I need to allow good traffic into my VMware environment but block bad broadcast and multicast traffic from getting in. Currently I have an SVI set up to allow for the communication, but it seems to allow broadcast and multicast traffic to get to my individual VLAN interfaces despite ACL entries on the inbound SVI interfaces.
Would I be better off making a routed port uplink to the rest of the network, or should I use VACLs to block all but desirable IP traffic?
Basically I have all of the VMware networks for console, management, kernel, vMotion, etc. on their own VLAN and subnet with ACLs to permit only the necessary traffic into the VLAN. At some point I have to link back to the production LAN, which I don't have control over and which has a ton of broadcast/multicast traffic that I don't want getting into the VMware networks. Currently I just have an L2 uplink port with an SVI in the native VLAN to allow communication.
So basically I am asking for the best way to block broadcast and multicast traffic from getting into my VLANs that is coming from the production network.
What I am a bit confused by is that my ACL on the production network shows literally millions of blocks, but the ACLs on the internally defined VLANs are also showing drops of the broadcast traffic that I thought should have all been dropped by the first ACL.
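As an added illustration (editor's example, not part of the question or any answer), here is what the two alternatives the post mentions look like in Cisco IOS syntax. The interface name, VLAN 30, and the subnets are assumed. Option A replaces the L2 uplink plus native-VLAN SVI with a routed port, which terminates the production broadcast domain at the uplink so that only routed IP packets reach the VMware VLANs and the ACL on the uplink sees all of them. Option B keeps the L2 uplink and applies a VACL; unlike a router ACL on an SVI, which is only evaluated on packets being routed, a VACL is evaluated on frames bridged within the VLAN, which is where flooded broadcast and multicast traffic lives.

```cisco
! Added illustration, not from the original post. Interface, VLAN and subnet
! numbers are assumed values.

! --- Option A: routed uplink. The port is L3, so production-side L2 broadcast
! and multicast are never bridged into this switch; only routed IP arrives
! and the inbound ACL on this port sees all of it.
interface GigabitEthernet1/0/1
 description Uplink to production LAN (L3, assumed addressing)
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip access-group PROD-IN in
!
ip access-list extended PROD-IN
 remark Assumed policy: admin subnet to vCenter/ESXi management on 443 only
 permit tcp 10.10.0.0 0.0.0.255 10.20.10.0 0.0.0.255 eq 443
 deny   ip any any log

! --- Option B: keep the L2 uplink, filter bridged frames with a VACL on the
! vMotion VLAN (assumed VLAN 30, 10.20.30.0/24). A VACL applies to frames
! switched within the VLAN, not just to packets routed through the SVI.
ip access-list extended BCAST-MCAST
 permit ip any host 255.255.255.255
 permit ip any 224.0.0.0 15.255.255.255
!
ip access-list extended VMOTION-OK
 permit ip 10.20.30.0 0.0.0.255 10.20.30.0 0.0.0.255
!
vlan access-map VMOTION-FILTER 10
 match ip address BCAST-MCAST
 action drop
vlan access-map VMOTION-FILTER 20
 match ip address VMOTION-OK
 action forward
vlan access-map VMOTION-FILTER 30
 action drop
!
vlan filter VMOTION-FILTER vlan-list 30
```

Two caveats to check before relying on either option: IP ACLs in both forms match only IP packets, so non-IP frames such as ARP are not affected by them (a VACL can additionally match a `mac access-list extended` if those must be controlled), and a VACL drops or forwards traffic in both directions within the VLAN, so the permit entries have to cover the VMware hosts' own legitimate traffic, not only what comes from the production side.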