[c-nsp] RELATED: Feedback on: Security Advice for Routers and Switches

A.L.M.Buxey at lboro.ac.uk
Sun May 6 11:28:19 EDT 2007


hi,

related to this issue - and raised by myself as an option
regarding securing the network. I have been checking out
some of the L2 isolation methods and the obvious one is
'port protected'.

so, I turned it on, et voila, hosts on the same switch can no longer
talk to each other. if I use Host A and Host B as examples.....

host B moves onto another switch daisy-chained to the first switch..
host A can then reach it. okay. I then set the trunk link that feeds
down to the other switch ALSO as port protected. et voila, once
again, host A and host B can no longer talk. HOWEVER, I want them to
be able to do some talking. so, the docs say that once you use port
protected then the traffic must get to Layer 3 before they can talk.
however, these devices should have an L3 path via the router which
feeds their VLAN and the link to the switch...but there seems to be a
magical command I need on that router interface or VLAN to allow
the devices to talk to each other...and I'm a little wary/confused
as the way I see it is that the router interface will see a packet
from Host A to Host B coming from interface X... but it knows that both
A and B are DOWN that interface X link - and from basic network
memory I would say that the router SHOULD just throw that packet
away as it 'knows' that since both hosts are on that broadcast
domain, then they will/should already have received that packet.
so, where has my logic gone wrong - or what is the incantation to get
port protected clients talking to each other? (which I want them to do
barring certain activities and, in the case of requiring a day-0
worm lockdown, I want to control ;-) )

many thanks

alan
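For readers following the setup described in the post, the following is an added Cisco IOS configuration sketch (it is not part of the original message) that puts the two host ports and the daisy-chain trunk into protected mode and then lets the isolated hosts reach each other only by hairpinning through the VLAN's Layer 3 interface, where a policy ACL can be applied. Interface names, the VLAN number, addressing and the ACL contents are assumptions chosen for illustration.

```text
! --- Access switch: isolate host ports at Layer 2 (assumed names) ---
interface FastEthernet0/1
 description Host A (assumed)
 switchport mode access
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/2
 description Host B (assumed)
 switchport mode access
 switchport access vlan 100
 switchport protected
!
! Protected ports only block each other on the SAME switch.
! Marking the daisy-chain trunk protected as well (as the post does)
! also stops A from reaching a B that has moved to the downstream switch.
interface GigabitEthernet0/1
 description Trunk to downstream switch (assumed)
 switchport mode trunk
 switchport protected
!
! --- Router / L3 switch: let isolated hosts talk via Layer 3 only ---
! With local proxy ARP the SVI answers a host's ARP request for a
! same-subnet neighbour with its own MAC, so A->B traffic is sent to
! the router and routed back out of the same VLAN, where the inbound
! ACL can permit, log or drop it (e.g. during a worm lockdown).
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 ! proxy ARP is on by default and is required for local proxy ARP
 ip proxy-arp
 ip local-proxy-arp
 ! without this the router tells hosts to bypass it, which then fails
 no ip redirects
 ip access-group HOST_POLICY in
!
! Constructed example policy: allow the hosts to reach the outside
! world and each other, while blocking one service between them.
ip access-list extended HOST_POLICY
 deny   tcp 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 445 log
 permit ip  192.0.2.0 0.0.0.255 any
```

Because every host-to-host packet now crosses the SVI, `show ip access-lists HOST_POLICY` and the ACL log entries give a per-flow view of intra-VLAN traffic that a flat Layer 2 segment would never expose.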

