Is this possible, and if so, any guide on how to set it up? What I need to accomplish is to block/drop a set of TCP/UDP ports from one switch port to the other (NV1531), but they have to remain on the same VLAN/subnet, so I cannot use a firewall or NAT, unless the firewall can be set up to filter local traffic. The situation is that I have a device that must stay on a public address, no exceptions, but I need to block the admin and SIP ports as servers keep trying to hack into it and causing it to reset. I cannot use 1:1 NAT, or NAT at all; it must be on a public address. The manufacturer is no longer in business, so I can get no help from them. Can I set up some kind of rule so that if specified traffic matches, it is dropped, but through the internal switch on a subnet, not through the router or firewall? Hope I made what I need to do clear enough, thanks!