There is another scenario where you can use port isolation. The scenario is called Private VLAN. Even though the name includes VLAN, but we are not going to use VLANs at all. The idea is very easy. Let me show it to you with the help of an illustration.

As you can see, if you have many servers and you don’t want them to communicate with each other, you can do port isolations and allow their connected switch port to communicate only with the port connected to the Router so they can be connected to the internet.

So you isolate as following:

• Ether1 and Ether4
• Ether1 and Ether3
• Ether1 and Ether2

For this scenario, I will show you how this can be configured using the command line:

1st you need to put all interface in a bridge with Hw-Offload enabled:

/interface bridge

add name=bridge1

/interface bridge port

add interface=ether1 bridge=bridge1 hw=yes

add interface=ether2 bridge=bridge1 hw=yes

add interface=ether3 bridge=bridge1 hw=yes

add interface=ether4 bridge=bridge1 hw=yes

Then you need to isolate the ports so they can only communicate with Ether1:

/interface ethernet switch port-isolation

set ether2 forwarding-override=ether1

set ether3 forwarding-override=ether1

set ether4 forwarding-override=ether1

As you can see, we didn’t use any VLAN here, so Private VLAN is just a name but VLAN’s aren’t used.