Cisco Support Community
Community Member

Protected Ports?

Hi All,

I had a quick question. When you configure "switchport protected" does this not forward traffic from other switches to this port as well as ports on the local switch?

The issue is this: we have students that like to play LAN games during school hours. Protected port seems ideal in the sense that it does not allow other protected ports to talk to each other. This seems straightforward on one switch, but if you have multiple switches, will a protected port on one switch be denied from talking to a protected port on another switch?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Protected Ports?

Hello Brett,

>> will a protected port on one switch be denied from talking to a protected port on another switch?

Unfortunately this is not true: the switch uplinks are primary/promiscuous ports, so the risk is to allow traffic between ports in different access layer switches.

Hope to help

Giuseppe

6 REPLIES
Re: Protected Ports?

To add on to Giuseppe's point, protected ports can still talk to each other via a layer 3 interface if the layer 3 interface is doing local proxy ARP. Therefore, if you plan to use this feature, you need to make sure "local proxy arp" is disabled (it should be disabled by default).
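
The two conditions raised so far (every student access port carries `switchport protected`, and the VLAN's layer 3 interface does not run `ip local-proxy-arp`) can be checked against a saved running-config. The following is an added example, not part of the original posts; the sample config, the VLAN number 20 and the function names are constructed for illustration, and the check covers isolation on one switch only.

```python
import re

# Constructed sample running-config (not from the thread); VLAN 20 is an assumed student VLAN.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 switchport protected
!
interface FastEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface Vlan20
 ip address 10.20.0.1 255.255.0.0
 ip local-proxy-arp
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit_protected_ports(config, vlan):
    """List findings that would let hosts in `vlan` reach each other on this switch."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower() == f"vlan{vlan}":
            # Exact match, so "no ip local-proxy-arp" is not flagged
            if "ip local-proxy-arp" in cmds:
                findings.append((name, "local proxy ARP enabled on SVI"))
        elif f"switchport access vlan {vlan}" in cmds and "switchport protected" not in cmds:
            findings.append((name, "access port not protected"))
    return findings  # trunk uplinks are never flagged: they stay unprotected by design

if __name__ == "__main__":
    for name, problem in audit_protected_ports(SAMPLE_CONFIG, 20):
        print(f"{name}: {problem}")
```

A clean result says nothing about traffic arriving over the uplink from another switch, which is the limitation described in the accepted solution.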

Community Member

Re: Protected Ports?

Thanks guys. I was reading some more up on it and it seems you can do this across switches, but it needs to be configured on a private-vlan on the interface. And it just so happens that I have 2960s and 3560s that do not seem to support that option :(

Ahh well, is there any other option for me to help with my issue using the 2960s and 3560s?

Thanks

Community Member

Re: Protected Ports?

Hello BRETT,

As you said, PVLAN would have been the best option. You could upgrade your IOS version to allow it, or create a VLAN with an ACL to prevent it.

HTH

DAK

Community Member

Re: Protected Ports?

Hey Dak,

But the ACLs would not affect the packets until they hit the route point, and most LAN games never hit the route point. The students are already in a separate VLAN, but they do not have a VLAN for each individual student; that would be a bit tough with 700+ computers at this site.

I guess I was just looking for an easy way out and there does not seem to be one. We have currently implemented client-based firewalls to prevent the packets; I will see how that goes. I was hoping to do it at the switch level so the students did not try to get past the firewall.

Community Member

Re: Protected Ports?

You are right. Another way could be through NBAR, or you define the website you want to prevent on your firewall (ASA/PIX).

DAK
