> I am pretty sure this can't be done at the vswitch level but
> thought I'd ask if anyone has done something similar. I know I can
> block at the guest level but wanted to block all guests at the switch
> level.
IP addresses are layer 3 entities. VSWITCH deals with layer 2 frames. The most you could do with the VSWITCH is block the guest from attaching to the VSWITCH in question via GRANTs. You could put that guest on a different VLAN and use a Linux guest as a router between the VLANs. You could then use iptables in the Linux guest to limit where it can go and what it can connect to, but at the price of doing packet inspection on the 390 CPU. You could also do the above trick on an outboard box if your network is set up in that form, but you still need to insert some kind of filtering device. It's most efficient to do that outside the box, so that might be your best bet -- ACLs in a router are very efficient.
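The "separate VLAN plus a Linux router guest running iptables" layout described above, as an added example that is not part of the original reply. It assumes the router guest's NIC is attached to the VSWITCH as a trunk carrying both VLANs (the VSWITCH GRANT for that is a CP step outside this script), that the restricted guest sits alone on VLAN 20 while everyone else is on VLAN 10, and the interface name, VLAN IDs, addresses and the single permitted destination are all made up for illustration. The script only prints the commands so they can be reviewed first; pipe its output into `sh` as root on the router guest to apply them.

```shell
#!/bin/sh
# Added example, not from the original post. Linux guest routing between two
# VLANs on one z/VM VSWITCH, with iptables confining the guest on VLAN 20.
# Every name and address below is an assumption for illustration.

TRUNK=eth0              # assumed: the guest's VSWITCH NIC, trunking both VLANs
VLAN_MAIN=10            # assumed: VLAN where the ordinary guests live
VLAN_JAIL=20            # assumed: VLAN holding only the restricted guest
JAIL_GUEST=10.20.0.5    # assumed: the restricted guest's address
ALLOWED_DST=10.10.0.25  # assumed: the one host it may initiate to
ALLOWED_PORT=443        # assumed: and only on this TCP port

# Print the interface setup: one 802.1Q subinterface per VLAN on the trunk NIC,
# the router's address on each, and IPv4 forwarding turned on.
link_cmds() {
    for v in "$VLAN_MAIN" "$VLAN_JAIL"; do
        echo "ip link add link $TRUNK name $TRUNK.$v type vlan id $v"
        echo "ip link set $TRUNK.$v up"
    done
    echo "ip addr add 10.10.0.1/24 dev $TRUNK.$VLAN_MAIN"
    echo "ip addr add 10.20.0.1/24 dev $TRUNK.$VLAN_JAIL"
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Print the FORWARD-chain rules. Default deny, return traffic via conntrack,
# one explicit allow from the restricted guest, and a logged drop of the rest.
filter_cmds() {
    JAIL_IF="$TRUNK.$VLAN_JAIL"
    MAIN_IF="$TRUNK.$VLAN_MAIN"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Anything arriving on the jail VLAN that does not carry the expected
    # source address is spoofed or stray; drop it before any allow rule.
    echo "iptables -A FORWARD -i $JAIL_IF ! -s $JAIL_GUEST -j DROP"
    # The single permitted flow: jail guest -> allowed host, new TCP connections only.
    echo "iptables -A FORWARD -i $JAIL_IF -o $MAIN_IF -s $JAIL_GUEST -d $ALLOWED_DST -p tcp --dport $ALLOWED_PORT -m conntrack --ctstate NEW -j ACCEPT"
    # Log, then drop, everything else the jail guest tries to reach.
    echo "iptables -A FORWARD -i $JAIL_IF -j LOG --log-prefix 'jail-drop: ' --log-level 4"
    echo "iptables -A FORWARD -i $JAIL_IF -j DROP"
}

# Running the script prints the full command sequence for review.
link_cmds
filter_cmds
```

The DROP policy on FORWARD also stops the other guests from initiating connections toward the restricted guest, which is usually what is wanted when isolating it; add a mirror-image ACCEPT if the restricted guest must also serve something. The conntrack match is what makes this a stateful filter, and it is also where the CPU cost the reply warns about comes from: every forwarded packet is tracked by the router guest rather than by an outboard router's ACL.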
