22-7
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 22 Configuring Port-Based Traffic Control Configuring Port Blocking

Protected Port Configuration Guidelines

You can configure protected ports on a physical interface that is configured as an NNI (for example,
Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable
protected ports for a port channel, it is enabled for all ports in the port-channel group.
Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a
private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or
community ports. For more information about private VLANs, see Chapter 12, “Configuring Private
VLANs.”

Configuring a Protected Port

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:
To disable protected port, use the no switchport protected interface configuration command.
This example shows how to configure a port as a protected port:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
This example shows how to configure a FastEthernet port as a protected port.
Switch# configure terminal
Switch(config)# interface fastethernet 0/1
Switch(config-if)# port-type NNI
Switch(config-if)# no shutdown
Switch(config-if)# switchport protected
Switch(config-if)# end
Configuring Port Blocking
By default, the switch floods packets with unknown destination MAC addresses out of all ports. If
unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To
prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can
block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other
ports.
Command Purpose
Step 1 configure terminal Enter global configuration mode.
Step 2 interface interface-id Specify the interface to configure, and enter interface
configuration mode. The interface must be an NNI.
Note By default, UNIs and ENIs are protected ports.
Step 3 switchport protected Configure the interface to be a protected port.
Step 4 end Return to privileged EXEC mode.
Step 5 show interfaces interface-id switchport Verify your entries.
Step 6 copy running-config startup-config (Optional) Save your entries in the configuration file.