Protected ports

在某些特殊需求下，需要禁止同臺交換機上相同VLAN 的主機之間通信，但又不能將這些不能通信的主機劃到不同VLAN，因為還需要和VLAN中的其它主機通信，只是不能和部分主機通信。這個特性可以實現這種需求.

Protected ports have these features:

  A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

  Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. For more information about private VLANs

注：這個feature只在單臺交換機上有效. 

sw1(config-if)#switchport protected    配置了這個特性的端口不能互訪.但能與其他端口訪問.