> The point is: Once both external ports are in "forwarding", I see no way > to prevent traffic flowing directly between the external ports.
Generally, there are port vectors. Port X can send frames only to Port
Y.
If you don't have that, there are possibilities with VLANs. Each port
is given a unique VLAN. All incoming untagged traffic is tagged with
the VLAN. You just need to keep the VLAN separated and add/remove the
VLAN tag in the dsa tag driver.
Andrew
