07-25-2013 02:21 AM - edited 03-07-2019 02:35 PM
Hi All,
I'm planning to build a small local network with Cisco switches. Our requirements are
* All end machines (3~400 PCs) should not see each other.
* All end machines can see the host (server) machine(s).
I have looked into the port isolation feature (the "switchport protected" command?) to solve this problem. I have read some articles about this feature which said that "switchport protected" will not work across multiple switches. Of course we need multiple switches to satisfy the requirements, so I'm very confused now.
My idea was
1. Set all ports in slave switches to be protected, except one port. Connect this unprotected port to "root" switch.
2. Set all ports in "root" switch to be protected, except one port. Connect server machine to this unprotected port.
3. On the path from clients to the server, packets come in on a protected port and go out on an unprotected port, so they can communicate with each other.
4. On the path from any client to another client, all ports are protected, so all end hosts would be isolated.
Is this plan possible? I mean, can any two clients (maybe on different slave switches) see each other in this design?
Thanks,
Junseong Lee
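The four-step design above written out as a Catalyst IOS configuration. This is an added example, not configuration posted in the thread; the interface numbers, the single access VLAN 10 and the 48-port layout are assumptions chosen for illustration. The rule it relies on is the one "switchport protected" actually enforces: a switch never forwards a frame at layer 2 from one protected port to another protected port on the same switch, while protected-to-unprotected and unprotected-to-protected forwarding is allowed.

```text
! ---- Slave (access) switch: every client port protected, uplink unprotected ----
! Assumed: one access VLAN (10), clients on Gi1/0/1-47, uplink on Gi1/0/48.
vlan 10
 name CLIENTS
!
interface range GigabitEthernet1/0/1 - 47
 description client port (protected)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
interface GigabitEthernet1/0/48
 description uplink to root switch (unprotected)
 switchport mode access
 switchport access vlan 10
!
! ---- Root switch: every downlink to a slave switch protected, server port unprotected ----
! Assumed: slave switches on Gi1/0/1-47, server on Gi1/0/48.
vlan 10
 name CLIENTS
!
interface range GigabitEthernet1/0/1 - 47
 description downlink to slave switch (protected)
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface GigabitEthernet1/0/48
 description server (unprotected)
 switchport mode access
 switchport access vlan 10
!
! ---- Verification (run on each switch) ----
! "Protected: true" must appear for every client port and every root downlink,
! "Protected: false" for the slave uplinks and the server port.
show interfaces GigabitEthernet1/0/1 switchport | include Protected
show interfaces GigabitEthernet1/0/48 switchport | include Protected
```

Tracing the two traffic paths through this configuration: a frame from a client enters the slave switch on a protected port, may leave through the unprotected uplink, arrives at the root on a protected downlink, and may only leave through the unprotected server port; it cannot be forwarded to another protected downlink, so clients on different slave switches never see each other's frames, and clients on the same slave switch are blocked locally. Two caveats a practitioner should keep in mind: the isolation is layer 2 only, so if the device on the unprotected server port routes IP packets between clients they can still reach each other through it, and the "Protected: false" check on the uplinks matters, because a protected uplink would also cut off the client-to-server path.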
07-25-2013 05:29 AM
Hello,
This is an interesting idea - but it should work. I see no way of how two clients on protected ports, even if on different switches, can communicate directly over Layer2.
This approach has strong limitations, however: the unprotected ports must be located on the "root" switch only, never on the "slave" switches. In addition, this approach becomes inflexible or outright unusable if you interconnect your switches with trunks and run multiple VLANs over them, because a protected port impacts the traffic of all VLANs carried through it.
Have you considered the Private VLAN (PVLAN) feature using isolated secondary PVLANs? This would nicely solve the needs of isolating your clients, yet having none of the disadvantages of your current design.
See more about Private VLANs here:
Best regards,
Peter
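The private-VLAN alternative from the reply above, as an added example rather than configuration from the thread. VLAN numbers (primary 200, isolated secondary 201), interface names, and the use of VTP transparent mode are assumptions; the commands are the standard Catalyst IOS private-VLAN syntax, which is available on platforms such as the Catalyst 3560/3750/4500/6500 but not on switches that only offer "PVLAN edge" (protected ports), so check the platform before planning on it.

```text
! Private VLANs must be defined on every switch that carries them;
! with VTP version 1 or 2 the switch has to be in transparent mode.
vtp mode transparent
!
! One isolated secondary VLAN for all clients: hosts in an isolated VLAN
! cannot talk to each other at layer 2, even when they sit on different switches.
vlan 201
 name CLIENTS-ISOLATED
 private-vlan isolated
!
! The primary VLAN ties the secondary to the promiscuous (server) port.
vlan 200
 name CLIENTS-PRIMARY
 private-vlan primary
 private-vlan association 201
!
! Client ports (repeat on every access switch): host ports in the isolated VLAN.
interface range GigabitEthernet1/0/1 - 46
 description client port (isolated host)
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
 spanning-tree portfast
!
! Server port: promiscuous, so it reaches every host in the mapped secondary VLAN.
interface GigabitEthernet1/0/48
 description server (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! Inter-switch link: an ordinary 802.1Q trunk carrying both the primary and the
! secondary VLAN; no special port role is needed on the link itself.
interface GigabitEthernet1/0/47
 description trunk to next switch
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 200,201
!
! Verification
show vlan private-vlan
show interfaces GigabitEthernet1/0/1 switchport
show interfaces GigabitEthernet1/0/48 switchport
```

Compared with protected ports, the isolation here is carried in the VLAN tag rather than in a per-port flag, which is why it survives a trunk between switches and does not interfere with other VLANs on the same trunk. The same layer-2 caveat still applies: a router or the server itself could forward traffic between isolated hosts at layer 3.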