masraum
Quote:
Originally Posted by ErrorMargin
This is true if you run tagged or trunk level VLANs, where each packet is tagged with the VLAN number and every device must be configured to work on the desired VLAN.

However, if you configure port (aka access port) level VLAN as I suggest above, then the router will only send the designated traffic for a given port's VLAN to that port, and it will not route that traffic to any other port. Per my example above, when configured for access port VLANs, port 1 will only see traffic to and from VLAN 1, port 2 will only see traffic to and from VLAN 2, etc. No firewalls or client configuration required.

A port level VLAN is probably the best and certainly the easiest way to conclusively achieve the goals of the OP.

Here is some documentation to back this up:

This page from Cisco Meraki explains in the Best Practices section that an untagged or "access" port accepts traffic for only a single VLAN. No VLAN tagging or firewall required:
https://documentation.meraki.com/Platform_Management/Dashboard_Administration/Design_and_Configure/Configuration_Guides/Routing_and_Firewall/Fundamentals_of_802.1Q_VLAN_Tagging


This page from Ubiquiti says that "Trunk ports allow traffic for multiple VLANs, while access ports handle traffic for a single VLAN, ensuring a robust and well-organized network."
https://help.ui.com/hc/en-us/articles/26136855808919-Switch-Port-VLAN-Assignment-Trunk-Access-Ports


This page on VLANs from Cisco says 'An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.'
https://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_1/Cisco_Nexus_5000_Series_Switch_CLI_Software_Configuration_Guide_chapter8.html
The thing is that if you have 3 VLANs on one switch, and that switch also has the layer 3 interfaces for those VLANs (basically that switch is the "gateway" for all 3 VLANs), then the switch will route between them. VLANs are a layer 2 segregation, so as soon as you add layer 3, your segregation is no longer applicable, but then most layer 3 devices support access lists.

All VLANs do (at least in the normal networking world) is keep devices from talking directly to each other (rather than through a middle man like a router).

In a normal home device that has a WAN port and a bunch of LAN ports, even if you can put the LAN ports on different VLANs, it will allow the devices on the various VLANs to talk unless there's some sort of access management specifically to disallow that.
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
Posted 03-17-2026, 11:35 AM (post #16)
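As an added illustration of the point in the post above (not code from either poster), a Cisco IOS-style switch configuration with hypothetical VLAN numbers, interface names and addresses: access ports alone keep the three VLANs apart at layer 2, adding SVIs turns the same switch into the gateway that routes between them, and access lists on those SVIs bring the segregation back.

```text
! Three VLANs, each tied to one access port (the "port level VLAN" scheme from the quote)
vlan 10
 name USERS
vlan 20
 name IOT
vlan 30
 name GUEST
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 30
! With only the lines above, hosts in different VLANs cannot reach each other:
! they are separate broadcast domains with no layer 3 path between them.
!
! Adding SVIs makes this switch the gateway for all three VLANs; it now routes between them.
ip routing
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
!
! Access lists restore the segregation: drop traffic bound for the other two VLAN
! subnets and let everything else (default route, the SVI's own address) through.
ip access-list extended ISOLATE-VLAN10
 deny   ip 10.0.10.0 0.0.0.255 10.0.20.0 0.0.0.255
 deny   ip 10.0.10.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip any any
ip access-list extended ISOLATE-VLAN20
 deny   ip 10.0.20.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.20.0 0.0.0.255 10.0.30.0 0.0.0.255
 permit ip any any
ip access-list extended ISOLATE-VLAN30
 deny   ip 10.0.30.0 0.0.0.255 10.0.10.0 0.0.0.255
 deny   ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 permit ip any any
interface Vlan10
 ip access-group ISOLATE-VLAN10 in
interface Vlan20
 ip access-group ISOLATE-VLAN20 in
interface Vlan30
 ip access-group ISOLATE-VLAN30 in
```

Each ACL is applied inbound on its own SVI, so a packet from VLAN 10 to VLAN 20 is dropped at the VLAN 10 gateway before it is ever routed, and the reply direction is covered by the ACL on the other SVI.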