Wednesday, January 25, 2012

Protected ports

A basic security feature available on a switch.

Protected ports isolate ports within the same VLAN, and the isolation applies only within a single switch.
For example, suppose a switch has three ports, fa0/0, fa0/1 and fa1/1, all in VLAN 100. If the "switchport protected" command is configured on fa0/0 and fa0/1, the host on fa0/0 and the host on fa0/1 cannot send frames to each other, while both of them can still send frames to and receive frames from the host on fa1/1.

Configuration on switch ports fa0/0 and fa0/1
#interface range fa0/0 , fa0/1
#switchport access vlan 100
#switchport protected

Configuration on switch port fa1/1
#interface fa1/1
#switchport access vlan 100
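The forwarding rule described above, as an added example that is not part of the original post: a small Python model that parses a constructed switch configuration (the interface names, VLAN numbers and "switchport protected" lines are made up for the example) and decides, for every ordered pair of ports, whether a frame entering one port may be sent out the other. It generalises the three-port case in the text to any number of ports and VLANs.

```python
"""Model of Cisco 'switchport protected' forwarding behaviour.

Added example, not code from the original post or from Cisco. It parses a
constructed running-config and decides, for each ordered pair of access
ports, whether a frame can be forwarded between them. Rule demonstrated:
two protected ports never exchange frames directly; a protected port and
an unprotected port can; ports in different VLANs never talk at layer 2
regardless of the protected flag.
"""
import re
from itertools import permutations

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 switchport access vlan 100
 switchport protected
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport protected
!
interface FastEthernet1/1
 switchport access vlan 100
!
interface FastEthernet1/2
 switchport access vlan 200
 switchport protected
!
"""


def parse_interfaces(config):
    """Return {name: {"vlan": int, "protected": bool}} for each interface stanza."""
    ports = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {"vlan": 1, "protected": False}  # IOS defaults
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the stanza
            continue
        cmd = line.strip()
        m = re.match(r"switchport access vlan (\d+)", cmd)
        if m:
            ports[current]["vlan"] = int(m.group(1))
        elif cmd == "switchport protected":
            ports[current]["protected"] = True
    return ports


def can_forward(ports, src, dst):
    """True if a frame entering src may be forwarded out dst on this switch."""
    a, b = ports[src], ports[dst]
    if src == dst or a["vlan"] != b["vlan"]:
        return False  # same port, or no layer-2 adjacency across VLANs
    # Both ends protected -> isolated; otherwise normal forwarding applies.
    return not (a["protected"] and b["protected"])


def isolation_matrix(config):
    """Map every ordered (src, dst) pair to its forwarding decision."""
    ports = parse_interfaces(config)
    return {(s, d): can_forward(ports, s, d) for s, d in permutations(ports, 2)}


if __name__ == "__main__":
    for (s, d), ok in sorted(isolation_matrix(SAMPLE_CONFIG).items()):
        print(f"{s:>16} -> {d:<16} {'forward' if ok else 'BLOCKED'}")
```

Running the script prints the full matrix; the two protected ports in VLAN 100 are the only pair in that VLAN marked BLOCKED, and FastEthernet1/2 reaches nobody because it is alone in VLAN 200. The model says nothing about traffic that leaves the switch over a trunk, which is exactly the single-switch limitation the text mentions.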

Cisco IOS caveat

Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(10), RELEASE SOFTWARE (fc1)

With this IOS release, the behaviour in the case below can differ from other releases.

RIPv2 is running on R2 with the "passive-interface default" command. If you now create a tunnel interface, that tunnel interface does not fall under passive-interface default; IOS instead adds an explicit "no passive-interface" line for it. For example:

R2#sh ver | in IOS
Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(10), RELEASE SOFTWARE (fc1)

R2#sh run | se router rip
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 network 204.12.3.0
 no auto-summary
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int tunnel 1
R2(config-if)#ip add 1.1.1.1 255.255.255.0
R2(config)#end
R2#
Jan 24 23:58:06.524: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | se router rip
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel1
 network 204.12.3.0
 no auto-summary
R2#
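A way to catch this caveat in a configuration audit, as an added example that is not part of the original post: a Python script that parses the "router rip" section of a running-config, works out which interfaces will actually send RIP updates, and reports any that are not on the operator's allowlist. The sample config is constructed from the "show run" output above; the interface stanzas and their addresses are assumed, since the post only shows the RIP section. The check is on the passive-interface configuration alone and does not consider whether a "network" statement covers the interface.

```python
"""Audit of RIP passive-interface state from a Cisco running-config.

Added example, not code from the original post or from Cisco. It parses the
'router rip' stanza plus the interface names, computes which interfaces
will send RIP updates, and reports any active interface that is not on the
operator's allowlist. Run against the post's 'show run' output it flags
Tunnel1, which the IOS build in the post excluded from
'passive-interface default' by adding 'no passive-interface Tunnel1'.
"""
import re

# Constructed from the running-config shown in the post; the interface
# stanzas and the FastEthernet0/0 address are assumed for the example.
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 204.12.3.2 255.255.255.0
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
!
router rip
 version 2
 passive-interface default
 no passive-interface FastEthernet0/0
 no passive-interface Tunnel1
 network 204.12.3.0
 no auto-summary
!
"""


def stanzas(config):
    """Yield (header, [sub-commands]) for each indented top-level stanza."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" "):
            if header is not None:
                body.append(raw.strip())
        else:
            if header is not None:
                yield header, body
            header, body = None, []
            if raw.strip() and raw.strip() != "!":
                header = raw.strip()
    if header is not None:
        yield header, body


def rip_active_interfaces(config):
    """Return the set of interfaces that are not passive under RIP."""
    interfaces = set()
    rip = None
    for header, body in stanzas(config):
        m = re.match(r"interface (\S+)", header)
        if m:
            interfaces.add(m.group(1))
        elif header == "router rip":
            rip = body
    if rip is None:
        return set()  # RIP not configured: nobody sends updates
    default_passive = "passive-interface default" in rip
    explicit_active = {l.split()[-1] for l in rip
                       if l.startswith("no passive-interface ")}
    explicit_passive = {l.split()[-1] for l in rip
                        if l.startswith("passive-interface ")
                        and l != "passive-interface default"}
    if default_passive:
        # Only interfaces explicitly un-passivated send updates.
        return interfaces & explicit_active
    # Without the default, everything sends unless explicitly passive.
    return interfaces - explicit_passive


def audit(config, allowed):
    """Interfaces speaking RIP that the operator did not intend to."""
    return sorted(rip_active_interfaces(config) - set(allowed))


if __name__ == "__main__":
    for name in audit(RUNNING_CONFIG, allowed={"FastEthernet0/0"}):
        print(f"unexpected RIP speaker: {name}")
```

With FastEthernet0/0 as the only allowed RIP speaker, the script reports Tunnel1. The same function also handles configs without "passive-interface default", where the rule inverts and only explicitly listed interfaces are passive, so one check covers both styles of RIP configuration.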


Side note:
The same IOS does not support "show ipv6 ospf interface brief", while it does support "show ipv6 ospf interface".