[nsp] Protected Ports

Terry Baranski tbaranski at mail.com
Tue Apr 8 22:26:13 EDT 2003


> Here is what I would like to do.  
>  
> I have a pix with a DMZ.  I have my server farm on that DMZ.  
> We will be hosting someone else's server and would like to 
> place it on the same DMZ. I don't want them to be able to see 
> our server farm.  
>  
> So, with that said. I've been reading about protected ports 
> on the 3550 (which is what is connected to the DMZ of the pix).
>  
> I understand that Protected ports don't talk (uni-, multi-, or 
> broadcasts) between ports.  The article I read said "Forwarding 
> behavior between a protected port and a nonprotected port proceeds 
> as usual."  Does this mean that unprotected ports can talk to the
> protected ones??

Correct.  This is somewhat of a pain because it means (your case is a
perfect illustration of this) that you can't just isolate one host by
making its port protected -- you have to make all the other host ports 
protected as well which results in *all* hosts being isolated from each 
other. The "protected port" feature is essentially a cut-down version of
PVLANs for the lower-end versions of the product line.  The more you try
to do with it, the more you yearn for PVLAN functionality on your
switch. 
 
> It also said that between protected ports you need a layer 3 device. 
> So, will the pix work for that?  and do I just put an ACL on the DMZ 
> interface as to what device can talk to which one?  I'm also assuming
> that they will all be in the same subnet, right?  

Right -- protected ports are used when you don't want traffic passing 
between a set of ports at layer 2.  This either means that 1) you don't
want any traffic at all flowing between them, or 2) you want all traffic
flowing between them to go through a layer 3 device (such as a firewall)
for security reasons.  I've only used them in the former case, and have 
wondered how people who use them for the latter reason get the traffic to
the layer 3 device in the first place being that the hosts are on the same
subnet.  (The usual case, of course, is that the hosts just ARP for each
other and that's the end of it -- no layer 3 device involved.)  Can 
anyone who has done this before shed some light?  Does it work to
put a static host route on a given host telling it to send traffic to 
the other "protected" hosts to the firewall?  Does this override the 
default behavior?

-Terry
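The setup discussed in this thread, as an added configuration example (not from the original poster or from Cisco documentation): every DMZ host port on the 3550 is made protected, the uplink to the PIX is deliberately left unprotected so it remains the one port every host can still reach, and the PIX DMZ ACL decides which host-to-host flows are allowed. Interface numbers, the interface name `dmz`, the 10.1.1.0/24 addresses and the port 1433 flow are all assumed for illustration.

```cisco
! --- Catalyst 3550, DMZ access switch (assumed interface numbers) ---
! Every host port is protected; the uplink to the PIX is not, so hosts
! can still reach the firewall at layer 2 but not each other.
interface FastEthernet0/1
 description Hosted (guest) server 10.1.1.10
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/2
 description Server farm host A 10.1.1.20
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/3
 description Server farm host B 10.1.1.30
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/24
 description Uplink to PIX DMZ interface (10.1.1.1) -- NOT protected
 switchport access vlan 10
!
! Check: "show interfaces FastEthernet0/1 switchport" should list
! "Protected: true"; the uplink should list "Protected: false".
!
! --- PIX, DMZ interface named "dmz" (assumed name and addresses) ---
! Only traffic that reaches the PIX is subject to this ACL; the explicit
! intra-subnet deny keeps the trailing "permit ... any" from also
! allowing farm-to-guest traffic.
access-list dmz_in permit tcp host 10.1.1.20 host 10.1.1.30 eq 1433
access-list dmz_in deny ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list dmz_in permit ip 10.1.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
!
! --- Host route on farm host A, the step the thread asks about ---
! Linux:   route add -host 10.1.1.30 gw 10.1.1.1
! Windows: route add 10.1.1.30 mask 255.255.255.255 10.1.1.1
```

With the host route in place, host A resolves the MAC of 10.1.1.1 instead of 10.1.1.30, so the frame leaves through the unprotected uplink port and the protected-port rule no longer blocks it. Whether the packet then gets delivered is a firewall question, not a switch question: the PIX has to be willing to forward a packet back out the same interface it arrived on, which PIX software of that era did not do (later releases added `same-security-traffic permit intra-interface` for exactly this), so that is the thing to verify before relying on this design. As a detection check, a packet capture on the uplink port should show host A's traffic to host B with the PIX's MAC as destination, and none of it should appear on the other host ports.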
