CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs -
LAN Switching
Protected Ports
A Note On Section Initial Configuration Files: You must load the
initial configuration files for the section, named LAN Switching Initial
Spanning Tree, which can be found in
. Reference the Virtual Routers &
Physical Switches Diagram to complete this task.
Task
Shutdown all Ethernet links from SW4 towards SW2 and SW3.
Shutdown ports Fa0/19 and Fa0/23 on SW1.
Create an SVI for VLAN 10 on SW1, assign it the IP address of 169.254.23.1/24.
Configure Fa0/20 and Fa0/24 on SW1 as access ports in VLAN 10.
Configure port Fa0/20 on SW3 and Fa0/24 on SW2 as Layer 3 ports with IP
addresses of 169.254.23.Y/24, where Y is the switch number.
Configure port protection on SW1 so that SW2 and SW3 cannot directly
communicate with each other, but can communicate with SW1’s VLAN 10 interface.
Configuration
SW4:
interface range FastEthernet0/19 - 20
shutdown
!
interface range FastEthernet0/23 - 24
shutdown
SW1:
interface range FastEthernet0/19 , FastEthernet0/23
shutdown
!
default interface range FastEthernet0/20 , FastEthernet0/24
!
interface range FastEthernet0/20 , FastEthernet0/24
switchport mode access
switchport access vlan 10
switchport protected
!
interface Vlan10
ip address 169.254.23.1 255.255.255.0
no shutdown
SW2:
interface FastEthernet0/24
no switchport
ip address 169.254.23.2 255.255.255.0
SW3:
interface FastEthernet0/20
no switchport
ip address 169.254.23.3 255.255.255.0
Verification
Protected ports are used to prevent traffic from being directly exchanged at Layer 2
between two or more hosts that are within the same VLAN. Traffic received on a
protected port cannot be sent out another protected port, but traffic received on a
protected port can be sent out a non-protected port. This feature is a much smaller
subset of the Private VLAN feature, and it cannot span multiple physical
switches: you cannot configure a protected port on SW1 and a protected port on
SW2 and expect traffic between these two ports to be disallowed.
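The forwarding rule described above, as an added toy model that is not part of the workbook: the SVI is modelled as just another port in VLAN 10, SW2's ARP broadcast from Fa0/24 reaches the SVI but never Fa0/20, and a constructed second switch (SW5, with a trunk on a hypothetical SW1 Fa0/1) shows why protection does not carry across switches.

```python
# Toy model of the Catalyst 'switchport protected' forwarding rule. Added
# example, not from the workbook; SW5 and the trunk port Fa0/1 are constructed.
from dataclasses import dataclass, field

@dataclass
class Switch:
    name: str
    ports: dict                                    # port -> VLAN (SVI modelled as a port)
    protected: set = field(default_factory=set)
    links: dict = field(default_factory=dict)      # trunk port -> (peer Switch, peer port)
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> learned port

    def egress_allowed(self, ingress, egress):
        if egress == ingress or self.ports[egress] != self.ports[ingress]:
            return False
        # Protected -> protected on the SAME switch is blocked; everything else forwards.
        return not (ingress in self.protected and egress in self.protected)

    def forward(self, ingress, src_mac, dst_mac):
        vlan = self.ports[ingress]
        self.mac_table[(vlan, src_mac)] = ingress
        known = self.mac_table.get((vlan, dst_mac))
        candidates = [known] if known else [p for p in self.ports if p != ingress]
        out = []  # (switch, port) pairs that receive the frame
        for port in (p for p in candidates if self.egress_allowed(ingress, p)):
            if port in self.links:  # a trunk: the protected state is not carried across
                peer, peer_port = self.links[port]
                out += peer.forward(peer_port, src_mac, dst_mac)
            else:
                out.append((self.name, port))
        return out

MAC_SW1, MAC_SW2 = "0013.605f.f041", "000a.b832.3ac1"   # from the lab's ARP tables
BCAST = "ffff.ffff.ffff"

def sw2_arp_exchange():
    """SW1 as in the task (Fa0/20 and Fa0/24 protected, SVI not): SW2's ARP broadcast
    reaches the SVI but never Fa0/20 (SW3); the SVI's unicast reply gets back to SW2."""
    sw1 = Switch("SW1", {"Fa0/20": 10, "Fa0/24": 10, "Vlan10": 10},
                 protected={"Fa0/20", "Fa0/24"})
    request = sw1.forward("Fa0/24", MAC_SW2, BCAST)
    reply = sw1.forward("Vlan10", MAC_SW1, MAC_SW2)
    return request, reply

def two_switch_caveat():
    """Constructed: SW1 Fa0/1 trunks to hypothetical SW5, whose Fa0/2 is also protected.
    A frame from SW1's protected Fa0/24 still reaches SW5 Fa0/2 (no cross-switch isolation)."""
    sw5 = Switch("SW5", {"Fa0/1": 10, "Fa0/2": 10}, protected={"Fa0/2"})
    sw1 = Switch("SW1", {"Fa0/24": 10, "Fa0/1": 10}, protected={"Fa0/24"})
    sw1.links["Fa0/1"] = (sw5, "Fa0/1")
    return sw1.forward("Fa0/24", MAC_SW2, BCAST)
```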
In this particular design, the result of port protection is that SW1 and SW2 can
communicate, SW1 and SW3 can communicate, but SW2 and SW3 cannot
communicate, although they are attached to the same VLAN:
SW3#ping 169.254.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

SW3#ping 169.254.23.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

SW2#ping 169.254.23.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

SW2#ping 169.254.23.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 169.254.23.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Notice that ARP traffic is also not allowed between protected ports; basically all
traffic is dropped, so SW2 and SW3 never complete ARP resolution for each other:
SW1#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  169.254.23.1            -   0013.605f.f041  ARPA   Vlan10
Internet  169.254.23.2            0   000a.b832.3ac1  ARPA   Vlan10
Internet  169.254.23.3            9   0022.5627.1fc1  ARPA   Vlan10

SW2#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  169.254.23.1           18   0013.605f.f01a  ARPA   FastEthernet0/24
Internet  169.254.23.2            -   000a.b832.3ac1  ARPA   FastEthernet0/24
Internet  169.254.23.3            0   Incomplete      ARPA

SW3#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  169.254.23.1           18   0013.605f.f016  ARPA   FastEthernet0/20
Internet  169.254.23.2            0   Incomplete      ARPA
Internet  169.254.23.3            -   0022.5627.1fc1  ARPA   FastEthernet0/20