Solved: Re: Preventing communication between vm's

ieuuk1987 · ‎08-24-2010

Hi All,

What we have is a VLAN in our network which consists of the gateway and a selection of VM's connected to it. What I would like to do is to stop the VM's from being able to communicate with each other short of putting each one its own dedicated VLAN?

Does anyone else have any better ideas?

Thanks,

I.

rickardnobel · ‎08-24-2010

What we have is a VLAN in our network which consists of the gateway and a selection of VM's connected to it. What I would like to do is to stop the VM's from being able to communicate with each other short of putting each one its own dedicated VLAN?

Must you use standard vSwitch or do you have license for Distributed Switch? If having a dSwitch you could use the Private VLAN feature and do what you wish, i.e. having one larger VLAN and yet not allow the VMs to communicate. They would be on a "isolated private vlan" I belive.

My VMware blog: www.rickardnobel.se

View solution in original post

amvmware · ‎08-24-2010

A bit of a strange request. - You could look at vShield as an option.

If you don't then not sure how else you can do it without using vLANs or multiple vswitches and NIC's

amvmware · ‎08-24-2010

A bit of a strange request. - You could look at vShield as an option.

If you don't then not sure how else you can do it without using vLANs or multiple vswitches and NIC's

AntonVZhbankov · ‎08-24-2010

Using VLANs is the only way to stop VMs from communication with each other on vSwitch.

vShield is a firewall that protects from external traffic, but doesn't do anything with VM-to-VM communication.

---

MCSA, MCTS Hyper-V, VCP 3/4, VMware vExpert

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda

rickardnobel · ‎08-24-2010

What we have is a VLAN in our network which consists of the gateway and a selection of VM's connected to it. What I would like to do is to stop the VM's from being able to communicate with each other short of putting each one its own dedicated VLAN?

Must you use standard vSwitch or do you have license for Distributed Switch? If having a dSwitch you could use the Private VLAN feature and do what you wish, i.e. having one larger VLAN and yet not allow the VMs to communicate. They would be on a "isolated private vlan" I belive.

My VMware blog: www.rickardnobel.se

dtracey · ‎08-24-2010

You could use host based firewalling? If they are windows boxes it's pretty simple to stop them communicationg with each other on whichever ports/services you are worried about?

Dan

ieuuk1987 · ‎08-25-2010

Hi Ricnob,

That sounds like what I'm going to need but we're only running enterprise.

I'll have to see what the options are to upgrading to enterprise plus and to getting a isolated vlan going.

Thanks to everyone for their suggestions!

rickardnobel · ‎08-25-2010

Here is a quite good picture that describes the Private VLAN feature on the Distributed Switch:

Private VLAN image

All VMs in the pictures are on the same general VLAN and ip range, but could be put into different "zones", where for example the isolated ones can not communicate with each other, that is, all frames are blocked by the virtual switch at Layer 2.

My VMware blog: www.rickardnobel.se