On Tuesday, 01/25/2011 at 11:15 EST, louis.gai...@its.ms.gov wrote:
> I am trying to create a vswitch with vlan capabilities. I am using the
> osa-express implementation guide, chapter 11.
> 
> 1.  I defined the switch ( define vswitch vsw3 rdev fa00 eth vlan 12 portt
> trunk

Welcome to z/VM.  As a matter of Good Security Policy, I believe in 
explicit authorization so as to avoid confusion and errors in the future.

1.  Change VLAN 12 to VLAN 666 (or some 
unused/unauthorized/not-valid-on-your-switch VLAN).  Do NOT use the NATIVE 
VLAN id for this value. 
2.  Remove PORTTYPE TRUNK.  PORTTYPE, like PORTNAME, is an Abomination, 
never doing what anyone expects it to do.  Never use either of those 
options [I gesture in the manner of a Jedi Knight exerting influence on 
your mind].
3.  SET VSWITCH VSW3 GRANT <userid> VLAN 12
4.  Do NOT configure the Linux guests to be VLAN-aware.  That is, do not 
use vconfig.
5.  If you have a guest that needs access to more than one VLAN on the 
same VSWITCH, use SET VSWITCH VSW3 PORTTYPE TRUNK VLAN 12 13 14 and *do* 
use vconfig.
6.  If a QUERY VSWITCH VSW3 ACCESS ever shows you a guest with VLAN 666, 
you will know that you did not specify a "proper" VLAN id on the GRANT.  A 
very nice audit tool.

Just so folks are aware, if I ever show up at your company to perform a 
z/VM system management "health check", I will be looking at your VSWITCH 
administration practices very closely.  :-)
 
Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott

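The "VLAN 666 as a sentinel" trick in step 6 above turns QUERY VSWITCH ACCESS into an audit: any guest whose GRANT omitted the VLAN id falls back to the switch default, and if that default is a VLAN nobody is allowed to use, the mistake is visible instead of silently putting the guest on a real segment. The script below is an added example written for this page, not part of the original thread or of IBM's tooling; it scans a captured QUERY VSWITCH ACCESS listing and flags both conditions that would defeat the audit. The sample text is constructed and only approximates the real CP output layout (field names and spacing are assumptions), so adjust the regular expressions to your own system's output before relying on it.

```python
"""Audit a captured 'QUERY VSWITCH <name> ACCESS' listing for grants that
inherited the sentinel default VLAN (example code, not an IBM utility)."""
import re

# The deliberately unused / not-valid-on-the-physical-switch VLAN id that the
# VSWITCH was DEFINEd with, per the advice in the thread.
SENTINEL_VLAN = 666

# Constructed sample, NOT real z/VM output: an approximation of what
# QUERY VSWITCH VSW3 ACCESS might print for a switch whose default VLAN is the
# sentinel.  LNXB was granted without a VLAN id and so inherited 0666.
SAMPLE_QUERY_OUTPUT = """\
VSWITCH SYSTEM VSW3     Type: VSWITCH Connected: 3    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Aware  Default VLAN: 0666    Default Porttype: Access  GVRP: Enabled
  Authorized userids:
    LNXA     Porttype: Access  VLAN: 0012
    LNXB     Porttype: Access  VLAN: 0666
    LNXC     Porttype: Trunk   VLAN: 0012 0013 0014
"""

# One grant line: userid, port type, then one or more 4-digit VLAN ids.
# (Layout is an assumption about the CP output format.)
GRANT_RE = re.compile(
    r"^\s+(?P<userid>\S+)\s+Porttype:\s+(?P<porttype>\S+)\s+VLAN:\s+(?P<vlans>\d+(?:\s+\d+)*)\s*$"
)
DEFAULT_RE = re.compile(r"Default VLAN:\s+(\d+)")


def find_default_vlan(text):
    """Return the switch-wide default VLAN id as an int, or None if absent."""
    m = DEFAULT_RE.search(text)
    return int(m.group(1)) if m else None


def parse_grants(text):
    """Return one dict per authorized userid: userid, porttype, list of VLAN ints."""
    grants = []
    for line in text.splitlines():
        m = GRANT_RE.match(line)
        if m:
            grants.append({
                "userid": m.group("userid"),
                "porttype": m.group("porttype").upper(),
                "vlans": [int(v) for v in m.group("vlans").split()],
            })
    return grants


def audit(text, sentinel=SENTINEL_VLAN):
    """Return (subject, reason) findings.

    Two things break the audit trick and are reported:
      * the switch default VLAN is not the sentinel, so an incomplete GRANT
        would land a guest on a real VLAN with no visible sign of the error;
      * a guest carries the sentinel VLAN, meaning its GRANT omitted VLAN.
    """
    findings = []
    default_vlan = find_default_vlan(text)
    if default_vlan != sentinel:
        findings.append((
            "<switch>",
            f"default VLAN is {default_vlan}, not sentinel {sentinel}; "
            "grants that omit VLAN would silently use a real VLAN",
        ))
    for g in parse_grants(text):
        if sentinel in g["vlans"]:
            findings.append((
                g["userid"],
                f"inherited sentinel VLAN {sentinel}: GRANT was issued without a VLAN id",
            ))
    return findings


if __name__ == "__main__":
    for subject, reason in audit(SAMPLE_QUERY_OUTPUT):
        print(f"{subject:10} {reason}")
```

Run it against a saved spool of the real QUERY output and treat any finding as a configuration error to correct with SET VSWITCH ... GRANT &lt;userid&gt; VLAN &lt;n&gt;, as the thread describes.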