On Wednesday, 12/08/2010 at 08:31 EST, RPN01 <nix.rob...@mayo.edu> wrote:
> Is there anyone out there that actually gains security from CP users not
> being granted onto their vSwitches? How many people would like to be able to
> define a vSwitch as "open to the public" or not requiring a grant to be
> accessed?

In the same way plugging an Ethernet cable into a switch is not sufficient to gain connectivity, so defining a virtual wire is not sufficient to gain connectivity to a virtual network. This is just the way networking is done. Virtualizing the wires doesn't change anything.

Assuming you have RACF and generic profiles active, you can allow access to all VSWITCHes while denying access to all user-created Guest LANs.

RDEFINE ** CL(VMLAN) UACC(NONE)
RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE)

Without an ESM, Class G Guest LANs can be disabled by putting VMLAN TRANSIENT 0 in SYSTEM CONFIG.

I've been saying for several years, "You need an ESM." More and more z/VM security management will be focused on ESMs, not native CP. If your fave ESM doesn't simplify things for you, gripe to the vendor.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
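The following is an added illustration, not part of the message above or any IBM code: a simplified model of how the two RDEFINE profiles quoted in the reply resolve for VMLAN resource names. It assumes VSWITCHes appear in the VMLAN class as SYSTEM.<vswitch> and Guest LANs as <ownerid>.<lanname>, models only the '**' (zero or more qualifiers), '*' and '%' (within one qualifier) wildcards, and approximates RACF's most-specific-profile choice by the amount of literal text in the profile.

```python
"""Simplified model of RACF generic-profile resolution for the VMLAN class.

Constructed example. Resource naming (SYSTEM.<vswitch>, <owner>.<lan>) and
the most-specific-match rule are assumptions, not RACF's exact algorithm.
"""
from fnmatch import fnmatchcase

# The two profiles from the reply:
#   RDEFINE **        CL(VMLAN) UACC(NONE)
#   RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE)
VMLAN_PROFILES = {"**": "NONE", "SYSTEM.**": "UPDATE"}


def qualifiers_match(pattern, name):
    """Match dot-separated qualifier lists; '**' eats zero or more qualifiers."""
    if not pattern:
        return not name
    head, rest = pattern[0], pattern[1:]
    if head == "**":
        return any(qualifiers_match(rest, name[i:]) for i in range(len(name) + 1))
    if not name:
        return False
    # Inside one qualifier: '*' matches any run of characters, '%' one character.
    return (fnmatchcase(name[0], head.replace("%", "?"))
            and qualifiers_match(rest, name[1:]))


def best_profile(resource, profiles=VMLAN_PROFILES):
    """Return the most specific matching profile name, or None."""
    name = resource.upper().split(".")
    matches = [p for p in profiles if qualifiers_match(p.split("."), name)]
    if not matches:
        return None
    # Simplified specificity: more literal (non-wildcard) text wins, so
    # SYSTEM.** beats the catch-all ** for any SYSTEM.-owned resource.
    return max(matches, key=lambda p: sum(
        len(q) for q in p.split(".") if not set(q) & set("*%")))


def effective_uacc(resource, profiles=VMLAN_PROFILES):
    """UACC a user with no explicit PERMIT gets for this resource."""
    profile = best_profile(resource, profiles)
    return None if profile is None else profiles[profile]


if __name__ == "__main__":
    # Note the caveat the model exposes: a Guest LAN owned by SYSTEM
    # (SYSTEM.TESTLAN) is also covered by SYSTEM.**, not only VSWITCHes.
    for res in ("SYSTEM.VSW1", "USER1.LAN1", "SYSTEM.TESTLAN"):
        print(f"{res:16} -> {best_profile(res)} UACC({effective_uacc(res)})")
```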
> Is there anyone out there that actually gains security from CP users not > being granted onto their vSwitches? How many people would like to be able to > define a vSwitch as "open to the public" or not requiring a grant to be > accessed? In the same way plugging an ethernet cable into a switch is not sufficient to gain connectivity, so defining a virtual wire is not sufficient to gain connectivity to a virtual network. This is just the way networking is done. Virtualizing the wires doesn't change anything. Assuming you have RACF and generic profiles active, you can allow access to all VSWITCHes while denying access to all user-created Guest LANs. RDEFINE ** CL(VMLAN) UACC(NONE) RDEFINE SYSTEM.** CL(VMLAN) UACC(UPDATE) Without an ESM, Class G Guest LANs can be disabled by putting VMLAN TRANSIENT 0 in SYSTEM CONFIG. I've been saying for several years, "You need an ESM." More and more z/VM security management will be focused on ESMs, not native CP. If your fave ESM doesn't simplify things for you, gripe to the vendor. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 alan_altm...@us.ibm.com IBM Endicott