Brian Nielsen wrote:
> In short, yes. The port would be set up as a trunk port...
> You may want to use VLANs in the network ...
This really cannot be done without VLANs -- a "trunk port" is a VLAN
term describing a port which is defined to carry traffic for multiple VLANs.
The separate security zones can only be properly isolated from each
other by using VLANs. If you use overlapping IP address ranges in a
single VLAN (or on a non-VLAN network), an administrator on any of your
systems could configure a connection to any of the available networks
and gain direct access to that address range.
A VSWITCH would allow you to attach your guests to the right VLAN,
enforced by CP (and/or your ESM, depending on your z/VM level). This
would allow you to set up non-VLAN-aware systems that attach, and are
restricted, to their rightful security zone.
On the network side, you need IEEE 802.1q Virtual LAN (VLAN) support in
the switch(es) to create the different VLANs. Presumably the
appropriate firewalls to control access between the VLANs already exist,
but if they don't (and you have some cycles to spare under z/VM) you
could build one or more Linux systems linked to the VSWITCH and defined
to each of the VLANs to provide your firewall/routing function.
My VSWITCH Redpaper (REDP-3719) is getting a bit old now, but if you're
not familiar with VLAN and VSWITCH it's still worth a read for the basics.
Cheerio,
Vic Cross
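As an added example (not from Vic's or Brian's posts, and not from the Redpaper), here is the shape of the Linux firewall/router Vic describes at the end: a guest whose VSWITCH port is granted as a trunk carrying several VLANs, with one 802.1q sub-interface per security zone and a default-drop forward policy between them. The interface name eth0, the VLAN IDs, the addresses and the allowed flows are made-up values for illustration; by default the script only prints the commands it would run, and executes them only when APPLY=1 (which needs root and the nft and ip tools on the guest).

```shell
#!/bin/sh
# Added example, not code from the original thread. A Linux guest on a
# z/VM VSWITCH trunk port acting as router/firewall between three zones,
# one 802.1q VLAN each. On the z/VM side the guest's NIC would be
# authorised for those VLANs with something of the form
#   SET VSWITCH VSW1 GRANT LNXFW VLAN 10 20 30 PORTTYPE TRUNK
# (check the CP command reference for your z/VM level); everything below
# runs inside the Linux guest.
# Hypothetical values: trunk NIC eth0, VLANs 10/20/30, documentation prefixes.

TRUNK_IF="${TRUNK_IF:-eth0}"

# zone name, VLAN ID, router address on that VLAN (constructed sample data)
ZONES="dmz 10 192.0.2.1/24
app 20 198.51.100.1/24
db 30 203.0.113.1/24"

# Connection initiators allowed across zones: src-zone dst-zone proto dport.
# Anything not listed is dropped; reply traffic is handled statefully.
ALLOW="dmz app tcp 8443
app db tcp 5432"

# vlan_ifname TRUNK VID -> kernel name of the tagged sub-interface
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# zone_vid ZONE -> VLAN ID of that zone, empty if unknown
zone_vid() {
  echo "$ZONES" | while read -r z v _; do
    [ "$z" = "$1" ] && { echo "$v"; break; }
  done
}

# iproute2 commands that create and address every zone's sub-interface
setup_cmds() {
  echo "$ZONES" | while read -r z v cidr; do
    [ -n "$z" ] || continue
    ifn=$(vlan_ifname "$TRUNK_IF" "$v")
    printf 'ip link add link %s name %s type vlan id %s\n' "$TRUNK_IF" "$ifn" "$v"
    printf 'ip addr add %s dev %s\n' "$cidr" "$ifn"
    printf 'ip link set %s up\n' "$ifn"
  done
  echo 'sysctl -w net.ipv4.ip_forward=1'
}

# nftables ruleset: forward chain with policy drop, established/related
# accepted, and one "ct state new accept" rule per ALLOW entry keyed on the
# zones' sub-interfaces so the VLAN tag, not the IP range, decides the zone.
nft_ruleset() {
  printf 'table inet zones {\n'
  printf '  chain forward {\n'
  printf '    type filter hook forward priority 0; policy drop;\n'
  printf '    ct state established,related accept\n'
  printf '    ct state invalid drop\n'
  echo "$ALLOW" | while read -r s d p port; do
    [ -n "$s" ] || continue
    sif=$(vlan_ifname "$TRUNK_IF" "$(zone_vid "$s")")
    dif=$(vlan_ifname "$TRUNK_IF" "$(zone_vid "$d")")
    printf '    iifname "%s" oifname "%s" %s dport %s ct state new accept\n' \
      "$sif" "$dif" "$p" "$port"
  done
  printf '  }\n'
  printf '}\n'
}

if [ "${APPLY:-0}" = 1 ]; then
  setup_cmds | sh -e          # needs root: creates interfaces, enables forwarding
  nft_ruleset | nft -f -      # loads the inter-zone policy atomically
else
  setup_cmds                  # dry run: show what would be executed
  echo '# nft -f - <<EOF'
  nft_ruleset
  echo '# EOF'
fi
```

Run it once without APPLY to review the generated commands and ruleset, then with APPLY=1 on the guest. The point of keying rules on iifname/oifname rather than on addresses is the one Vic makes: with overlapping ranges across zones, the VLAN tag (enforced by the VSWITCH) is the only trustworthy zone identifier.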