Monday, August 8, 2011

switchport protected

If you have an older switch that does not support private VLANs, protected switch ports are an alternative. They behave roughly like the isolated port of a private VLAN: ports in protected mode cannot communicate with each other, but a protected port and a non-protected port can.

So if you want the PCs in a VLAN not to see each other at Layer 2, set their ports to protected mode and leave the router's (default gateway) port unchanged. Then every PC reaches the router, but not the other PCs.

Of course, this only works within a single switch: two protected ports on different switches can still communicate with each other.


Switch(config)# interface GigabitEthernet0/4
Switch(config-if)# switchport protected

Switch#show interface GigabitEthernet0/4 switchport
Name: Gi0/4
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
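A quick way to verify that the configuration above was applied to every host port in a VLAN is to parse the `show interfaces switchport` output and list the ports that are still unprotected. The script below is an added example, not part of the original post or Cisco's tooling; the interface names, VLAN numbers and the choice of Gi0/1 as the gateway port in the embedded sample output are constructed for the demo.

```python
"""Audit 'show interfaces switchport' output for protected-port coverage.

The constructed sample below mimics the Cisco IOS output format shown in
the post (only the fields the check needs are kept per interface).
Interface names, VLAN ids and the gateway port are assumptions for the demo.
"""
import re

# Constructed sample: Gi0/1 is assumed to be the router/gateway port in VLAN 10.
SAMPLE_OUTPUT = """\
Name: Gi0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: false
Unknown unicast blocked: disabled

Name: Gi0/2
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: true
Unknown unicast blocked: disabled

Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 10 (USERS)
Protected: false
Unknown unicast blocked: disabled

Name: Gi0/4
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Access Mode VLAN: 20 (SERVERS)
Protected: false
Unknown unicast blocked: disabled
"""


def parse_switchports(text):
    """Split the output into one dict per interface, keyed by each 'Name:' line."""
    ports = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # lines such as 'Capture Mode Disabled' carry no key/value pair
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = {"name": value}
            ports.append(current)
        elif current is not None:
            current[key] = value
    return ports


def access_vlan(port):
    """Extract the numeric VLAN id from a value like '10 (USERS)' or '1 (default)'."""
    m = re.match(r"(\d+)", port.get("Access Mode VLAN", ""))
    return int(m.group(1)) if m else None


def unprotected_ports(text, vlan, gateway_port):
    """Return the access ports in `vlan` that lack 'Protected: true',
    skipping the gateway port, which is meant to stay unprotected."""
    violations = []
    for port in parse_switchports(text):
        if access_vlan(port) != vlan:
            continue
        if port["name"] == gateway_port:
            continue
        if port.get("Protected", "false").lower() != "true":
            violations.append(port["name"])
    return violations


if __name__ == "__main__":
    bad = unprotected_ports(SAMPLE_OUTPUT, vlan=10, gateway_port="Gi0/1")
    print("Unprotected host ports in VLAN 10:", bad)
```

Run it against the saved output of `show interfaces switchport` from one switch at a time; because protection is local to a switch, an uplink to a second switch carrying the same VLAN is outside what this check can see and has to be audited on that switch separately.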
