Configuring Protected Ports; Configuring Port Security - Cisco Catalyst 2950 Software Configuration Manual

Chapter 17
Configuring Port-Based Traffic Control

Configuring Protected Ports

Some applications require that no traffic be forwarded by the Layer 2 protocol between ports on the same
switch. In such an environment, there is no exchange of unicast, broadcast, or multicast traffic between
ports on the switch, and traffic between ports on the same switch is forwarded through a Layer 3 device
such as a router.
To meet this requirement, you can configure Catalyst 2950 ports as protected ports (also referred to as
private VLAN edge ports). Protected ports do not forward any traffic to protected ports on the same
switch. This means that all traffic passing between protected ports—unicast, broadcast, and
multicast—must be forwarded through a Layer 3 device. Protected ports can forward any type of traffic
to nonprotected ports, and they forward as usual to all ports on other switches. Dynamically learnt
addresses are not retained if the switch is reloaded.
Note
When both SPAN source and SPAN destination ports are protected ports, traffic is forwarded from the
SPAN source to the SPAN destination. Therefore, do not configure both SPAN source and SPAN
destination as protected ports.
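One way to check a saved running-config for the condition this note warns about, given as an added example that is not part of the Cisco guide: it collects the interfaces carrying `switchport protected` (the command set in the procedure that follows) and reports any SPAN session whose source and destination are both protected. The sample configuration is constructed, and the script assumes one interface per `monitor session` line, written in the abbreviated `Fa0/1` form.

```python
import re

# Constructed sample running-config (not from the page or the Cisco guide).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/2
 switchport protected
!
interface FastEthernet0/3
 switchport mode access
!
monitor session 1 source interface Fa0/1
monitor session 1 destination interface Fa0/2
"""

ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}

def canon(name):
    """Expand an abbreviated name (Fa0/1) to the form used in interface stanzas."""
    m = re.match(r"([A-Za-z-]+)\s*([\d/]+)$", name.strip())
    return ABBREV.get(m.group(1), m.group(1)) + m.group(2) if m else name.strip()

def protected_ports(config):
    """Interfaces whose stanza contains 'switchport protected'."""
    ports, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = canon(line.split(None, 1)[1])
        elif not line.startswith(" "):
            current = None          # '!' or a global command ends the stanza
        elif current and line.strip() == "switchport protected":
            ports.add(current)
    return ports

def span_conflicts(config):
    """SPAN session numbers whose source and destination are both protected ports."""
    prot = protected_ports(config)
    roles = {}                       # session -> {"source": set, "destination": set}
    pat = re.compile(r"^monitor session (\d+) (source|destination) interface (\S+)", re.M)
    for num, role, port in pat.findall(config):
        session = roles.setdefault(int(num), {"source": set(), "destination": set()})
        session[role].add(canon(port))
    return sorted(n for n, r in roles.items()
                  if r["source"] & prot and r["destination"] & prot)

if __name__ == "__main__":
    print("protected ports:", sorted(protected_ports(SAMPLE_CONFIG)))
    print("SPAN sessions with both ends protected:", span_conflicts(SAMPLE_CONFIG))
```

Any session number the script reports is one where either the source or the destination needs the protected setting removed.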
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
        Command                              Purpose
Step 1  configure terminal                   Enter global configuration mode.
Step 2  interface interface-id               Enter interface configuration mode, and enter the port to be configured.
Step 3  switchport protected                 Enable protected port on the port.
Step 4  end                                  Return to privileged EXEC mode.
Step 5  show interfaces switchport           Verify that the protected port option is enabled.
Step 6  copy running-config startup-config   (Optional) Save your entries in the configuration file.
Use the no version of the switchport protected interface configuration command to disable the
protected port option.

Configuring Port Security

Secured ports restrict a port to a user-defined group of stations. When you assign secure addresses to a
secure port, the switch does not forward any packets with source addresses outside the defined group of
addresses. If you define the address table of a secure port to contain only one address, the workstation
or server attached to that port is guaranteed the full bandwidth of the port. As part of securing the port,
you can also define the size of the address table for the port.
Note
Port security can only be configured on static access ports.
78-11380-04
Catalyst 2950 Desktop Switch Software Configuration Guide