jurism

Private VLAN Edge / Protected Port

Hello!

I have a question regarding Protected Ports on a Dell PowerConnect 6248.

What I want to achieve: two devices, one connected to port 39 and the other to port 40, cannot talk to each other. I assumed that this could be done straightforwardly with the "Protected Ports" feature.

So I created:
switchport protected 0 name "A"
switchport protected 1 name "B"

interface ethernet 1/g39
switchport access vlan 3
switchport protected 0
exit
!
interface ethernet 1/g40
switchport access vlan 3
switchport protected 1
exit

Some testing: I connected one device with IP 192.168.7.10 (a random IP from the local IP address range) to port 39 and another device with IP 192.168.7.11 to port 40. When I run pings, these devices can ping each other.
What is wrong with my configuration, or does "Protected Ports" work in a different way?
And why are there groups (in the example I created A and B)? In the manual I can't find any explanation of them.

Anonymous

Private VLAN Edge (PVE) ports are a Layer 2 security feature. A ping will send an ICMP echo request packet, which operates at Layer 3. That may explain why you are seeing the pings go through.

You can run the following command to ensure protected port is enabled on the specific port.

show switchport protected

If you want to block all traffic, you may be able to use an ACL to block the traffic from one device to another.

Here are some great white pages to look over.

www.dell.com/.../app_note_10.pdf

www.dell.com/.../pwcnt_IP_ACLs.pdf

www.dell.com/.../app_note_3.pdf

jurism

Thank you for your response regarding ACLs. My goal can likely be achieved with ACLs, but with protected ports it could be much easier (as I need to separate many ports). Private VLAN would be desirable (but unfortunately there is no such thing on PowerConnect 6200 series switches).

Therefore I would like to get more information about the "Protected Port" feature.

This command
show switchport protected <group id>
shows that my test ports are protected

You wrote that:
"A ping will send an ICMP echo request packet which operates at layer 3. Which may explain why you are seeing the pings go through."

Yes, ICMP echo requests operate at L3, but as all 3 involved devices operate at L2 (both tested devices are L2 managed DLink switches) and there is no L3 device between them (no one knows about routing and there is no gateway at all), in this situation both protected ports first need to "talk" to each other at L2 to get ICMP echo requests to work (or am I wrong?). Additionally, I checked the MAC address tables on both L2 DLink switches, and each has an entry with the other's MAC.
If this is the intended behavior, what is the purpose of protected ports? And I still do not understand the group idea (why are these groups needed)?

On DLinks there is a similar feature, which is called "Traffic Segmentation" and works the way I supposed the "Protected Port" feature on Dell should work.

Could you help me regarding these questions?

Anonymous

Did some testing on this, and we were able to get it working as you described where they are not able to ping one another. What you will need to do is place the ports in the same group. So ports 39 and 40 will need to be placed on the same group and then they should not be able to communicate with each other.
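
An added example, not part of the original thread or Dell's documentation: a small Python audit that parses interface stanzas in the style posted above and lists port pairs in the same VLAN that the switch would still forward between, using the rule from this answer (protected ports are isolated only from ports in the same group). The function names, the default VLAN 1 for ports without an access VLAN line, and both config strings are constructed for illustration.

```python
import re
from itertools import combinations

# Constructed sample: the configuration from the question (ports in different groups).
QUESTION_CONFIG = '''
switchport protected 0 name "A"
switchport protected 1 name "B"
interface ethernet 1/g39
switchport access vlan 3
switchport protected 0
exit
!
interface ethernet 1/g40
switchport access vlan 3
switchport protected 1
exit
'''
# The fix from the answer: put 1/g40 in group 0 alongside 1/g39.
FIXED_CONFIG = QUESTION_CONFIG.replace(
    "vlan 3\nswitchport protected 1", "vlan 3\nswitchport protected 0")

def parse_ports(config):
    """Return {port: {"vlan": int, "group": int or None}} from interface stanzas."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface ethernet (\S+)$", line):
            # Assumption: a port with no access VLAN line sits in VLAN 1.
            current = ports.setdefault(m.group(1), {"vlan": 1, "group": None})
        elif line == "exit":
            current = None
        elif current is not None:
            if m := re.match(r"switchport access vlan (\d+)$", line):
                current["vlan"] = int(m.group(1))
            elif m := re.match(r"switchport protected (\d+)$", line):
                current["group"] = int(m.group(1))
    return ports

def reachable_pairs(config):
    """Port pairs in one VLAN that are NOT isolated by a shared protected group."""
    ports = parse_ports(config)
    pairs = []
    for a, b in combinations(sorted(ports), 2):
        pa, pb = ports[a], ports[b]
        same_group = pa["group"] is not None and pa["group"] == pb["group"]
        if pa["vlan"] == pb["vlan"] and not same_group:
            pairs.append((a, b))
    return pairs

if __name__ == "__main__":
    print("question config:", reachable_pairs(QUESTION_CONFIG))
    print("fixed config:   ", reachable_pairs(FIXED_CONFIG))
```

An empty result means every same-VLAN pair in the parsed config shares a protected group; any pair listed is one the protected-port feature does not separate.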

jurism

Yes, it works as it was supposed to! Thank you! The protected ports group description is a little bit confusing in the manual.

Anonymous

We put in a request to have the documentation updated. Thanks for keeping us updated.
