On Wednesday, 09/30/2009 at 05:12 EDT, Florian Bilek <florian.bi...@gmail.com> wrote:
> There is a switch VMSWI1 to this switch all the LINUX systems and the z/VM
> stack are connected.
>
> The network is 151.100.1.0/24
>
> I would like to set up now another LINUX Instance that will act as a firewall.
> It should have the IP address 151.100.1.100. So it needs routing to another
> network (151.100.16.0/24)

You didn't provide a picture showing what you have and what you want. :-( That makes things obvious.

Today you have 151.100.1.100/24 that consists of VM TCP/IP, your Linux guests, and (at least) the external gateway. Tomorrow you want to have 151.100.1.100/24 consist of a firewall and the gateway, and you want to have a new 151.100.16.0/24 to contain VM TCP/IP and your Linux guests.

Keep in mind that if you want to keep using a VSWITCH for your guests, all firewalling (routing) is outboard. So:

1. You create a Guest LAN (or a *disconnected* VSWITCH) and change your VSWITCH to ETHERNET.
2. Put a firewall on both the new Guest LAN and your existing VSWITCH. It will have an IP address on the VSWITCH (151.100.1.100) and an IP address in the Guest LAN (e.g. 151.100.16.1).
3. Move VM TCP/IP and Linux guests to the Guest LAN.
4. Change their IP address to something in the 151.100.16.0/24 subnet.
5. Change their default gateways to point to the firewall, 151.100.16.1.
6. Ensure that the switch has a static route that points 151.100.16.0/24 to 151.100.1.100.

If you are required to handle host-directed failover in a DR scenario, the Linux firewall will also have to run an OSPF daemon.

> To my understanding I have to change VMSWI1 to a PRIROUTER.

PRIROUTER is needed when you are operating in layer 3 mode *and* a guest connected to the VSWITCH is performing routing to another network/subnet (e.g. CTC, IUCV, Guest LAN or another VSWITCH). Since you are proposing to change from a VSWITCH to a Guest LAN (I think), yes, you will need PRIROUTER if you leave the Linux firewall on layer 3.

Alan Altmark
z/VM Development
IBM Endicott
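The Linux side of the firewall guest from steps 2, 5 and 6 in the reply above, as an added example that is not part of the original thread or of any IBM documentation. The addresses are the ones discussed in the thread; the interface names eth0/eth1, the external gateway 151.100.1.1, the qeth device number 0.0.0600 and the forwarding policy are assumptions. Commands are printed rather than executed unless APPLY=1, so the plan can be reviewed on any machine before it is run as root on the guest.

```shell
#!/bin/sh
# Added example, not from the original thread: Linux configuration for the
# firewall guest that sits on both the VSWITCH and the new Guest LAN.
#
#   eth0 on VSWITCH VMSWI1, 151.100.1.100/24   (outside, toward the gateway)
#   eth1 on the new Guest LAN, 151.100.16.1/24 (inside, the guests' default gw)

OUTSIDE_IF=eth0
OUTSIDE_IP=151.100.1.100/24
OUTSIDE_GW=151.100.1.1            # assumption: the site's existing gateway
INSIDE_IF=eth1
INSIDE_IP=151.100.16.1/24
INSIDE_NET=151.100.16.0/24
QETH_DEV=0.0.0600                 # assumption: qeth device of the VSWITCH NIC

# Print each command instead of running it unless APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

fw_setup() {
    # Addresses on both sides of the firewall
    run ip addr add "$OUTSIDE_IP" dev "$OUTSIDE_IF"
    run ip link set "$OUTSIDE_IF" up
    run ip addr add "$INSIDE_IP" dev "$INSIDE_IF"
    run ip link set "$INSIDE_IF" up
    # Only the outside interface carries a default route; 151.100.16.0/24 is
    # directly connected on eth1, so it needs no extra route here.
    run ip route add default via "$OUTSIDE_GW" dev "$OUTSIDE_IF"
    # The guest must forward between the two networks.
    run sysctl -w net.ipv4.ip_forward=1
    # Forwarding policy: inside hosts may initiate, outside gets replies only,
    # anything else is logged and then dropped by the chain policy.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -s "$INSIDE_NET" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "fw-drop: "
}

# Layer 3 only: the qeth driver must be told this guest routes for the VSWITCH,
# the Linux counterpart of the PRIROUTER grant. Not needed in layer 2 mode.
set_route4() {
    f=/sys/bus/ccwgroup/drivers/qeth/$QETH_DEV/route4
    if [ "${APPLY:-0}" = 1 ]; then echo primary_router > "$f"
    else printf 'echo primary_router > %s\n' "$f"; fi
}

# Replies from the gateway only come back if the physical switch has the
# static route of step 6; this prints the route the switch must carry.
required_switch_route() {
    printf '%s via %s\n' "$INSIDE_NET" "${OUTSIDE_IP%/*}"
}

fw_setup
if [ "${LAYER3:-0}" = 1 ]; then set_route4; fi
echo "Switch must route: $(required_switch_route)"
```

Run it once without APPLY to read the plan, then `APPLY=1 sh fw.sh` on the firewall guest (add `LAYER3=1` only if the guest's NIC is left in layer 3 mode, which is the case where PRIROUTER on the VSWITCH is also required). The FORWARD chain deliberately has no rule letting the outside network initiate connections inward; open specific services explicitly if the guests must be reachable from 151.100.1.0/24.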