
Protected Ports?

blittrell
Level 1

Hi All,

I had a quick question. When you configure "switchport protected" does this not forward traffic from other switches to this port as well as ports on the local switch?

The issue is this, we have students that like to play LAN games during school hours. Protected port seems ideal in the sense that it does not allow other protected ports from talking to each other. This seems straight forward on one switch but if you have multiple switches, will a protected port on one switch be denied from talking to a protected port on another switch?

Thanks

Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello Brett,

>> will a protected port on one switch be denied from talking to a protected port on another switch?

Unfortunately this is not true: the switch uplinks are primary/promiscuous ports, so the risk is to allow traffic between ports in different access layer switches.

Hope to help

Giuseppe


6 Replies

To add to Giuseppe's point, protected ports can still talk to each other via a layer 3 interface if that layer 3 interface is doing local proxy ARP. Therefore, if you plan to use this feature, you need to make sure "local proxy arp" is disabled (it should be disabled by default).
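As an added illustration of the two points above (example configuration, not taken from the thread or from Cisco documentation), here is how protected ports look on a single access switch, why the uplink lets traffic reach protected ports on a second switch, and where local proxy ARP is switched off. Interface numbers, VLAN 30, the description strings and the SVI address are assumptions.

```cisco
! Access switch A (a 2960 or 3560): student ports are protected, the uplink is not.
! Interface numbers, VLAN 30 and addresses are assumptions for this example.
vlan 30
 name STUDENTS
!
interface range GigabitEthernet0/1 - 24
 description Student PCs
 switchport mode access
 switchport access vlan 30
 switchport protected
 ! Gi0/1 <-> Gi0/2 on this same switch: dropped at layer 2 (both are protected)
!
interface GigabitEthernet0/25
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 30
 ! Deliberately NOT protected: a protected port forwards freely to an
 ! unprotected port. So Gi0/1 on switch A -> trunk -> switch B -> a protected
 ! port on switch B is still forwarded. Protection is local to one switch.
!
! Distribution switch routing VLAN 30: keep local proxy ARP off, otherwise the
! SVI answers ARP for same-subnet hosts and relays traffic between protected
! ports on the same switch.
interface Vlan30
 ip address 10.30.0.1 255.255.0.0
 no ip local-proxy-arp
!
! Checks (output omitted):
! show interfaces GigabitEthernet0/1 switchport   -> look for "Protected: true"
! show ip interface Vlan30 | include Proxy        -> "Local Proxy ARP is disabled"
```

The "Protected: true" line confirms the access port; there is no per-port setting that extends the isolation across the trunk, which is why the other replies point at private VLANs instead.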

Thanks guys. I was reading up some more on it and it seems you can do this across switches, but it needs to be configured as a private VLAN on the interface. And it just so happens that I have 2960s and 3560s that do not seem to support that option :(

Ahh well, is there any other option for me to help with my issue using the 2960s and 3560s?

Thanks

Hello BRETT,

As you said, PVLAN would have been the best option. You could upgrade your IOS version to allow it, or create a VLAN with an ACL to prevent it.

HTH

DAK

Hey Dak,

But the ACLs would not affect the packets until they hit the route point, and most LAN games never hit the route point. The students are already in a separate VLAN, but they do not have a VLAN for each individual student; that would be a bit tough with 700+ computers at this site.

I guess I was just looking for an easy way out and there does not seem to be one. We have currently implemented client-based firewalls to prevent the packets; I will see how that goes. I was hoping to do it at the switch level so the students did not try to get past the firewall.

You are right. Another way could be through NBAR, or you define the websites you want to prevent on your firewall (ASA/PIX).

DAK
