
Can a switchport protected port ping another VLAN in an inter-VLAN environment?

Maivoko

Can a switchport protected port ping another VLAN on another switch, or a different VLAN on the same switch, in an inter-VLAN environment?

I think the answer is yes: it can use Layer 3 by going further to the router instead of Layer 2 in the current switch.

Is that correct?

If it is not inter-VLAN routing, but a route in the firewall which routes back to the core switch, can a switchport protected port still ping another port?

If so, why is switchport protected needed?

Just for Layer 2?

Accepted Solution

Hello,

The 'switchport protected' concept is local to the switch and local to the VLAN, which means your assumptions are correct: a protected port can ping any other port on another switch, and any other port in a different VLAN. The only port it cannot ping is another protected port on the same switch, in the same VLAN.

10 Replies

Hello,

You are correct. A switchport protected port is meant to isolate protected ports so that they do not receive unicast, broadcast or multicast traffic from any other protected port on the same switch or switch stack, at Layer 2 only.

Layer 3 communication happens normally.

The objective here is to avoid, for example, packet sniffers on the same Layer 2 domain, thus offering protection.

By allowing only Layer 3 traffic you have much more control.

A useful utilization would be, for example, two different companies sharing the same switch in a building, or a service provider isolating its clients on the same infrastructure.


-If I helped you somehow, please, rate it as useful.-

You said that
"The only port it cannot ping is another protected port on the same switch, in the same VLAN."
But at Layer 3, it can still ping.

Hello,

In order to avoid confusion, can you post the configuration of your switch?

Actually, I do not have a config.
But I am curious:
What measure is taken at Layer 3, as said in the previous reply?

It looks at the Layer 2 protocol and not Layer 3. It is just a matter of decapsulation.

Hello,

Think about the layers as being hierarchical. If you cannot communicate at Layer 2, you automatically cannot communicate at any of the higher layers (3 through 7). Similarly, if you unplug the cable (Layer 1), you cannot communicate at any of the other higher layers either.

Does that make sense?

Which protection at Layer 3 is equivalent to the switchport protected command at Layer 2?

For L3 control, access lists (or VLAN Access Lists) would be used.

What are you after? Is there a specific scenario you are looking at?
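The Layer 2 and Layer 3 controls discussed in this thread, side by side, as an added example that is not part of the original thread or any poster's configuration. Interface names, VLAN IDs, subnets and ACL names are constructed for illustration, and the platform is assumed to support VLAN access maps; options A and B are alternatives.

```cisco
! Constructed example: interface names, VLAN IDs, subnets and ACL names are assumptions.
! --- Layer 2: two hosts in VLAN 10 on the same switch, isolated from each other ---
interface GigabitEthernet0/1
 description host-a
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet0/2
 description host-b
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Unprotected port in the same VLAN (for example a shared server).
! Protected ports still exchange traffic with it as usual.
interface GigabitEthernet0/3
 description shared-server
 switchport mode access
 switchport access vlan 10
!
! --- Layer 3, option A: routed ACL on the VLAN 10 SVI ---
! 'switchport protected' does not touch routed traffic, so VLAN 10 -> VLAN 20
! has to be filtered where it is routed.
ip access-list extended VLAN10-IN
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
! --- Layer 3, option B: VLAN access map (VACL) applied to VLAN 10 ---
! In the ACL that a VACL matches on, 'permit' means "select this traffic".
ip access-list extended V10-TO-V20
 permit ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
!
vlan access-map BLOCK-V10-V20 10
 match ip address V10-TO-V20
 action drop
vlan access-map BLOCK-V10-V20 20
 action forward
!
vlan filter BLOCK-V10-V20 vlan-list 10
!
! Verify: 'show interfaces GigabitEthernet0/1 switchport' reports "Protected: true".
```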

I do not have a scenario,
I am just curious about switchport protected,
and want to confirm that it can ping under the scenarios of inter-VLAN routing and firewall routing.