
July 26th, 2013 07:00

Private VLAN Edge / Protected Port

Hello!

I have question regarding Protected Ports on Dell Powerconnect 6248.

What I want to achieve: two devices, one connected to port 39 and the other to port 40, cannot talk to each other. I assumed that this can be done straightforwardly with the "Protected Ports" feature.

So I created:
switchport protected 0 name "A"
switchport protected 1 name "B"

interface ethernet 1/g39
switchport access vlan 3
switchport protected 0
exit
!
interface ethernet 1/g40
switchport access vlan 3
switchport protected 1
exit

Some testing: I connected one device with IP 192.168.7.10 (a random IP from the local IP address range) to port 39 and another device with IP 192.168.7.11 to port 40. When I perform PINGs, these devices can ping each other.
What is wrong with my configuration, or does "Protected Ports" work in a different way?
And why are there groups (in the example I created A and B)? In the manual I can't find any explanation of them.

5 Practitioner (274.2K Posts)

July 29th, 2013 13:00

Did some testing on this, and we were able to get it working as you described, where they are not able to ping one another. What you will need to do is place the ports in the same group. So ports 39 and 40 will need to be placed in the same group, and then they should not be able to communicate with each other.
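As an added illustration (not from the thread or from Dell), here is a small Python model of the rule stated in the reply above: it parses the poster's interface configuration, builds a constructed variant with both ports in group 0, and reports whether frames can pass between the two ports. The config line format, the "different VLANs never bridge" rule and the port-state layout are assumptions of this model, not documented PowerConnect behaviour.

```python
import re

# Constructed sample: the poster's original config, ports in different groups.
ORIGINAL_CFG = """\
switchport protected 0 name "A"
switchport protected 1 name "B"
interface ethernet 1/g39
switchport access vlan 3
switchport protected 0
exit
!
interface ethernet 1/g40
switchport access vlan 3
switchport protected 1
exit
"""

# Constructed: the fix suggested in the thread, i.e. port 40 moved into group 0.
# (The global "switchport protected 1 name" line is untouched: it ends differently.)
FIXED_CFG = ORIGINAL_CFG.replace("switchport protected 1\n", "switchport protected 0\n")


def parse_ports(cfg):
    """Return {port: {"vlan": int|None, "group": int|None}} from PowerConnect-style text."""
    ports, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if (m := re.match(r"interface ethernet (\S+)$", line)):
            current = m.group(1)
            ports[current] = {"vlan": None, "group": None}
        elif current is None:
            continue  # global lines (group names) carry no per-port state
        elif line == "exit":
            current = None
        elif (m := re.match(r"switchport access vlan (\d+)$", line)):
            ports[current]["vlan"] = int(m.group(1))
        elif (m := re.match(r"switchport protected (\d+)$", line)):
            ports[current]["group"] = int(m.group(1))
    return ports


def can_forward(ports, a, b):
    """Model of the thread's rule: same-VLAN ports are isolated only when both sit in the same protected group."""
    pa, pb = ports[a], ports[b]
    if pa["vlan"] != pb["vlan"]:
        return False  # assumption: different access VLANs never bridge at L2
    if pa["group"] is not None and pa["group"] == pb["group"]:
        return False  # isolated by the shared protected group
    return True  # different groups (or unprotected): frames are forwarded
```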

5 Practitioner (274.2K Posts)

July 26th, 2013 09:00

Private VLAN Edge (PVE) ports are a Layer 2 security feature. A ping will send an ICMP echo request packet, which operates at layer 3. Which may explain why you are seeing the pings go through.

You can run the following command to ensure protected port is enabled on the specific port.

show switchport protected

If you want to block all traffic, you may be able to use an ACL to block the traffic from one device to another.

Here are some great white papers to look over.

www.dell.com/.../app_note_10.pdf

www.dell.com/.../pwcnt_IP_ACLs.pdf

www.dell.com/.../app_note_3.pdf

22 Posts

July 29th, 2013 07:00

Thank you for your response regarding ACLs. My goal likely can be done with an ACL, but with protected ports it could be much easier (as I need to separate many ports). Private VLANs would be desirable (but unfortunately there is no such thing on PowerConnect 6200 series switches).

Therefore I would like to get more information about "Protected Port" feature.

This command:
show switchport protected
shows that my test ports are protected.

You wrote that:
"A ping will send an ICMP echo request packet, which operates at layer 3. Which may explain why you are seeing the pings go through."

Yes, ICMP echo requests operate at L3, but all 3 involved devices operate at L2 (both tested devices are L2 managed D-Link switches) and there is no L3 device between them (nobody knows about routing and there is no gateway at all). In this situation both protected ports first need to "talk" with each other at L2 for the ICMP echo requests to work (or am I wrong?). Additionally, I checked the MAC address tables on both L2 D-Link switches and there are entries with each other's MAC.
If this is the supposed behavior, what is the purpose of protected ports? And I still do not understand the group idea (why are these groups needed)?

On the D-Links there is a similar feature, called "Traffic Segmentation", which works the way I supposed the "Protected Port" feature on Dell should work.

Could you help me regarding these questions?

22 Posts

August 1st, 2013 07:00

Yes, it works as it was supposed to! Thank you! The protected ports group description is a little bit confusing in the manual.

5 Practitioner (274.2K Posts)

August 1st, 2013 07:00

We put in a request to have the documentation updated. Thanks for keeping us updated.
