In some special cases it is necessary to stop hosts in the same VLAN on the same switch from communicating with each other, yet these hosts cannot be moved into different VLANs, because they still need to communicate with the other hosts in the VLAN; only communication with certain hosts must be blocked. The protected port feature meets this need.
Protected ports have these features:
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs
Note: this feature only takes effect on a single switch.
sw1(config-if)#switchport protected
Ports configured with this feature cannot reach each other, but they can still reach all other ports.
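Worked example, added here and not part of the original note: a configuration that isolates two hosts in one VLAN from each other while leaving both able to reach the rest of the VLAN. The switch interface numbers, VLAN 10 and port-channel 5 are assumed.

```cisco
! Added example (assumed interface, VLAN and port-channel numbers).
! Hosts on Gi1/0/1 and Gi1/0/2 must not exchange data at Layer 2,
! but both still need to reach the server on Gi1/0/3 in the same VLAN.
interface range GigabitEthernet1/0/1 - 2
 switchport mode access
 switchport access vlan 10
 switchport protected
!
! Non-protected port in the same VLAN: forwarding to and from it is unchanged.
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
! Enabling the feature on a port channel applies it to every member port.
interface port-channel 5
 switchport protected
!
! The uplink is not protected: isolation is local to this switch, so a
! protected port on a neighbouring switch is not isolated from these hosts.
interface GigabitEthernet1/0/24
 switchport mode trunk
end
!
! Verification: a configured port reports "Protected: true".
show interfaces GigabitEthernet1/0/1 switchport | include Protected
```

Data traffic between Gi1/0/1 and Gi1/0/2 is then dropped at Layer 2 even though both sit in VLAN 10; each still reaches Gi1/0/3 and the trunk, and any path between the two hosts has to go through a Layer 3 device.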