Cisco Catalyst Protected Port feature
In this article, we will see the purpose of using the protected port feature and how you can configure it.
The protected port is a Cisco Catalyst switch feature that prevents selected interfaces on the same switch from exchanging traffic with each other. This feature is sometimes called Private VLAN Edge.
Look at the following architecture to understand better why we can use this feature:
In this architecture, the two types of communication that we can have are the following:
- Web traffic between the USER and the WEB SERVER.
- Mail traffic when the USER is checking or sending an email.
Do you think that the two servers have to communicate with each other? I don’t think that this is necessary. In addition, if an attacker takes over the WEB SERVER, he can easily attack your MAIL SERVER from there, and this is very bad.
To prevent the two servers from talking to each other, we configure the protected port feature on the Catalyst switch: the two servers are connected to ports that are configured as protected, and protected ports are unable to communicate with each other.
So, as you can see on the picture above, the two ports will be configured as protected, and the two servers can no longer communicate with each other.
Configuration
We will use the following architecture to configure the protected port feature:
As you can see in this architecture, we have 3 hosts connected to a Cisco Catalyst switch with a default configuration. The 3 hosts are in the same VLAN and in the same subnet, 192.168.1.0/24, so they can ping each other:
HOST1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Ping statistics for 192.168.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 7ms, Average = 1ms

HOST1>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

HOST3>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
As you can see, we have full reachability. The next step is to enable the protected port feature on Fa0/2 (connected to HOST2) and Fa0/3 (connected to HOST3).
SW(config)#int fa0/2
SW(config-if)#switchport protected
SW(config-if)#exit
SW(config)#int fa0/3
SW(config-if)#switchport protected
SW(config-if)#exit
The two interfaces are now protected. The interface connected to HOST1 is still unprotected. We can verify that an interface is protected by looking at the output of show int fa0/2 switchport (the "Protected: true" line):
SW#show int fa0/2 switchport
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 600 (IPv6)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Let’s verify the reachability with the protected port feature configured:
HOST2>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=0ms TTL=128
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

HOST2>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.3:
    Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),

HOST3>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

HOST3>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.2:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
You can see that HOST2 and HOST3 cannot reach each other, but they can still reach HOST1, which is connected to an unprotected port.
To summarize: traffic between two protected ports is blocked; traffic between a protected port and an unprotected port is allowed.
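As an added example (not code from the article), the small Python audit below parses the "Access Mode VLAN" and "Protected" fields from constructed show interfaces switchport output, modelled on the fields shown above, and applies the summary rule to every pair of ports. It models a single switch only, since the protected flag has no effect on traffic that leaves the switch; the interface names and VLAN values are assumptions.

```python
import re
from itertools import combinations

# Constructed sample: abbreviated "show interfaces switchport" output for the
# three access ports of the article, after Fa0/2 and Fa0/3 were protected.
SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 600 (IPv6)
Protected: false

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 600 (IPv6)
Protected: true

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 600 (IPv6)
Protected: true
"""


def parse_switchport(text):
    """Return {interface: {"vlan": int, "protected": bool}} from the show output."""
    ports = {}
    for block in text.strip().split("\n\n"):
        name = re.search(r"^Name:\s*(\S+)", block, re.M).group(1)
        vlan = int(re.search(r"^Access Mode VLAN:\s*(\d+)", block, re.M).group(1))
        prot = re.search(r"^Protected:\s*(true|false)", block, re.M).group(1)
        ports[name] = {"vlan": vlan, "protected": prot == "true"}
    return ports


def l2_allowed(ports, a, b):
    """Local forwarding rule: the two ports must share a VLAN, and two protected
    ports never exchange traffic. Only valid for ports on the same switch."""
    pa, pb = ports[a], ports[b]
    if pa["vlan"] != pb["vlan"]:
        return False
    return not (pa["protected"] and pb["protected"])


def reachability(ports):
    """Map every unordered pair of ports to whether traffic is forwarded."""
    return {(a, b): l2_allowed(ports, a, b) for a, b in combinations(sorted(ports), 2)}


def audit(ports, expected_protected):
    """Return interfaces whose Protected flag differs from the intended set."""
    return sorted(n for n, p in ports.items() if p["protected"] != (n in expected_protected))
```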
This is all that I have for you about protected ports. It is a pretty cool feature, but it is very limited. This is why private VLANs exist; I’ll write a separate article on them.
I hope this article was helpful for you, don’t hesitate to ask questions (if you have) in the comment part.