On Fri, Jan 16, 2004 at 01:40:12PM -0600, Alan Schilla wrote:
> This means I need to
> isolate one guest lan from another so rather than point-2-point mine is more
> a pool-2-pool environment. I have been providing this using an SLES8
> iptables server that receives packets from VM TCP/IP and distributes to the
> application server guest lans. This environment is also front-ended with an
> external firewall providing most port and ip address filtering. Within the
> iptables server I maintain a pretty small ruleset so I do not see this
> firewall server as very active but also, at this time, our VM Linux
> environment is not very active either.

You may want to turn up the priority on the virtual machine, too, since
if it's starving, no Linux guests are getting any work done.

> I did need to make this firewall
> guest larger because of the storage used for each qdio eth interface. I am
> curious why 6 point-2-point is a recommended maximum?

Because that's all the state I can keep in my head with any degree of
confidence.  The machine can certainly handle more, but the design gets
confusing to me if there are more up-and-downstreams.  YMMV.

> Would this statement
> also apply to guest lan?

Not in terms of hosts, certainly.  Again, I would probably put a max of
about 5 guest LANs through a single box just so that I could keep the
"who gets to route to whom" decision tree reasonably manageable.

> Is this also taken to the previous layer of VM
> TCP/IP so an additional stack should be defined when more than 6?

Nah, unless you need multiple VM stacks for failover, etc.

> I saw the
> picture in a previous posting using VLAN and switching to forward requests
> from guestlan back to the external firewall but I did not see how this was
> simpler. Less resource maybe but it looked pretty complex to me. And does
> each separate guestlan require a separate VLAN and external OSA port? Please
> let me know your thoughts.

It's not simpler!  It's a way you can do it if you have to route guest
LANs through an outside device, either because of policy, or because you
have a severe cycle crunch and can't afford to do the packet filtering
locally.

Each separate guest LAN needs a separate VLAN, but will not need a
separate OSA port, because the VLAN effectively enforces the traffic
isolation you were using the OSA port for.

Adam
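As an added illustration of the "who gets to route to whom" decision tree Adam describes (a constructed example, not code from this thread or from either poster), the script below generates a small iptables FORWARD ruleset for a Linux firewall guest that sits between the VM TCP/IP stack and several guest LANs. The interface names (eth0 toward VM TCP/IP, eth1..eth3 for guest LANs), the empty default list of guest-LAN pairs allowed to talk to each other, and the "warn above 5 guest LANs" rule of thumb taken from the reply are all assumptions of the example. It only prints the iptables commands; applying them is a separate, root-only step.

```shell
#!/bin/sh
# Constructed example: emit an iptables ruleset that isolates guest LANs from
# one another while letting each reach the upstream VM TCP/IP link.
# All interface names and the pair policy below are assumed, not from the thread.

UPSTREAM_IF=eth0            # assumed: link toward VM TCP/IP / external firewall
GUEST_IFS="eth1 eth2 eth3"  # assumed: one interface per guest LAN
ALLOWED_PAIRS=""            # assumed policy: no guest-LAN-to-guest-LAN traffic;
                            # set e.g. "eth1:eth2" to permit lan1<->lan2

# Rule of thumb from the reply: keep the decision tree small. Returns 1 when
# more than 5 guest LANs are routed through this one firewall guest.
check_guest_lan_count() {
    n=0
    for g in $GUEST_IFS; do n=$((n + 1)); done
    [ "$n" -le 5 ]
}

# Print the FORWARD chain rules on stdout. Default policy is DROP, so any path
# not explicitly listed here (in particular guest LAN -> guest LAN) is blocked.
gen_rules() {
    echo "iptables -F FORWARD"
    echo "iptables -P FORWARD DROP"
    # Return traffic for flows already accepted below.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Each guest LAN may open flows to the upstream and be reached from it.
    for g in $GUEST_IFS; do
        echo "iptables -A FORWARD -i $UPSTREAM_IF -o $g -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $g -o $UPSTREAM_IF -m state --state NEW -j ACCEPT"
    done
    # Only explicitly listed guest LAN pairs may talk to each other.
    for p in $ALLOWED_PAIRS; do
        a=${p%%:*}; b=${p##*:}
        echo "iptables -A FORWARD -i $a -o $b -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $b -o $a -m state --state NEW -j ACCEPT"
    done
    # Log whatever falls through before the DROP policy discards it.
    echo "iptables -A FORWARD -j LOG --log-prefix 'guestlan-drop: '"
}

# Stand-alone use: review the generated rules, then apply with "gen_rules | sh" as root.
check_guest_lan_count || echo "warning: more than 5 guest LANs on one firewall guest" >&2
gen_rules
```

Because the policy lives in two variables rather than in hand-written rules, adding a guest LAN is a one-word change and every guest LAN automatically gets the same upstream-only access; the LOG rule at the end is what makes an attempted cross-LAN connection visible in the firewall guest's syslog.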