Protected switchports

Posted by stretch in Networking on Thursday, 21 Aug 2008 at 12:22 a.m. GMT

Recently I took control of the commercial satellite service some of my colleagues and I use for personal Internet access out here in Iraq. There are about a dozen of us using the service, and the previous owner used a 16-port Linksys switch to provide access to the Ethernet side of the satellite modem. Wanting better visibility and security, I opted (like a good Cisco tool) to upgrade to a Catalyst switch.

I was able to acquire a 3550 for a decent price. Unfortunately, the 3550 does not support private VLANs*, which I had considered using to better isolate users from one another. Luckily my search for an alternate method of securing host connections yielded an ideal solution: protected switchports.

Protected switchports can be thought of as a very basic implementation of the private VLAN concept, available even on older low-end switches. No layer two traffic can be sent between any two protected switchports, only between a protected switchport and a non-protected switchport. This means the modem-facing port can be left unprotected while all user-facing ports are protected. All hosts can communicate with the modem, but not directly with each other.

Protecting a switchport is hardly a complex configuration:

Switch(config)# interface f0/1
Switch(config-if)# switchport protected

Verification of protected operation:

Switch# show interface f0/1 switchport | inc Protected
Protected: true
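Checking one port by hand is fine for a dozen users, but the setting is easy to lose when a port is reconfigured later. The script below is an added example, not part of the original post: it reads saved running-config text and lists access ports that lack `switchport protected`, skipping the modem-facing uplink and any trunk. The config text and interface names are constructed for the example.

```python
# Constructed sample running-config mirroring the post's layout: f0/1 faces the
# satellite modem and stays unprotected; every user port should be protected.
# FastEthernet0/7 is deliberately missing the command so the audit has a finding.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description uplink to satellite modem
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 switchport protected
!
interface FastEthernet0/7
 description user port, protection missing
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.strip() == "!":
            current = None          # "!" terminates the interface stanza
    return interfaces


def unprotected_access_ports(config, uplinks):
    """Access ports that should carry 'switchport protected' but do not.

    Trunks are skipped on purpose: protected ports only isolate traffic from
    other protected ports on the same switch, so a trunk to a second switch is
    a separate design question that a per-port audit cannot settle.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name in uplinks or "switchport mode trunk" in lines:
            continue
        if "switchport protected" not in lines:
            findings.append(name)
    return findings
```

Run it against the output of `show running-config` saved to a file, passing the modem-facing port as the uplink set; an empty result means every user port is protected.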

* Edit: Raven over on Networking Forum pointed out that Cisco's feature navigator shows private VLANs available on the 3550 under IOS 12.2(44) and certain 12.1 releases. I'll have to check if this is accurate (seems to be) when I get my 3550.

Aus commented on 21 Aug 2008 at 3:54 a.m.

That's really a smart and simple approach that does the trick!

Al commented on 21 Aug 2008 at 2:41 p.m.

But what if your colleagues want to share files? I don't trust anyone else's USB in my laptop, so the network is the only solution. But you're probably like me... any excuse to play with technology.

Amr Abu Sair commented on 21 Aug 2008 at 3:32 p.m.

Just two quick questions!

What if I need some ports on a local switch within the same VLAN to talk together and still be isolated from the others? Do we need an L3 switch?

What about the same VLAN on different switches? Do we still need to configure "switchport protected" on both switches to isolate them?

Overall it's a new feature for me! I hope someone can answer my questions.

Robert commented on 21 Aug 2008 at 5:20 p.m.

Very Nice

Neel commented on 22 Aug 2008 at 3:57 a.m.

This is nice, but I would surely love to read a solution to Al's comment; that could be a genuine problem at certain levels, and network sharing might be needed. Thanks for this one, and you have a wonderful blog, extremely informative.

stretch commented on 22 Aug 2008 at 4:51 a.m.

Like I said, protected switchports are very basic. For a more complex setup you'd certainly need private VLANs or a VLAN ACL to restrict traffic at a more granular level.

mb commented on 22 Aug 2008 at 7:55 a.m.

Protected ports won't do their jobs over trunks, right?

ac commented on 22 Aug 2008 at 9:57 a.m.

@mb: By definition trunks carry traffic for multiple VLANs but you can restrict which VLANs an outbound trunk interface will allow.

mb commented on 22 Aug 2008 at 12:35 p.m.

@ac: Ports should reside in the same VLAN and IP subnet, being protected, also over trunks/uplinks. I don't think this will work?

Michael L commented on 22 Aug 2008 at 10:38 p.m.

@ac: I think what mb is asking is will the frame traveling over the trunk carry a flag that signifies the source port was 'protected', thus allowing protected ports between switches to be isolated.

This does not appear to be the case. cisco.com says:

"Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch."
