July 21st, 2010 10:00

You cannot do this directly with the protected port feature. You may be able to use ACLs if your network is static.

Or you can try this hack:

- Port A - VLAN general mode, PVID is 2100, Allowed Trunk is 101, PROTECTED.  Prevents switching between ports A and B in either vlan

- Port B - VLAN general mode, PVID is 3100, Allowed Trunk is 101, PROTECTED.  Prevents switching between ports A and B in either vlan

- Uplink link port: vlans 100 and 101.  Allows vlan 100 and 101 traffic

- hack port 1 and 2:  access port in vlan 2100

- hack port 3 and 4:  access port in vlan 3100

- hack port 5: access port in vlan 100

- hack port 6: access port in vlan 100

- connect hack-port 1 to 3.   This allows untagged traffic on port A to communicate with port B as untagged.

- connect hack-port 2 to 5: This allows port A untagged traffic to communicate with uplink port as vlan 100 traffic

- connect hack-port 4 to 6: This allows port B untagged traffic to communicate with uplink port as vlan 100 traffic

This will do what you want but will be hard to maintain and does not scale real well (costs 6 extra ports to get the behaviour you want on 3 ports). Also, since there is a single STP instance by default on these switches, you will have to disable STP on hack ports 1 - 6 to prevent ports from being blocked.
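An added example, not part of the original post and not switch configuration: a small Python model of the layout above that floods one frame and reports which of ports A, B and the uplink it reaches. It also reports whether the flooded frame enters the same hack port twice, a check worth making because STP is disabled on those ports. Assumptions: port names are labels, every frame is flooded (no MAC learning), protected ports never forward to each other, and the uplink is a member of VLANs 100 and 101.

```python
# Constructed model of the layout in the post; port names are labels only.
def access(vlan):
    return {"pvid": vlan, "vlans": {vlan}, "protected": False}

PORTS = {
    "A": {"pvid": 2100, "vlans": {2100, 101}, "protected": True},
    "B": {"pvid": 3100, "vlans": {3100, 101}, "protected": True},
    "uplink": {"pvid": None, "vlans": {100, 101}, "protected": False},
    "h1": access(2100), "h2": access(2100),
    "h3": access(3100), "h4": access(3100),
    "h5": access(100), "h6": access(100),
}
EDGE = {"A", "B", "uplink"}
# Patch cables between hack ports: 1-3, 2-5, 4-6 (both directions).
CABLES = {"h1": "h3", "h3": "h1", "h2": "h5", "h5": "h2", "h4": "h6", "h6": "h4"}

def flood(src, vlan=None):
    """Flood one frame entering edge port src (vlan=None means untagged).

    Returns (edge ports reached other than src,
             True if the frame entered some port twice, i.e. a layer-2 loop).
    """
    vlan = PORTS[src]["pvid"] if vlan is None else vlan
    reached, seen, looped = set(), set(), False
    queue = [(src, vlan)]
    while queue:
        ingress, v = queue.pop()
        if (ingress, v) in seen:
            looped = True          # same frame arrived here again
            continue
        seen.add((ingress, v))
        for name, port in PORTS.items():
            if name == ingress or v not in port["vlans"]:
                continue           # not an egress member of this VLAN
            if PORTS[ingress]["protected"] and port["protected"]:
                continue           # protected-to-protected is never switched
            if name in EDGE:
                reached.add(name)
            else:                  # leaves untagged, re-enters on the cable peer
                peer = CABLES[name]
                queue.append((peer, PORTS[peer]["pvid"]))
    return reached - {src}, looped

if __name__ == "__main__":
    for src, vlan in [("A", None), ("B", None), ("A", 101), ("uplink", 101)]:
        print(src, vlan or "untagged", flood(src, vlan))
```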
