Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
First Published: June 28, 2007
Last Updated: June 28, 2007
This feature allows you to configure protected port security on all modular platforms with installed 4- or 9-port high-speed WAN interface card (HWIC) modules. Some applications require that no traffic be forwarded between ports on the same device so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the device.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers" section.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
• Prerequisites for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
• Restrictions for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
• Information About Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
• How to Configure Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
• Feature Information for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
Prerequisites for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
The following Integrated Services Routers (ISRs) support the protected port feature:
• Cisco 1841 ISR
• Cisco 2800 series ISRs, including models 2801, 2811, 2821, and 2851
• Cisco 3800 series ISRs, including models 3825 and 3845
To support the protected port feature, the Cisco routers listed above must be equipped with one of the following HWICs:
• HWIC-4ESW
• HWIC-D-9ESW
Restrictions for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
The protected port feature can be configured only on the switch ports attached to the specified HWICs installed in a supported Cisco ISR.
Information About Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
Before configuring the protected port feature on a router, you should understand the following concept:
• How the Protected Port Feature Works
How the Protected Port Feature Works
Some applications require that no traffic is forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
The default is to have no protected ports defined.
How to Configure Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
This section explains how to configure the protected port feature on the 4- and 9-port HWICs in a modular ISR.
Restrictions
The protected port feature can be configured only on the switch ports attached to the specified HWICs in a Cisco ISR.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface [interface id]
4. switchport protected
5. end
DETAILED STEPS
Configuration Examples for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
This example shows how to configure Fast Ethernet interface 0/3 as a protected port and verify the configuration:
Router# configure terminal
Router(config)# interface fastethernet0/3
Router(config-if)# switchport protected
Router(config-if)# end
Router# show interface fastethernet0/3 switchport
Name: Gi0/3
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: none
Protected: true
Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
Router#
Router# show running interface fastethernet0/3/0
Building configuration...
Current configuration : 57 bytes
!
interface FastEthernet0/3/0
 switchport protected
end
Additional References
The following sections provide references related to the protected port on 4- and 9-Port HWICs on Modular Integrated Services Routers feature.
Related Documents
Related Topic | Document Title
Configuring a EtherSwitch HWICs | "Cisco HWIC-4ESW and HWIC-D-9ESW EtherSwitch Interface Cards" chapter in the Cisco IOS LAN Switching Configuration Guide, Release 12.4
Cisco IOS Command Reference
Standards
Standard | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
RFCs
RFC | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Command Reference
This section documents only commands that are new or modified.
switchport protected
Use the switchport protected command in interface configuration mode to isolate unicast, multicast, and broadcast traffic at Layer 2 from other protected ports on the same switch. To disable protection on the port, use the no form of the command.
switchport protected
no switchport protected
Syntax Description
This command has no arguments or keywords.
Command Default
No protected port is defined. All ports are nonprotected.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The switchport protection feature is local to the switch; communication between protected ports on the same switch is possible only through a Layer 3 device. To prevent communication between protected ports on different switches, you must configure the protected ports for unique VLANs on each switch and configure a trunk link between the switches.
Beginning with Cisco IOS Release 12.4(15)T, the following Cisco ISRs support port protection when an appropriate high-speed WAN interface card (HWIC) is installed:
• Cisco 1841 ISR
• Cisco 2800 Series ISRs, including models 2801, 2811, 2821, and 2851
• Cisco 3800 Series ISRs, including models 3825 and 3845
To support port protection, the Cisco routers listed above must be equipped with one of the following HWICs:
• HWIC-4ESW
• HWIC-D-9ESW
Note: Only the ports attached to the HWICs can be configured with port protection.
A protected port does not forward any unicast, multicast, or broadcast traffic to any other protected port. A protected port continues to forward unicast, multicast, and broadcast traffic to unprotected ports and vice versa.
Port monitoring does not work if both the monitor and monitored ports are protected ports.
A protected port is different from a secure port.
Examples
The following example shows how to enable a protected port on an interface:
Switch(config)# interface gigabitethernet0/3
Switch(config-if)# switchport protected
You can verify the previous command by entering the show interfaces switchport privileged EXEC command.
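The verification step above can be automated across many ports. The following Python is an added example, not part of the Cisco documentation: it parses show interfaces switchport output and applies the forwarding rule from "How the Protected Port Feature Works" to list the same-VLAN port pairs that can still exchange Layer 2 traffic. The port names, VLAN values, and the "Protected: false" line in the sample are constructed, and only access ports are assumed.

```python
from itertools import combinations

# Constructed sample: abbreviated "show interfaces switchport" output for four
# access ports, using the field names from this document's example output.
SAMPLE = """\
Name: Fa0/3/0
Access Mode VLAN: 1 (default)
Protected: true
Name: Fa0/3/1
Access Mode VLAN: 1 (default)
Protected: true
Name: Fa0/3/2
Access Mode VLAN: 1 (default)
Protected: false
Name: Fa0/3/3
Access Mode VLAN: 20 (VLAN0020)
Protected: false
"""

def parse_switchport(text):
    """Return {port name: {field: value}}; a 'Name:' line starts a new port."""
    ports, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank lines, prompts, anything without 'field: value'
        key, value = key.strip(), value.strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return ports

def is_protected(port):
    """A missing or non-'true' Protected field counts as unprotected."""
    return port.get("Protected") == "true"

def l2_reachable_pairs(ports):
    """Same-VLAN pairs not blocked by the protected-to-protected rule."""
    pairs = []
    for a, b in combinations(sorted(ports), 2):
        same_vlan = ports[a].get("Access Mode VLAN") == ports[b].get("Access Mode VLAN")
        if same_vlan and not (is_protected(ports[a]) and is_protected(ports[b])):
            pairs.append((a, b))
    return pairs

def unprotected(ports, must_isolate):
    """Ports that policy requires to be isolated but that are not protected."""
    return sorted(p for p in must_isolate if not is_protected(ports.get(p, {})))
```

A port that is absent from the captured output is reported by unprotected() as well, so a truncated capture does not pass the check silently.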
Related Commands
Feature Information for Protected Port on EtherSwitch HWICs on Modular Integrated Services Routers
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note: Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.