[c-nsp] Switchport protected trunk links

Adam Piasecki apiasecki at midatlanticbb.com
Wed Apr 13 10:34:05 EDT 2011


It's for internet. I need to keep all internet traffic from seeing each 
other, but I also have Cisco VoIP phones. So on the two remote switches 
I have VoIP phones and guest internet traffic. When the two switches 
uplink to the main switch, the internet VLAN will be able to 
communicate via the two trunk links. I don't want that, only the phones 
to pass between the two trunks. I've been looking at private VLANs, but 
I don't think that will even do this, though I'm just learning about 
them. I have Cisco 2960 switches.

FYI Switchport protected does work on trunk links just fine.

Adam

>     If I have a switch with two trunk ports, I want to switchport
>     protect both the trunk links. I have another trunk port for the
>     uplink.
>
>
> It's kind of hard to answer without any background info. It seems 
> like you want to keep traffic coming in one trunk link from going out 
> another, if I had to guess. I've never used sw protect on a trunk 
> link. Assuming it's supported, I would be concerned with blocking 
> spanning-tree BPDUs and other control traffic. There could also be 
> additional issues based on your topology.
>
>
>     However, I only want to switchport protect a certain VLAN on the
>     trunk ports. For example, VLAN 32 is on both of the remote
>     switches at the other end of the trunk port. VLAN 32 would be
>     protected between the trunk ports on the main switch and all other
>     VLANs would be able to pass.
>
>
> You would need private VLANs to do something like this. Even then it 
> wouldn't be clean and is only supported on certain platforms. Sw protect 
> is only at the port level though.
>
>
>     I don't think Cisco has a solution for this right now. I think I
>     have to create two separate VLANs (VLAN 32, VLAN 33) on the two
>     switches connected to the trunk ports.
>
>     I wish there was a command like "switchport protect vlan 32".
>
>
> You could do VLAN ACLs depending on what you're trying to accomplish.
>


-- 
Adam M Piasecki
MidAtlanticBroadband
Office: 410-727-8250 x 123
Cell: 940-224-4837
Fax: 410-727-8245
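
The two-VLAN approach proposed in the quoted text, sketched as main-switch configuration. This is an added example, not part of the original thread; the interface numbers and voice VLAN 10 are assumptions, while VLANs 32 and 33 are the ones named in the message.

```cisco
! Added example for the main switch. Assumed: interface numbers and
! voice VLAN 10. VLANs 32 and 33 are the guest VLANs named in the thread.
vlan 10
 name VOICE
vlan 32
 name GUEST-REMOTE-A
vlan 33
 name GUEST-REMOTE-B
!
! Trunk to remote switch A: voice plus that switch's own guest VLAN.
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,32
!
! Trunk to remote switch B: voice plus a different guest VLAN, so guest
! frames from A have no VLAN in common with this trunk.
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,33
!
! Uplink carries all three; no "switchport protected" is needed on the
! trunks, so voice VLAN 10 still bridges between Gi0/1 and Gi0/2.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,32,33
```

With this layout the guest separation is only at layer 2: whatever routes VLANs 32 and 33 upstream must not forward between the two guest subnets.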
