Chapter 26 Configuring Port-Based Traffic Control

Configuring Port Blocking

Protected Port Configuration Guidelines

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs, see Chapter 16, “Configuring Private VLANs.”

Configuring a Protected Port

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

 

Command

Purpose

Step 1

 

 

configure terminal

Enter global configuration mode.

Step 2

 

 

interface interface-id

Specify the interface to be configured, and enter interface

 

 

configuration mode.

Step 3

 

 

switchport protected

Configure the interface to be a protected port.

Step 4

 

 

end

Return to privileged EXEC mode.

Step 5

 

 

show interfaces interface-idswitchport

Verify your entries.

Step 6

 

 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

 

 

 

To disable protected port, use the no switchport protected interface configuration command.

This example shows how to configure a port as a protected port:

Switch# configure terminal

Switch(config)# interface gigabitethernet1/0/1

Switch(config-if)#switchport protected

Switch(config-if)# end

Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.

These sections contain this configuration information:

Default Port Blocking Configuration, page 26-7

Blocking Flooded Traffic on an Interface, page 26-7

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

26-6

OL-9775-02

 

 

Page 602
Image 602
Cisco Systems 3750E Configuring Port Blocking, Protected Port Configuration Guidelines, Configuring a Protected Port, 26-6