Protected ports

在某些特殊需求下，需要禁止同臺(tái)交換機(jī)上相同VLAN 的主機(jī)之間通信，但又不能將這些不能通信的主機(jī)劃到不同VLAN，因?yàn)檫€需要和VLAN中的其它主機(jī)通信，只是不能和部分主機(jī)通信。這個(gè)特性可以實(shí)現(xiàn)這種需求.

Protected ports have these features:

  A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

  Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs

注：這個(gè)feature只在單臺(tái)交換機(jī)上有效. 

sw1(config-if)#switchport protected    配置了這個(gè)特性的端口不能互訪.但能與其他端口訪問(wèn).