I am looking at setting up private vlans for my DMZ so hosts cannot talk directly to each other, they only need to talk to the firewall.
We have a HA firewall and 2 switches, each firewall connects to a separate switch, and the switches have a trunk port to each other.
What is the simpliest way to do this?
could I just used the switchport protected (pvlan edge type) command on the servers connected in the DMZ and that would be enough? or do I need to set up the full blown private vlan setup with primary and secondary vlans? if so how would that look?
you could put the hosts into separate vlans then on a routed interface on the switch (if its L3) or the firewalls, you could implement ACLs - first deny to dest of other vlans then permit any
or you could implement pvlans on the switches
never seen switchport protected used much in prodution networks
please rate if helpful or solved :)
That is not really what we are looking to achieve.
Actually come to think of it, the actual servers will be on a blade enclosure which there will be multiple servers going through the same port, how would we isolate these from each other if coming off the same port to a blade switch?