Get Full Access to our 731 Cisco Lessons Now Start $1 Trial
You are here: Home » Cisco » CCNP SWITCH

Protected Port on Cisco Catalyst Switch

The protected port is a feature on Cisco Catalyst Switches that you can use to prevent interfaces from communicating with each other. Let me show you a picture to explain this:

h1 h2 server switch

Take a look at the picture above. We have two computers, one switch and one server. Nothing fancy here…everything is in one VLAN and the two computers and server can communicate with each other.
What if I want to enhance security and ensure that H1 and H2 can only reach the server but not each other? This makes perfect sense in a client-server network. Normally there is no need for computers to connect to each other (unless Bob and Jane are secretly using shared folders on their computers without permission from the windows administrator).

We can ensure H1 and H2 are unable to communicate with each other by using protected ports. By default all switchports are unprotected. Here’s what it looks like:

cisco protected port states

The interfaces connected to H1 and H2 are protected ports, the interface connected to the server is an unprotected port. Protected ports are unable to communicate with each other. It might also be a good idea to protect your servers with protected ports:

cisco protected port servers

If a freedom fighter hacker takes over your web server you can reduce the attack surface by preventing them from connecting to other servers in your network.

This should give you an idea of what a protected port does, let’s look at the actual configuration!

Configuration

To demonstrate this, we will use 3 computers connected to a single switch:

  • All computers are in the same subnet (192.168.1.0 /24)
  • All computers are in the same VLAN.
  • Switch has a default configuration.

protected port configuration example

With the default configuration on the switch, all computers are in the same VLAN so they can ping each other:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 731 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

511 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,

Forum Replies

  3. Hi Zaman,

    That’s right. It will work for the VLAN that the interface is assigned to.

    Rene

  4. Hello Rene/ Laz,
    I have a question and I am going to use the below topology as a reference for the question.

    //cdn-forum.networklessons.com/uploads/default/original/2X/6/646d6ee54209c228d9e8363ee320abbde21f5abf.png

    As you see in the diagram, all the PCs are in VLAN 10. The access switch is hosting other VLANs as well. All the SVIs are located in the Distribution switch as you see in the diagram. The link between access switch and the distribution switch is a Trunk link to carry multiple VLANs.
    Now my requirement is to block access for PC3 and PC4 so they can no

    ... Continue reading in our forum

  5. Hello Azm,

    If you want to restrict PC3 and PC4 but not PC1 and PC2 then I would probably just create a new VLAN, let’s say VLAN 11. Add PC3 and PC4 to VLAN 11.

    You can either create VLAN 11 without an SVI so there is no gateway or create an SVI and add an access-list to define to which other subnets they can go or not.

    Rene

9 more replies! Ask a question or join the discussion by visiting our Community Forum