diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 4be751461d..c00ace7d9c 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3178,6 +3178,9 @@
       <optional>
         <ref name="vlan"/>
       </optional>
+      <optional>
+        <ref name="portOptions"/>
+      </optional>
       <optional>
         <element name="teaming">
           <choice>
diff --git a/docs/schemas/network.rng b/docs/schemas/network.rng
index 677ec77724..60453225d6 100644
--- a/docs/schemas/network.rng
+++ b/docs/schemas/network.rng
@@ -332,6 +332,9 @@
         <optional>
           <ref name="vlan"/>
         </optional>
+        <optional>
+          <ref name="portOptions"/>
+        </optional>
 
         <!-- <ip> element -->
         <zeroOrMore>
diff --git a/docs/schemas/networkcommon.rng b/docs/schemas/networkcommon.rng
index fd1aac6485..ad3f590c91 100644
--- a/docs/schemas/networkcommon.rng
+++ b/docs/schemas/networkcommon.rng
@@ -280,4 +280,15 @@
       </attribute>
     </element>
   </define>
+
+  <define name="portOptions">
+    <element name="port">
+      <optional>
+        <attribute name="isolated">
+          <ref name="virYesNo"/>
+        </attribute>
+      </optional>
+    </element>
+  </define>
+
 </grammar>
diff --git a/docs/schemas/networkport.rng b/docs/schemas/networkport.rng
index ea43c03d41..031c5241f0 100644
--- a/docs/schemas/networkport.rng
+++ b/docs/schemas/networkport.rng
@@ -32,6 +32,9 @@
         <optional>
           <ref name="vlan"/>
         </optional>
+        <optional>
+          <ref name="portOptions"/>
+        </optional>
         <optional>
           <ref name="plug"/>
         </optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index dcd070d2ad..e34e6ad372 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -11534,6 +11534,9 @@ virDomainActualNetDefParseXML(xmlNodePtr node,
     if (vlanNode && virNetDevVlanParse(vlanNode, ctxt, &actual->vlan) < 0)
         goto error;
 
+    if (virNetworkPortOptionsParseXML(ctxt, &actual->isolatedPort) < 0)
+        goto error;
+
     *def = g_steal_pointer(&actual);
     ret = 0;
  error:
@@ -12430,6 +12433,9 @@ virDomainNetDefParseXML(virDomainXMLOptionPtr xmlopt,
             goto error;
     }
 
+    if (virNetworkPortOptionsParseXML(ctxt, &def->isolatedPort) < 0)
+        goto error;
+
  cleanup:
     virDomainActualNetDefFree(actual);
     virHashFree(filterparams);
@@ -25539,6 +25545,7 @@ virDomainActualNetDefContentsFormat(virBufferPtr buf,
         return -1;
     if (virNetDevBandwidthFormat(virDomainNetGetActualBandwidth(def), 0, buf) < 0)
         return -1;
+    virNetworkPortOptionsFormat(virDomainNetGetActualPortOptionsIsolated(def), buf);
     return 0;
 }
 
@@ -25915,6 +25922,7 @@ virDomainNetDefFormat(virBufferPtr buf,
             return -1;
         if (virNetDevBandwidthFormat(def->bandwidth, 0, buf) < 0)
             return -1;
+        virNetworkPortOptionsFormat(def->isolatedPort, buf);
 
         /* ONLY for internal status storage - format the ActualNetDef
          * as a subelement of <interface> so that no persistent config
@@ -29992,6 +30000,17 @@ virDomainNetGetActualVlan(const virDomainNetDef *iface)
 }
 
 
+virTristateBool
+virDomainNetGetActualPortOptionsIsolated(const virDomainNetDef *iface)
+{
+    if (iface->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
+        iface->data.network.actual) {
+        return iface->data.network.actual->isolatedPort;
+    }
+    return iface->isolatedPort;
+}
+
+
 bool
 virDomainNetGetActualTrustGuestRxFilters(const virDomainNetDef *iface)
 {
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 867a9c7661..cdc4d25700 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -928,6 +928,7 @@ struct _virDomainActualNetDef {
     virNetDevBandwidthPtr bandwidth;
     virNetDevVlan vlan;
     int trustGuestRxFilters; /* enum virTristateBool */
+    virTristateBool isolatedPort;
     unsigned int class_id; /* class ID for bandwidth 'floor' */
 };
 
@@ -1032,6 +1033,7 @@ struct _virDomainNetDef {
     virNetDevBandwidthPtr bandwidth;
     virNetDevVlan vlan;
     int trustGuestRxFilters; /* enum virTristateBool */
+    virTristateBool isolatedPort;
     int linkstate;
     unsigned int mtu;
     virNetDevCoalescePtr coalesce;
@@ -3239,6 +3241,8 @@ const virNetDevBandwidth *
 virDomainNetGetActualBandwidth(const virDomainNetDef *iface);
 const virNetDevVlan *virDomainNetGetActualVlan(const virDomainNetDef *iface);
 bool virDomainNetGetActualTrustGuestRxFilters(const virDomainNetDef *iface);
+virTristateBool
+virDomainNetGetActualPortOptionsIsolated(const virDomainNetDef *iface);
 const char *virDomainNetGetModelString(const virDomainNetDef *net);
 int virDomainNetSetModelString(virDomainNetDefPtr et,
                                const char *model);
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 1f14a964a2..819b645df7 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -1172,6 +1172,26 @@ virNetworkIPDefParseXML(const char *networkName,
 }
 
 
+int
+virNetworkPortOptionsParseXML(xmlXPathContextPtr ctxt,
+                              virTristateBool *isolatedPort)
+{
+    g_autofree char *str = NULL;
+    int tmp = VIR_TRISTATE_BOOL_ABSENT;
+
+    if ((str = virXPathString("string(./port/@isolated)", ctxt))) {
+        if ((tmp = virTristateBoolTypeFromString(str)) <= 0) {
+            virReportError(VIR_ERR_XML_ERROR,
+                           _("unknown port isolated value '%s'"), str);
+            return -1;
+        }
+    }
+
+    *isolatedPort = tmp;
+    return 0;
+}
+
+
 static int
 virNetworkPortGroupParseXML(virPortGroupDefPtr def,
                             xmlNodePtr node,
@@ -1725,6 +1745,9 @@ virNetworkDefParseXML(xmlXPathContextPtr ctxt,
     if (vlanNode && virNetDevVlanParse(vlanNode, ctxt, &def->vlan) < 0)
         goto error;
 
+    if (virNetworkPortOptionsParseXML(ctxt, &def->isolatedPort) < 0)
+        goto error;
+
     /* Parse bridge information */
     def->bridge = virXPathString("string(./bridge[1]/@name)", ctxt);
     def->bridgeZone = virXPathString("string(./bridge[1]/@zone)", ctxt);
@@ -2331,6 +2354,14 @@ virNetworkIPDefFormat(virBufferPtr buf,
     return 0;
 }
 
+void
+virNetworkPortOptionsFormat(virTristateBool isolatedPort,
+                            virBufferPtr buf)
+{
+    if (isolatedPort != VIR_TRISTATE_BOOL_ABSENT)
+        virBufferAsprintf(buf, "<port isolated='%s'/>\n",
+                          virTristateBoolTypeToString(isolatedPort));
+}
 
 static int
 virPortGroupDefFormat(virBufferPtr buf,
@@ -2608,6 +2639,7 @@ virNetworkDefFormatBuf(virBufferPtr buf,
         return -1;
     if (virNetDevBandwidthFormat(def->bandwidth, 0, buf) < 0)
         return -1;
+    virNetworkPortOptionsFormat(def->isolatedPort, buf);
 
     for (i = 0; i < def->nips; i++) {
         if (virNetworkIPDefFormat(buf, &def->ips[i]) < 0)
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index d5dd8480db..db7243eef5 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -272,6 +272,7 @@ struct _virNetworkDef {
     virNetDevBandwidthPtr bandwidth;
     virNetDevVlan vlan;
     int trustGuestRxFilters; /* enum virTristateBool */
+    virTristateBool isolatedPort;
 
     /* Application-specific custom metadata */
     xmlNodePtr metadata;
@@ -377,6 +378,14 @@ virNetworkConfigFile(const char *dir,
 void
 virNetworkSetBridgeMacAddr(virNetworkDefPtr def);
 
+int
+virNetworkPortOptionsParseXML(xmlXPathContextPtr ctxt,
+                              virTristateBool *isolatedPort);
+
+void
+virNetworkPortOptionsFormat(virTristateBool isolatedPort,
+                            virBufferPtr buf);
+
 VIR_ENUM_DECL(virNetworkForward);
 
 #define VIR_CONNECT_LIST_NETWORKS_FILTERS_ACTIVE \
diff --git a/src/conf/virnetworkportdef.c b/src/conf/virnetworkportdef.c
index 28a58ad8f8..a0705a8322 100644
--- a/src/conf/virnetworkportdef.c
+++ b/src/conf/virnetworkportdef.c
@@ -161,6 +161,8 @@ virNetworkPortDefParseXML(xmlXPathContextPtr ctxt)
     if (vlanNode && virNetDevVlanParse(vlanNode, ctxt, &def->vlan) < 0)
         return NULL;
 
+    if (virNetworkPortOptionsParseXML(ctxt, &def->isolatedPort) < 0)
+        return NULL;
 
     trustGuestRxFilters
         = virXPathString("string(./rxfilters/@trustGuest)", ctxt);
@@ -360,6 +362,7 @@ virNetworkPortDefFormatBuf(virBufferPtr buf,
         virNetDevBandwidthFormat(def->bandwidth, def->class_id, buf);
     if (virNetDevVlanFormat(&def->vlan, buf) < 0)
         return -1;
+    virNetworkPortOptionsFormat(def->isolatedPort, buf);
     if (def->trustGuestRxFilters)
         virBufferAsprintf(buf, "<rxfilters trustGuest='%s'/>\n",
                           virTristateBoolTypeToString(def->trustGuestRxFilters));
diff --git a/src/conf/virnetworkportdef.h b/src/conf/virnetworkportdef.h
index f5ba337fc9..78cf2c1ba4 100644
--- a/src/conf/virnetworkportdef.h
+++ b/src/conf/virnetworkportdef.h
@@ -60,6 +60,7 @@ struct _virNetworkPortDef {
     unsigned int class_id; /* class ID for bandwidth 'floor' */
     virNetDevVlan vlan;
     int trustGuestRxFilters; /* enum virTristateBool */
+    virTristateBool isolatedPort;
 
     int plugtype; /* virNetworkPortPlugType */
     union {
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 0d281ec7ed..8883aa89cc 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -513,6 +513,7 @@ virDomainNetGetActualBridgeName;
 virDomainNetGetActualDirectDev;
 virDomainNetGetActualDirectMode;
 virDomainNetGetActualHostdev;
+virDomainNetGetActualPortOptionsIsolated;
 virDomainNetGetActualTrustGuestRxFilters;
 virDomainNetGetActualType;
 virDomainNetGetActualVirtPortProfile;
diff --git a/tests/networkxml2xmlin/isolated-ports.xml b/tests/networkxml2xmlin/isolated-ports.xml
new file mode 100644
index 0000000000..9bdcb88ac6
--- /dev/null
+++ b/tests/networkxml2xmlin/isolated-ports.xml
@@ -0,0 +1,7 @@
+<network>
+  <name>port-isolation-test</name>
+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+  <bridge name="br0"/>
+  <forward mode="bridge"/>
+  <port isolated="yes"/>
+</network>
diff --git a/tests/networkxml2xmlout/isolated-ports.xml b/tests/networkxml2xmlout/isolated-ports.xml
new file mode 100644
index 0000000000..bff5278600
--- /dev/null
+++ b/tests/networkxml2xmlout/isolated-ports.xml
@@ -0,0 +1,7 @@
+<network>
+  <name>port-isolation-test</name>
+  <uuid>81ff0d90-c91e-6742-64da-4a736edb9a9b</uuid>
+  <forward mode='bridge'/>
+  <bridge name='br0'/>
+  <port isolated='yes'/>
+</network>
diff --git a/tests/networkxml2xmltest.c b/tests/networkxml2xmltest.c
index f784b90c69..ec679e72ee 100644
--- a/tests/networkxml2xmltest.c
+++ b/tests/networkxml2xmltest.c
@@ -160,6 +160,7 @@ mymain(void)
     DO_TEST("metadata");
     DO_TEST("set-mtu");
     DO_TEST("dnsmasq-options");
+    DO_TEST("isolated-ports");
 
     return ret == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
 }
diff --git a/tests/qemuxml2argvdata/net-isolated-port.xml b/tests/qemuxml2argvdata/net-isolated-port.xml
new file mode 100644
index 0000000000..122378a8f0
--- /dev/null
+++ b/tests/qemuxml2argvdata/net-isolated-port.xml
@@ -0,0 +1,34 @@
+<domain type='qemu'>
+  <name>q35-test</name>
+  <uuid>11dbdcdd-4c3b-482b-8903-9bdb8c0a2774</uuid>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>2097152</currentMemory>
+  <vcpu placement='static' cpuset='0-1'>2</vcpu>
+  <os>
+    <type arch='x86_64' machine='q35'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='block' device='disk'>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='sda' bus='sata'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='pci' index='0' model='pcie-root'/>
+    <interface type='network'>
+      <mac address='52:54:00:d6:c0:0b'/>
+      <source network='default'/>
+      <port isolated='yes'/>
+      <model type='virtio'/>
+    </interface>
+    <video>
+      <model type='qxl' ram='65536' vram='32768' vgamem='8192' heads='1'/>
+    </video>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml b/tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml
new file mode 100644
index 0000000000..d21a5a395b
--- /dev/null
+++ b/tests/qemuxml2xmloutdata/net-isolated-port.x86_64-latest.xml
@@ -0,0 +1,63 @@
+<domain type='qemu'>
+  <name>q35-test</name>
+  <uuid>11dbdcdd-4c3b-482b-8903-9bdb8c0a2774</uuid>
+  <memory unit='KiB'>2097152</memory>
+  <currentMemory unit='KiB'>2097152</currentMemory>
+  <vcpu placement='static' cpuset='0-1'>2</vcpu>
+  <os>
+    <type arch='x86_64' machine='q35'>hvm</type>
+    <boot dev='hd'/>
+  </os>
+  <cpu mode='custom' match='exact' check='none'>
+    <model fallback='forbid'>qemu64</model>
+  </cpu>
+  <clock offset='utc'/>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='block' device='disk'>
+      <driver name='qemu' type='raw'/>
+      <source dev='/dev/HostVG/QEMUGuest1'/>
+      <target dev='sda' bus='sata'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='pci' index='0' model='pcie-root'/>
+    <controller type='usb' index='0' model='qemu-xhci'>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0x12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <interface type='network'>
+      <mac address='52:54:00:d6:c0:0b'/>
+      <source network='default'/>
+      <port isolated='yes'/>
+      <model type='virtio'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <input type='mouse' bus='ps2'/>
+    <input type='keyboard' bus='ps2'/>
+    <video>
+      <model type='qxl' ram='65536' vram='32768' vgamem='8192' heads='1' primary='yes'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+    </video>
+    <memballoon model='none'/>
+  </devices>
+</domain>
diff --git a/tests/qemuxml2xmltest.c b/tests/qemuxml2xmltest.c
index daf9b53ce8..c29dd5053d 100644
--- a/tests/qemuxml2xmltest.c
+++ b/tests/qemuxml2xmltest.c
@@ -463,6 +463,7 @@ mymain(void)
     DO_TEST("net-virtio-teaming-network",
             QEMU_CAPS_VIRTIO_NET_FAILOVER,
             QEMU_CAPS_DEVICE_VFIO_PCI);
+    DO_TEST_CAPS_LATEST("net-isolated-port");
     DO_TEST("net-hostdev", NONE);
     DO_TEST("net-hostdev-bootorder", NONE);
     DO_TEST("net-hostdev-vfio", QEMU_CAPS_DEVICE_VFIO_PCI);