pass on all the traffic to the next hop along, or do you just
    want port 1 to be able to *monitor* all the traffic [e.g., for accounting
    or intrusion detection purposes]?

    It's a bit difficult for us to say what is possible or not when you do
    not mention the vendor, model, or software revision of the "new
    hardware" -- and don't mention any flexibility to replace or augment
    that "new hardware" with other hardware if needed to achieve your
    aims.
    --
    "Infinity is like a stuffed walrus I can hold in the palm of my hand.
    Don't do anything with infinity you wouldn't do with a stuffed walrus."
    -- Dr. Fletcher, Va. Polytechnic Inst. and St. Univ.
    Walter Roberson, Sep 7, 2004
    #2

  3. Many thanks for your quick reply!

    > Do you want port 1 to *route* the traffic [after perhaps having
    > filtered it to prevent internal fraternization], or do you want port 1
    > to just pass on all the traffic to the next hop along, or do you just
    > want port 1 to be able to *monitor* all the traffic [e.g., for accounting
    > or intrusion detection purposes]?


    I'd like to be able to plug my gateway into port 1 and have it see the
    traffic from all the VLANs, and be able to send traffic back. The only
    reason I am using VLANs at all is that the new hardware (mentioned
    later) does not have a similar feature to the Cisco's "port
    protected".

    I can see in linux I can use the vconfig tool, which I have done
    successfully - however I would like all the traffic to be able to use
    a common gateway, with the same ip address. Using the vconfig tool I
    have to set up a new IP address for each virtual interface I create.

    I believe what I would like to be able to do is set up port 1 as a
    trunk, then have some kind of "VLAN Masquerading" enabled on my
    gateway, which abstracts the VLAN configuration away from the gateway
    - how does this sound to you?

    When the traffic is seen on my gateway's network interface, the VLAN
    information is stripped, and when data is sent back into the network,
    the ethernet frames are encapsulated again with the appropriate VLAN
    tags.

    > It's a bit difficult for us to say what is possible or not when you do
    > not mention the vendor, model, or software revision of the "new
    > hardware" -- and don't mention any flexibility to replace or augment
    > that "new hardware" with other hardware if needed to achieve your
    > aims.


    Previous hardware I was using was the Cisco Catalyst 2950. I now
    *have* (management decision) to work with switches from Teledex, the
    NetronixHG218M. I can however still use a 2950 as my base switch,
    which I would plug the gateway into, with uplinks to the new hardware.
    Basically, there is no flexibility!
    Piccalo Clark, Sep 8, 2004
    #3
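The "VLAN Masquerading" gateway sketched in the third post, written out as an added example that is not from the thread or either poster: a Linux host on the trunk terminates VLANs 102-116 and 202-216 into one bridge with a single address, and bridged forwarding is dropped so hosts still cannot reach each other through the gateway. It assumes iproute2 and ebtables in place of vconfig; the names eth0, br0 and 10.0.0.1/24 are placeholders, and the script only prints its commands unless run with --apply.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. One trunk NIC carries
# every per-host VLAN; all VLAN sub-interfaces join one bridge that owns
# the single gateway address, so hosts see one gateway while the bridge
# strips tags inbound and re-adds them outbound.
# Assumed names: trunk NIC eth0, bridge br0, gateway 10.0.0.1/24.
# Needs root, iproute2 and ebtables only when run with --apply.

TRUNK_IF=${TRUNK_IF:-eth0}
BRIDGE=${BRIDGE:-br0}
GW_ADDR=${GW_ADDR:-10.0.0.1/24}

# Per-host VLAN ranges from the thread: switch B ports 2-16 -> 102-116,
# switch C ports 2-16 -> 202-216.
vlan_ids() {
    seq 102 116
    seq 202 216
}

# Emit the commands that build the gateway, one per line.
gateway_cmds() {
    echo "ip link set dev $TRUNK_IF up"
    echo "ip link add name $BRIDGE type bridge"
    for id in $(vlan_ids); do
        # Tagged sub-interface for this VLAN, enslaved to the one bridge.
        echo "ip link add link $TRUNK_IF name $TRUNK_IF.$id type vlan id $id"
        echo "ip link set dev $TRUNK_IF.$id master $BRIDGE up"
    done
    echo "ip addr add $GW_ADDR dev $BRIDGE"
    echo "ip link set dev $BRIDGE up"
    # The bridge would otherwise relay frames between member VLANs and
    # undo the per-port isolation: drop every bridged (FORWARD) frame.
    # Frames addressed to the gateway itself traverse INPUT/OUTPUT, so
    # every host can still talk to the gateway, and only to the gateway.
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of VLAN sub-interfaces the plan creates (two ranges of 15).
vlan_count() { vlan_ids | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    gateway_cmds | sh -e
else
    gateway_cmds
fi
```

Run it once without arguments to review the plan, then with --apply as root on the gateway; the ebtables FORWARD policy is the part that keeps the isolation the protected ports used to give.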
