>We have a situation in which we need to separate a some machines that need to
>communicate via DecNet protocols (they all run VMS). One set of machines is
>less trusted than the other and we would like to have some method of
>partitioning the machines with a firewall of some sort.
Well basically DecNet is just another Ethernet "type" like IP so the
obvious answer is to create two subnets, one with the trusted ones, the
other with those less trusted and filter crossings based on MAC addresses
(AFAIR that is what DECnet uses). I believe that there are any number
of devices that can handle subnet filtering/isolation. Now if you want
to allow some communications you have a different problem. The same
structure applies but it depends of what, and with which, and to whom your
Short answer: you can but <insufficient data>.