Solved

How do you create a VLAN that isolates devices and does not allow machines to communicate with each other within the VLAN?


Hello. I have a VLAN and I would like to isolate all traffic within the VLAN so devices within the same VLAN cannot communicate with each other. What is the best way to go about this?


Best answer by Stefan K. 3 May 2021, 00:06

Single switch or multiple switches?

There are generally two features that could be used:

  • private VLAN
  • Port Isolation

Best regards

Stefan


3 replies


Hi Stefan,


It is a single switch stack, two X440 switches. Connected to the switch is a hypervisor cluster; on the hypervisor cluster, we have a vSwitch tagged to the VLAN, which various virtual machines use. We have firewall rules restricting traffic between the VLAN, but we need the clients isolated from each other in this specific VLAN.


Hi,


Do you mean the VMs to be isolated? Would the Direct Attach feature (aka EVB/VEPA) do the job to pull the inter-VM traffic out of a vSwitch to control it entirely on EXOS? Then, if you need L3 communication isolation in the same subnet, an ACL or a Policy to block every IP in that subnet (besides the default GW if needed) might do the work. If you need L2 isolation and you cannot do separate port groups/VLANs, some sort of dmac blacklist would have to be created (ACL or Policy; static blackhole fdb entries would prevent these MAC addresses from any communication at all).


Hope that helps,

Tomasz

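As an added example (not code from the thread or from Extreme), here is a small Python model of the L3 same-subnet isolation ACL Tomasz describes: it renders the rule set as policy-file text and evaluates sample flows first-match, which makes it visible that the gateway permits must sit above the subnet-wide deny. The subnet, gateway address and the policy-file syntax are assumptions, as is the implicit permit for unmatched traffic.

```python
"""Model of the L3 same-subnet isolation ACL suggested in the thread.
Renders an ordered rule list as an EXOS-style policy file (syntax assumed
from memory, not from the thread) and evaluates sample flows first-match."""
import ipaddress

SUBNET = ipaddress.ip_network("192.0.2.0/24")  # constructed example subnet
GATEWAY = ipaddress.ip_address("192.0.2.1")    # constructed default gateway

def build_rules(subnet, gateway):
    """Ordered rules: both gateway permits must precede the subnet-wide deny."""
    gw_host = ipaddress.ip_network(f"{gateway}/32")
    return [
        {"name": "permit_to_gw", "src": None, "dst": gw_host, "action": "permit"},
        {"name": "permit_from_gw", "src": gw_host, "dst": None, "action": "permit"},
        {"name": "deny_intra_subnet", "src": subnet, "dst": subnet, "action": "deny"},
    ]

def render_policy(rules):
    """Render the rules as policy-file text (assumed EXOS syntax; the file
    would be applied to the VLAN with 'configure access-list ... vlan ... ingress')."""
    out = []
    for r in rules:
        conds = []
        if r["src"] is not None:
            conds.append(f"source-address {r['src']};")
        if r["dst"] is not None:
            conds.append(f"destination-address {r['dst']};")
        out.append(f"entry {r['name']} {{")
        out.append(f"    if {{ {' '.join(conds)} }} then {{ {r['action']}; }}")
        out.append("}")
    return "\n".join(out)

def evaluate(rules, src, dst):
    """Return the action for a src->dst IP flow under first-match semantics.
    Unmatched traffic is permitted (assumption: no implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        src_ok = r["src"] is None or s in r["src"]
        dst_ok = r["dst"] is None or d in r["dst"]
        if src_ok and dst_ok:
            return r["action"]
    return "permit"

RULES = build_rules(SUBNET, GATEWAY)

if __name__ == "__main__":
    print(render_policy(RULES))
    print(evaluate(RULES, "192.0.2.10", "192.0.2.20"))  # deny: host to host
    print(evaluate(RULES, "192.0.2.10", "192.0.2.1"))   # permit: host to gateway
```

This only affects traffic that actually reaches the switch; VM-to-VM frames switched locally inside the vSwitch never hit the ACL, which is why the Direct Attach/VEPA point above matters.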