Traffic Segmentation-Protected Port
The protected port is a feature that does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. However, a protected port can communicate with an unprotected port and vice-versa.
• Protected port(isolated) to protected port(isolated) - communication is not allowed.
• Protected port(isolated) to protected port(community) - communication is not allowed.
• Protected port(isolated) to protected port(promiscuous) - communication is allowed.
• Protected port(community) to protected port(community) - communication is allowed.
• Protected port(community) to protected port(promiscuous) - communication is allowed.
• Protected port(promiscuous) to protected port(promiscuous) - communication is allowed.
• Unprotected port to protected port(any type) - communication is allowed.
The protected port configuration is local to the switch. This information is not propagated outside the switch, so protected ports on different switches can still communicate with each other.
The use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast data traffic between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor.
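The rules above can be checked against a switch's running configuration. The following is an added example, not part of the vendor documentation: it parses interface stanzas in the `show running-config` format used on this page and lists the local port pairs that can still exchange traffic. The function names, the sample config, the unprotected port xe3 and the `community` CLI keyword are assumptions made for illustration.

```python
import re
from itertools import combinations

# The only two combinations the list above marks "not allowed".
BLOCKED = {
    frozenset(["isolated"]),               # isolated <-> isolated
    frozenset(["isolated", "community"]),  # isolated <-> community
}

def can_forward(mode_a, mode_b):
    """True if the switch forwards between two local ports (None = unprotected)."""
    if mode_a is None or mode_b is None:
        return True  # an unprotected port can reach any port type
    return frozenset([mode_a, mode_b]) not in BLOCKED

def parse_protected_modes(running_config):
    """Map interface name -> protected mode, None when no mode is configured."""
    modes, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            modes[current] = None
            continue
        # "community" as a CLI keyword is assumed by analogy with the two shown.
        m = re.match(r"switchport protected (isolated|community|promiscuous)$", line)
        if m and current:
            modes[current] = m.group(1)
    return modes

def reachable_pairs(running_config):
    """Local port pairs that can still exchange traffic on this one switch."""
    modes = parse_protected_modes(running_config)
    return [(a, b) for a, b in combinations(sorted(modes), 2)
            if can_forward(modes[a], modes[b])]

# Constructed sample; xe3 is a hypothetical port left unprotected.
SAMPLE = """interface xe1
 switchport protected isolated
!
interface xe2
 switchport protected isolated
!
interface xe3
 switchport
"""

if __name__ == "__main__":
    print(reachable_pairs(SAMPLE))
```

Because the setting is local to the switch, the result says nothing about paths that cross an uplink to another switch.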
Topology
Figure 24-44 displays Traffic Segmentation-Protected Port Topology
Traffic Segmentation-Protected Port Topology
Isolated-Promiscuous Configuration
RTR1
Bridge Configuration:
#configure terminal | Enter configure mode. |
(config)#bridge 1 protocol ieee vlan-bridge | Configure bridge |
VLAN Configuration:
#configure terminal | Enter configure mode. |
(config)#vlan database | Enter into the vlan database |
(config-vlan)# vlan 30 bridge 1 state enable | Configure vlan 30 to bridge 1 |
(config-vlan)#exit | Exit from the vlan database. |
(config)#int xe1 | Enter interface configuration mode for xe1 |
(config-if)#switchport | Configure switchport |
(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
(config-if)#switchport trunk allowed vlan add 30 | Configure vlan 30 |
(config-if)#switchport protected isolated | Configure interface as isolated port |
(config-if)#exit | Exit from interface |
(config)#int xe2 | Enter interface configuration mode for xe2 |
(config-if)#switchport | Configure switchport |
(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
(config-if)#switchport trunk allowed vlan add 30 | Configure vlan 30 |
(config-if)#switchport protected promiscuous | Configure interface as promiscuous port |
(config-if)#exit | Exit from interface mode |
(config)#commit | Commit the configuration on the node. |
Validation
RTR1
#show running-config interface xe1
!
interface xe1
switchport
switchport protected isolated
bridge-group 1
switchport mode trunk
switchport trunk allowed vlan add 30
!
#show running-config interface xe2
!
interface xe2
switchport
switchport protected promiscuous
bridge-group 1
switchport mode trunk
switchport trunk allowed vlan add 30
#show interface xe1
Interface xe1
Flexport: Non Control Port (Active)
Hardware is ETH Current HW addr: 80a2.353f.edb7
Physical:80a2.353f.edb7 Logical:(not set)
Forward Error Correction (FEC) configured is Auto (default)
FEC status is N/A
Port Mode is trunk
Protected Mode is Isolated
Interface index: 5001
Metric 1 mtu 1500 duplex-full link-speed 10g
Debounce timer: disable
<UP,BROADCAST,RUNNING,MULTICAST>
VRF Binding: Not bound
Label switching is disabled
No Virtual Circuit configured
Administrative Group(s): None
Bandwidth 10g
DHCP client is disabled.
Last Flapped: 2022 Jan 06 13:13:42 (00:24:53 ago)
Statistics last cleared: 2022 Jan 06 13:13:42 (00:24:53 ago)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 256 bits/sec, 0 packets/sec
RX
unicast packets 0 multicast packets 7 broadcast packets 0
input packets 7 bytes 814
jumbo packets 0
undersize 0 oversize 0 CRC 0 fragments 0 jabbers 0
input error 0
input with dribble 0 input discard 7
Rx pause 0
TX
unicast packets 0 multicast packets 749 broadcast packets 0
output packets 749 bytes 47944
jumbo packets 0
output errors 0 collision 0 deferred 0 late collision 0
output discard 0
Tx pause 0
#show interface xe2
Interface xe2
Flexport: Non Control Port (Active)
Hardware is ETH Current HW addr: 80a2.353f.edb9
Physical:80a2.353f.edb9 Logical:(not set)
Forward Error Correction (FEC) configured is Auto (default)
FEC status is N/A
Port Mode is trunk
Protected Mode is Promiscuous
Interface index: 5003
Metric 1 mtu 1500 duplex-full link-speed 10g
Debounce timer: disable
<UP,BROADCAST,RUNNING,MULTICAST>
VRF Binding: Not bound
Label switching is disabled
No Virtual Circuit configured
Administrative Group(s): None
Bandwidth 10g
DHCP client is disabled.
Last Flapped: Never
Statistics last cleared: 2022 Jan 06 13:15:32 (00:23:52 ago)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
RX
unicast packets 0 multicast packets 0 broadcast packets 0
input packets 0 bytes 0
jumbo packets 0
undersize 0 oversize 0 CRC 0 fragments 0 jabbers 0
input error 0
input with dribble 0 input discard 0
Rx pause 0
TX
unicast packets 0 multicast packets 4569 broadcast packets 0
input packets 4569 bytes 327802
jumbo packets 0
output errors 0 collision 0 deferred 0 late collision 0
output discard 0
Tx pause 0
Send the VLAN 30 tagged traffic from traffic 1 to traffic 2:
#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
Xe1 100.01 20 0.00 0
Xe2 0.00 0 100.01 20
Send the VLAN 30 tagged traffic from traffic 1 to traffic 2:
#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
Xe1 0.00 20 100.00 0
Xe2 100.00 0 0.00 20
Isolated-Isolated Configuration
RTR1
Bridge Configuration:
#configure terminal | Enter configure mode. |
(config)#bridge 1 protocol ieee vlan-bridge | Configure bridge |
VLAN Configuration:
#configure terminal | Enter configure mode. |
(config)#vlan database | Enter into the vlan database |
(config-vlan)# vlan 30 bridge 1 state enable | Configure vlan 30 to bridge 1 |
(config-vlan)#exit | Exit from the vlan database. |
(config)#int xe1 | Enter interface configuration mode for xe1 |
(config-if)#switchport | Configure switchport |
(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
(config-if)#switchport trunk allowed vlan add 30 | Configure vlan 30 |
(config-if)#switchport protected isolated | Configure interface as isolated port |
(config-if)#exit | Exit from interface |
(config)#int xe2 | Enter interface configuration mode for xe2 |
(config-if)#switchport | Configure switchport |
(config-if)#bridge-group 1 | Associate interface with bridge-group 1 |
(config-if)#switchport mode trunk | Set the switching characteristics of this interface as trunk |
(config-if)#switchport trunk allowed vlan add 30 | Configure vlan 30 |
(config-if)#switchport protected isolated | Configure interface as isolated port |
(config-if)#exit | Exit from interface mode |
(config)#commit | Commit the configuration on the node. |
Validation
RTR1
#show running-config interface xe1
!
interface xe1
switchport
switchport protected isolated
bridge-group 1
switchport mode trunk
switchport trunk allowed vlan add 30
!
#show running-config interface xe2
!
interface xe2
switchport
switchport protected isolated
bridge-group 1
switchport mode trunk
switchport trunk allowed vlan add 30
#show interface xe1
Interface xe1
Flexport: Non Control Port (Active)
Hardware is ETH Current HW addr: 80a2.353f.edb7
Physical:80a2.353f.edb7 Logical:(not set)
Forward Error Correction (FEC) configured is Auto (default)
FEC status is N/A
Port Mode is trunk
Protected Mode is Isolated
Interface index: 5001
Metric 1 mtu 1500 duplex-full link-speed 10g
Debounce timer: disable
<UP,BROADCAST,RUNNING,MULTICAST>
VRF Binding: Not bound
Label switching is disabled
No Virtual Circuit configured
Administrative Group(s): None
Bandwidth 10g
DHCP client is disabled.
Last Flapped: 2022 Jan 06 13:13:42 (00:24:53 ago)
Statistics last cleared: 2022 Jan 06 13:13:42 (00:24:53 ago)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 256 bits/sec, 0 packets/sec
RX
unicast packets 0 multicast packets 7 broadcast packets 0
input packets 7 bytes 814
jumbo packets 0
undersize 0 oversize 0 CRC 0 fragments 0 jabbers 0
input error 0
input with dribble 0 input discard 7
Rx pause 0
TX
unicast packets 0 multicast packets 749 broadcast packets 0
output packets 749 bytes 47944
jumbo packets 0
output errors 0 collision 0 deferred 0 late collision 0
output discard 0
Tx pause 0
#show interface xe2
Interface xe2
Flexport: Non Control Port (Active)
Hardware is ETH Current HW addr: 80a2.353f.edb9
Physical:80a2.353f.edb9 Logical:(not set)
Forward Error Correction (FEC) configured is Auto (default)
FEC status is N/A
Port Mode is trunk
Protected Mode is Isolated
Interface index: 5003
Metric 1 mtu 1500 duplex-full link-speed 10g
Debounce timer: disable
<UP,BROADCAST,RUNNING,MULTICAST>
VRF Binding: Not bound
Label switching is disabled
No Virtual Circuit configured
Administrative Group(s): None
Bandwidth 10g
DHCP client is disabled.
Last Flapped: Never
Statistics last cleared: 2022 Jan 06 13:15:32 (00:23:52 ago)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
RX
unicast packets 0 multicast packets 0 broadcast packets 0
input packets 0 bytes 0
jumbo packets 0
undersize 0 oversize 0 CRC 0 fragments 0 jabbers 0
input error 0
input with dribble 0 input discard 0
Rx pause 0
TX
unicast packets 0 multicast packets 0 broadcast packets 0
output packets 0 bytes 0
jumbo packets 0
output errors 0 collision 0 deferred 0 late collision 0
output discard 0
Tx pause 0
Send the VLAN 30 tagged traffic from traffic 1 to traffic 2:
#show interface counters rate mbps
+-------------------+--------------+-------------+--------------+-------------+
| Interface | Rx mbps | Rx pps | Tx mbps | Tx pps |
+-------------------+--------------+-------------+--------------+-------------+
Xe1 100.01 20 0.00 0
Xe2 0.00 0 0.00 0