Basically my security is layered. I have firewall appliances in front of
my zVM cisco routers blocking all traffic entering the trusted network.
So I am really dealing with trusted network partners although I also
need separation of these partners. Communication between zVM guests
within the same VLAN is allowed so I do not block this communication.
Intercommunication across VLANs is controlled at my Cisco router by
attaching ACLs to the VLAN subinterfaces associated with my zVM trunk
interface. It sure seems to provide what I need.

Al Schilla
Systems Programmer 
Enterprise Technology Services
Office of Enterprise Technologies
phone: 651-201-1216
email: [EMAIL PROTECTED]
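
An added example, not code from this thread or from z/VM: a small Python model of the 802.1Q tagging discussed above, contrasting a vswitch access port that tags on the guest's behalf with a trunk port where the guest tags its own frames and only explicitly granted VLAN IDs pass. The sample LLC (VLAN 106) and IP (VLAN 730) frames are constructed, and the `vswitch_egress` policy is a simplified assumption of the behaviour, not the hypervisor's implementation.

```python
import struct

TPID_8021Q = 0x8100       # tag protocol identifier of an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header plus an optional 802.1Q tag.
    A type/length value below 0x0600 is an 802.3 length field, i.e. an
    LLC frame like the VLAN 106 traffic; 0x0800 marks IPv4 (VLAN 730)."""
    tag_or_type = struct.unpack("!H", frame[12:14])[0]
    if tag_or_type == TPID_8021Q:
        tci, type_len = struct.unpack("!HH", frame[14:18])
        vid, body = tci & 0x0FFF, frame[18:]
    else:
        vid, type_len, body = None, tag_or_type, frame[14:]
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid,
            "type_len": type_len, "llc": type_len < 0x0600, "payload": body}

def add_tag(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert a tag after the MAC addresses: what a guest's vconfig interface
    does itself, or what a vswitch access port does on the guest's behalf."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def vswitch_egress(frame: bytes, porttype: str, granted: set, default_vid: int):
    """Simplified model (an assumption, not z/VM code) of the per-guest policy
    in the thread: an ACCESS port tags everything with its default VLAN and
    refuses frames the guest tagged itself; a TRUNK port forwards only tags
    the guest was explicitly GRANTed. Returns the frame as it would leave
    toward the OSA trunk, or None if it is dropped."""
    info = parse_frame(frame)
    if porttype == "access":
        if info["vid"] is not None:
            return None                       # guest may not choose a VLAN
        return add_tag(frame, default_vid)
    if info["vid"] is None:                   # untagged on a trunk port
        return add_tag(frame, default_vid) if default_vid in granted else None
    return frame if info["vid"] in granted else None

# Constructed sample frames (not captured traffic): a short LLC frame and an IPv4 frame
DST, SRC = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
LLC_FRAME = DST + SRC + struct.pack("!H", 3) + b"\xaa\xaa\x03"
IP_FRAME = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    granted = {106, 730}
    for f in (add_tag(LLC_FRAME, 106), add_tag(IP_FRAME, 730), add_tag(IP_FRAME, 1)):
        out = vswitch_egress(f, "trunk", granted, 106)
        print(parse_frame(f)["vid"], "forwarded" if out else "dropped")
```

A guest-tagged frame whose VID was never granted is dropped at the vswitch, which is why explicit grants rather than defaults matter when guests are not fully trusted.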

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Stricklin, Raymond J
Sent: Friday, April 25, 2008 1:33 PM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

What would be the security implications of a setup like this if, for
example, you were running untrusted linux guests? I guess in a broader
sense, where are the security boundaries?

There's a lot about VLAN operation I do not yet understand, so forgive
me if this is a naive question. 

ok
r.

> -----Original Message-----
> From: Alan Schilla [mailto:[EMAIL PROTECTED] 
> Sent: Friday, April 25, 2008 11:19 AM
> To: [email protected]
> Subject: Re: z/VM Linux OS VLAN tagging
> 
> I'm not sure this will help you but we run multiple VLANs 
> through a single vswitch. We define our Cisco router port to the 
> OSA as a VLAN trunk defining the default gateway for each of 
> our zVM Linux VLANs. Our vswitch is defined as VLAN unaware 
> so all the VLANs forward traffic up the trunk to each VLAN 
> default address on the router. 
> 
> Al Schilla
> Systems Programmer
> Enterprise Technology Services
> Office of Enterprise Technologies
> phone: 651-201-1216
> email: [EMAIL PROTECTED]
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of Bhemidhi, Ashwin
> Sent: Wednesday, April 23, 2008 11:04 AM
> To: [email protected]
> Subject: Re: z/VM Linux OS VLAN tagging
> 
> 1.a) OSA port has been defined as a trunk
>    b) OSA has been authorized to use both VLANs on the trunk port
>    c) trunk protocol set to "dot1q"
> 
> 2. define vswitch vswitche rdev 3600 ethernet vlan 1000 
> porttype trunk 
> 
> 3. cp set vswitch vswitche grant svml09 porttype trunk vlan 106 730
> 
> 4. vconfig add eth1 106   
>    vconfig add eth1 730
> 
> VLAN 106 is Ethernet frame with no IP (LLC over Ethernet) 
> VLAN 730 is IP. 
> 
> Our problem is when the tagging is done by the Linux guest. 
> There is something wrong with the VLAN 106 frames going out to a 
> Cisco router. The router for some reason is rejecting those frames.  
> 
> This works when we set up 2 different vswitches using the same 
> OSA trunk port. In this case each vswitch assigns a network 
> interface to the Linux guest machine as an access port with 
> default VLAN 106 and 730 respectively. Basically the 
> vswitches in this case are doing the VLAN ID tagging and the 
> guest sees 2 interfaces eth1 and eth2. 
> 
> 
> Regards,
> Ashwin 
> 
> -----Original Message-----
> From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On 
> Behalf Of Alan Altmark
> Sent: Tuesday, April 22, 2008 10:38 PM
> To: [email protected]
> Subject: Re: z/VM Linux OS VLAN tagging
> 
> On Tuesday, 04/22/2008 at 05:52 EDT, "Bhemidhi, Ashwin" 
> <[EMAIL PROTECTED]>
> wrote:
> 
> > 1) Redhat Linux guest machine running kernel version 
> > 2.6.18-1.2747.el5 under z/VM 5.3
> > 2) Using OSA Express 2 with Gigabit port and VLAN enabled at the
> > network switch with 2 different VLANS.
> > 3) The 2 VLANs are a) a VLAN for IP network for IP traffic and b) a
> > VLAN for only Ethernet frames (LLC, no IP).
> > 4) Configured 1 Layer 2 VSwitch with 2 VLANs and granted 
> > the Network interface as a trunk to the Linux guest machine.
> 
> 1. Make sure the switch
>    a) has the OSA port defined as a trunk
>    b) has authorized the OSA to use both VLANs on the trunk port
>    c) has set the trunk protocol to "dot1q"
> 2. DEFINE VSWITCH .... VLAN 1 (or whatever the default VLAN 
> is for the port).  By default, the default VLAN (sorry!) is 
> the switch's native VLAN id, which defaults to 1.  (extra 
> sorry) In 5.3 you can DEFINE VSWITCH ... VLAN 2 NATIVE 1 if 
> you want guests to have VLAN 2 by default, but keep the 
> native (untagged) VLAN 1.
> 3. Make sure you grant both VLANs to the guest.  Use explicit 
> grants; don't use defaults.
> 4. Use vconfig to create two VLAN-specific interfaces on eth0
> 
> Alan Altmark
> z/VM Development
> IBM Endicott
> 
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access 
> instructions, send email to [EMAIL PROTECTED] with the 
> message: INFO LINUX-390 or visit 
> http://www.marist.edu/htbin/wlvindex?LINUX-390
> 
