Cisco Support Community
Community Member

Using Protected Ports...


We need to offer broadband to customers in a serviced office. About 8 users.

If we had a switch that offered PVE (Protected Ports) could we use this to stop each office from seeing each other and only see the router.

Also would each office be able to have a unmanaged switch so that they could network a couple of computers in each room.

Finally would port forwarding work for example remote desktop to a particular machine on one of the networks.

Many thanks for your help


Everyone's tags (3)

Re: Using Protected Ports...

Hi Edward,

The new SF/SG 300 series can quickly do what you want.  The old term of it was Private Vlan Edge (PVE), the new term,  on this range of low cost product is Protected port.  I have copied a link to the product comparison page below so you can see the extensive range of product that we offer than can perform that task. But every managed Small Business switch has that functionality.

Here's how protected or PVE works on this switch family,(taken from Admin guide)

  • Protected Port— A protected port is also referred as a Private VLAN Edge (PVE). The characteristics of a protected port are as follows:
  • Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN).
  • Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
  • Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
  • -Both ports and LAGs can be defined as protected or unprotected.

So where can protected ports or PVE be used, as an example,

  1. student in a dorm or
  2. Multiple dwelling Units (MDU)
  3. reduce broadcast storm  damage by limiting the broadcast storm traffic to a single  switch port and uplink. Makes diagnosis pretty easy

Here 's a screen capture below,  taken from SKU ordering  p/n SRW248G4P-K9-NA, click on the picture to see my setup

Note also that I am managing this device via IPv6.

For port forwarding from the WAN router, you could use different port forward port addresses from the WAN router (Port address translation) so that remote folks can access local PC via RDC. As far as the router is concerned all clients could be in the same VLAN, or vlan the switch and use a router like the SR520 or SA500 , ASA5500 that supports Multiple VLANs.

Cool stuff.  It took me longer to write this post than configure the settings, but i wrote some extra stuff that tested the functionality on one of the new small business switch range.. see

Hope this helps.

regards Dave

Community Member

Re: Using Protected Ports...


Many thanks for the reply.

Just to confirm, if one company wanted to setup a small network using a switch which was plugged into a protected port would the  be able to network and other not see them?


Re: Using Protected Ports...

Hi Edward,

Yep that's the way it seems to work. By putting the Cisco Small Business  switch ports into protected or unprotected mode, it almost seems like the switch is using some fairly heavy MAC address filtering to precisely stop protected ports from communicating with other protected ports.

So if a small business has a managed or unmanaged switch connected to a protected port, and used the protected port as their uplink to the internet,  the members connected on that managed or unmanaged switch would be able to communicate locally but not to PC hosts connected on other or different protected ports.

regards Dave

CreatePlease to create content