Private VLANs (PVLAN) within Proxmox

Undivided0519

Oct 30, 2024
Trying to wrap my head around how to implement a PVLAN within Proxmox. The purpose would be microsegmentation, so that the VMs could not talk to each other without going through the upstream L3 device that has the Promiscuous Port configuration defined. Short of creating a VLAN per VM, is there a way to do this?
For reference and to clear up confusion, this is what I'm referring to: https://www.geeksforgeeks.org/private-vlan/, or some may call it "Port Isolation".
 
You could either use the Bridge Port Isolation option [1] that has been introduced in the latest PVE version, or if you need more fine-grained control the VNet Firewall of SDN [2].

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pvesdn_config_vnet
[2] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pvesdn_firewall_integration
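
Added example, not part of the thread and not Proxmox code: a check that the isolation described in the reply above is actually in effect on a node, by auditing the per-port `isolated` flag of a Linux bridge. The sample data is constructed in the shape of `bridge -j -d link show` JSON, and the guest-port naming pattern and the bridge names `vmbr0`/`vmbr1` are assumptions.

```python
import json
import re

# Constructed sample shaped like `bridge -j -d link show` output (not from the thread).
SAMPLE = json.dumps([
    {"ifname": "eno1", "master": "vmbr0", "state": "forwarding", "isolated": False},
    {"ifname": "tap100i0", "master": "vmbr0", "state": "forwarding", "isolated": True},
    {"ifname": "tap101i0", "master": "vmbr0", "state": "forwarding", "isolated": False},
    {"ifname": "veth102i0", "master": "vmbr0", "state": "forwarding", "isolated": True},
    {"ifname": "tap200i0", "master": "vmbr1", "state": "forwarding", "isolated": False},
])

# Assumption: guest NICs are named tap<vmid>i<n> (VMs), veth<vmid>i<n>
# (containers) or fwpr<vmid>p<n> (guests behind a firewall bridge).
GUEST_PORT = re.compile(r"^(tap|veth)\d+i\d+$|^fwpr\d+p\d+$")


def audit_isolation(bridge_json, bridge):
    """Return (unisolated_guests, isolated_uplinks) for one bridge.

    Isolated ports cannot exchange frames with other isolated ports but can
    still reach non-isolated ports, so every guest port should be isolated
    and the uplink should not be (it plays the promiscuous-port role).
    """
    unisolated_guests, isolated_uplinks = [], []
    for port in json.loads(bridge_json):
        if port.get("master") != bridge:
            continue  # port belongs to another bridge
        name = port["ifname"]
        isolated = bool(port.get("isolated", False))
        if GUEST_PORT.match(name):
            if not isolated:
                unisolated_guests.append(name)  # can reach other guests at L2
        elif isolated:
            isolated_uplinks.append(name)  # guests would lose the upstream path
    return sorted(unisolated_guests), sorted(isolated_uplinks)


if __name__ == "__main__":
    guests, uplinks = audit_isolation(SAMPLE, "vmbr0")
    print("guest ports without isolation:", guests)
    print("non-guest ports with isolation:", uplinks)
```

On a node, replace `SAMPLE` with the live output of `bridge -j -d link show`. The flag is local to each host's bridge, so traffic between guests on different nodes still has to be constrained by the physical switch.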
So this will have the isolation to the bridge, but doesn't satisfy the need of a network PVLAN that would extend all the way out to the switch that has the P port that would then allow the access. This is all about micro-segmentation to be honest.
 
Support for PVLANs itself is not available in Proxmox, sorry. You can manage the constraints from the PVE side with the tools mentioned above and then the switch takes care of everything that leaves the PVE node.
 
That's unfortunate, would be hard to use Proxmox in a Zero-Trust Network Architecture without this, I think. There are ways, using the firewall and OVS; OVS is an interesting beast all in itself, honestly.
 
I'm also interested in PVLAN, but as long as the above scales across multiple hosts so that VMs are also isolated within the cluster, it would be compatible. Would the suggestions above do that? We are using PVLAN across sites, which works well with VMware, which I'm trying to look away from.
 