Hang internal network traffic on Cisco Catalyst C2924-XL.

Discussion in 'Cisco' started by Fabrizio, Sep 13, 2006.

  1. Fabrizio

    Fabrizio Guest

    Hi there, I'm a newbie on cisco switches and routers.
    My question is: is there a way to temporary block all internal traffic
    on cisco 2924 without reset ethernet ports?
    Alternatively, may I create some kind of access list for block UDP
    traffic?

    thanks in advance
    bye, fabrizio
     
    Fabrizio, Sep 13, 2006
    #1

    1. Advertisements

  2. Fabrizio

    Walter Roberson Guest

    Well, if you don't want to disable the port, you could always force
    it to trunk mode with a unique PVID enabled on it that differed
    from the native PVID for it ;-)

    Sorry, 2924's are before my time.
     
    Walter Roberson, Sep 13, 2006
    #2

    1. Advertisements

  3. Fabrizio

    Doug McIntyre Guest

    No, turning off the port is about the only way, or to make it block
    some otherway, such as putting it into trunk mode or something.
    Not on a 2924XL. Its a pretty barebones basic Layer-2 switch.
     
    Doug McIntyre, Sep 14, 2006
    #3
  4. Fabrizio

    Fabrizio Guest

    Hi Walter, may you explain better?
    tnx, fabrizio
     
    Fabrizio, Sep 14, 2006
    #4
  5. Fabrizio

    Walter Roberson Guest

    A port which is configured as a trunk will only pass traffic for
    the VLANs (Virtual LANs) that have been specified to pass over it.
    Each VLAN is identified by a number, known as the PVID (Private VLAN
    ID or something like that.)

    If you configure a port as a trunk and you set it up so that the only
    PVID attached to it (allowed to pass over it) is one that is
    used for nothing else at all, then there will be no data packets sent
    to the port. (You might still get link management packets sent to
    the port, such as BDPU or CDP).

    The bit about "native PVID" is that each 802.1Q trunk port must have
    a PVID associated with it, and any packets that happen to be
    part of the VLAN identified by that PVID, will be sent across the
    link with -no- VLAN tag, just as if the port were an access port
    instead. Often the native VLAN for a trunk defaults to PVID 1 --
    which is often used for other things, and is probably what all the
    other ports defaulted to as well. So you should change the
    "native" VLAN (the PVID number) associated with the port as well,
    to something -different- than the unique PVID mentioned earlier,
    but which is also unique. That way there won't be any sourced
    packets to go out "native", and if any packets happen to come in
    in "native" (untagged format) from the other side, then because no
    other ports have that PVID, the packets will be discarded.


    You can see that this is all a bit of a "cheat": you don't actually
    block the port from sending any traffic, but what you do instead
    is set it up so that no traffic is eligable to go out over the port,
    and that any traffic that comes in from the port is thrown away.
    It's sort of like changing your telephone to an unlisted number and
    then not telling *anyone* what the new number is.
     
    Walter Roberson, Sep 14, 2006
    #5

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.
Similar Threads

  1. mrtg, snmp and cisco C2924 resets

  2. Dead Cicso Catalyst WS-C2924-XL-EN

  3. outside initiated traffic to access internal network range through pix firewall with translation

  4. Cisco PIX 501 - Port forwarded to an internal host via Static NAT doesn't work from internal host

  5. WS-C2924-XL-EN switch

  6. Cisco 515 VPN Traffic can not ping internal hosts

  7. cisco ios nat from internal->external->internal

  8. Cisco Nat Internal > External > Internal

Loading...