
Cisco Port isolation and shared phone/PC drops

tintisfadda
Level 1

I'm not a network guy; I understand some, but the advanced stuff is above me and I know that. So I ask questions to help my understanding.

We would like to block east-west traffic, and I believe that port isolation, private vlans would help with that. The question is that we have Cisco phones and PCs sharing a drop. Is that something that can be done using port isolation - private vlans? The phones would need to be able to call a desk there in the game building on the same segment.

I'm sure there is a lot more to it, probably way over my head. We don't have a switch and licenses to test this and play with it. Would like to know if it is feasible before going that route.

Where is the Star Trek computer that I, in my Scotty accent, can just say, Computer - block east-west traffic but let phone calls through...?

2 Replies

vishalbhandari
Spotlight

You can use technologies like Private VLANs (PVLANs) or port isolation to limit east-west traffic (that is, traffic between devices on the same VLAN). However, in your specific case — where phones and PCs share the same physical port — things become a bit tricky.

pieterh
VIP

In the document below you can read:
Do not configure private-VLAN ports on interfaces configured for these other features:
• Dynamic-access port VLAN membership
• Dynamic Trunking Protocol (DTP)
• IPv6 Security Group (SG)
• Port Aggregation Protocol (PAgP)
• Link Aggregation Control Protocol (LACP)
• Multicast VLAN Registration (MVR)
• Voice VLAN
• Web Cache Communication Protocol (WCCP)
So private VLANs are not the way to go!

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_3_e/configuration/guide/b_1523e_consolidated_2960cx_3560cx_cg/1523e_consolidated_2960cx_3560cx_cg_chapter80.pdf

(Documents for other switch models and IOS versions will probably say the same.)
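
An added example, not part of the original thread or of Cisco's documentation: a small audit that scans an IOS-style configuration for private-VLAN ports that also carry a feature from the restriction list quoted above. It covers four of the listed features; the command patterns used to recognise them, the function names and the sample configuration are assumptions of this example.

```python
import re

# Feature names come from the restriction list quoted above; the IOS command
# patterns used to recognise them are assumptions of this example.
CONFLICTS = {
    "Voice VLAN": re.compile(r"^switchport voice vlan \S+"),
    "Dynamic Trunking Protocol (DTP)": re.compile(r"^switchport mode dynamic (auto|desirable)$"),
    "Port Aggregation Protocol (PAgP)": re.compile(r"^channel-group \d+ mode (auto|desirable)\b"),
    "Link Aggregation Control Protocol (LACP)": re.compile(r"^channel-group \d+ mode (active|passive)$"),
}
PVLAN = re.compile(r"^switchport mode private-vlan (host|promiscuous)$")

def parse_interfaces(config):
    """Split an IOS-style config into {interface name: [commands]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit(config):
    """Return {interface: [conflicting features]} for private-VLAN ports only."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if any(PVLAN.match(c) for c in cmds):
            hits = [f for f, rx in CONFLICTS.items() if any(rx.match(c) for c in cmds)]
            if hits:
                findings[name] = hits
    return findings

# Constructed sample configuration, not taken from a real switch.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode private-vlan host
 switchport voice vlan 200
!
interface GigabitEthernet0/2
 switchport mode access
 switchport voice vlan 200
!
interface GigabitEthernet0/3
 switchport mode private-vlan host
 channel-group 1 mode active
"""
```

Calling `audit(SAMPLE)` flags GigabitEthernet0/1 and GigabitEthernet0/3; GigabitEthernet0/2 is left alone because a voice VLAN on an ordinary access port is not covered by the restriction.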