On Monday, 04/04/2011 at 12:12 EDT, "Martin, Terry R. (CMS/CTR) (CTR)" 
<terry.mar...@cms.hhs.gov> wrote:

> This weekend we changed the SWITCH on the Data Comm side to tag a new VLAN
> (581). Up to this point the switch was only set up for ACCESS switch not
> TRUNK with a default VLAN of 472. Now the SWITCH PORT is changed to handle
> TRUNKING.
>
> On my z/VM side I set up the VSWITCH to now handle VLAN tagging. Everything
> looks good on the switch side but when I try testing a z/Linux guest in terms
> of having it connect to the VSWITCH via VLAN 851 it still does not get to the
> Subnet pointed to by VLAN 581. I did the GRANT for this guest:
>
> SET VSWITCH VSE4DD11 GRANT E49L250D VLAN 851.
>
> What am I missing? Now I did not do anything with RACF for this. Do I need to
> allow something in RACF?

Please see "VLAN ID-qualified profiles" in the RACF Security 
Administrator's Guide.  If this VSWITCH is protected by RACF, then 
1) The user needs UPDATE access to SYSTEM.VSE4DD11
2) The user needs UPDATE access to SYSTEM.VSE4DD11.0851

If the user doesn't have access to a VLAN-qualified profile, then the user 
will be authorized for the default VLAN ID specified on DEFINE VSWITCH. 
This is why I like to see
     DEFINE VSWITCH VSE4DD11 VLAN 666 ....
where 666 is a VLAN ID that the vswitch is not now and never shall be 
authorized to use.  This ensures that you have an explicit authorization.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
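
The two authorizations listed in the reply above, written out as a CMS REXX exec. This is an added example, not part of the original thread; it assumes the VSWITCH profiles live in the RACF VMLAN class, that the exec is run by a user with RACF authority over that class, and the exec name VLANPERM is hypothetical.

```rexx
/* VLANPERM EXEC - added example, not from the original thread.       */
/* Defines the base and VLAN ID-qualified profiles for one VSWITCH    */
/* and gives one guest UPDATE access to both, then lists the result.  */

vswitch = 'VSE4DD11'    /* VSWITCH name taken from the thread         */
guest   = 'E49L250D'    /* guest user ID taken from the thread        */
vlan    = '0851'        /* 4-digit VLAN ID as used in the reply; it   */
                        /* must be the ID actually tagged on the      */
                        /* trunk port (the post mentions 581 and 851) */

base = 'SYSTEM.'vswitch         /* SYSTEM.VSE4DD11                    */
qual = base'.'vlan              /* SYSTEM.VSE4DD11.0851               */

/* UACC(NONE): nobody gets access unless explicitly permitted.        */
cmds.1 = 'RAC RDEFINE VMLAN' base 'UACC(NONE)'
cmds.2 = 'RAC RDEFINE VMLAN' qual 'UACC(NONE)'

/* The guest needs UPDATE on both the base and the qualified profile. */
cmds.3 = 'RAC PERMIT' base 'CLASS(VMLAN) ID('guest') ACCESS(UPDATE)'
cmds.4 = 'RAC PERMIT' qual 'CLASS(VMLAN) ID('guest') ACCESS(UPDATE)'

/* Show the access lists so the result can be reviewed.               */
cmds.5 = 'RAC RLIST VMLAN' base 'AUTHUSER'
cmds.6 = 'RAC RLIST VMLAN' qual 'AUTHUSER'
cmds.0 = 6

failed = 0
do i = 1 to cmds.0
  say '==>' cmds.i
  address cms cmds.i
  if rc <> 0 then do
    /* RDEFINE returns non-zero when the profile already exists;      */
    /* report it and carry on so PERMIT and RLIST still run.          */
    say '    return code' rc
    failed = failed + 1
  end
end

say failed 'of' cmds.0 'commands returned a non-zero code'
exit failed
```

Without the qualified profile, the guest falls back to the default VLAN ID from DEFINE VSWITCH, which is the behaviour the reply describes. After the PERMITs, re-couple the guest's NIC so the new authorization is evaluated.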
