Protected switchports

By stretch | Thursday, August 21, 2008 at 12:22 a.m. UTC

Recently I took control of the commercial satellite service some of my colleagues and I use for personal Internet access out here in Iraq. There are about a dozen of us using the service, and the previous owner used a 16-port Linksys switch to provide access to the Ethernet side of the satellite modem. Wanting better visibility and security, I opted (like a good Cisco tool) to upgrade to a Catalyst switch.

I was able to acquire a 3550 for a decent price. Unfortunately, the 3550 does not support private VLANs*, which I had considered using to better isolate users from one another. Luckily my search for an alternate method of securing host connections yielded an ideal solution: protected switchports.

Protected switchports can be thought of as a very basic implementation of the private VLAN concept, available even on older low-end switches. No layer two traffic can be sent between any two protected switchports, only between a protected switchport and a non-protected switchport. This means the modem-facing port can be left unprotected while all user-facing ports are protected. All hosts can communicate with the modem, but not directly with each other.

Protecting a switchport is hardly a complex configuration:

Switch(config)# interface f0/1
Switch(config-if)# switchport protected

Verification of protected operation:

Switch# show interface f0/1 switchport | inc Protected
Protected: true

Edit: Raven over on Networking Forum pointed out that Cisco's feature navigator shows private VLANs available on the 3550 under IOS 12.2(44) and certain 12.1 releases. I'll have to check if this is accurate (seems to be) when I get my 3550.

Long overdue update: They're not. Private VLANs are only available on the Catalyst 3560 and upward.

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Posted in Security


Aus (guest)
August 21, 2008 at 3:54 a.m. UTC

that's really a smart and simple approach that does the trick !

Al (guest)
August 21, 2008 at 2:41 p.m. UTC

But what if your colleagues want to share files? I don't trust anyone else's usb in my laptop so the network is the only solution. But you're probably like me.. any excuse to play with technology..

Amr Abu Sair (guest)
August 21, 2008 at 3:32 p.m. UTC

Just 2 quick questions!!

What if I need some ports on local switch within the same VLAN to talk together and still isolated from others,do we need a L3 switch ?

What about same VLAN on differrnet swiches ?Do we still to configure "swichport protected" on both switches to isolate them?

Overall it's a new feature for me!hope anyone can answer my questions?

Robert (guest)
August 21, 2008 at 5:20 p.m. UTC

Very Nice

Neel (guest)
August 22, 2008 at 3:57 a.m. UTC

This is nice , but I would surely love to read a solution to Al's comment , that could be a genuine problem at certain levels and a network sharing might be needed. Thanks for this one, and you have a wonderful blog , extremely informative.

August 22, 2008 at 4:51 a.m. UTC

Like I said, protected switchports are very basic. For a more complex setup you'd certainly need private VLANs or a VLAN ACL to restrict traffic at a more granular level.

mb (guest)
August 22, 2008 at 7:55 a.m. UTC

Protected ports won't do their jobs over trunks, right?

ac (guest)
August 22, 2008 at 9:57 a.m. UTC

@mb: By definition trunks carry traffic for multiple VLANs but you can restrict which VLANs an outbound trunk interface will allow.

mb (guest)
August 22, 2008 at 12:35 p.m. UTC

@ac: Ports should reside in the same vlan and ip subnet, being protected, also over trunks/uplinks. I don't think this will work?

Michael L (guest)
August 22, 2008 at 10:38 p.m. UTC

@ac: I think what mb is asking is will the frame traveling over the trunk carry a flag that signifies the source port was 'protected', thus allowing protected ports between switches to be isolated.

This does not appear to be the case. says:

"Use the switchport protected interface configuration command to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch."


Kang (guest)
September 3, 2011 at 6:10 p.m. UTC

I find it very helpful that you share your story and scenario and then give us your solution with configuration along with an explanation.

Miguel (guest)
January 24, 2015 at 11:33 p.m. UTC

Switch port protected ports are local to each switch per vlan. If you have, say a printer and some pc's that you want to share layer2 (Mac addresses) you would not protect the printer and pc ports, but protect all others. It requires a layer3 access from the routing element past that. It is useful in keeping rogue DHCP servers from being seen.

Comments have closed for this article due to its age.