> Our z/VM environment currently sits behind a firewall. We would like to allow one Linux guest to act as an Internet server. We do not, however, want to expose the other Linux guests or the z/VM environment itself to the outside world. We are using VSWITCH.

Good. That makes a few things possible.

> Is this possible? What options are there? Do we require a separate OSA for the Linux guest in the DMZ?

Not necessarily. The easiest thing to do is to have your network guys engineer a new VLAN, and move the guest you want to expose onto that VLAN. That requires no physical hardware changes, and the networking guys can do all the routing that needs to happen outside the box. As long as there are no other network connections to the exposed guest, you can't get from there to any of the other guests.

The assumption is that you're using VLAN-aware VSWITCHes, and that your networking guys understand how to make the magic connections to create and propagate a VLAN in your network. These days, that's a fairly safe bet.

If you have spare money or excessively paranoid security weenies, you could get another OSA and dedicate it to that one guest. It's a waste of money, but technically valid.

> As I'm not a comms guy, please keep it simple. Thanks in advance.

You'll want to work closely with the network guys. Show them the 1st paragraph above, and they'll get it.

-- db
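The condition in the reply ("no other network connections to the exposed guest") can be checked mechanically against an inventory of guest network connections. The following is an added example, not part of the original thread; the guest names, the VSWITCH name VSW1, the VLAN IDs and the inventory format are all constructed for illustration and are not z/VM command output.

```python
# Added example: audit a constructed inventory of guest NIC attachments for
# the isolation condition described in the reply. All names are hypothetical.

# One row per guest NIC: (guest, network, vlan).
# "network" is a VSWITCH or other attachment; vlan None means no VLAN ID.
GOOD = [
    ("LINUX01", "VSW1", 100),   # internal guests stay on the internal VLAN
    ("LINUX02", "VSW1", 100),
    ("LINUXWEB", "VSW1", 200),  # exposed guest alone on the new DMZ VLAN
]

# Same inventory with two mistakes: the exposed guest is dual-homed, and an
# internal guest has been granted the DMZ VLAN as well.
BAD = GOOD + [
    ("LINUXWEB", "VSW1", 100),
    ("LINUX02", "VSW1", 200),
]


def check_dmz_isolation(inventory, dmz_guest, dmz_segment):
    """Return a list of findings; an empty list means the condition holds.

    dmz_segment is the (network, vlan) pair reserved for the exposed guest.
    """
    findings = []
    dmz_switch, _ = dmz_segment
    on_dmz = False
    for guest, network, vlan in inventory:
        segment = (network, vlan)
        if guest == dmz_guest:
            if segment == dmz_segment:
                on_dmz = True
            else:
                # Any second path from the exposed guest bridges the two zones.
                findings.append(
                    f"{guest} has a second connection on {network} VLAN {vlan}")
        elif segment == dmz_segment:
            findings.append(
                f"{guest} shares the DMZ segment {network} VLAN {vlan}")
        if network == dmz_switch and vlan is None:
            # The reply assumes VLAN-aware connections on this VSWITCH.
            findings.append(f"{guest} is attached to {network} without a VLAN ID")
    if not on_dmz:
        findings.append(f"{dmz_guest} has no connection on the DMZ segment")
    return findings


if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_dmz_isolation(inv, "LINUXWEB", ("VSW1", 200)) or "isolated")
```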
