Cisco Support Community
Anyone using the Cisco Edge (Protected) PVLAN port feature?

Anyone using the Cisco Edge (Protected) PVLAN port feature? I am considering deploying a managed backup network using protected ports.

I am wondering if anyone has used this before and what their experiences are?

The basic design idea is one core switch, several access switches. One VLAN and one IP subnet. A backup server connects to the core switch, customer backup clients connect to the access switches. All customer-facing ports on the access switches are put into protected mode, as are the uplinks from the core switch to the access switches. In some basic testing I did, this effectively prevents any two customer backup clients from talking to each other, either on the same switch or on different switches. I was able to get from any customer server to the managed backup server, and the MBU server could hit every client.

The MBU server will not be doing any routing, and we control all switches and the MBU server (most of the clients as well) so there will not be any routers on this VLAN. I can think of some possible attack scenarios where the MBU server is doing a data restore (server -> client) and a malicious client either ARP poisons the MBU server or poisons the CAM table on the switch.

But really my main question is, is anyone actually using protected ports in a medium scale (250 stations) environment?
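The forwarding behaviour the post describes, and the CAM-table poisoning scenario it raises, can be checked with a small model of the topology. The following is an added example and is not code from the original post or from Cisco; the switch names, port names, host labels and the "core downlinks protected, access uplinks unprotected" port assignment are assumptions chosen to match the design in the post. It implements the one rule that defines a Cisco protected port (a switch never forwards a frame between two of its own protected ports; protected-to-unprotected forwarding is allowed) on top of ordinary source-MAC learning, then replays the traffic: clients backing up to the MBU server, a restore from the server, two client-to-client attempts (same access switch and across the core), and finally a malicious client that sends a frame to the server with another client's source MAC so that the next restore for that client is delivered to the attacker. A `port_security` flag models sticky port-security on the customer ports for comparison.

```python
"""Forwarding model for the design in the post: one VLAN, a core switch whose
downlinks are Cisco protected ports, access switches whose customer ports are
protected, and an unprotected backup (MBU) server port on the core.
Added example, not code from the original post. Switch names, port names and
host/MAC labels below are assumptions made for the illustration."""
from dataclasses import dataclass, field


@dataclass
class Switch:
    name: str
    protected: set = field(default_factory=set)  # ports with "switchport protected"
    secure: dict = field(default_factory=dict)   # port-security: port -> sticky MAC (None = not yet learned)
    cam: dict = field(default_factory=dict)      # learned source MAC -> port
    links: dict = field(default_factory=dict)    # port -> ("host", mac) or ("switch", name, port)
    violations: list = field(default_factory=list)


class Network:
    def __init__(self):
        self.switches, self.hosts, self.delivered = {}, {}, []

    def switch(self, name, protected=(), secure=()):
        self.switches[name] = Switch(name, set(protected), {p: None for p in secure})

    def trunk(self, a, pa, b, pb):
        self.switches[a].links[pa] = ("switch", b, pb)
        self.switches[b].links[pb] = ("switch", a, pa)

    def host(self, mac, sw, port):
        self.switches[sw].links[port] = ("host", mac)
        self.hosts[mac] = (sw, port)

    def send(self, src, dst, spoof_src=None):
        """Inject one unicast frame from host `src`; returns the hosts that received it.
        `spoof_src` forges the source MAC, as a malicious client would."""
        sw, port = self.hosts[src]
        self.delivered = []
        self._forward(self.switches[sw], port, spoof_src or src, dst)
        return sorted(self.delivered)

    def _forward(self, sw, in_port, src, dst):
        if in_port in sw.secure:                      # port-security check, if configured
            if sw.secure[in_port] is None:
                sw.secure[in_port] = src              # sticky: first MAC seen is locked in
            elif sw.secure[in_port] != src:
                sw.violations.append((sw.name, in_port, src))
                return                                # violation: frame dropped
        sw.cam[src] = in_port                         # plain MAC learning, no validation
        out = sw.cam.get(dst)
        if out == in_port:
            return                                    # destination sits behind the ingress port: filtered
        targets = [out] if out else [p for p in sw.links if p != in_port]  # known port, else flood
        for p in targets:
            # protected-port rule: no forwarding between two protected ports of one switch
            if in_port in sw.protected and p in sw.protected:
                continue
            kind, *rest = sw.links[p]
            if kind == "host":
                self.delivered.append(rest[0])
            else:
                self._forward(self.switches[rest[0]], rest[1], src, dst)


def build_backup_lan(port_security=False):
    net = Network()
    cust_ports = {"f0/1", "f0/2", "f0/3"}
    net.switch("core", protected={"g0/2", "g0/3"})          # downlinks protected, server port g0/1 not
    net.switch("acc1", protected=cust_ports, secure=cust_ports if port_security else ())
    net.switch("acc2", protected={"f0/1"}, secure={"f0/1"} if port_security else ())
    net.trunk("core", "g0/2", "acc1", "g0/1")               # access-switch uplinks stay unprotected
    net.trunk("core", "g0/3", "acc2", "g0/1")
    net.host("MBU", "core", "g0/1")
    for mac, sw, port in [("custA", "acc1", "f0/1"), ("custB", "acc1", "f0/2"),
                          ("mallory", "acc1", "f0/3"), ("custD", "acc2", "f0/1")]:
        net.host(mac, sw, port)
    return net


def run_scenario(port_security=False):
    net = build_backup_lan(port_security)
    r = {}
    for c in ("custA", "custB", "mallory", "custD"):         # every client backs up to the server
        r[f"{c}->MBU"] = net.send(c, "MBU")
    r["MBU->custA"] = net.send("MBU", "custA")              # restore traffic, core -> access
    r["custA->custB"] = net.send("custA", "custB")          # same access switch
    r["custA->custD"] = net.send("custA", "custD")          # across the core
    r["MBU->custB before"] = net.send("MBU", "custB")
    # CAM poisoning: mallory sends to the (unprotected) server port with custB's source MAC
    r["spoof"] = net.send("mallory", "MBU", spoof_src="custB")
    r["MBU->custB after"] = net.send("MBU", "custB")
    r["violations"] = net.switches["acc1"].violations
    return r


if __name__ == "__main__":
    for label, got in run_scenario().items():
        print(f"{label:22} {got}")
```

Without port security the model reproduces the post's observations (client-to-client frames are dropped on the same switch and across the core, client-to-server and server-to-client work) and also its concern: nothing in protected mode stops a client frame from reaching the unprotected server port, so a forged source MAC rewrites the access switch's CAM entry and the next restore for custB lands on mallory. With the sticky port-security flag the spoofed frame is logged as a violation and dropped, but only because mallory's own MAC was already learned on that port; sticky learning locks in whatever MAC appears first, so on a port that has not yet seen legitimate traffic a statically configured `switchport port-security mac-address` entry is the safer choice. ARP poisoning of the server is the same problem one layer up and is likewise not addressed by protected ports.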

  • LAN Switching and Routing