From b074964d6f2bdb1348aa0d48900e9183a8c079ab Mon Sep 17 00:00:00 2001 From: Aaron Lauterer Date: Wed, 20 Nov 2024 13:02:04 +0100 Subject: [PATCH] pvesdn: add note to port isolation to use firewall in clusters since port isolation is only local on the host. To get better port isolation, the VNET firewall can be used. Signed-off-by: Aaron Lauterer --- pvesdn.adoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pvesdn.adoc b/pvesdn.adoc index 2e24dd2..1541e54 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -388,6 +388,10 @@ but not for the interface itself. This means guests can only send traffic to non-isolated bridge-ports, which is the bridge itself. In order for this setting to take effect, you need to restart the affected guest. +NOTE: Port isolation is local to each host. Use the +xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in +the VNET across nodes. For example, DROP by default and only allow traffic from +the IP subnet to the gateway and the vice versa. [[pvesdn_config_subnet]] Subnets
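Review bot: the last added line of the NOTE has a grammar slip, "and the vice versa" should read "and vice versa"; while touching it, consider phrasing the example rule as a complete sentence, e.g. "For example, DROP by default and only allow traffic between the IP subnet and the gateway in both directions." Please also confirm that the anchor `pvesdn_firewall_integration` used in the xref is actually defined in the documentation, since an unresolved xref renders as a broken link. Finally, the note could say explicitly what the firewall adds over the bridge setting, which the commit message already states: port isolation only stops guests on the same host from talking to each other, so without VNET firewall rules guests on different nodes can still reach one another over the VNET.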