Protected Port & Voice VLAN

Dear Experts,

I am using Cisco Layer 3 switches and I want to stop host-to-host communication. Each port is configured as a data and voice port.
When I use "switchport protected", I was able to stop host-to-host traffic, but my telephone extension-to-extension communication was stopped as well.
How can I solve this issue so that voice communication will not stop with protected ports?


You can't configure all ports as protected and have communication between them.
Protected ports have these features:
• A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
• Forwarding behavior between a protected port and a nonprotected port proceeds as usual.
• Protected ports are supported on 802.1Q trunks.
You will have to create ACLs and apply the ACL to the interface VLAN to get the result that you want.
If you need to isolate hosts you can achieve that in other ways - VACLs or isolated VLANs, if supported on your device.
nainasipra (Author) commented:
Dear Predrag,

My switches do not support private VLANs, and if I use a VACL then I can block/allow VLAN-to-VLAN communication. I want to block host-to-host communication in the same VLAN, but each port is connected to a PC and an IP phone. I want to stop PC-to-PC communication on the same VLAN on the same switch, but allow IP phones to talk to each other on the same VLAN and the same switch.
A VACL can do the job in your case.
Let's say that is your network to block inter-host traffic, and is your default gateway, and your hosts are in VLAN 25:

(config)# ip access-list extended FILTER1
(config-ext-nacl)# permit ip host
(config)# ip access-list extended FILTER2
(config-ext-nacl)# permit ip

SwitchA(config)# vlan access-map DENY_HOST_TALK 10
SwitchA(config-access-map)# match ip address FILTER1
SwitchA(config-access-map)# action forward
SwitchA(config)# vlan access-map DENY_HOST_TALK 20
SwitchA(config-access-map)# match ip address FILTER2
SwitchA(config-access-map)# action drop
SwitchA(config)# vlan access-map DENY_HOST_TALK 30
SwitchA(config-access-map)# action forward

vlan filter DENY_HOST_TALK vlan-list 25

So, first you permit all hosts to talk to the default gateway, then you specify that all other traffic between hosts is dropped for inter-VLAN traffic. All other traffic is allowed to be forwarded by the third vlan access-map statement (it has no match statement, so it matches all traffic that did not match the first two statements). And then you just apply it to VLAN 25 only.
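To check that the access map above produces the behaviour the question asks for (PC-to-PC dropped, PC-to-gateway forwarded, phone-to-phone untouched), here is a small model of how a Cisco VLAN access map is evaluated: sequences are tried in order, the first match wins, a sequence with no match clause matches everything, and a packet that matches no sequence is dropped. This is an added example written for this page, not the answer's own configuration or any Cisco code; the addressing (192.0.2.0/24 as the data network, 192.0.2.1 as the gateway, VLAN 26 as a voice VLAN on 198.51.100.0/24) is constructed for the example, and FILTER1 is written to permit the host/gateway traffic in both directions, since a VACL sees bridged traffic both ways.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample addressing (documentation ranges), not from the original thread.
DATA_VLAN = 25                  # PCs live here; the VACL is applied to this VLAN only
VOICE_VLAN = 26                 # assumed voice VLAN on the same ports; left unfiltered
DATA_NET = ipaddress.ip_network("192.0.2.0/24")
GATEWAY = ipaddress.ip_network("192.0.2.1/32")

# One named ACL = ordered permit entries of (source net, destination net).
# Inside an access map the ACL is only used to *match*, so permits suffice.
Acl = List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]

# FILTER1: hosts <-> default gateway (both directions, so replies are bridged too)
FILTER1: Acl = [(DATA_NET, GATEWAY), (GATEWAY, DATA_NET)]
# FILTER2: host <-> host inside the data network
FILTER2: Acl = [(DATA_NET, DATA_NET)]


def acl_matches(acl: Acl, src: str, dst: str) -> bool:
    """True if any permit entry of the ACL covers the src/dst pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in src_net and d in dst_net for src_net, dst_net in acl)


# vlan access-map DENY_HOST_TALK: ordered (sequence, ACL or None, action).
# Sequence 30 has no match clause and therefore matches whatever is left.
AccessMap = List[Tuple[int, Optional[Acl], str]]
DENY_HOST_TALK: AccessMap = [
    (10, FILTER1, "forward"),   # hosts may reach the gateway
    (20, FILTER2, "drop"),      # hosts may not reach each other
    (30, None,    "forward"),   # everything else is bridged normally
]

# vlan filter DENY_HOST_TALK vlan-list 25
VLAN_FILTERS = {DATA_VLAN: DENY_HOST_TALK}


def vacl_action(vlan: int, src: str, dst: str) -> str:
    """Decide what the switch does with an IP packet bridged inside `vlan`."""
    access_map = VLAN_FILTERS.get(vlan)
    if access_map is None:
        return "forward"            # no VACL on this VLAN: normal bridging
    for _seq, acl, action in access_map:
        if acl is None or acl_matches(acl, src, dst):
            return action           # first matching sequence wins
    return "drop"                   # implicit drop when no sequence matches


def demo() -> dict:
    """Constructed flows that mirror the situation in the question."""
    flows = {
        "pc_to_pc":       (DATA_VLAN,  "192.0.2.10",    "192.0.2.11"),
        "pc_to_gateway":  (DATA_VLAN,  "192.0.2.10",    "192.0.2.1"),
        "gateway_to_pc":  (DATA_VLAN,  "192.0.2.1",     "192.0.2.11"),
        "phone_to_phone": (VOICE_VLAN, "198.51.100.10", "198.51.100.11"),
    }
    return {name: vacl_action(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:15} -> {action}")
```

Because the filter is applied to vlan-list 25 only, the phones' traffic in the voice VLAN never reaches the access map, which is what keeps extension-to-extension calls working while PC-to-PC traffic in VLAN 25 is dropped. Two things worth remembering when deploying this: without the final no-match sequence the implicit drop at the end of a VACL would also discard DHCP, DNS and any other traffic not listed in FILTER1, and an IP access-map only inspects IP packets, so non-IP frames such as ARP between hosts are still bridged unless a separate mac access-list is added.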
