Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Intra-VLAN filtering with protected ports

Can the SG500 filter intra-VLAN traffic, with protected ports? 


VLAN_30_Clients (
Clients = 10.20.30.{1-100} ( ports 1-5, trunked, protected [VM's])
Clients should be ACL'ed (e.g., tcp 80 only, between each other).


[similar to , which doesn't appear to be applicable.]

Everyone's tags (4)

Re: Intra-VLAN filtering with protected ports

Hi jason

Can't see how what you want is possible, below in Blue was cut and pasted  from the the SG500X built in help text.

Protected PortSelect to make this a protected port. (A protected port is also referred as a Private VLAN Edge (PVE).) The features of a protected port are as follows:

    • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and LAGs) that share the same VLAN.
    • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.

    • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.

    Are you just better off having a access list that allows traffic to destination port 80 of members of that subnet ?

    regards Dave.

    Community Member

    Intra-VLAN filtering with protected ports

    With Proxy ARP and a couple of beers, anything is possible...

    Ports trunk VLAN containing VM's on backup network, and I only want them to have access to/from backup server (not view each other).  Easy enough: make sure the backup server (same VLAN) is using an unprotected port.  Problem is those client ports also trunk a different VLAN for the VMKernels, which do need to talk to each other.  (Protection is per physical port, not per VLAN per port.)

    I'm trying to avoid re-IP'ing, but it's not that much of a problem.  I wanted to see if there was a quicker way around it.


    Re: Intra-VLAN filtering with protected ports

    Hi Jason,

    Sounds like you now understand PVE or protected ports..

    One mistake I made in my original response was to say that IPv4 access list might achieve the same thing,  Well it doesn't.

    I think you realize from your discussion above,  that PVE or protected ports secures a port at layer 2 .

    So it segregates and secures a host from other hosts on other protected ports from protocols such as IP as well as other ethernet based protocols.

    The application, as I originally saw it was for use in a MDU or hotel environment, whereby client PCs were segregated, almost like on a private VLAN  from other PC connected on other protected ports. Hence the term Private Vlan Edge (PVE)

    regards Dave

    Community Member

    Re: Intra-VLAN filtering with protected ports

    I was looking for an equivalent option to segregate and filter intra-VLAN traffic, like VACLs or ACL via SVI. 


    For future inquiries, then, would it be safe to say that the SG series has no native way to filter intra-VLAN traffic (with or without protected ports)?


    CreatePlease to create content