Protected Port Overview

Protected ports restrict all but CPU-bound or CPU-originated traffic, providing isolation to end hosts.

The protected port feature has wide applicability to access point (AP) aggregator switches used for hospitality, public Wi-Fi, campuses, and condominiums.

Protected port is a port-level security feature, enforced only within a single device or stack, that restricts communication with the host connected to the port. Once protected, ports in the same broadcast domain no longer communicate with other protected ports, regardless of their VLAN membership; they can reach only the uplink. This isolates the hosts connected to protected ports by blocking all traffic between them.

The following figure illustrates the use of this feature in, for example, the hospitality sector.

Figure 1. Protected port application

The following configurations are supported with the protected port feature:

  • Port MAC security
  • 802.1x security
  • DHCP snooping
  • Control protocols
  • Aggregated ports (LAGs)

The following should not be configured as protected ports:

  • Uplink ports
  • DHCP server ports
  • ARP inspection trusted ports
  • DHCP snooping trusted ports
  • Ports on an active xSTP path in a device
  • IGMP/MLD snooping router ports
  • IGMP/MLD source ports
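The forwarding rule described above and the list of ports that should not be protected can be captured in a small model. The following is an added example, not Ruckus code or configuration: the port names, VLAN numbers and role labels are constructed for illustration, `can_forward` applies the protected-port rule (protected-to-protected traffic within one device is dropped, CPU-bound traffic always passes, the rule does not extend across devices), and `check_config` flags any protected port that also carries one of the roles the overview says should not be protected.

```python
"""Model of protected-port forwarding and a configuration sanity check.

Constructed example (not Ruckus code): ports are plain dataclasses, and the
functions below encode the rules stated in the protected port overview.
"""
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    vlan: int
    protected: bool = False
    roles: set = field(default_factory=set)  # constructed role labels, e.g. {"uplink"}

# Sentinel for traffic destined to the switch CPU (control plane).
CPU = "cpu"

def can_forward(src: Port, dst, same_device: bool = True) -> bool:
    """Return True if a frame from src may be delivered to dst.

    dst is a Port or the CPU sentinel. CPU-bound traffic is always allowed.
    The protected-port rule applies only between ports on the same
    device/stack; two protected ports on different switches are not isolated
    from each other by this feature.
    """
    if dst is CPU:
        return True
    if same_device and src.protected and dst.protected:
        # Isolation applies irrespective of VLAN membership.
        return False
    # Ordinary Layer 2 forwarding still requires a shared VLAN.
    return src.vlan == dst.vlan

# Roles that the overview says should not be configured as protected ports.
DISALLOWED_ROLES = {
    "uplink",
    "dhcp-server",
    "arp-inspection-trusted",
    "dhcp-snooping-trusted",
    "xstp-active-path",
    "igmp-mld-router",
    "igmp-mld-source",
}

def check_config(ports):
    """Return (port name, role) pairs for protected ports with a disallowed role."""
    findings = []
    for p in ports:
        if p.protected:
            for role in sorted(p.roles & DISALLOWED_ROLES):
                findings.append((p.name, role))
    return findings

# Constructed topology: AP-facing access ports are protected, the uplink is not,
# and one port has been protected by mistake while also being DHCP-snooping trusted.
AP1 = Port("1/1/1", 10, protected=True)
AP2 = Port("1/1/2", 10, protected=True)
AP3 = Port("1/1/3", 20, protected=True)
UPLINK = Port("1/1/48", 10, protected=False, roles={"uplink"})
MISCONFIGURED = Port("1/1/47", 10, protected=True, roles={"dhcp-snooping-trusted"})
ALL_PORTS = [AP1, AP2, AP3, UPLINK, MISCONFIGURED]

if __name__ == "__main__":
    print("AP1 -> AP2:", can_forward(AP1, AP2))          # False: both protected
    print("AP1 -> uplink:", can_forward(AP1, UPLINK))    # True
    print("AP1 -> CPU:", can_forward(AP1, CPU))          # True
    print("findings:", check_config(ALL_PORTS))
```

In this model, an AP on one protected port cannot reach an AP on another protected port even though both sit in VLAN 10, but both still reach the uplink and the CPU; the configuration check reports port 1/1/47 because a DHCP snooping trusted port is on the list of ports that should not be protected.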

Ruckus recommends configuring multiple interface (MIF) mode when enabling this feature.

The following features are not supported on protected ports:

  • Layer 3 interfaces (Port or LAGs with IP addresses are not supported)
  • Mirror or monitor ports
  • Private VLAN (PVLAN)
  • PVLAN extension to protected-port switches
  • Virtual Ethernet (VE) and group VE interfaces
  • Loopback interfaces
  • Management interfaces
  • OpenFlow ports
  • SPX provider edge (PE) ports
  • SPX ZTP-enabled ports
  • Multi-Chassis Trunk (MCT) ICL and CCEP ports