07-31-2007 08:52 AM - edited 03-05-2019 05:36 PM
Hey there all.
I am in the process of purchasing a Catalyst 3550 or 3560 Catalyst and need confirmation on software and capabilities. The switch needs to be able to do Private Vlans, have 2 SPAN Ports, and at least 2 GBIC Ports. I am aware that the 3560 w/12.2(20)SE - EMI can def. support what we need it for but, I was wondering if a 3550 would be able to support all this as well if it had the proper software. So, what I need to know is can a 3550 do this and if so what software would I need?
Thanks
Shaun
07-31-2007 09:00 AM
Hi Shaun
3550 switch does not fully support private vlans. Attached is a link to private vlan support matrix for catalyst switches.
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a0080094830.shtml
Even if they did, I would strongly recommend you go for the 3560 as this is a newer switch which has replaced the 3550.
HTH
Jon
07-31-2007 09:21 AM
Thanks!
I didn't think the 3550 Series could support it but I wanted confirmation. Though what do you mean by NOT FULLY SUPPORT? What we need to do is block certain ports from seeing each other on the switch. For instance, Eth1 can see 2-10 but not 11-24 or Eth 3 can see Eth1,2,6,10,11 but nothing else. Etc. Everything will be on the same network. 172.16.X.X/24
Again thank you
Shaun
07-31-2007 09:32 AM
Shaun
If you have a look at the link I sent, you can see that the 3550 only supports PVLAN Edge or protected ports.
Protected ports would actually meet your requirement though in that you can block ports from seeing each other on the same switch.
The EOS/EOL announcement has been made for the 3550 though so it would be better to go with the 3560 - see attached link.
http://www.cisco.com/en/US/products/hw/switches/ps646/index.html
If you still want to pursue the 3550 option let me know and I'll check it against your other requirements.
HTH
Jon
07-31-2007 11:44 AM
I guess what I need to know is can Port Security provide the ability to do this??
Router A - Can see/ping All Routers
Router B - Can see/ping All Routers
Router C - Can see/ping All Routers
Router D - Can see/ping All Routers
Router E - Can see/ping ONLY A,B,C,D
Router F - Can see/ping ONLY A,B,C,D
Router G - Can see/ping ONLY A,B,C,D
Router H - Can see/ping ONLY A,B,C,D
Routers connected to the switch:
Router A - Company Router can't see clients
Router B - Company Router can't see clients
Router C - Company Router can't see clients
Router D - Company Router can't see clients
Router E - Company Router can't see clients
Router F - Client Router can't see company
Router G - Client Router can't see company
Router H - Client Router can't see company
We just need to make sure Clients don't see each other.
07-31-2007 12:06 PM
Shaun
A protected port cannot send traffic to another protected port at layer 2. So if all your router interfaces are in the same subnet then you could meet your first set of conditions by
1) leave Router A, B, C, D as unprotected ports.
2) Make router E, F, G, H protected ports.
With this setup A, B, C, D will be able to talk to all routers.
E, F, G, H will only be able to communicate with A, B, C, D.
Not sure I understand your second set of conditions. Is it just another way to explain the first set?
Jon
07-31-2007 12:32 PM
Sorry Jon,
What I meant was this.
I guess what I need to know is can Port Security provide the ability to do this??
Router A - Can see/ping All Routers
Router B - Can see/ping All Routers
Router C - Can see/ping All Routers
Router D - Can see/ping All Routers
Router E - Can see/ping ONLY A,B,C,D
Router F - Can see/ping ONLY A,B,C,D
Router G - Can see/ping ONLY A,B,C,D
Router H - Can see/ping ONLY A,B,C,D
Routers connected to the switch:
Router A - Company Router - Can see all routers
Router B - Company Router - Can see all routers
Router C - Company Router - Can see all routers
Router D - Company Router - Can see all routers
Router E - Company Router - Can see all routers
Router F - Client Router - Only see A,B,C,D
Router G - Client Router - Only see A,B,C,D
Router H - Client Router - Only see A,B,C,D
Router F,G, & H CANNOT See each other
We just need to make sure Clients don't see each other.
I.E. F can't see G or H
G can't see F or H
H can't see F or G
07-31-2007 12:45 PM
Shaun
Based on the docs yes it can do what you need. F, G, H are made protected ports and therefore cannot see each other at layer 2.
Non-protected ports can communicate with both protected and other non-protected ports.
Note that this does imply that all router interfaces are in the same subnet.
HTH
Jon
07-31-2007 09:38 AM
Shaun,
As Jon mentioned, the 3550 does not support the full Private Vlan feature, only the basic feature "protected port" is supported. Ports defined as protected on a switch cannot talk to each other at layer 2. They will only be able to talk to each other using a layer 3 device.
Protected ports have these features:
- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a layer 3 device.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
- Protected ports are supported on IEEE 802.1Q trunks.
Please check if it can solve your purpose.
HTH, please rate if it does.
-amit singh
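Added example (not written by any poster in this thread): a small Python model of the protected-port rule quoted above, used to check the two port assignments suggested earlier in the thread (E, F, G, H protected; then F, G, H protected) against the reachability lists Shaun posted. Router names A-H come from the thread; the function names and policy tables are illustrative assumptions, and only Layer 2 forwarding on a single switch is modelled.

```python
# Added example: Layer 2 reachability under the protected-port rule.
ROUTERS = "ABCDEFGH"  # router names from the thread

def can_forward(src, dst, protected):
    """Frames are dropped only when BOTH ports are protected."""
    if src == dst:
        return False
    return not (src in protected and dst in protected)

def reachable(protected):
    """Map each router to the set of routers it can reach at Layer 2."""
    return {r: {d for d in ROUTERS if can_forward(r, d, protected)}
            for r in ROUTERS}

def violations(protected, policy):
    """Return (router, unwanted_peers, missing_peers) for each mismatch."""
    actual = reachable(protected)
    out = []
    for r, wanted in policy.items():
        extra, missing = actual[r] - wanted, wanted - actual[r]
        if extra or missing:
            out.append((r, sorted(extra), sorted(missing)))
    return out

def isolated(group, protected):
    """True if no member of group can reach another member."""
    actual = reachable(protected)
    return all(not (actual[r] & set(group)) for r in group)

def everyone_but(r):
    return set(ROUTERS) - {r}

# First list in the thread: A-D see all routers, E-H see only A-D.
POLICY_FIRST = {**{r: everyone_but(r) for r in "ABCD"},
                **{r: set("ABCD") for r in "EFGH"}}
# Second list: A-E see all routers, F-H see only A-D.
POLICY_SECOND = {**{r: everyone_but(r) for r in "ABCDE"},
                 **{r: set("ABCD") for r in "FGH"}}

if __name__ == "__main__":
    print("E,F,G,H protected vs first list :",
          violations(set("EFGH"), POLICY_FIRST))
    print("F,G,H protected vs second list  :",
          violations(set("FGH"), POLICY_SECOND))
    print("clients F,G,H isolated          :",
          isolated("FGH", set("FGH")))
```

With F, G and H protected the clients are isolated from each other, but each can still exchange frames with E, because the rule is symmetric and E is an unprotected port.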