Wednesday, February 19, 2020

Protected Port on Cisco Catalyst Switch

The protected port is a feature on Cisco Catalyst Switches that you can use to prevent interfaces from communicating with each other. Let me show you a picture to explain this:
[Figure: H1 and H2 connected to a switch, with a server on a third port]
Take a look at the picture above. We have two computers, one switch and one server. Nothing fancy here: everything is in one VLAN, and the two computers and the server can communicate with each other.
What if I want to enhance security and ensure that H1 and H2 can only reach the server but not each other? This makes perfect sense in a client-server network. Normally there is no need for computers to connect to each other (unless Bob and Jane are secretly using shared folders on their computers without permission from the Windows administrator).
We can ensure H1 and H2 are unable to communicate with each other by using protected ports. By default all switchports are unprotected. Here’s what it looks like:
[Figure: protected port states, with H1 and H2 on protected ports and the server on an unprotected port]
The interfaces connected to H1 and H2 are protected ports, the interface connected to the server is an unprotected port. Protected ports are unable to communicate with each other. It might also be a good idea to protect your servers with protected ports:
[Figure: servers connected to protected ports]
If an attacker takes over your web server, you can limit the damage by preventing them from connecting to other servers in your network.
This should give you an idea of what a protected port does, let’s look at the actual configuration!

Configuration

To demonstrate this, we will use three computers connected to a single switch:
  • All computers are in the same subnet (192.168.1.0 /24)
  • All computers are in the same VLAN.
  • Switch has a default configuration.
[Figure: protected port configuration example, with H1, H2 and H3 on Fa0/1, Fa0/2 and Fa0/3 of SW1]
With the default configuration on the switch, all computers are in the same VLAN so they can ping each other:
C:\Documents and Settings\H1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
C:\Documents and Settings\H1>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
C:\Documents and Settings\H3>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
By sending a couple of pings we can verify that we have full reachability. Now I’m going to enable the protected port feature on the interfaces connected to H1 and H3:
SW1(config)#interface fa0/1
SW1(config-if)#switchport protected
SW1(config)#interface fa0/3
SW1(config-if)#switchport protected
The interfaces connected to H1 and H3 are now protected. Interface fa0/2 to H2 is still unprotected. You can verify this by looking at the last line of the show interfaces switchport output:
SW1#show interfaces fa0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: true
Let’s send some more pings to find out what the result is of this configuration:
C:\Documents and Settings\H1>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
C:\Documents and Settings\H3>ping 192.168.1.2
Pinging 192.168.1.2 with 32 bytes of data:
Reply from 192.168.1.2: bytes=32 time<1ms TTL=128
H1 and H3 are still able to reach H2…
C:\Documents and Settings\H1>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.3:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
C:\Documents and Settings\H3>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
But H1 and H3 are unable to reach each other now.
The protected port feature is pretty cool, but it is also very limited. In another tutorial I will show you how to configure Private VLANs, which is basically the protected port on steroids.
Here is the final configuration of SW1:
hostname SW1
!
interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/3
 switchport protected
!
end
Traffic between two protected ports is blocked; traffic between a protected port and an unprotected port is allowed.
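To make that rule concrete, here is an added example (not code from the original post): a small Python model that parses a running-config in the same format as the SW1 configuration above, reads the Protected field from a show interfaces switchport excerpt, and decides for every pair of ports whether the switch forwards a frame between them. The config text and the show output are constructed samples; the assumption that H1, H2 and H3 sit on Fa0/1, Fa0/2 and Fa0/3 in VLAN 1 follows the lab described above.

```python
"""Model of Cisco 'switchport protected' forwarding behaviour (added example)."""
import re

# Constructed sample, modelled on the SW1 configuration shown in the post.
# Assumption: H1 on Fa0/1, H2 on Fa0/2, H3 on Fa0/3, all in VLAN 1.
RUNNING_CONFIG = """\
hostname SW1
!
interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/2
!
interface FastEthernet0/3
 switchport protected
!
end
"""

# Constructed excerpt of 'show interfaces fa0/1 switchport' output.
SHOW_SWITCHPORT_FA01 = """\
Name: Fa0/1
Switchport: Enabled
Access Mode VLAN: 1 (default)
Protected: true
"""


def parse_running_config(text):
    """Return {interface: {"protected": bool, "vlan": int}} from IOS config text."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            # IOS defaults: access VLAN 1, port unprotected
            ports[current] = {"protected": False, "vlan": 1}
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "!":
            current = None  # end of the interface stanza
        elif stripped == "switchport protected":
            ports[current]["protected"] = True
        else:
            m = re.match(r"switchport access vlan (\d+)", stripped)
            if m:
                ports[current]["vlan"] = int(m.group(1))
    return ports


def protected_from_show(output):
    """Read the 'Protected:' field from 'show interfaces X switchport' output."""
    m = re.search(r"^Protected:\s*(true|false)", output, re.MULTILINE)
    if m is None:
        raise ValueError("no 'Protected:' line in output")
    return m.group(1) == "true"


def can_forward(ports, src, dst):
    """Decide whether the switch forwards a frame from port src to port dst.

    Rule from the post: two protected ports cannot talk to each other; a
    protected port and an unprotected port can. Ports in different VLANs
    never exchange frames at layer 2, whatever the protected flag says.
    """
    a, b = ports[src], ports[dst]
    if a["vlan"] != b["vlan"]:
        return False
    return not (a["protected"] and b["protected"])


def reachability_matrix(ports):
    """Map every ordered pair of distinct ports to its forwarding decision."""
    names = sorted(ports)
    return {(s, d): can_forward(ports, s, d) for s in names for d in names if s != d}


if __name__ == "__main__":
    table = parse_running_config(RUNNING_CONFIG)
    print("Fa0/1 protected per show output:", protected_from_show(SHOW_SWITCHPORT_FA01))
    for (s, d), ok in sorted(reachability_matrix(table).items()):
        print(f"{s} -> {d}: {'forwarded' if ok else 'blocked'}")
```

Running the script reproduces the ping results from the lab: Fa0/1 and Fa0/3 each reach Fa0/2, but Fa0/1 and Fa0/3 block each other. One caveat the model deliberately makes visible is that the decision is taken per switch: the protected flag is local to the switch it is configured on, so two protected ports on different switches joined by a trunk still reach each other. That is the limitation private VLANs are designed to remove.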
