What happens if there is a system or user on a VLAN that is infected by malware or is deliberately running a scanning program? What if you have some public ports on your switches that you only want to have access to the Internet and not each other?
This problem can be easily solved with something called Protected Ports. The way this works is very simple. By enabling the protected port condition on a switch port, you stop traffic/packets from other protected ports on that same VLAN. Unprotected ports can still be accessed (like the port to the Router).
How to Configure Protected Ports
Let’s say I have a switch, that has the Router of port 1, and users on ports 2 and 3. To invoke protected port functionality between the users, we simply make those ports protected and leave the Router port unprotected. This means the users can send information in and out of the router port but not to each other!
Here is an example config matching our simple scenario:
Proper configuration first requires that an already enabled switch port exists and you will enter the port-security Interface Mode command. Here’s an example with the users on ports 2 and 3:
Cell_Switch# configure terminal
Cell_Switch(config)# interface range gig 0/2 , gig 0/3
Cell_Switch(config-if)# switchport mode access
Cell_Switch(config-if)# switchport vlan 100
Cell_Switch(config-if)# switchport protected
Note that we used the interface range command to shorten our command entry. This allows us to enter the commands once and have them implemented on all the prots we specified in the range.
Note also that we made sure the ports were in access mode and in VLAN 100.
Then we simple turned on the switchport protected command! Keep in mind that both user ports need to be in protected mode to prevent them from talking to one another.
To verify that the protected port option is enabled, use the show interfaces switchport command.
We hope this helps you understand this feature and its usage.