Protected switchports
Recently I took control of the commercial satellite service some of my colleagues and I use for personal Internet access out here in Iraq. There are about a dozen of us using the service, and the previous owner used a 16-port Linksys switch to provide access to the Ethernet side of the satellite modem. Wanting better visibility and security, I opted (like a good Cisco tool) to upgrade to a Catalyst switch.
I was able to acquire a 3550 for a decent price. Unfortunately, the 3550 does not support private VLANs*, which I had considered using to better isolate users from one another. Luckily my search for an alternate method of securing host connections yielded an ideal solution: protected switchports.
Protected switchports can be thought of as a very basic implementation of the private VLAN concept, available even on older low-end switches. No unicast, multicast or broadcast traffic is forwarded at layer two between two protected switchports on the same switch; traffic between a protected switchport and a non-protected switchport is forwarded as usual. This means the modem-facing port can be left unprotected while all user-facing ports are protected. All hosts can communicate with the modem, but not directly with each other. Note that the isolation is purely local to the switch: any traffic that does need to pass between two protected ports has to be forwarded through a layer three device, and the feature does nothing for frames that leave the switch over a trunk.
Protecting a switchport is hardly a complex configuration:
Switch(config)# interface f0/1
Switch(config-if)# switchport protected
Verification of protected operation:
Switch# show interface f0/1 switchport | inc Protected
Protected: true
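Verifying one port at a time is fine for a handful of interfaces, but it is easy to miss one when cabling changes. As an added example (not from the original post, and not Cisco code), the script below parses a constructed running-config excerpt and reports which access ports are missing "switchport protected", given the set of ports that are meant to stay unprotected (the modem-facing port here). The interface names, descriptions and the config text are invented for the example; it also emits the lines needed to fix any user port that was left unprotected.

```python
"""Audit a Catalyst running-config for protected-port coverage.

Added example: parses 'show running-config' style text (constructed below,
not captured from a real switch) and reports access ports that are not
protected, apart from the ports that are expected to stay unprotected.
"""
from typing import Dict, List, Set

# Constructed sample config. f0/1 faces the satellite modem and is meant to
# stay unprotected; f0/2-f0/4 are user ports, and f0/4 has been left
# unprotected by mistake. g0/1 is a trunk to another switch.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 description satellite modem
 switchport mode access
!
interface FastEthernet0/2
 description user laptop
 switchport mode access
 switchport protected
!
interface FastEthernet0/3
 switchport mode access
 switchport protected
!
interface FastEthernet0/4
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [stripped config lines]} from running-config text.

    An interface block starts at a top-level 'interface X' line and ends at the
    next line that is not indented (typically the '!' separator).
    """
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def audit_protected_ports(config: str, allowed_unprotected: Set[str]) -> Dict[str, List[str]]:
    """Classify every interface in the config.

    protected          - has 'switchport protected'
    unprotected_uplink - unprotected, but listed in allowed_unprotected (e.g. the modem port)
    unprotected_user   - unprotected and NOT allowed: this is the finding
    trunk              - trunk ports, reported separately; protection does not
                         carry across a trunk to another switch anyway
    """
    result: Dict[str, List[str]] = {
        "protected": [], "unprotected_uplink": [], "unprotected_user": [], "trunk": [],
    }
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:
            result["trunk"].append(name)
        elif "switchport protected" in lines:
            result["protected"].append(name)
        elif name in allowed_unprotected:
            result["unprotected_uplink"].append(name)
        else:
            result["unprotected_user"].append(name)
    return result


def remediation_commands(ports: List[str]) -> List[str]:
    """Config lines (as pasted into config mode) to protect the given ports."""
    commands: List[str] = []
    for port in ports:
        commands.append(f"interface {port}")
        commands.append(" switchport protected")
    return commands


if __name__ == "__main__":
    report = audit_protected_ports(SAMPLE_CONFIG, {"FastEthernet0/1"})
    for bucket, ports in report.items():
        print(f"{bucket:20s} {', '.join(ports) or '-'}")
    if report["unprotected_user"]:
        print("\nFix:")
        print("\n".join(remediation_commands(report["unprotected_user"])))
```

Run against a real switch, feed it the output of "show running-config" and pass the modem-facing port (or ports) as the allowed set; anything listed under "unprotected_user" is a host that can talk at layer two to every other unprotected host on the switch.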
* Edit: Raven over on Networking Forum pointed out that Cisco's feature navigator shows private VLANs available on the 3550 under IOS 12.2(44) and certain 12.1 releases. I'll have to check if this is accurate (seems to be) when I get my 3550.
Comments
But what if your colleagues want to share files? I don't trust anyone else's USB in my laptop, so the network is the only solution. But you're probably like me... any excuse to play with technology.
Just two quick questions!
What if I need some ports on the local switch within the same VLAN to talk together and still be isolated from the others? Do we need an L3 switch?
What about the same VLAN on different switches? Do we still need to configure "switchport protected" on both switches to isolate them?
Overall it's a new feature for me! Hope someone can answer my questions.
Very Nice
This is nice, but I would surely love to read a solution to Al's comment; that could be a genuine problem at certain levels, and network sharing might be needed. Thanks for this one, and you have a wonderful blog, extremely informative.
Like I said, protected switchports are very basic. For a more complex setup you'd certainly need private VLANs or a VLAN ACL to restrict traffic at a more granular level.
Protected ports won't do their jobs over trunks, right?
@mb: By definition trunks carry traffic for multiple VLANs but you can restrict which VLANs an outbound trunk interface will allow.
@ac: Ports should reside in the same VLAN and IP subnet, being protected, also over trunks/uplinks. I don't think this will work?
@ac: I think what mb is asking is will the frame traveling over the trunk carry a flag that signifies the source port was 'protected', thus allowing protected ports between switches to be isolated.
This does not appear to be the case. cisco.com says:
"Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch."

That's really a smart and simple approach that does the trick!