Hang internal network traffic on Cisco Catalyst C2924-XL.

Hi there, I'm a newbie on Cisco switches and routers. My question is: is there a way to temporarily block all internal traffic on a Cisco 2924 without resetting the Ethernet ports? Alternatively, can I create some kind of access list to block UDP traffic?

thanks in advance bye, fabrizio

Reply to
Fabrizio

Well, if you don't want to disable the port, you could always force it to trunk mode with a unique PVID enabled on it that differed from the native PVID for it ;-)

Sorry, 2924's are before my time.

Reply to
Walter Roberson

No, turning off the port is about the only way, or to make it block some other way, such as putting it into trunk mode or something.

Not on a 2924XL. It's a pretty barebones, basic Layer-2 switch.

Reply to
Doug McIntyre

Hi Walter, could you explain better?

tnx, fabrizio

Reply to
Fabrizio

A port which is configured as a trunk will only pass traffic for the VLANs (Virtual LANs) that have been specified to pass over it. Each VLAN is identified by a number, known as the PVID (Private VLAN ID or something like that.)

If you configure a port as a trunk and you set it up so that the only PVID attached to it (allowed to pass over it) is one that is used for nothing else at all, then there will be no data packets sent to the port. (You might still get link management packets sent to the port, such as BPDU or CDP).

The bit about "native PVID" is that each 802.1Q trunk port must have a PVID associated with it, and any packets that happen to be part of the VLAN identified by that PVID, will be sent across the link with -no- VLAN tag, just as if the port were an access port instead. Often the native VLAN for a trunk defaults to PVID 1 -- which is often used for other things, and is probably what all the other ports defaulted to as well. So you should change the "native" VLAN (the PVID number) associated with the port as well, to something -different- than the unique PVID mentioned earlier, but which is also unique. That way there won't be any sourced packets to go out "native", and if any packets happen to come in in "native" (untagged format) from the other side, then because no other ports have that PVID, the packets will be discarded.

You can see that this is all a bit of a "cheat": you don't actually block the port from sending any traffic, but what you do instead is set it up so that no traffic is eligible to go out over the port, and that any traffic that comes in from the port is thrown away. It's sort of like changing your telephone to an unlisted number and then not telling *anyone* what the new number is.

Reply to
Walter Roberson
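The configuration below is an added example, written by the editor and not posted by anyone in this thread, of the trunk "cheat" Walter describes. It uses Catalyst 2900XL-style IOS syntax (the `vlan database` mode and the `switchport trunk allowed vlan add/remove` form); the port name FastEthernet0/1 and the VLAN numbers 998 and 999 are assumptions, and the only requirement on them is that no other port on the switch is a member of either VLAN. In 802.1Q terms, the VLAN that a trunk sends and receives untagged is the port's PVID (Port VLAN ID), which Cisco calls the native VLAN.

```cisco
! Added example, not from the original thread. Assumes a 2900XL-class
! IOS image that supports 802.1Q trunking; Fa0/1, 998 and 999 are
! placeholders chosen so that no host port belongs to either VLAN.
!
! 1. Create two VLANs that nothing else on the switch will ever use.
vlan database
 vlan 998 name sinkhole-native
 vlan 999 name sinkhole-allowed
 exit
!
! 2. Make the port an 802.1Q trunk that carries only VLAN 999 (tagged)
!    and maps untagged frames to VLAN 998. Because no other port is in
!    998 or 999, nothing is ever forwarded out the trunk, and anything
!    arriving on it (tagged 999 or untagged) has no destination port.
configure terminal
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan remove 1-1001
 switchport trunk allowed vlan add 999
 switchport trunk native vlan 998
 end
!
! 3. Verify: the allowed list must show only 999 and the native VLAN 998.
!    If VLAN 1 is still listed as allowed, the host VLAN leaks out tagged
!    and the trick does not work.
show interface FastEthernet0/1 switchport
!
! 4. To restore the port when the block is no longer needed.
configure terminal
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
 end
```

Two caveats before relying on this: trunking on the 2900XL family is only available in the Enterprise Edition image, so check `show version` first, and some older IOS releases refuse to remove VLAN 1 from a trunk's allowed list. That is why step 3 matters: the approach only isolates the port if the `show interface ... switchport` output confirms that VLAN 1 (or whatever VLAN the hosts actually use) is absent from the trunk. As Walter notes, link-layer management frames such as BPDUs and CDP will still cross the link; this is a forwarding-plane cheat, not a port shutdown.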

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.