Isolating intra vlan communication

Fazil Haneefa

Hi Guys,


I need your expert advice on the below,


The client requires isolation within the same VLAN, i.e., none of the PCs on a particular VLAN should be able to talk to other PCs on the same VLAN.

I know that I can use Private VLANs to achieve this purpose.

Have any of you come across any other method to accomplish the same, apart from Private VLANs?



6 Replies

Mark Malone

You can use switchport protected instead of private VLANs; it's much easier to set up, just 1 command. Or use layer 2 MAC ACLs if your switch supports it.

Hi Mark,


Thank you for that info; that's definitely new to me.

But what confuses me is, if I have both voice and data VLANs on the port, will it affect the voice traffic too, since the RTP traffic would flow between phones on the same VLAN? This question applies even in the case of private VLANs.

Yes, that's a bit of an issue. One thing to remember: protected ports only work on the local switch, unlike private VLANs, which work between switches. It's a very basic command if you don't want to set up PVs.


Have a look at this


I would get the phones split to their own VLAN if at all possible. Then, you can consider port-based IP ACLs or VLAN maps, assuming your switch is using code and/or licensing that supports each of those features. Very powerful and flexible, but they can get trickier to manage, so template and document your config well. Would still prefer Private VLANs at the end of the day though...


Please rate helpful posts!


- Be sure to rate all helpful posts

Hi schaef,


As you put it, managing that would be trickier.

Now, is it recommended to use Private VLANs on access ports? Does it work with the voice VLAN and data VLAN on the same port?


As per the documentation on the 3750 you cannot mix voice and private VLANs:


Or on the 3560-X:


If security is a big issue, would the customer be open to 802.1X authentication? This would give you some options with downloadable ACLs (that you can manage centrally), or you could at least manage them on each switch and assign them with 802.1X. Again, a big project to get 802.1X implemented.

As far as an ACL goes, you might start like this:


 ! Allow IP traffic to the default gateway for troubleshooting, etc
 permit ip host

 ! Deny access to other hosts in the same subnet
 deny ip

 ! Allow connectivity to any other host
 permit ip any any


Inevitably you're going to be adding an ACL rule to allow hosts to reach a printer or something in the near future... ;-)




- Be sure to rate all helpful posts
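To make the effect of the "permit gateway / deny same subnet / permit everything else" ACL sketched above concrete, here is an added example (not from any poster in this thread) that parses a small Cisco-style IP ACL and evaluates constructed flows against it, including the voice case raised earlier: two phones in the same subnet hit the deny line. All addresses are constructed from RFC 5737 test ranges; the ACL text, the `Ace` class and the helper functions are this example's own, and the parser deliberately handles only the `any`, `host A` and `A WILDCARD` address forms with contiguous wildcard masks.

```python
"""Evaluate a Cisco-style 'permit gateway / deny same subnet / permit any'
IP ACL against constructed flows, to show how it behaves for intra-VLAN traffic.
Added example; all addresses are constructed (RFC 5737 test networks)."""
import ipaddress
from dataclasses import dataclass

# Constructed ACL in the shape sketched in the thread; 192.0.2.1 stands in
# for the default gateway and 192.0.2.0/24 for the data VLAN's subnet.
ACL_TEXT = """
! Allow IP traffic to the default gateway for troubleshooting, etc
permit ip any host 192.0.2.1
! Deny access to other hosts in the same subnet
deny ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
! Allow connectivity to any other host
permit ip any any
"""


@dataclass(frozen=True)
class Ace:
    """One access control entry: action plus source/destination networks."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i].
    Returns (network, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are the bitwise inverse of a subnet mask;
    # only contiguous masks are supported by this simplified parser.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn ACL text into an ordered list of Ace entries; '!' starts a comment."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, nxt = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, nxt)
        aces.append(Ace(action, src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def evaluate_sample_flows():
    """Run a handful of constructed flows through the ACL and return the verdicts."""
    aces = parse_acl(ACL_TEXT)
    flows = {
        "pc -> default gateway": ("192.0.2.10", "192.0.2.1"),
        "pc -> pc same subnet": ("192.0.2.10", "192.0.2.11"),
        "pc -> server off subnet": ("192.0.2.10", "203.0.113.5"),
        # Two phones in the same subnet: RTP between them matches the deny line,
        # which is the voice concern raised in the thread.
        "phone -> phone same subnet": ("192.0.2.20", "192.0.2.21"),
    }
    return {name: evaluate(aces, s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_sample_flows().items():
        print(f"{name:28s} {verdict}")
```

Running the block prints `permit` for the gateway and off-subnet flows and `deny` for both same-subnet flows, which is why the posters above suggest moving phones to their own VLAN before applying a filter like this to the data VLAN.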