The protected port is a feature on Cisco Catalyst switches that you can use to prevent interfaces on the same switch from communicating with each other. Let me show you a picture to explain this:
Take a look at the picture above. We have two computers, one switch and one server. Nothing fancy here: everything is in one VLAN, and the two computers and the server can communicate with each other.
What if I want to enhance security and ensure that H1 and H2 can only reach the server but not each other? This makes perfect sense in a client-server network. Normally there is no need for computers to connect to each other (unless Bob and Jane are secretly using shared folders on their computers without permission from the Windows administrator).
We can ensure H1 and H2 are unable to communicate with each other by using protected ports. By default all switchports are unprotected. Here’s what it looks like:
The interfaces connected to H1 and H2 are protected ports, while the interface connected to the server is an unprotected port. Protected ports are unable to communicate with each other; each of them can still communicate with the unprotected port. It might also be a good idea to protect your servers with protected ports:
If a freedom fighter hacker takes over your web server, you can reduce the attack surface by preventing them from connecting to other servers in your network.
This should give you an idea of what a protected port does; let’s look at the actual configuration!
Configuration
To demonstrate this, we will use 3 computers connected to a single switch:
- All computers are in the same subnet (192.168.1.0 /24)
- All computers are in the same VLAN.
- The switch has a default configuration.
With the default configuration on the switch, all computers are in the same VLAN so they can ping each other:
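As an added example that is not part of the original article, the following Python script models the forwarding rule described above: it parses a constructed Catalyst running-config excerpt for `switchport access vlan` and `switchport protected` and reports which port pairs on the same switch can still exchange frames. The interface names and the config text are assumptions made for the example.

```python
import re
from itertools import combinations

# Constructed running-config excerpt for the H1/H2/server topology (not from the page).
RUNNING_CONFIG = """
interface FastEthernet0/1
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport protected
!
interface FastEthernet0/3
 switchport access vlan 10
!
"""

def parse_ports(config):
    """Return {interface: {"vlan": int, "protected": bool}} from IOS config text."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {"vlan": 1, "protected": False}  # IOS defaults
        elif current and line.strip() == "switchport protected":
            ports[current]["protected"] = True
        elif current:
            m = re.match(r"^\s*switchport access vlan (\d+)", line)
            if m:
                ports[current]["vlan"] = int(m.group(1))
    return ports

def can_forward(ports, a, b):
    """Can a frame from access port a reach access port b on this switch?
    Ports in different VLANs never talk at layer 2; two protected ports never talk either."""
    pa, pb = ports[a], ports[b]
    if pa["vlan"] != pb["vlan"]:
        return False
    return not (pa["protected"] and pb["protected"])

def isolation_report(ports):
    """Map every port pair to whether traffic between them is forwarded."""
    return {(a, b): can_forward(ports, a, b) for a, b in combinations(sorted(ports), 2)}

if __name__ == "__main__":
    for (a, b), ok in isolation_report(parse_ports(RUNNING_CONFIG)).items():
        print(f"{a} <-> {b}: {'forwarded' if ok else 'blocked'}")
```

Running it against a real `show running-config` export shows at a glance which pairs of protected ports are isolated and which unprotected ports (servers, uplinks) still reach everything in their VLAN.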
I also enjoyed the term “protected port on steroids”.
Hi Zaman,
That’s right. It will work for the VLAN that the interface is assigned to.
Rene
Hello Rene/ Laz,
I have a question and I am going to use the below topology as a reference for the question.
//cdn-forum.networklessons.com/uploads/default/original/2X/6/646d6ee54209c228d9e8363ee320abbde21f5abf.png
As you see in the diagram, all the PCs are in VLAN 10. The access switch is hosting other VLANs as well. All the SVIs are located in the Distribution switch as you see in the diagram. The link between access switch and the distribution switch is a Trunk link to carry multiple VLANs.
Now my requirement is to block access for PC3 and PC4 so they can no
Hello Azm,
If you want to restrict PC3 and PC4 but not PC1 and PC2 then I would probably just create a new VLAN, let’s say VLAN 11. Add PC3 and PC4 to VLAN 11.
You can either create VLAN 11 without an SVI so there is no gateway or create an SVI and add an access-list to define to which other subnets they can go or not.
Rene