● Shutdown all Ethernet links from SW4 towards SW2 and SW3.
● Shutdown ports eth3/1 and eth1/2 on SW1.
● Create an SVI for VLAN 10 on SW1, assign it the IP address of 172.16.1.1/24.
● Configure eth1/3 and eth2/1 on SW1 as access ports in VLAN 10.
● Configure port eth1/3 on SW3 and eth0/2 on SW2 as Layer 3 ports with IP addresses of 172.16.1.Y/24, where Y is the switch number.
● Configure port protection on SW1 so that SW2 and SW3 cannot directly communicate with each other, but can communicate with SW1’s VLAN 10 interface.
Protected ports are used to prevent traffic from being directly exchanged at Layer 2 between two or more hosts that are within the same VLAN. Traffic received in a protected port cannot be sent out another protected port, but traffic received in a protected port can be sent out a non-protected port.
This feature is a much smaller subset of the Private VLAN feature, and it cannot span multiple physical switches; you cannot configure a protected port on SW1 and a protected port on SW2 and expect traffic between them to be disallowed.
In this particular design, the result of port protection is that SW1 and SW2 can communicate, SW1 and SW3 can communicate, but SW2 and SW3 cannot communicate, although they are attached to the same VLAN:
SW3#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW3#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SW2#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
SW2#ping 172.16.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Notice that ARP traffic is also not allowed between protected ports; all traffic between them is dropped, so SW2 and SW3 never complete ARP resolution for each other:
SW1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1              -   0013.605f.f041  ARPA   Vlan10
Internet  172.16.1.2              0   000a.b832.3ac1  ARPA   Vlan10
Internet  172.16.1.3              9   0022.5627.1fc1  ARPA   Vlan10

SW2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1             18   0013.605f.f01a  ARPA   Ethernet2/1
Internet  172.16.1.2              -   000a.b832.3ac1  ARPA   Ethernet2/1
Internet  172.16.1.3              0   Incomplete      ARPA

SW3#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.1.1             18   0013.605f.f016  ARPA   Ethernet1/3
Internet  172.16.1.2              0   Incomplete      ARPA
Internet  172.16.1.3              -   0022.5627.1fc1  ARPA   Ethernet1/3
SW4:
interface range Ethernet2/2,ethernet2/1
shutdown
!
interface range Ethernet3/1,ethernet3/2
shutdown
SW1:
interface range Ethernet3/1,Ethernet1/2
shutdown
!
default interface range Ethernet1/3,Ethernet2/1
!
interface range Ethernet1/3,Ethernet2/1
switchport mode access
switchport access vlan 10
switchport protected
!
interface Vlan10
ip address 172.16.1.1 255.255.255.0
no shutdown
SW2:
interface Ethernet2/1
no switchport
ip address 172.16.1.2 255.255.255.0
SW3:
interface Ethernet1/3
no switchport
ip address 172.16.1.3 255.255.255.0
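As an added example that is not part of the lab, a small Python audit script that parses the SW1 access-port configuration above and lists which VLAN 10 interfaces can still exchange frames directly, applying the rule from the explanation (protected-to-protected dropped, protected-to-unprotected forwarded). It models one switch only, consistent with the text's note that protection does not span switches; treating the SVI as an unprotected interface and expanding only comma-separated "interface range" lists are assumptions.

```python
import re

# Constructed sample: the relevant part of SW1's configuration from this task.
# A real audit would read "show running-config" output from the switch.
SW1_CONFIG = """\
interface range Ethernet1/3,Ethernet2/1
 switchport mode access
 switchport access vlan 10
 switchport protected
!
interface Vlan10
 ip address 172.16.1.1 255.255.255.0
"""

def parse_ports(config):
    """Return {interface: {"vlan": int, "protected": bool}} for access ports
    and SVIs. SVIs (VlanN) are never protected ports (assumption: modelled as
    an unprotected member of their VLAN). Only comma-separated ranges expand."""
    ports, current = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface(?: range)?\s+(.+)", line)
        if m:
            current = [name.strip() for name in m.group(1).split(",")]
            for name in current:
                svi = re.match(r"Vlan(\d+)$", name, re.I)
                ports[name] = {"vlan": int(svi.group(1)) if svi else None,
                               "protected": False}
            continue
        m = re.match(r"switchport access vlan (\d+)", line)
        if m:
            for name in current:
                ports[name]["vlan"] = int(m.group(1))
        elif line == "switchport protected":
            for name in current:
                ports[name]["protected"] = True
    return {k: v for k, v in ports.items() if v["vlan"] is not None}

def can_forward(ports, ingress, egress):
    """Single-switch Layer 2 decision: same VLAN required, and a frame received
    on a protected port is never sent out another protected port."""
    a, b = ports[ingress], ports[egress]
    if ingress == egress or a["vlan"] != b["vlan"]:
        return False
    return not (a["protected"] and b["protected"])

def isolation_report(ports):
    """Verdict for every ordered pair of interfaces sharing a VLAN."""
    return {(i, e): can_forward(ports, i, e) for i in ports for e in ports
            if i != e and ports[i]["vlan"] == ports[e]["vlan"]}

if __name__ == "__main__":
    for (i, e), ok in sorted(isolation_report(parse_ports(SW1_CONFIG)).items()):
        print(f"{i:>12} -> {e:<12} {'forwarded' if ok else 'DROPPED (both protected)'}")
```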