Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 12 Configuring Port-Based Traffic Control
Configuring Protected Ports
Some applications require that no traffic be forwarded between ports on the same switch so that one
neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these
ports on the switch.
Protected ports have these features:
- A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that
  is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic
  passing between protected ports must be forwarded through a Layer 3 device.
- Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
The default is to have no protected ports defined.
Note: The protected port feature is not compatible with fallback bridging. When fallback bridging is
enabled, it is possible for packets to be forwarded from one protected port on a switch to another
protected port on the same switch if the ports are in different VLANs.
Note: There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded
to a protected port because a MAC address has timed out or has not been learned by the switch. Use
the switchport block unicast and switchport block multicast interface configuration commands to
guarantee that no unicast or multicast traffic is flooded to the port in such a case.
A protected port cannot be a secure port.
You can configure protected ports on a physical interface (for example, Gigabit Ethernet 0/1) or an
EtherChannel group (for example, port-channel 5). When you enable protected port for a port channel,
it is enabled for all ports in the port channel group.
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

Step    Command                                  Purpose
Step 1  configure terminal                       Enter global configuration mode.
Step 2  interface interface-id                   Enter interface configuration mode, and enter the type and number of the switchport interface to configure, for example, gigabitethernet0/1.
Step 3  switchport protected                     Configure the interface to be a protected port.
Step 4  end                                      Return to privileged EXEC mode.
Step 5  show interfaces interface-id switchport  Verify your entries.
Step 6  copy running-config startup-config       (Optional) Save your entries in the configuration file.

To disable protected port, use the no switchport protected interface configuration command.
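The caveats in this section can be checked offline against a saved configuration. The following is an added example, not part of the Cisco guide: a Python audit that finds every effectively protected port (including port-channel members) and reports missing switchport block commands, port security on a protected port, and fallback bridging. Assumptions: the sample configuration is constructed, the function names are hypothetical, fallback bridging is detected by a bridge-group line on any interface, secure ports by switchport port-security, and the block commands are checked on each interface's own lines only.

```python
import re

# Constructed running-config excerpt ("!" separators omitted), not from a real switch.
SAMPLE_CONFIG = """\
interface Port-channel5
 switchport protected
interface GigabitEthernet0/1
 switchport protected
 switchport block unicast
 switchport block multicast
interface GigabitEthernet0/2
 switchport protected
 switchport port-security
interface GigabitEthernet0/3
 channel-group 5 mode on
interface Vlan20
 bridge-group 1
"""

def parse_interfaces(config):
    """Map each interface name to the list of its configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_protected_ports(config):
    """Return {interface: [findings]} for every effectively protected port."""
    ifs, report = parse_interfaces(config), {}
    bridging = any(l.startswith("bridge-group ") for c in ifs.values() for l in c)
    for name, cfg in ifs.items():
        group = next((l.split()[1] for l in cfg if l.startswith("channel-group ")), None)
        parent = ifs.get(f"Port-channel{group}", [])  # members inherit from the channel
        if "switchport protected" not in cfg + parent:
            continue
        findings = [f"unknown {k} flooding not blocked" for k in ("unicast", "multicast")
                    if f"switchport block {k}" not in cfg]
        if any(l.startswith("switchport port-security") for l in cfg):
            findings.append("port security configured on a protected port")
        if bridging:
            findings.append("fallback bridging enabled on this switch")
        report[name] = findings
    return report
```

Calling audit_protected_ports(SAMPLE_CONFIG) returns a dictionary keyed by interface name; an empty findings list means the port is protected and none of the caveats above apply to it.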