Channel: VMware Communities: Message List
Re: VLAN Configuration on ESXi Hosts

Ryan wrote:

 

Hello everyone,

 

When I am in a virtual machine, I'm able to see packets in all the other VLANs that are tagged on the physical switch ports connected to the ESXi hosts. For instance, if I assign the port group with VLAN 10 to a virtual machine, it can still ping VLAN 20, 30, 40, 50, 60, etc. on other VMs and physical devices. I do not want this behavior due to security reasons. I would prefer the VM's NIC acted more like an access port, rather than a trunk port.

 

Let me detail the hardware configuration. There are three hosts with eight physical network ports each. Four ports from each host are configured only for virtual machine VLANs and vMotion traffic. These ports are trunked on the physical HP A5120 switches with access to all of the production VLANs, since the various VMs encompass them.

 

On the ESXi hosts, one vSwitch is set up on each of the three hosts with the trunked ports, for virtual machine and vMotion traffic. Each VLAN is placed in its own virtual machine port group, with the port group containing the needed VLAN assigned to the respective VM.

 

So the question is how do I stop the VMs from being able to see other VLANs? Please let me know if I need to provide additional details.

 

Ryan

 

It is not VMware / vSphere / ESXi doing the routing. This is your physical network setup. I suggest you talk to the person who configured your network and let them take your security requirements into account.

