Is there a simple way to block communication on ICX between port 1/1/2 and 1/1/3?
Or is PVLAN the only option to achieve this?

Access lists can be used to do this; if the access-list doesn't permit traffic to other addresses on the same LAN (VLAN), the traffic will be blocked. If your guest network is 192.168.10.0/24, for example, you can put an explicit 'drop' rule in the access-list for that destination address, and IP traffic between the ports will be blocked. Non-IP traffic won't be blocked, but that's very rare.

You'll need a rule *ahead* of the drop rule which permits traffic to the gateway (your firewall) for that LAN, as well as a catch-all rule which allows traffic to all other addresses.
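
The rule ordering described in the answer, as an added example that is not part of the original posts: a small Python model of first-match access-list evaluation for the 192.168.10.0/24 guest network. The gateway address 192.168.10.1 and the host addresses are assumptions, and the model covers rule order only, not ICX command syntax.

```python
import ipaddress

GUEST_NET = ipaddress.ip_network("192.168.10.0/24")  # guest LAN from the post
GATEWAY = ipaddress.ip_network("192.168.10.1/32")    # assumed gateway/firewall address
ANY = ipaddress.ip_network("0.0.0.0/0")

# Order from the answer: gateway permit, drop for the guest LAN, catch-all permit.
CORRECT = [
    ("permit", GUEST_NET, GATEWAY),
    ("deny", GUEST_NET, GUEST_NET),
    ("permit", ANY, ANY),
]
# Same rules with the drop placed first, to show why the order matters.
MISORDERED = [CORRECT[1], CORRECT[0], CORRECT[2]]


def evaluate(acl, src, dst):
    """Return (action, rule_index) of the first matching rule; implicit deny if none."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, src_net, dst_net) in enumerate(acl):
        if s in src_net and d in dst_net:
            return action, i
    return "deny", None


def shadowed_rules(acl):
    """Indexes of rules that can never match because an earlier rule fully covers them."""
    shadowed = []
    for i, (_, src_net, dst_net) in enumerate(acl):
        for _, prev_src, prev_dst in acl[:i]:
            if src_net.subnet_of(prev_src) and dst_net.subnet_of(prev_dst):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    # Constructed sample flows: guest-to-guest, guest-to-gateway, guest-to-internet.
    flows = [("192.168.10.20", "192.168.10.30"),
             ("192.168.10.20", "192.168.10.1"),
             ("192.168.10.20", "8.8.8.8")]
    for name, acl in (("correct", CORRECT), ("misordered", MISORDERED)):
        for src, dst in flows:
            print(name, src, "->", dst, evaluate(acl, src, dst))
        print(name, "shadowed rules:", shadowed_rules(acl))
```

With the drop rule first, the gateway permit is shadowed and guests lose their default gateway, which is the failure the answer's ordering avoids.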