We have several machines plugged into various ports on a Cisco Nexus 5000. We want to separate the switch into groups, so a handful of machines can see and talk to each other and no one else. In other words, we want to create a physically isolated port group.
We (apparently) have no VLAN IDs available, as they are all used (large corporate network), so we cannot just separate these into a VLAN or a PVLAN.
Is there a way to just tell the switch to physically isolate traffic to only a given group of ports?
If you want these devices to be totally isolated from everything else, just add them all onto their own separate switch and call it a day. No point being on the shared company switch if you specifically don't want them to be able to talk to anyone else.
Edit:
What else is on the same segment as you that you want to avoid? Do you just not want the servers to be able to route out? Or are there other servers on the same VLAN segment that they shouldn't be able to talk to?
If you really wanted to get crazy, you could have IT provision a new virtual switch on the Nexus chassis that has your server ports assigned to it. You can use whatever VLANs you like, and they won't communicate with the ones in the main context. Of course, if I was your network engineer and you asked me to do this I would have a good chuckle about it with the guys after work.
There are other hacks you could do. PVLANs of course, but you don't have any more VLANs. VLAN filters could be used to only allow your IPs to talk to your own IPs. Just plain old ACLs on ports could stop the L3 traffic too if you wanted.
I also have a suspicion that the switch isn't out of VLANs, and your network guy just wants to avoid work or having to explain to you why policy doesn't allow it. But take that for what it's worth -- a guess.
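For reference, here is what the "plain old ACLs on ports" option from the answer above looks like as NX-OS configuration. This is an added example, not configuration from the original post or any poster; the ACL name, the Ethernet1/1-4 ports and the 10.1.1.0/24 group subnet are assumptions.

```nxos
! Added example (not from the original thread). Assumed: the isolated group
! uses 10.1.1.0/24 and is plugged into Ethernet1/1-4 on the Nexus 5000.
! Named IPv4 ACL: only allow traffic from the group's subnet to the group's subnet.
ip access-list GROUP-ONLY
  10 permit ip 10.1.1.0/24 10.1.1.0/24
  20 deny ip any any
! Apply the ACL as an ingress port ACL (PACL) on each group-member port;
! on the Nexus 5000 a port ACL is applied inbound on the L2 interface.
interface ethernet 1/1-4
  switchport
  ip port access-group GROUP-ONLY in
! Caveat: this filters IPv4 only. ARP and other non-IP frames still flood
! within the existing VLAN, and hosts outside the group can still send IP
! packets toward the group (only what the group sends is filtered), so this is
! traffic containment at L3, not the L2 isolation a PVLAN or separate VLAN gives.
```

Because the ACL denies everything outside the subnet, the group hosts also lose their default gateway; that matches the answer's "only allow your IPs to talk to your own IPs" and is intended here.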
The correct answer for this is to use VLANs -- this is pretty much exactly what they're designed for.
Unfortunately, the Nexus 5K doesn't support VDCs like the Nexus 7K does. So I agree the only way to divide the network (other than using a new switch) is to use VLANs or PVLANs.