Sunday 7 February 2010

Configure Port Protection

Port Protection can be utilised to protect hosts from malware and abuse. Once ports are placed in protected mode, the hosts connected to them are unable to talk to hosts connected to other ports that are also in protected mode.

Hosts connected to ports in protected mode can communicate with hosts on non-protected ports. Typically hosts offering services should not be connected to ports that have been placed in protected mode.


Below I configure ports 9 to 16 as protected ports, then use a show command to view the resulting running config.


switch2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch2(config)#interface range fastEthernet 0/9 - 16
switch2(config-if-range)#switchport protected
switch2(config-if-range)#end


switch2#show run | begin interface FastEthernet0/9
interface FastEthernet0/9
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport protected
 no ip address
 spanning-tree portfast
!


Using ping I verify that hosts on protected ports cannot communicate with each other but can still access services on non-protected ports.
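As an added example (not part of the original post), the following Python script parses a constructed `show running-config` sample modelled on the switch above, reports which ports are still missing `switchport protected`, and applies the forwarding rule the post describes so the expected ping results can be predicted before testing. The sample config and the function names are my own assumptions.

```python
import re

# Constructed sample of `show running-config` output (not captured from the
# post's switch): Fa0/1 and Fa0/11 are unprotected, Fa0/9 and Fa0/10 protected.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport protected
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport protected
 no ip address
!
interface FastEthernet0/11
 no ip address
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")


def parse_protected(config):
    """Return {interface_name: bool}; True means 'switchport protected' is set."""
    protected = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            protected[current] = False
        elif current and line == "switchport protected":
            protected[current] = True
        elif line == "!":
            current = None  # '!' closes the interface stanza
    return protected


def can_forward(protected, port_a, port_b):
    """Protected-port rule on a single switch: two protected ports cannot
    exchange frames; a protected/unprotected pair (or two unprotected) can."""
    return not (protected[port_a] and protected[port_b])


def unprotected_ports(protected, expected):
    """Ports in the expected set that are still missing 'switchport protected'."""
    return sorted(p for p in expected if not protected.get(p, False))
```

The isolation is local to one switch, so `can_forward` says nothing about two protected ports on different switches.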