Используя PVLANS в сочетании со стандартными VLAN

The way that PVLAN operates is that traffic transmitted into an isolated port is actually mapped into another VLAN (the aux VLAN). The promiscuous port, in turn, transmits frames from both the primary and aux VLAN's to its connected host. Frames received on the promiscuous port go into the primary VLAN.

What this means is that the promiscuous port and the normal ports can communicate normally, the normal ports can send traffic -to- the isolated ports but will receive no traffic back and traffic sent from the isolated ports will only be seen at the promiscuous port. The normal ports will continue to operate as expected.

So - if you're OK with the normal ports being able to send traffic to the isolated ports (but not vice-versa) then the rest of the setup should work.

The use of community ports (instead of normal/non-PVLAN ports) would insure that traffic sent from said ports would never be seen on the isolated ports while still allowing full communication otherwise. This would generally be the way to go if you want the isolated hosts truly isolated.