Cisco Catalyst Protected Port feature

In this article, we will see the purpose of the protected port feature and how you can configure it.

The protected port is a Cisco Catalyst switch feature that prevents interfaces from communicating with each other. This feature is sometimes called Private VLAN Edge.

Look at the following architecture to understand better why this feature is useful:

[Figure 1]

In this architecture, the two types of communication we can have are the following:

  • Web traffic between the USER and the WEB SERVER.
  • Mail traffic when the USER is checking or sending an email.

Do you think that the two servers have to communicate with each other? I don’t think that this is necessary. In addition, if a hacker takes over the WEB SERVER, he can easily attack your MAIL SERVER… And this is very bad.

[Figure 2]

To obtain this result, we have to configure the protected port feature on the Catalyst switch: the two servers are connected to ports configured as protected, and protected ports are unable to communicate with each other.

[Figure 3]

As you can see in the picture above, the two ports are configured as protected, so the two servers can’t communicate with each other.

Configuration

We will use the following architecture to configure the protected port feature:

[Figure 4]

As you can see in this architecture, we have 3 hosts connected to a Cisco Catalyst switch with a default configuration. The 3 hosts are in the same VLAN and in the same subnet, 192.168.1.0/24, so they can ping each other:

HOST1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time=0ms TTL=128
Ping statistics for 192.168.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 7ms, Average = 1ms
HOST1>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
HOST3>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.3:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

As you can see, we have full reachability. The next step is to enable the protected port feature on Fa0/2 (connected to HOST2) and Fa0/3 (connected to HOST3).

SW(config)#int fa0/2
SW(config-if)#switchport protected
SW(config-if)#exit
SW(config)#int fa0/3
SW(config-if)#switchport protected
SW(config-if)#exit

The two interfaces are now protected; the interface connected to HOST1 is still unprotected. We can verify that an interface is protected by looking at the output of show int fa0/2 switchport:

SW#show int fa0/2 switchport
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 600 (IPv6)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Let’s verify the reachability with the protected port feature configured:

HOST2>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=0ms TTL=128
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
HOST2>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.3:
Packets: Sent = 3, Received = 0, Lost = 3 (100% loss),
HOST3>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=1ms TTL=128
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
HOST3>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.2:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

You can see that HOST2 and HOST3 cannot reach each other, but they can still reach HOST1, which is connected to an unprotected port.

To summarize: traffic between two protected ports is not allowed; traffic between a protected port and an unprotected port is allowed.
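When you roll this out on more than three ports, it is easy to forget one and leave two hosts talking that should not. The following script is an added example (not part of the original article) that parses the `Protected:` field of `show interfaces switchport` output, applies the rule just summarized, and reports host pairs that should be isolated but are not. The sample output is constructed from the format shown above; the `Name:` header line per interface and the host-to-port mapping (HOST1 on Fa0/1, HOST2 on Fa0/2, HOST3 on Fa0/3) are assumptions for this lab.

```python
"""Audit protected-port isolation from `show interfaces switchport` text.

Added example, not code from the original article. Rule implemented, as the
article states it: frames between two protected ports on the same switch are
dropped; any pair involving an unprotected port is forwarded.
"""
import re

# Constructed sample output (abbreviated to the fields this audit needs).
# The "Name:" line per interface is assumed; the article shows a single
# interface without it.
SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 1 (default)
Protected: false

Name: Fa0/2
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 1 (default)
Protected: true

Name: Fa0/3
Switchport: Enabled
Administrative Mode: static access
Access Mode VLAN: 1 (default)
Protected: true
"""

# Assumed host-to-port mapping for the article's lab.
HOST_PORTS = {"HOST1": "Fa0/1", "HOST2": "Fa0/2", "HOST3": "Fa0/3"}


def parse_protected(show_output):
    """Return {interface_name: is_protected} parsed from show output."""
    result = {}
    current = None
    for line in show_output.splitlines():
        name = re.match(r"Name:\s+(\S+)", line)
        if name:
            current = name.group(1)
            result[current] = False  # default until a Protected: line is seen
            continue
        flag = re.match(r"Protected:\s+(true|false)", line)
        if flag and current:
            result[current] = flag.group(1) == "true"
    return result


def can_communicate(protected, port_a, port_b):
    """Protected-to-protected is blocked; anything else is allowed."""
    if port_a == port_b:
        return True
    return not (protected[port_a] and protected[port_b])


def reachability_matrix(show_output, host_ports=HOST_PORTS):
    """Predicted reachability {(src_host, dst_host): bool} for every host pair."""
    protected = parse_protected(show_output)
    matrix = {}
    for src, src_port in host_ports.items():
        for dst, dst_port in host_ports.items():
            if src != dst:
                matrix[(src, dst)] = can_communicate(protected, src_port, dst_port)
    return matrix


def audit_isolation(show_output, must_be_isolated, host_ports=HOST_PORTS):
    """Return the host pairs from must_be_isolated that can still talk."""
    matrix = reachability_matrix(show_output, host_ports)
    return [(a, b) for a, b in must_be_isolated if matrix[(a, b)]]


if __name__ == "__main__":
    for pair, ok in sorted(reachability_matrix(SHOW_SWITCHPORT).items()):
        print(f"{pair[0]} -> {pair[1]}: {'reachable' if ok else 'blocked'}")
    print("violations:", audit_isolation(SHOW_SWITCHPORT, [("HOST2", "HOST3")]))
```

Running it on the constructed sample predicts exactly what the pings above showed: HOST2 and HOST3 are blocked from each other while both reach HOST1. Two things to keep in mind when using a check like this: the `Protected:` flag is per switch, so the audit only tells you about hosts on the same switch (a protected port on one switch cannot isolate traffic coming in over a trunk from another switch), and the rule is Layer 2 only, so two protected hosts can still reach each other through a router or Layer 3 interface if one is present in the VLAN.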

This is all I have for you about protected ports. It is a pretty cool feature, but it is very limited. This is why private VLANs exist; I’ll write a great article on them.

I hope this article was helpful for you; don’t hesitate to ask questions (if you have any) in the comments section.
