I was reading the documentation and found the protected ports option. It looks like it could help slow down/stop some viruses and worms breakouts. However does this feature work across switches?
Does any one out there use portected ports? Why/why not? How much protection does it really give?
here is the significance of protected port(PrivateVLAN edge port) :
The PVLAN edge (protected port) is a feature that has only local significance to the switch, and there is no isolation provided between two protected ports located on different switches. A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port in the same switch and hence providing isolation. Traffic cannot be forwarded between protected ports at L2, all traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.
private vlan includes 2 type of vlans : isolated vlan and community vlans.
Isolated vlan`s port cant talk to each other and they are generally used to connect to l3 devices like routers and we asssign IP address to these ports. Isolated ports are contacted by community vlan ports.
Community Vlans ports are connected with workstations which you want to isolate with rest of PCs on that switch. 2 community vlan ports can talk to each other and they can also communicate with isolate vlan ports.
protected ports are used when u want to have a confidential server and dont want anybody to contact that except some specified users. then u can connect that server to isolated vlan port and . and special users can be connected to comunity vlan ports so that only they can contact server.
Protected ports are not used for protection from viruses. they actually dont give protection, rather they give isolation from the local network on the switch.
kindly let me know if any further queries you have.
"Lets switchit" ;)
If you have a 2900XL or 3500XL series switches, the "port protected" command stops any L2 communication between this two ports. In this scenario, the only mac-addresses available fot that special ports are the ones learned via a non-protected (standard) port.
This behavior is only for ports of this box, so if you would like a port protected on another switch of your network, then you have to configure "port protected" on every trunk of this switch, but this configuration disable the communication of the protected ports of that swtich to another boxes !!!
Yes, protected port is PVLAN port.as previously I mentioned its not a standard port, and will not communicate with any Normal L2 port.
community-to-community = possible
community -to-isolated = possible (vice-versa)
isolated-to-isolated = not possible
Kindly update me if you need any further clarification.