Switch protected port limitations

The switch protected port feature can be used to prevent devices connected to switchports on the same switch and on the same VLAN from communicating with each other. Although this feature is useful, it has the following limitations and caveats:

  • Devices connected to protected ports on the same VLAN but on different switches will be able to communicate. This is because the feature works at the switch level, not the VLAN level.
  • Each individual port must be configured separately as protected.
  • The feature is useful on small networks typically served by a single switch, but is not very scalable especially on larger enterprise networks with dozens or even hundreds of switches.
  • The feature is not so critical in many implementations because workstations typically have a local software firewall that is implemented by their operating system to protect against unauthorized access.
  • The feature should be used with care since many users may want to share folders on their workstations or may want to communicate using videoconferencing or VoIP services, which would require direct communication.

For larger networks and for a more scalable and manageable deployment, it is recommended to use Private VLANs as an alternative.

Links:

https://forum.networklessons.com/t/protected-port-on-cisco-catalyst-switch/1097/21?u=lagapidis

https://networklessons.com/switching/protected-port-cisco-catalyst-switch/

Links to this page: