New Member

Port isolation over multiple switches?

Hi All,

I'm planning to build a small local network with Cisco switches. Our requirements are:

* All end machines (3~400 PCs) should not see each other.

* All end machines can see the host (server) machine(s).

I have searched for the port isolation feature ("switchport protected" command?) to solve this problem. I have read some articles about this feature that said "switchport protect" will not work on multiple switches. Of course, we need multiple switches to satisfy the requirements, so I'm very confused now.

My idea was

1. Set all ports in slave switches to be protected, except one port. Connect this unprotected port to "root" switch.

2. Set all ports in "root" switch to be protected, except one port. Connect server machine to this unprotected port.

3. On the path from clients to the server, packets come from a protected port and go to an unprotected port, so they can communicate with each other.

4. On the path from any client to another client, all ports are protected. So, all end-hosts would be isolated.

Is this plan possible? I mean, can any two clients (maybe from different slave switches) see each other in this design?


Junseong Lee

Cisco Employee

Port isolation over multiple switches?


This is an interesting idea - but it should work. I see no way in which two clients on protected ports, even if on different switches, can communicate directly over Layer 2.

This approach has strong limitations, however: the unprotected ports must be located on the "root" switch only, never on the "slave" switches. In addition, this approach becomes inflexible or outright unusable if you interconnect your switches with trunks and run multiple VLANs over them, because a protected port impacts the traffic of all VLANs carried through it.

Have you considered the Private VLAN (PVLAN) feature using isolated secondary PVLANs? This would nicely solve the needs of isolating your clients, yet having none of the disadvantages of your current design.

See more about Private VLANs here:

Best regards,
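
The two-tier design discussed in this thread can be checked with a small forwarding model. The Python below is an added example, not code from either poster or from Cisco; it assumes a single VLAN, Layer 2 forwarding only, and the rule that a switch does not forward between two of its own protected ports. The switch and host names are hypothetical.

```python
# Added illustration (not from the thread). Assumed model: a switch never
# forwards a frame between two of its own protected ports; every other
# port pair forwards. Single VLAN, Layer 2 only, no router in the path.
from collections import deque

def build(links, unprotected):
    """links: (switch, port, neighbour) triples; neighbour is a switch or host."""
    ports = {}                      # node -> {port: neighbour}
    for sw, port, nbr in links:
        ports.setdefault(sw, {})[port] = nbr
    return ports, set(unprotected)

def reachable(topo, src, dst):
    """True if a frame from host src can be forwarded hop by hop to host dst."""
    ports, unprot = topo
    # Locate the switch port the source host is plugged into.
    start = [(sw, p) for sw, m in ports.items() for p, n in m.items() if n == src]
    queue, seen = deque(start), set(start)
    while queue:
        sw, inp = queue.popleft()
        for out, nbr in ports[sw].items():
            if out == inp:
                continue
            if (sw, inp) not in unprot and (sw, out) not in unprot:
                continue            # protected -> protected: dropped
            if nbr == dst:
                return True
            if nbr in ports:        # neighbour is another switch
                nxt = next((nbr, p) for p, n in ports[nbr].items() if n == sw)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

# Constructed topology: one "root" switch, two "slave" switches, four hosts.
LINKS = [
    ("root", 1, "server"), ("root", 2, "sw1"), ("root", 3, "sw2"),
    ("sw1", 1, "root"), ("sw1", 2, "pcA"), ("sw1", 3, "pcB"),
    ("sw2", 1, "root"), ("sw2", 2, "pcC"), ("sw2", 3, "hostD"),
]
# The plan from the question: only uplinks and the server port are unprotected.
PLAN = build(LINKS, unprotected=[("root", 1), ("sw1", 1), ("sw2", 1)])
# Same wiring, but hostD acts as a server on an unprotected slave-switch port.
SLAVE_SERVER = build(LINKS,
                     unprotected=[("root", 1), ("sw1", 1), ("sw2", 1), ("sw2", 3)])
```

With `PLAN`, clients reach only the server. With `SLAVE_SERVER`, `hostD` is reachable from `pcC` on the same switch but not from `pcA`, which is the limitation the reply describes for unprotected ports placed on a "slave" switch.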