Configuring Protected Port


Information About Protected Ports

Protected Ports

Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

Protected ports have these features:

  • A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
  • Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack.

Default Protected Port Configuration

The default is to have no protected ports defined.

Protected Ports Guidelines

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable port protection for a port channel, it is enabled for all ports in the port-channel group.

How to Configure Protected Ports

Configuring a Protected Port

Before You Begin

Protected ports are not pre-defined. This is the task to configure one.


    1.    configure terminal

    2.    interface interface-id

    3.    switchport protected

    4.    end

    5.    show interfaces interface-id switchport

    6.    copy running-config startup-config

    Step 1
        Command or Action: configure terminal
        Example: Switch# configure terminal
        Purpose: Enters global configuration mode.

    Step 2
        Command or Action: interface interface-id
        Example: Switch(config)# interface gigabitethernet1/0/1
        Purpose: Specifies the interface to be configured, and enters interface configuration mode.

    Step 3
        Command or Action: switchport protected
        Example: Switch(config-if)# switchport protected
        Purpose: Configures the interface to be a protected port.

    Step 4
        Command or Action: end
        Example: Switch(config-if)# end
        Purpose: Returns to privileged EXEC mode.

    Step 5
        Command or Action: show interfaces interface-id switchport
        Example: Switch# show interfaces gigabitethernet1/0/1 switchport
        Purpose: Verifies your entries.

    Step 6
        Command or Action: copy running-config startup-config
        Example: Switch# copy running-config startup-config
        Purpose: (Optional) Saves your entries in the configuration file.


Monitoring Protected Ports

Table 1 Commands for Displaying Protected Port Settings

    Command: show interfaces [interface-id] switchport
    Purpose: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.
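
The following Python script is an added example, not part of the original Cisco documentation. It audits saved `show interfaces switchport` output against the forwarding rule described under Protected Ports: Layer 2 traffic is blocked only when both ports are protected. The sample output is constructed and abbreviated, and the `Name:` and `Protected:` field layout is an assumption that can vary by platform and release; the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed, abbreviated sample of `show interfaces switchport` output
# (assumed field layout; real output has many more fields per interface).
SAMPLE_OUTPUT = """\
Name: Gi1/0/1
Switchport: Enabled
Operational Mode: static access
Protected: true

Name: Gi1/0/2
Switchport: Enabled
Operational Mode: static access
Protected: false

Name: Gi1/0/3
Switchport: Enabled
Operational Mode: static access
Protected: true
"""

def parse_protected(output):
    """Return {interface name: bool} from the Name: and Protected: lines."""
    state, current = {}, None
    for line in output.splitlines():
        m = re.match(r"\s*Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*Protected:\s*(true|false)\s*$", line, re.I)
        if m and current:
            state[current] = m.group(1).lower() == "true"
    return state

def l2_reachable_pairs(state, isolate):
    """Pairs of ports in `isolate` that can still exchange Layer 2 traffic.

    Traffic is blocked only when BOTH ports are protected; a port missing
    from the output is treated as unprotected.
    """
    return [(a, b) for a, b in combinations(sorted(isolate), 2)
            if not (state.get(a, False) and state.get(b, False))]

if __name__ == "__main__":
    ports = parse_protected(SAMPLE_OUTPUT)
    for a, b in l2_reachable_pairs(ports, ["Gi1/0/1", "Gi1/0/2", "Gi1/0/3"]):
        print(f"NOT isolated at Layer 2: {a} <-> {b}")
```

With the sample above, the single unprotected port Gi1/0/2 is reported as reachable from both protected ports, which shows why every port in an isolation group needs `switchport protected`.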