The new SF/SG 300 series can quickly do what you want. The old term for it was Private VLAN Edge (PVE); the new term, on this range of low-cost products, is Protected Port. I have copied a link to the product comparison page below so you can see the extensive range of products that we offer that can perform that task. But every managed Small Business switch has that functionality.
Here's how protected ports or PVE work on this switch family (taken from the Admin guide):
Protected Port: A protected port is also referred to as a Private VLAN Edge (PVE). The characteristics of a protected port are as follows:
- Protected Ports provide Layer 2 isolation between interfaces (Ethernet ports and Link Aggregation Groups (LAGs)) that share the same Broadcast domain (VLAN).
- Packets received from protected ports can be forwarded only to unprotected egress ports. Protected port filtering rules are also applied to packets that are forwarded by software, such as snooping applications.
- Port protection is not subject to VLAN membership. Devices connected to protected ports are not allowed to communicate with each other, even if they are members of the same VLAN.
- Both ports and LAGs can be defined as protected or unprotected.
So where can protected ports or PVE be used? As an example:
- students in a dorm, or
- Multiple Dwelling Units (MDU)
- reduce broadcast storm damage by limiting the broadcast storm traffic to a single switch port and uplink. Makes diagnosis pretty easy.
Here's a screen capture below, taken from SKU ordering p/n SRW248G4P-K9-NA; click on the picture to see my setup.
Note also that I am managing this device via IPv6.
For port forwarding from the WAN router, you could use different port forward port addresses from the WAN router (port address translation) so that remote folks can access a local PC via RDC. As far as the router is concerned, all clients could be in the same VLAN, or VLAN the switch and use a router like the SR520 or SA500, ASA5500 that supports multiple VLANs.
Cool stuff. It took me longer to write this post than to configure the settings, but I wrote some extra stuff that tested the functionality on one of the new small business switch range. See https://supportforums.cisco.com/thread/2053251
Yep that's the way it seems to work. By putting the Cisco Small Business switch ports into protected or unprotected mode, it almost seems like the switch is using some fairly heavy MAC address filtering to precisely stop protected ports from communicating with other protected ports.
So if a small business has a managed or unmanaged switch connected to a protected port, and used the protected port as their uplink to the internet, the members connected on that managed or unmanaged switch would be able to communicate locally but not to PC hosts connected on other or different protected ports.
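The forwarding rule quoted from the Admin guide above, written out as a small model. This is an added example and not part of the original posts or Cisco's code; the port names, MAC addresses, the single VLAN and the `PveSwitch` class are constructed assumptions, and the model covers access ports only.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class PveSwitch:
    """Toy model of one switch; port names and layout are constructed."""
    vlan_of: dict                 # port -> VLAN id (access ports only)
    protected: set                # ports set to "protected"
    mac_table: dict = field(default_factory=dict)  # (vlan, mac) -> port

    def egress_ports(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame received on in_port leaves by."""
        vlan = self.vlan_of[in_port]
        self.mac_table[(vlan, src_mac)] = in_port      # learn the sender
        learned = self.mac_table.get((vlan, dst_mac))
        if dst_mac != BROADCAST and learned is not None:
            out = {learned}                            # known unicast
        else:                                          # flood inside the VLAN
            out = {p for p, v in self.vlan_of.items() if v == vlan}
        out.discard(in_port)                           # never reflect a frame
        if in_port in self.protected:
            # Quoted rule: frames from a protected port may leave only by
            # unprotected ports, even when both ports share the VLAN.
            out -= self.protected
        return out

def build_dorm_switch():
    """Constructed layout: three dorm rooms plus one unprotected uplink."""
    ports = {"gi1": 1, "gi2": 1, "gi3": 1, "gi24": 1}
    return PveSwitch(vlan_of=ports, protected={"gi1", "gi2", "gi3"})

if __name__ == "__main__":
    sw = build_dorm_switch()
    room1, room2, router = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:fe"
    print(sw.egress_ports("gi1", room1, BROADCAST))    # broadcast from room 1
    print(sw.egress_ports("gi2", room2, room1))        # room 2 -> room 1
    print(sw.egress_ports("gi24", router, BROADCAST))  # router broadcast
    print(sw.egress_ports("gi1", room1, router))       # room 1 -> router
```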