Tuesday, January 14, 2020

Isolated VLANs

Hi, I am just looking for a bit of advice on how I would set up my DMZ network so that I can isolate my virtual machines from each other. My setup includes 3 host machines, each with 4 1GB connections set up in a SET. I then have ~10 virtual machines spread between the 3 devices. I don't want the VMs to have any connectivity to each other unless they go through a firewall at the end of my promiscuous port. I can then have better control for access etc.

I want to be able to move the virtual machines between any host without connectivity issues. At the moment all machines are using an IP address in the 192.168.10.x range with a default gateway of 192.168.10.1, which is the firewall at the end of the promiscuous port.

Here is the code I am currently using below. The issue I have at the moment is that the machines on each host can ping each other, but they don't go through the promiscuous port to achieve this; it appears to be a direct connection. I would presume this is because they use the same port.

Machines on Host 1 can't ping machines on Host 2. It doesn't attempt to send this traffic through the promiscuous port either, as my firewall reports no traffic. Is this because the machines are on the same subnet and are trying to find the other VMs using broadcast rather than routing via the default gateway? I suspect the reason the machines can ping each other on the same host machine is because the ports are what is isolated, not the traffic from each VM, so as far as the switch is concerned any traffic on Host 1 is coming from Host 1 and it won't differentiate between host / VM etc.

Any advice on a better way to configure this or changes to make it work would be appreciated!

configure
vlan 2-3
exit
vlan 2
private-vlan primary
private-vlan association 3
exit
vlan 3
private-vlan isolated
exit
!
interface Gi1/0/1
channel-group 1 mode on
exit
!
interface Gi1/0/2
channel-group 1 mode on
exit
!
interface Gi1/0/3
channel-group 1 mode on
exit
!
interface Gi1/0/4
channel-group 1 mode on
exit
!
interface Gi1/0/5
channel-group 2 mode on
exit
!
interface Gi1/0/6
channel-group 2 mode on
exit
!
interface Gi1/0/7
channel-group 2 mode on
exit
!
interface Gi1/0/8
channel-group 2 mode on
exit
!
interface Gi1/0/9
channel-group 3 mode on
exit
!
interface Gi1/0/10
channel-group 3 mode on
exit
!
interface Gi1/0/11
channel-group 3 mode on
exit
!
interface Gi1/0/12
channel-group 3 mode on
exit
!
interface Gi1/0/23
channel-group 4 mode on
exit
!
interface Gi1/0/24
channel-group 4 mode on
exit
!
interface port-channel 1
switchport mode private-vlan host
switchport private-vlan host-association 2 3
exit
!
interface port-channel 2
switchport mode private-vlan host
switchport private-vlan host-association 2 3
exit
!
interface port-channel 3
switchport mode private-vlan host
switchport private-vlan host-association 2 3
exit
!
interface port-channel 4
switchport mode private-vlan promiscuous
switchport private-vlan mapping 2 3
exit
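The behaviour described in the post can be reasoned about with a small reachability model. This is an added example, not code from the post: it parses the PVLAN-relevant lines of the posted switch config, and assumes (as the poster suspects) that the SET vSwitch on each host forwards frames between its own VMs locally, so the physical switch only ever sees one isolated port per host. The VM placement and the names vm1/vm2/vm3/fw are constructed.

```python
from itertools import combinations
# Constructed copy of the PVLAN-relevant lines from the posted switch config.
SWITCH_CONFIG = """\
vlan 3
private-vlan isolated
interface port-channel 1
switchport mode private-vlan host
switchport private-vlan host-association 2 3
interface port-channel 2
switchport mode private-vlan host
switchport private-vlan host-association 2 3
interface port-channel 3
switchport mode private-vlan host
switchport private-vlan host-association 2 3
interface port-channel 4
switchport mode private-vlan promiscuous
switchport private-vlan mapping 2 3
"""

def parse_pvlan_ports(cfg):
    """Return ({port: (mode, secondary VLAN id)}, {isolated VLAN ids})."""
    ports, isolated, ctx = {}, set(), None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] in ("vlan", "interface"):
            ctx = (t[0], " ".join(t[1:]))
        elif t[:2] == ["private-vlan", "isolated"] and ctx[0] == "vlan":
            isolated.add(ctx[1])
        elif t[:3] == ["switchport", "mode", "private-vlan"]:
            ports[ctx[1]] = [t[3], None]
        elif t[:2] == ["switchport", "private-vlan"]:
            ports[ctx[1]][1] = t[4]  # host-association / mapping: secondary VLAN id
    return {p: tuple(v) for p, v in ports.items()}, isolated
def l2_path(src, dst, placement, ports, isolated):
    """Describe how a frame from VM src reaches VM dst; placement: vm -> (host, uplink)."""
    (sh, sp), (dh, dp) = placement[src], placement[dst]
    if sh == dh:  # assumption: the SET vSwitch forwards between local VMs itself
        return "direct via host vSwitch: never reaches the physical switch or firewall"
    (smode, svlan), (dmode, dvlan) = ports[sp], ports[dp]
    if smode == dmode == "host" and svlan == dvlan and svlan in isolated:
        return "dropped by switch: both uplinks are isolated ports of the same PVLAN"
    return "forwarded by switch"  # one end is the promiscuous port (the firewall)
def firewall_bypass_pairs(placement, ports, isolated):
    """VM pairs that can talk to each other without traversing the promiscuous port."""
    return sorted((a, b) for a, b in combinations(sorted(placement), 2)
                  if l2_path(a, b, placement, ports, isolated).startswith("direct"))

# Constructed placement: two VMs on host 1, one on host 2, the firewall on port-channel 4.
PLACEMENT = {"vm1": ("host1", "port-channel 1"), "vm2": ("host1", "port-channel 1"),
             "vm3": ("host2", "port-channel 2"), "fw": ("firewall", "port-channel 4")}
PORTS, ISOLATED = parse_pvlan_ports(SWITCH_CONFIG)
```

firewall_bypass_pairs lists exactly the same-host pairs that reach each other without the firewall seeing them, which is the gap the post reports; cross-host pairs are dropped by the switch because both uplinks are isolated ports, while each VM still reaches the gateway on the promiscuous port.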
