USD ($)
$
United States Dollar
India Rupee
Your cart is empty
Empty notifications

Protected Ports

Lesson 34/41 | Study Time: 60 Min
Course: Advanced Switching Lab for CCNP and CCIE
Protected Ports

Task 

● Shutdown all Ethernet links from SW4 towards SW2 and SW3. 

● Shutdown ports eth3/1 and eth1/2 on SW1. 

● Create an SVI for VLAN 10 on SW1, assign it the IP address of 172.16.1.1/24. 

● Configure eth1/3 and eth2/1on SW1 as access ports in VLAN 10. 

● Configure port eth1/3on SW3 and eth0/2 on SW2 as Layer 3 ports on with IP addresses of172.16.1.1/24, where Y is the switch number. 

● Configure port protection on SW1 so that SW2 and SW3 cannot directly communicate with each other, but can communicate with SW1’s VLAN 10 interface. 

Explanation 

Protected ports are used to prevent traffic from being directly exchanged at Layer 2 between two or more hosts that are within the same VLAN. Traffic received in a protected port cannot be sent out another protected port, but traffic received in a protected port can be sent out a non-protected port.

This feature is a much smaller subset of the Private VLAN feature, and it cannot span between multiple physical switches; you cannot configure aprotected port on SW1 and a protected port on SW2 and expect traffic between these to be disallowed.

In this particular design, the result of port protection is that SW1 and SW2 can communicate, SW1 and SW3 can communicate, but SW2 and SW3 cannot communicate, although they are attached to the same VLAN: 

SW3

ping 172.16.1.1

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms 

ping 172.16.1.2

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds: 

..... 

Success rate is 0 percent (0/5) 

SW2

ping 172.16.1.1

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds: 

!!!!! 

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

 

ping 172.16.1.3

Type escape sequence to abort. 

Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds: 

..... 

Success rate is 0 percent (0/5)


Notice that ARP traffic is also not allowed between protected ports, basically all traffic is dropped: 

SW1

show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface 

Internet  172.16.1.1            -   0013.605f.f041  ARPA   Vlan10 

Internet  172.16.1.2            0   000a.b832.3ac1  ARPA   Vlan10 

Internet  172.16.1.3            9   0022.5627.1fc1  ARPA   Vlan10 

SW2

show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface 

Internet  172.16.1.1           18   0013.605f.f01a  ARPA   Ethernet2/1 

Internet  172.16.1.2            -   000a.b832.3ac1  ARPA   Ethernet2/1 

Internet  172.16.1.3            0   Incomplete      ARPA 

SW3

show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface 

Internet  172.16.1.1           18   0013.605f.f016  ARPA   Ethernet1/3 

Internet  172.16.1.2            0   Incomplete      ARPA 

Internet  172.16.1.3            -   0022.5627.1fc1  ARPA   Ethernet1/3 

Configuration

SW4: 

interface range Ethernet2/2,ethernet2/1 
shutdown 

interface range Ethernet3/1,ethernet3/2 
 shutdown 

SW1: 

interface range Ethernet3/1,Ethernet1/2 
shutdown 
!
default interface range Ethernet1/3,Ethernet2/1
!
interface range Ethernet1/3,Ethernet2/1
switchport mode access 
switchport access vlan 10
switchport protected
!
interface Vlan10
ip address 172.16.1.1 255.255.255.0 
no shutdown 

SW2:

interface Ethernet2/1 
no switchport 
ip address 172.16.1.2 255.255.255.0

SW3:

interface Ethernet1/3 
no switchport
ip address 172.16.1.3 255.255.255.0


Previous Lesson Next Lesson
Gautam Kumar

Gautam Kumar

Product Designer
★★★★★ 4.93
Faithful User
Expert Vendor
Golden Classes
King Seller
Fantastic Support
Loyal Writer
Profile Book a Meeting

Class Sessions

1- Access Switchports 2- Dynamic Switching 3- Dynamic Trunking 4- Native VLAN 5- DTP Negotiation 6- VTP Domain 7- Transparent 8- Pruning 9- Prune-Eligible List 10- Version 3 11- Layer 2 EtherChannel 12- EtherChannel with PAgP 13- EtherChannel with LACP 14- Layer 3 EtherChannel 15- STP Root Bridge Election 16- STP Path Selection with Port Cost 17- Port Priority 18- Tuning STP Convergence Timers 19- STP Port Fast 20- Port Fast Default 21- Uplink Fast 22- Backbone Fast 23- BPDU Guard 24- BPDU Guard Default 25- BPDU Filter 26- BPDU Filter Default 27- Root Guard 28- Loop Guard 29- Unidirectional Link Detection 30- MST Root Bridge Election 31- Path Selection with Port Cost 32- Port Priority 33- MST and Rapid Spanning Tree 34- Protected Ports 35- Storm Control 36- MAC-Address Table Static Entries and Aging 37- SPAN 38- RSPAN 39- Voice VLAN 40- Smart port Macros 41- Private VLANs