The topology is simple: the Server and the two PCs are all in one VLAN (one broadcast domain) and have IP addresses assigned from the same range.
The requirement is to block PC-A from accessing PC-B, while both PCs must still be able to access the Server. This can be achieved by configuring the ports as protected.
Note that this configuration is local to the switch.
The concept is that switch ports can be configured as protected, and protected ports cannot communicate with each other. Protected ports can still communicate with unprotected ports.
SW(config)#int e0/1
SW(config-if)#switchport protected
SW(config)#int e0/2
SW(config-if)#switchport protected
Now data traffic will not be forwarded between ports e0/1 and e0/2.
Now let's look at trunk port scenarios.
All ports are in one VLAN.
Scenario 1
If e0/3 of SW is a protected port,
traffic from SW-2 cannot access PC-A, but it can access the Server.
Reason: e0/1 and e0/3 are protected ports.
Scenario 2
If e0/3 of SW is an unprotected port and
e0/0 of SW-2 is a protected port,
all traffic from SW-2 can access any port of SW.
Reason: protected port configuration is local to the switch.
Scenario 3
If e0/0 of SW-2 is a protected port and
e0/1 of SW-2 is a protected port,
PC-B cannot access any port of SW.
Reason: PC-B and the trunk to SW are protected ports.
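The three trunk scenarios above can be checked with a small model in which each switch drops a frame only when both its own ingress and egress ports are protected. This is an added example, not code from the original post. The Server's port (e0/0 on SW), PC-B sitting on e0/1 of SW-2, and e0/1 of SW staying protected in Scenario 2 are assumptions, since the topology diagram is not reproduced here.

```python
# Added example: protected-port forwarding modelled across two switches.
# Port assignments below are assumptions made for this illustration.
HOSTS = {
    "Server": ("SW", "e0/0"),    # assumed port for the Server
    "PC-A":   ("SW", "e0/1"),
    "PC-B":   ("SW-2", "e0/1"),  # PC-B moved behind SW-2 for the trunk scenarios
}
TRUNK = {"SW": "e0/3", "SW-2": "e0/0"}  # each switch's trunk port toward the other


def forwards(protected, switch, ingress, egress):
    """One switch's decision: drop only if BOTH of its own ports are protected."""
    return not ((switch, ingress) in protected and (switch, egress) in protected)


def can_reach(protected, src, dst):
    """True if a unicast data frame from src is forwarded all the way to dst."""
    (s_sw, s_port), (d_sw, d_port) = HOSTS[src], HOSTS[dst]
    if s_sw == d_sw:
        return forwards(protected, s_sw, s_port, d_port)
    # Crossing the trunk: each switch decides independently and knows
    # nothing about the protected flags set on the other switch.
    return (forwards(protected, s_sw, s_port, TRUNK[s_sw])
            and forwards(protected, d_sw, TRUNK[d_sw], d_port))


# Protected ports per scenario, as (switch, port) pairs.
SCENARIOS = {
    1: {("SW", "e0/1"), ("SW", "e0/3")},
    2: {("SW", "e0/1"), ("SW-2", "e0/0")},   # SW e0/1 protected is an assumption
    3: {("SW-2", "e0/0"), ("SW-2", "e0/1")},
}


def pc_b_view(scenario):
    """What PC-B can reach on SW under the given scenario."""
    protected = SCENARIOS[scenario]
    return {dst: can_reach(protected, "PC-B", dst) for dst in ("PC-A", "Server")}


if __name__ == "__main__":
    for n in SCENARIOS:
        print(f"Scenario {n}: PC-B -> {pc_b_view(n)}")
```

Scenario 2 is the case to watch in a design review: the protected flag on SW-2's trunk port does nothing to isolate PC-A, because SW only evaluates its own ports.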