Isolate access on a Cisco Switch

Nowadays, network security requirements are getting higher and higher, and a LAN sometimes wants to be inaccessible to each other. I mainly want to introduce how cisco switches can meet your needs.
Implementation Methods in cisco low-end switches:
1. Implemented through Port Protection (Switchitchport protected.
2. Implemented through PVLAN (private vlan.
The main operations are as follows:
The cisco 3550 or 2950 switch is relatively easy to configure and enters the network interface configuration mode:
Switch (config) # int range f0/1-24 # operate ports f0/1 to f0/24 simultaneously. You can select ports as needed.
Switch (config-if-range) # Switchitchport protected # enable Port Protection
OK... so far, Port Protection has been enabled for each interface of the vswitch.
Because vswitches of the 4500 series do not support port protection, they can be implemented through PVLAN.
The main operations are as follows:
First, create two second VLANs
Switch (config) # vlan 101
Switch (config-vlan) # private-vlan community
### Create vlan101 and specify this vlan as a public vlan
Switch (config) vlan 102
Switch (config-vlan) private-vlan isolated
### Create a vlan102 and specify this vlan as an isolated vlan
Switch (config) vlan 200
Switch (config-vlan) private-vlan primary
Switch (config-vlan) private-vlan association 101
Switch (config-vlan) private-vlan association add 102
### Create a vlan200 and specify the vlan as the main vlan. At the same time, set vlan101 and 102 as the second vlan of the vlan200.
Switch (config) # int vlan 200
Switch (config-if) # private-vlan mapping 101,102
### After entering the vlan200 IP address, enable the routes between second vlan101 and 102 so that they can communicate
Switch (config) # int f3/1
Switch (config-if) # Switchitchport private-vlan host-association 200 102
Switch (config-if) # Switchitchport private-vlan mapping 200 102
Switch (config-if) # Switchitchport mode private-vlan host
### Enter the interface mode, configure the interface as the host mode of PVLAN, configure the main vlan and second vlan of Pvlan, and use 102,102 to isolate vlan
At this point, the configuration is complete. After testing, each port cannot communicate with each other, but it can communicate with its own gateway.
Note: The configuration instance on the Cisco website does not seem to be available in this way, but only enables isolation and cannot communicate with the gateway of this vlan. According to the configuration on the Cisco website, the private vlan cannot be up. If multiple VLANs require PVLAN configuration, the second vlan must be added accordingly. A vlan can only be used as a second vlan under a private vlan.