Hello Attila
It all depends on what your network requirements are. In general, in enterprise networks, VLANs that serve end users such as desktop workstations, would typically not need to communicate directly with each other. But this must be done carefully. In some environments, some users may share folders directly with each other. Also if you have a network printer, file server, or other shared device on the same subnet connected to the same switch, you must ensure that those too are on unprotected ports.
This feature is useful on small networks that are typically served by a single switch. It is not very scalable as the size of the network grows. Itâs a quick and dirty way of ensuring that employees donât have access to their neighborâs PCs.
This feature isnât so critical, especially because modern PCs typically have a firewall that would block any attempts at direction communication between devices, but it adds one more layer of protection.
As you suggest, this feature would not make sense in a data center environment where direct communication between servers is necessary.
Yes, in such a scenario, those devices would be able to communicate if theyâre on different switches. This is because the protected port feature works at the switch level, not the VLAN level. As far as VSS goes I donât have an answer to that, and I havenât found any documentation that clarifies this. I donât know if VSS will consider both switches as one in such a case. My feeling is that port protection will work on a VSS pair as if they were one physical switch, but unless you actually try it out, thereâs no way to know. I donât currently have access to two switches that support VSS, so I canât test it out, but if someone does, please share your results here.
If you need to prevent communication between devices on different switches in the same VLAN, a more scalable solution is to use private VLANs. Private VLANs will allow you to block communication between multiple devices on the same VLAN even if theyâre on different switches:
I hope this has been helpful!
Laz