VMware Cloud Community
Ryan45
Contributor

VLAN Configuration on ESXi Hosts

Hello everyone,

When I am in a virtual machine, I'm able to see packets in all the other VLANs that are tagged on the physical switch ports connected to the ESXi hosts. For instance, if I assign the port group with VLAN 10 to a virtual machine, it can still ping VLAN 20, 30, 40, 50, 60, etc. on other VMs and physical devices. I do not want this behavior for security reasons. I would prefer that the VM's NIC acted more like an access port, rather than a trunk port.

Let me detail the hardware configuration. There are three hosts with eight physical network ports each. Four ports from each host are configured only for virtual machine VLANs and vMotion traffic. These ports are trunked on the physical HP A5120 switches with access to all of the production VLANs, since the various VMs encompass them.

On the ESXi hosts, one vSwitch is set up on each of the three hosts with the trunked ports, for virtual machine and vMotion traffic. Each VLAN is placed in its own virtual machine port group, with the port group containing the needed VLAN assigned to the respective VM.

So the question is: how do I stop the VMs from being able to see other VLANs? Please let me know if I need to provide additional details.

Ryan

3 Replies
a_p_
Leadership

Welcome to the Community,

The ESXi host, i.e. the vSwitches, is not doing any routing, which means the traffic from one VLAN cannot be seen in another VLAN (except for VLAN ID 4095) unless you do the routing on either a physical device (router, Layer-3 switch) or, e.g., a virtual router.

André
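The reply above points at the one vSwitch setting that does hand a VM every tagged VLAN on the uplink: a port group with VLAN ID 4095 (virtual guest tagging). A quick way to audit that on a host is to read `esxcli network vswitch standard portgroup list`, whose last column is the VLAN ID. The POSIX shell below is an added example, not code from the thread or from VMware; the port group listing embedded in it is a constructed sample in the same column layout, and the port group and vSwitch names in it are made up. On a real host you would feed the function the live command output instead, as the comment shows.

```shell
#!/bin/sh
# Constructed sample of `esxcli network vswitch standard portgroup list` output.
# Column layout matches the real command; the names and counts are invented.
SAMPLE_PG_LIST='Name                Virtual Switch  Active Clients  VLAN ID
------------------  --------------  --------------  -------
Management Network  vSwitch0        1               0
VM-VLAN10           vSwitch1        4               10
VM-VLAN20           vSwitch1        2               20
Sniffer             vSwitch1        1               4095
vMotion             vSwitch1        1               99'

# Print the names of port groups whose VLAN ID is 4095. A VM attached to such
# a port group receives frames from every VLAN carried on the uplink trunk,
# which is exactly the "trunk port" behaviour the question wants to avoid.
# Port group names may contain spaces, so the name is rebuilt from all
# fields except the last three (Virtual Switch, Active Clients, VLAN ID).
find_trunk_portgroups() {
  printf '%s\n' "$1" | awk 'NR > 2 && $NF == 4095 {
      name = $1
      for (i = 2; i <= NF - 3; i++) name = name " " $i
      print name
  }'
}

# Print the VLAN ID configured on one named port group (empty if not found).
# VLAN 0 means untagged: on a trunked uplink that is the switch native VLAN,
# so a VLAN-0 port group is worth a second look as well.
portgroup_vlan() {
  printf '%s\n' "$1" | awk -v want="$2" 'NR > 2 {
      name = $1
      for (i = 2; i <= NF - 3; i++) name = name " " $i
      if (name == want) print $NF
  }'
}

# Usage against the constructed sample; on an ESXi host replace the variable
# with "$(esxcli network vswitch standard portgroup list)".
echo "Port groups that see all VLANs (VLAN 4095):"
find_trunk_portgroups "$SAMPLE_PG_LIST"
echo "VLAN of VM-VLAN10: $(portgroup_vlan "$SAMPLE_PG_LIST" VM-VLAN10)"
```

If the audit shows every VM port group tagged with a single VLAN ID (virtual switch tagging, as Ryan describes) and none with 4095, then the vSwitch is already behaving like an access port per port group, and the cross-VLAN reachability must come from routing on the physical network, which is where the replies in this thread say to look.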

depping
Leadership

It is not VMware / vSphere / ESXi doing the routing. This is your physical network setup. I suggest you talk to the person who configured your network and let them take your security requirements into account.

orthohin
Enthusiast

For your security purpose, you don't want to give your VLAN access to a different VLAN.

So just use access ports, and a trunk when you connect Vswitch1 to Vswitch2.

Also make sure that you don't route your VLAN; then no one can access the other VLANs.

Regards,
Milton

Never trust a computer you can't throw out a window