Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 21 Configuring Port-Based Traffic Control
Configuring Protected Ports
Some applications require that no traffic be forwarded between ports on the same switch so that one
neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these
ports on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that
is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only
control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU
and forwarded in software. All data traffic passing between protected ports must be forwarded
through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
• Protected ports are supported on IEEE 802.1Q trunks.
The default is to have no protected ports defined.
You can configure protected ports on a physical interface or an EtherChannel group. When you enable
protected ports for a port channel, the setting is enabled for all ports in the port-channel group.
Both LRE interface ports and CPE device ports can be configured as protected ports. When you use a
Cisco 575 LRE CPE or a Cisco 576 LRE 997 CPE device, the cpe protected interface configuration
command is not available.
When you use a Cisco 585 LRE CPE device (which has multiple Ethernet interfaces), the switchport
protected command allows devices on different ports of the same CPE device to exchange data locally.
In some cases, you might want to protect individual CPE device ports. You can do this with the cpe
protected interface configuration command. Devices connected to different ports on the same CPE
device cannot exchange data directly but must forward it through a Layer 3 device.
Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

        Command                                   Purpose
Step 1  configure terminal                        Enter global configuration mode.
Step 2  interface interface-id                    Specify the interface to configure, and enter interface
                                                  configuration mode.
Step 3  switchport protected                      Configure the interface to be a protected port.
Step 4  end                                       Return to privileged EXEC mode.
Step 5  show interfaces interface-id switchport   Verify your entries.
Step 6  copy running-config startup-config        (Optional) Save your entries in the configuration file.

To disable the protected port setting on an interface, use the no switchport protected interface
configuration command.
This example shows how to configure a port as a protected port:
Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
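
The following audit sketch is an added example, not part of the Cisco guide. It applies the forwarding rules and the port-channel inheritance described in this section to a saved running-config, so you can check which port pairs are actually isolated at Layer 2. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed running-config excerpt for illustration (not from the guide).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/2
 switchport protected
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 channel-group 1 mode on
!
interface Port-channel1
 switchport protected
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented configuration lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return interfaces

def protected_ports(config):
    """Return ports that are protected directly or through their port channel."""
    interfaces = parse_interfaces(config)
    protected = {n for n, body in interfaces.items() if "switchport protected" in body}
    for name, body in interfaces.items():
        for entry in body:
            m = re.match(r"channel-group\s+(\d+)", entry)
            if m and f"Port-channel{m.group(1)}" in protected:
                protected.add(name)  # the setting applies to every member port
    return protected

def l2_forwarding_allowed(config, port_a, port_b):
    """Data traffic is blocked only when both ports are protected."""
    # Control traffic handled by the CPU (such as PIM) is outside this check.
    protected = protected_ports(config)
    return not (port_a in protected and port_b in protected)
```

A port that should be isolated but is missing from the protected_ports result still forwards to every other port as usual, which is the gap this check is meant to surface.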