On Monday, 04/04/2011 at 12:12 EDT, "Martin, Terry R. (CMS/CTR) (CTR)" <terry.mar...@cms.hhs.gov> wrote:
> This weekend we changed the SWITCH on the Data Comm side to tag a new VLAN
> (581). Up to this point the switch was only set up for ACCESS switch not
> TRUNK with a default VLAN of 472. Now the SWITCH PORT is changed to handle
> TRUNKING.
>
> On my z/VM side I set up the VSWITCH to now handle VLAN tagging. Everything
> looks good on the switch side but when I try testing a z/Linux guest in terms
> of having it connect to the VSWITCH via VLAN 851 it still does not get to the
> Subnet pointed to by VLAN 581. I did the GRANT for this guest:
>
> SET VSWITCH VSE4DD11 GRANT E49L250D VLAN 851.
>
> What am I missing? Now I did not do anything with RACF for this do I need to
> allow something in RACF?

Please see "VLAN ID-qualified profiles" in the RACF Security Administrator's Guide. If this VSWITCH is protected by RACF, then

1) The user needs UPDATE access to SYSTEM.VSE4DD11
2) The user needs UPDATE access to SYSTEM.VSE4DD11.0851

If the user doesn't have access to a VLAN-qualified profile, then the user will be authorized for the default VLAN ID specified on DEFINE VSWITCH. This is why I like to see

   DEFINE VSWITCH VSE4DD11 VLAN 666 ....

where 666 is a VLAN ID that the vswitch is not now and never shall be authorized to use. This ensures that you have an explicit authorization.

Alan Altmark
z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott
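
The two authorizations listed in the reply above, written out as RACF commands in a CMS REXX exec. This is an added example, not part of the original post and not IBM's code; it assumes the VMLAN class is already active, that the issuer may run the RAC command and administer VMLAN profiles, and the exec name VLANPERM is hypothetical.

```rexx
/* VLANPERM EXEC: added example, not from the original thread.        */
/* Assumptions: VMLAN class already active; issuer can use RAC and    */
/* administer VMLAN profiles. Names below are taken from the thread.  */
vswitch = 'VSE4DD11'            /* VSWITCH name                        */
guest   = 'E49L250D'            /* guest user ID                       */
vlan    = 851                   /* VLAN ID used on the GRANT; it must  */
                                /* match the VLAN tagged on the trunk  */

base = 'SYSTEM.'vswitch                 /* base profile                */
qual = base'.'right(vlan, 4, '0')       /* SYSTEM.VSE4DD11.0851        */

/* Define both profiles with no universal access, then give the guest */
/* UPDATE to each. Without the qualified permit the guest falls back  */
/* to the default VLAN ID from DEFINE VSWITCH.                        */
c.1 = 'RAC RDEFINE VMLAN' base 'UACC(NONE)'
c.2 = 'RAC RDEFINE VMLAN' qual 'UACC(NONE)'
c.3 = 'RAC PERMIT' base 'CLASS(VMLAN) ID('guest') ACCESS(UPDATE)'
c.4 = 'RAC PERMIT' qual 'CLASS(VMLAN) ID('guest') ACCESS(UPDATE)'
/* Verification: who is on the qualified profile, and what CP shows.  */
c.5 = 'RAC RLIST VMLAN' qual 'AUTHUSER'
c.6 = 'CP QUERY VSWITCH' vswitch 'ACCESSLIST'
c.0 = 6

failed = 0
do i = 1 to c.0
  say '>>>' c.i
  address cms c.i
  if rc <> 0 then do            /* RDEFINE is nonzero if the profile   */
    say '    rc =' rc           /* already exists; report and go on    */
    failed = failed + 1
  end
end
exit failed
```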