Configuring Protected Ports - Cisco WS-C3550-12G Software Configuration Manual

Chapter 12 Configuring Port-Based Traffic Control

Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one
neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these
ports on the switch.
Protected ports have these features:
•
•
The default is to have no protected ports defined.
Note The protected port feature is not compatible with fallback bridging. When fallback bridging is
enabled, it is possible for packets to be forwarded from one protected port on a switch to another
protected port on the same switch if the ports are in different VLANs.
Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded
to a protected port because a MAC address has timed out or has not been learned by the switch. Use
the switchport block unicast and switchport block multicast interface configuration commands to
guarantee that no unicast or multicast traffic is flooded to the port in such a case.
A protected port cannot be a secure port.
You can configure protected ports on a physical interface (for example, Gigabit Ethernet 0/1) or an
EtherChannel group (for example, port-channel 5). When you enable protected port for a port channel,
it is enabled for all ports in the port channel group.
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
Command
Step 1 configure terminal
Step 2
interface interface-id
Step 3 switchport protected
Step 4
end
Step 5 show interfaces interface-id switchport
Step 6 copy running-config startup-config
To disable protected port, use the no switchport protected interface configuration command.
78-11194-03
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that
is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic
passing between protected ports must be forwarded through a Layer 3 device.
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
Purpose
Enter global configuration mode.
Enter interface configuration mode, and enter the type and
number of the switchport interface to configure, for example,
gigabitethernet0/1.
Configure the interface to be a protected port.
Return to privileged EXEC mode.
Verify your entries.
(Optional) Save your entries in the configuration file.
Catalyst 3550 Multilayer Switch Software Configuration Guide
Configuring Protected Ports
12-5