Cisco’s 3560 is a multilayer switch, designed to operate well at both layer 2 and layer 3. Due to its dual nature, however, Cisco had to allocate memory in a way that wouldn’t hinder operation in either mode out of the box.
Today I came across the command ‘switchport protected.’ I didn’t know what that meant, so I looked it up. Cisco’s documentation can be found here. To put it simply, protected ports are a poor man’s isolated private VLAN. Two (or more) protected ports on the same switch cannot speak to each other at Layer 2. However, they can speak to unprotected ports without a problem, and if traffic from one port bounces off an L3 device it can then reach other protected ports. Also, the protection status is local to a switch. Host A on SwitchA’s protected port 1 can still talk to Host B on SwitchB’s protected port 1 as long as there’s a trunk between the switches.
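To make the rules above concrete, here is an added example (not from the original post) that parses a small, constructed IOS-style config for two switches and answers whether two ports can reach each other at Layer 2 under protected-port semantics. The switch names, port numbers and the Fa0/24 trunk are assumptions; the L3 "bounce" case is outside this L2 model.

```python
import re

# Constructed configs: SwitchA and SwitchB joined by a trunk on Fa0/24 (assumption).
CONFIGS = {
    "SwitchA": """
interface FastEthernet0/1
 switchport protected
interface FastEthernet0/2
 switchport protected
interface FastEthernet0/3
interface FastEthernet0/24
 switchport mode trunk
""",
    "SwitchB": """
interface FastEthernet0/1
 switchport protected
interface FastEthernet0/24
 switchport mode trunk
""",
}


def parse_ports(config):
    """Return {port: {'protected': bool, 'trunk': bool}} from an IOS-style config."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {"protected": False, "trunk": False}
        elif current and line.strip() == "switchport protected":
            ports[current]["protected"] = True
        elif current and line.strip() == "switchport mode trunk":
            ports[current]["trunk"] = True
    return ports


SWITCHES = {name: parse_ports(cfg) for name, cfg in CONFIGS.items()}


def l2_reachable(src, dst):
    """src/dst are (switch, port) tuples. Protection only blocks traffic between
    two protected ports on the SAME switch; the flag is not carried over a trunk."""
    (s_sw, s_port), (d_sw, d_port) = src, dst
    if s_sw != d_sw:
        # Cross-switch traffic needs a trunk on both sides; the trunk is an
        # ordinary unprotected port, so the remote port's protection is bypassed.
        has_trunk = lambda sw: any(p["trunk"] for p in SWITCHES[sw].values())
        return has_trunk(s_sw) and has_trunk(d_sw)
    a, b = SWITCHES[s_sw][s_port], SWITCHES[d_sw][d_port]
    return not (a["protected"] and b["protected"])
```

The same-switch protected pair is blocked, a protected-to-unprotected pair passes, and the cross-switch protected pair passes over the trunk, matching the caveats described above.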
I’ve been playing with Dynamips/GNS3 quite a bit lately. My current topology has 16 routers, some serving as Frame Relay routers, others as SP backbone routers, and others as switches via the NM-16ESW module. I found it easier to logically separate the connections to routers from the connections to other switches by using two EtherSwitch modules. I used the first one (Fa1/0 – 15) to connect to routers, and the second one (Fa2/0 – 15) to connect to the other switches. For some reason, I could never get the switches to talk to each other.
Do you have too many VLANs? Are your Cisco 2950s running out of memory? You need to move away from VTP.