Port Protection (switchport protected)

       We will look at the simplest way to prevent one switch port from talking to another. For something that gives you more options, take a look at private VLANs.
       It all comes down to one command under the switch port: 'switchport protected'.
       We have a L3 switch (in the middle) with 2 VLANs configured: 10 and 20. In VLAN 10 we have 3 ports: Gi0/1 (not protected), Gi1/1 and Gi1/2 (protected ports). In VLAN 20 we have port Gi0/2 (not protected) and port Gi1/3 (protected). For testing, we built 2 SVIs: vlan 10 and vlan 20. IP addressing is in the diagram. The theory states that a protected port cannot talk to another protected port at L2; traffic between them can only flow through a L3 device. Let's configure and test.
SW:

interface GigabitEthernet0/1        ! interface Gi0/2 has the same config with vlan 200
 switchport access vlan 100
 switchport mode access

interface GigabitEthernet1/1        ! interface Gi1/2 has the same config and interface Gi1/3 uses vlan 200
 switchport access vlan 100
 switchport mode access
 switchport protected

interface Vlan100                   ! interface Vlan200 uses vlan 200
 ip address 10.0.0.254 255.255.255.0

! Validation

SW#sh int status | i 100|200
Gi0/1                        connected    100        a-full   auto RJ45
Gi0/2                        connected    200        a-full   auto RJ45
Gi1/1                        connected    100        a-full   auto RJ45
Gi1/2                        connected    100        a-full   auto RJ45
Gi1/3                        connected    200        a-full   auto RJ45
SW#sh ip int br | i lan
Vlan100                10.0.0.254      YES NVRAM  up                    up
Vlan200                20.0.0.254      YES NVRAM  up                    up
SW#sh int gi1/1 switchport | i rotect
Protected: true
SW#sh int gi1/2 switchport | i rotect
Protected: true
SW#sh int gi1/3 switchport | i rotect
Protected: true
SW#
R0x:

! for R01, R02, R03

interface FastEthernet0/0
 ip address 10.0.0.[1|2|3] 255.255.255.0
 duplex auto
 speed auto
end

R1#sh ip route static
     20.0.0.0/24 is subnetted, 1 subnets
S       20.0.0.0 [1/0] via 10.0.0.254
R1#


! for R04, R05

interface FastEthernet0/0
 ip address 20.0.0.[1|2] 255.255.255.0
 duplex auto
 speed auto
end

R4#sh ip route static
     10.0.0.0/24 is subnetted, 1 subnets
S       10.0.0.0 [1/0] via 20.0.0.254
R4#

Test:

R2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 72/76/84 ms

R2#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R2#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#ping 10.0.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/10/12 ms

R2#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/24/36 ms

R2#ping 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/12/24 ms

R2#ping 20.0.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/9/16 ms
R2#
       Everything went according to plan: R02, sitting behind Gi1/1, was unable to talk to R03 behind Gi1/2, as expected. According to the theory, the devices can talk to each other if the traffic is routed, and that is what we see when R02 successfully pings R04, although both sit behind protected ports.
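As an added example (not code from the original post), the rule tested above written out as a small Python script: it parses an IOS-style running-config (constructed here to mirror the lab's five access ports, with the same VLAN numbers as the switch output), predicts whether two ports can exchange frames on the switch, and lists the ports that were left unprotected, which is the check you want before trusting the isolation.

```python
# Constructed running-config excerpt mirroring the lab above; the page shows
# only Gi0/1 and Gi1/1 in full, the other three ports are written out here.
RUNNING_CONFIG = """
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
interface GigabitEthernet0/2
 switchport access vlan 200
 switchport mode access
interface GigabitEthernet1/1
 switchport access vlan 100
 switchport mode access
 switchport protected
interface GigabitEthernet1/2
 switchport access vlan 100
 switchport mode access
 switchport protected
interface GigabitEthernet1/3
 switchport access vlan 200
 switchport mode access
 switchport protected
"""

def parse_ports(config):
    """Return {interface: {"vlan": int|None, "protected": bool}} from IOS text."""
    ports, name = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            name = words[1]
            ports[name] = {"vlan": None, "protected": False}
        elif name and words[:3] == ["switchport", "access", "vlan"]:
            ports[name]["vlan"] = int(words[3])
        elif name and words == ["switchport", "protected"]:
            ports[name]["protected"] = True
    return ports

def l2_path(ports, a, b):
    """'forward' (same VLAN), 'blocked' (same VLAN, both sides protected) or
    'routed' (different VLANs, reachable only through an SVI / L3 hop)."""
    pa, pb = ports[a], ports[b]
    if pa["vlan"] != pb["vlan"]:
        return "routed"
    return "blocked" if pa["protected"] and pb["protected"] else "forward"

def unprotected_ports(ports):
    """Audit helper: access ports that still reach every host in their VLAN at L2."""
    return sorted(n for n, p in ports.items() if p["vlan"] and not p["protected"])
```

Feed it the real `show running-config` text instead of the constructed excerpt and the audit list tells you which ports in each VLAN were never protected.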

       What if we actually wanted the protected ports to talk to each other, while they sit in the same VLAN with no routing between them? If you are curious, you can read all about it over here.
