Security – HP ProCurve Vlan Isolation


Okay, so we have an HP ProCurve Switch 2824, a Zyxel router and a bunch of 2012 R2 servers.
We currently have 3 VLANs in our network: 10 (Public), 20 (Private) and 30 (Management), but we'd like to have more isolation in these VLANs. I've been searching the internet for a few weeks for a way to isolate hosts in the same VLAN, but I have only found port-isolation, and that only works for ports and not VLANs.

All 24 ports of the switch are tagged to VLANs 10,20 and 30.

What I'm asking is: is it possible to prevent hosts in the same VLAN from talking to each other and force all traffic through the router we have, or something similar?
For security reasons I just can't allow VMs to talk to each other without a firewall in-between them.

I appreciate every little clue you might have.

EDIT:
Cisco has something that I believe would suit my needs, but sadly the equipment I have is HP (someone before me chose the equipment and I'm stuck with it).
http://www.cisco.com/c/en/us/support/docs/lan-switching/private-vlans-pvlans-promiscuous-isolated-community/40781-194.html

Best Answer

The only way to force traffic through a router is to make a bunch of /30 subnets (usually with each on their own VLAN) and put a single PC and a single router interface on each one.

You can also go 802.1QinQ but that's normally used for metro area networks and comes with its own set of complexities, and then you still have to set up /30's with router interfaces. But at least you'd still only have three "top level" VLANs.

Otherwise you would need to have very strictly enforced firewall rules on each host - you can control this centrally and granularly with GPOs - that deny all traffic in and out except to where you want them to talk to. Except then you're basically totally cutting them off, and making a firewall change by GPO is not exactly instant.
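The "one /30 per host, each on its own VLAN" scheme from the answer above, worked through as an added example (not code from the original thread): it carves a parent prefix into /30s, assigns each host its own VLAN ID, router address and host address, refuses plans that exceed the address or VLAN budget, and lets you check that two hosts no longer share a broadcast domain. The parent prefix, host names, VLAN numbers and port assignments are constructed sample values, and the rendered switch stanza is an assumed ProCurve-style layout, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class HostSegment:
    vlan_id: int
    network: ipaddress.IPv4Network
    router_ip: ipaddress.IPv4Address   # first usable address: router interface
    host_ip: ipaddress.IPv4Address     # second usable address: the single host


def plan_isolated_segments(parent_prefix, hosts, first_vlan=100):
    """One /30 + one VLAN per host, so every host-to-host packet must cross the router."""
    parent = ipaddress.ip_network(parent_prefix, strict=True)
    if parent.prefixlen > 30:
        raise ValueError("parent prefix must be /30 or larger")
    capacity = 2 ** (30 - parent.prefixlen)          # a /24 holds 64 /30s
    if len(hosts) > capacity:
        raise ValueError(f"{parent} holds only {capacity} /30 subnets, need {len(hosts)}")
    if first_vlan < 1 or first_vlan + len(hosts) - 1 > 4094:
        raise ValueError("not enough VLAN IDs in 1-4094 starting at first_vlan")
    # subnets(new_prefix=30) rejects a parent that is already a /30, so special-case it
    subnets = [parent] if parent.prefixlen == 30 else parent.subnets(new_prefix=30)
    plan = {}
    for offset, (host, subnet) in enumerate(zip(hosts, subnets)):
        router_ip, host_ip = list(subnet.hosts())     # exactly two usable addresses in a /30
        plan[host] = HostSegment(first_vlan + offset, subnet, router_ip, host_ip)
    return plan


def same_broadcast_domain(plan, a, b):
    """True if a and b could reach each other without the router (shared subnet)."""
    return plan[a].network == plan[b].network


def render_vlan_stanza(segment, host_port, uplink_port):
    """Assumed ProCurve-style stanza (constructed, check against your switch's CLI reference)."""
    return "\n".join([
        f"vlan {segment.vlan_id}",
        f'   name "iso-{segment.host_ip}"',
        f"   untagged {host_port}",     # the host's access port
        f"   tagged {uplink_port}",     # trunk towards the router (one sub-interface per VLAN)
        "   exit",
    ])


if __name__ == "__main__":
    plan = plan_isolated_segments("10.20.0.0/24", ["vm1", "vm2", "vm3"], first_vlan=200)
    for port, (name, seg) in enumerate(plan.items(), start=1):
        print(f"{name}: {seg.network} router={seg.router_ip} host={seg.host_ip}")
        print(render_vlan_stanza(seg, host_port=port, uplink_port=24))
```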
