
Okay, so we have an HP ProCurve Switch 2824, a Zyxel router and a bunch of 2012 R2 servers. We currently have 3 VLANs in our network: 10 (Public), 20 (Private) and 30 (Management), but we'd like to have more isolation in these VLANs. I've been searching the internet for a few weeks for a way to isolate hosts in the same VLAN, but I have only found port isolation, and that only works for ports and not VLANs.

All 24 ports of the switch are tagged to VLANs 10,20 and 30.

What I'm asking is: is it possible to prevent hosts in the same VLAN from talking to each other and force all traffic through the router we have, or something similar? For security reasons I just can't allow VMs to talk to each other without a firewall in between them.

I appreciate every little clue you might have.

EDIT: Cisco has something that I believe would suit my needs, but sadly the equipment I have is HP(Someone before me chose the equipment and I'm stuck with it).
http://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html

    It seems to me that you could just simply create additional VLANs. Also, forcing the traffic between machines to transit the router would necessitate giving them IP addresses in different subnets. Hosts in the same subnet wouldn't send local (same subnet) traffic to the router, regardless of VLAN assignment. – joeqwerty Jan 30 '15 at 00:41
  • Sadly, creating a new VLAN for each new VM isn't really an option because it would require at least 2 new VLANs per VM, and that would explode quickly in my environment. Cisco has something that I believe would suit my needs, but sadly the equipment I have is HP (the guy before me chose the equipment and I'm stuck with it)... http://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html – Niklas Lindgren Jan 30 '15 at 00:49

1 Answer

5

The only way to force traffic through a router is to make a bunch of /30 subnets (usually with each on its own VLAN) and put a single PC and a single router interface on each one.

You can also go 802.1QinQ but that's normally used for metro area networks and comes with its own set of complexities, and then you still have to set up /30's with router interfaces. But at least you'd still only have three "top level" VLANs.

Otherwise you would need to have very strictly enforced firewall rules on each host - you can control this centrally and granularly with GPOs - that deny all traffic in and out except where you want them to talk. Except then you're basically totally cutting them off, and making a firewall change by GPO is not exactly instant.

Mark Henderson
  • Was hoping not to have a need to do the /30 subnets, but it seems like I have no other choice. Thanks! (802.1QinQ sounds interesting, have to do some research on that) – Niklas Lindgren Jan 30 '15 at 13:55
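The point-to-point /30 design from the answer above, worked through as an added example (this is not code from the question, the answer or any HP tooling): each VM gets its own VLAN and its own /30, with one usable address for the router interface and one for the VM, so every packet between two VMs must cross the router and therefore the firewall. The pool `10.50.0.0/24`, the starting VLAN ID 100 and the router-takes-the-low-address convention are assumptions chosen for illustration. The `peers_need_router` check makes joeqwerty's comment concrete: two hosts that share a subnet exchange frames directly, so isolation only holds when the hosts land in different subnets.

```python
"""Plan per-VM /30 point-to-point subnets, one per VLAN (illustrative example).

Assumptions (not from the original page):
  - address pool 10.50.0.0/24 and starting VLAN ID 100 are arbitrary picks;
  - the router interface takes the lower usable address of each /30, the VM the upper.
"""
import ipaddress

MAX_DOT1Q_VLAN = 4094  # 802.1Q VLAN IDs run 1..4094 (0 and 4095 are reserved)


def max_p2p_subnets(pool: str) -> int:
    """How many /30s a pool can hold. A /30 has 4 addresses (network,
    router, VM, broadcast), so only half of the pool ends up usable."""
    return ipaddress.ip_network(pool).num_addresses // 4


def plan_p2p_subnets(pool: str, first_vlan: int, count: int) -> list[dict]:
    """Carve `count` /30s out of `pool`, pairing each with its own VLAN ID.

    Returns one dict per VM: vlan, subnet, router address, VM address.
    Raises ValueError when the pool or the VLAN ID space runs out, which is
    exactly the "explodes quickly" cost of this design.
    """
    network = ipaddress.ip_network(pool)
    if network.prefixlen > 30:
        raise ValueError("pool must be at least a /30")
    if first_vlan < 1 or first_vlan + count - 1 > MAX_DOT1Q_VLAN:
        raise ValueError("VLAN IDs would leave the 1..4094 range")
    if count > max_p2p_subnets(pool):
        raise ValueError(f"{pool} only holds {max_p2p_subnets(pool)} /30s, need {count}")

    plan = []
    for index, subnet in enumerate(network.subnets(new_prefix=30)):
        if index == count:
            break
        # hosts() excludes the network and broadcast address, leaving the two usable ones.
        router_addr, vm_addr = list(subnet.hosts())
        plan.append({
            "vlan": first_vlan + index,
            "subnet": str(subnet),
            "router": str(router_addr),  # router/firewall interface, the VM's default gateway
            "host": str(vm_addr),        # the single VM on this VLAN
        })
    return plan


def peers_need_router(ip_a: str, ip_b: str, prefixlen: int = 30) -> bool:
    """True when two hosts sit in different subnets (traffic must transit the
    router); False when they share a subnet and would talk to each other
    directly at layer 2, bypassing any firewall on the router."""
    net_a = ipaddress.ip_network(f"{ip_a}/{prefixlen}", strict=False)
    net_b = ipaddress.ip_network(f"{ip_b}/{prefixlen}", strict=False)
    return net_a != net_b


if __name__ == "__main__":
    for entry in plan_p2p_subnets("10.50.0.0/24", first_vlan=100, count=3):
        print(f"vlan {entry['vlan']:4}  {entry['subnet']:16}  "
              f"router {entry['router']:12}  vm {entry['host']}")
    print("/30s available in 10.50.0.0/24:", max_p2p_subnets("10.50.0.0/24"))
    print("/30s available in 10.50.0.0/22:", max_p2p_subnets("10.50.0.0/22"))
    # Two VMs from the plan: different /30s, so the router (and its firewall) is in the path.
    print("10.50.0.2 -> 10.50.0.6 crosses router:", peers_need_router("10.50.0.2", "10.50.0.6"))
    # Two hosts left in the existing flat /24 of VLAN 20: same subnet, router never sees it.
    print("10.20.0.5 -> 10.20.0.9 crosses router:", peers_need_router("10.20.0.5", "10.20.0.9", 24))
```

The capacity numbers are the practical limit the asker was worried about: a /24 yields only 64 point-to-point subnets, and each one also consumes a VLAN ID and a router sub-interface, so the plan should be sized against the VLAN count the switch and router actually support before committing to it.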