Cisco Systems 3550 Configuring Protected Ports

12-5

Catalyst 3550 Multilayer Switch Software Configuration Guide

78-11194-03

Chapter12 Configuring Port-Based Tra ffic Control Configuring Protected Ports

Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one

neighbor does not see the traffic generated by another neighbor. In such an environment, the use of

protected ports ensures that there is no exchange of unic ast, bro adcast, o r multi cast tra ffi c between th ese

ports on the switch.

Protected ports have these features:

•A protected port does not forward any traffic (unicast, multic ast, or broadcast) to any other port that

is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all tr affic

passing between protected ports must be forwarded through a Layer 3 device.

•Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

The default is to have no protected ports defined.

Note The protected port feature is not compatible with fallback bridging. When fa llback bridgi ng is

enabled, it is possible for packets to be forwarded from one protected port on a switch to anot her

protected port on the same switch if the ports are in different VLANs.

Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded

to a protected port because a MAC address has timed out or has not been learned by the switch. Use

the switchport block unicast and switchport block multicast interface configuration comman ds to

guarantee that no unicast or multicast traffic is flooded to the port in such a case.

A protected port cannot be a secure port.

You can configure protected ports on a physical interface (for example, Giga bit E t herne t 0 /1) or an

EtherChannel group (for example, port-channel 5). When you e nabl e pro tec ted por t for a port ch an nel,

it is enabled for all ports in the port channel group.

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

To disable protected port, use the no switchport protected interface configuration command.

Command Purpose

Step1 configure terminal Enter global configuration mode.

Step2 interface interface-id Enter interface configuration mode, and enter the type and

number of the switchport interface to configure, for example,

gigabitethernet0/1.

Step3 switchport protected Configure the interface to be a protected port.

Step4 end Return to privileged EXEC mode.

Step5 show interfaces interface-id switchport Verify your entries.

Step6 copy running-config startup-config (Optional) Save your entries in the configuration file.