Is there a way to prevent devices on S1 to communicate with devices on S2?
Traffic originating on a bus that has a target address decoding to the same bus is not propagated to other buses. If the target address decodes to the other secondary bus, the transaction is placed into either the posted write buffer or the delayed transaction buffer of that target bus (depending on the PCI command used) and will commence at the other bus when the bridge next receives grant from the arbiter. If the target address decodes to neither secondary bus, and is initiated from a secondary bus, the bridge forwards it to the primary PCI bus by placing the transaction into the proper FIFO for that PCI command. If the initiator is already upstream from the bridge and the target is also upstream from the bridge, the bridge does not claim the transaction. There are no “protected” or “non-transparent” address spaces; one of the above four conditions applies.
