These days, in many environments firewalls are used, which only allow traffic between permitted hosts and ports. Unwanted traffic is blocked by the firewall. This prevents systems from accessing arbitrary ports on a server. If the source and target system are located as LPARs on the same managed system, communication via the virtual Ethernet switch is possible, bypassing the firewall. Packets between LPARs in the same managed system (same virtual switch and same VLAN) are delivered directly by the virtual switch. These packets are not sent to the external network, where the packets could be examined by a firewall.

In some environments there is a requirement that all network traffic must always go through a firewall. This can be achieved with PowerVM through the Virtual Port Aggregator Mode (VEPA). As can be seen from figure 7.9, network packets are always forwarded to the trunking port and thus ultimately to the external network via a shared Ethernet adapter. The packets leave the managed system. In the external network, the packets can then be examined by a firewall, for example, and if the packets are not blocked by the firewall, they must then be sent back to the physical Ethernet port of the managed system, where they are then sent, using the shared Ethernet adapter and trunking Port, back to the virtual switch and finally to the destination LPAR. Direct communication between two LPARs, as in VEB mode, is no longer possible with VEPA mode.