To give you a brief background of our network application/system: this
system is an SNA gateway cluster controller that talks SNA to the
mainframe and IP to clients (SNA clients) running on Unix/Windows, thus
allowing 3270-like clients on an IP network to talk to SNA applications on
the mainframe (e.g. IMS).

We used to run a UNIX-based home-grown SNA communication controller that
talked to the mainframe over token ring and NCP (3745 FEP). We changed
our architecture when IBM announced EOL of the IBM 3745. Our SNA gateway
controller now talks to a Cisco SNA switch router using LLC over
Ethernet. The SNA switch router communicates with VTAM using APPN. Our
communication controller runs on an x86 platform and has 2 network
interfaces: 1 for IP to talk to the end clients and 1 for LLC/Ethernet to
talk to the Cisco SNA switch router.

This network looks something like: 

Mainframe Application
VTAM 
Cisco SNA switch router (communication: APPN up, LLC/Ethernet down)
Our custom controller (communication: LLC up, IP down) <- z/VM solution?
End SNA clients (communication: IP up)


Today we are using HP x86 servers that run Linux in our environment. Our
intent is to replace all the servers with a z/VM Linux based solution.

We already ported and validated our network application on z/VM using 2
OSA Express cards (1 for IP VLAN 730 and 1 for LLC VLAN 106). What we
are trying to do is, instead of using 2 OSA adapters, use just 1 OSA
adapter with trunking enabled for VLANs 730 and 106.

The trunk solution works when the VLAN tagging is done using 2 vswitches
using the same OSA and presenting the network interface as an access
port to the Linux guest machine. 

We are trying to move the VLAN setup/configuration to the Linux guest,
where the Linux kernel does the VLAN tagging instead of using 2
vswitches. This would reduce the number of vswitches.

We are looking at getting a network probe into this environment to
capture a trace.

Hope I could explain everything clearly; if not, let me know and I can
give more details :-).

Ashwin Bhemidhi
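As an added example, not code from this thread or from any of the posters: a small decoder of the kind a capture probe on the trunk could run, checking that each guest-tagged frame carries an 802.1Q tag for VLAN 106 or 730 and that the payload type matches the plan (LLC on 106, IP on 730), which is the boundary the vswitch GRANT is meant to enforce. The MAC addresses and payloads are constructed, and DSAP/SSAP 0x04 as the SNA SAP is an assumption.

```python
import struct
TPID_8021Q = 0x8100       # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
# VLAN plan from the thread: 106 carries LLC (non-IP), 730 carries IP.
VLAN_PLAN = {106: "llc", 730: "ip"}

def build_frame(vlan, type_or_len, payload):
    """Constructed test frame: dst, src, optional 802.1Q tag, type/length, payload."""
    dst = bytes.fromhex("02000000aa01")  # locally administered, made-up MACs
    src = bytes.fromhex("02000000bb02")
    tag = struct.pack("!HH", TPID_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", type_or_len) + payload

def parse_frame(frame):
    """Return vlan (None if untagged) and payload kind: 'ip', 'llc' or 'other'."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    off = 12
    vlan = None
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlan = tci & 0x0FFF            # low 12 bits of the TCI are the VLAN ID
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if ethertype >= 0x0600:            # Ethernet II: the field is a type value
        kind = "ip" if ethertype == ETHERTYPE_IPV4 else "other"
    else:                              # IEEE 802.3: a length, LLC header follows
        if len(frame) < off + 3:
            raise ValueError("802.3 frame too short for an LLC header")
        kind = "llc"
    return {"vlan": vlan, "kind": kind}

def check_frame(frame):
    """Classify a frame against the VLAN plan, as a probe on the trunk would."""
    info = parse_frame(frame)
    if info["vlan"] is None:
        return "untagged"              # would land on the native VLAN, not 106/730
    expected = VLAN_PLAN.get(info["vlan"])
    if expected is None:
        return "vlan-not-in-plan"
    if expected != info["kind"]:
        return "payload-mismatch"      # e.g. IP sent on the LLC-only VLAN
    return "ok"

# Constructed samples: IPv4 header start; LLC header with DSAP/SSAP 0x04 (SNA SAP, assumed).
IP_PAYLOAD = bytes([0x45]) + bytes(19)
LLC_PAYLOAD = bytes([0x04, 0x04, 0x03]) + bytes(10)
```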


-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Alan Schilla
Sent: Monday, April 28, 2008 9:29 AM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

I'm sorry if I created any confusion. I don't have any issues. My VLANs
work just fine and I do not run any non-IP. I was just responding to
Ashwin's post describing what I have done.

Al Schilla
Systems Programmer 
Enterprise Technology Services
Office of Enterprise Technologies
phone: 651-201-1216
email: [EMAIL PROTECTED]

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Harold Grovesteen
Sent: Sunday, April 27, 2008 5:15 AM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

Alan, what non-IP protocol do you expect to use on VLAN 106?  (SNA comes
to mind but you might be trying to do something else.)  You have
mentioned ACLs on the Cisco switch.  Are these blocking the traffic you
expected to work?  Being new to VLANs, is this someone else's design
you are implementing or your own?  Non-IP protocols are not the norm
today.  How do security domains influence what you are trying to
achieve?  Firewalls are only useful for IP traffic.  They do not
understand non-IP traffic.

It might help everyone assisting to have a higher-level understanding of
what you are trying to accomplish to point you in the right direction.

Harold Grovesteen

Alan Schilla wrote:

>Basically my security is layered. I have firewall appliances in front of
>my zVM cisco routers blocking all traffic entering the trusted network.
>So I am really dealing with trusted network partners although I also
>need separation of these partners. Communication between zVM guests
>within the same VLAN is allowed so I do not block this communication.
>Intercommunication across VLANs is controlled at my cisco router by
>attaching ACLs to the VLAN subinterfaces associated with my zVM trunk
>interface. It sure seems to provide what I need.
>
>Al Schilla
>Systems Programmer
>Enterprise Technology Services
>Office of Enterprise Technologies
>phone: 651-201-1216
>email: [EMAIL PROTECTED]
>
>-----Original Message-----
>From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
>Stricklin, Raymond J
>Sent: Friday, April 25, 2008 1:33 PM
>To: [email protected]
>Subject: Re: z/VM Linux OS VLAN tagging
>
>What would be the security implications of a setup like this if, for
>example, you were running untrusted linux guests? I guess in a broader
>sense, where are the security boundaries?
>
>There's a lot about VLAN operation I do not yet understand, so forgive
>me if this is a naive question.
>
>ok
>r.
>
>
>
>>-----Original Message-----
>>From: Alan Schilla [mailto:[EMAIL PROTECTED]
>>Sent: Friday, April 25, 2008 11:19 AM
>>To: [email protected]
>>Subject: Re: z/VM Linux OS VLAN tagging
>>
>>I'm not sure this will help you but we run multiple VLANs
>>through a single vswitch. We define our cisco router port to the
>>OSA as a vlan trunk defining the default gateway for each of
>>our zVM linux VLANs. Our vswitch is defined as VLAN unaware
>>so all the VLANs forward traffic up the trunk to each VLAN
>>default address on the router.
>>
>>Al Schilla
>>Systems Programmer
>>Enterprise Technology Services
>>Office of Enterprise Technologies
>>phone: 651-201-1216
>>email: [EMAIL PROTECTED]
>>-----Original Message-----
>>From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
>>Behalf Of Bhemidhi, Ashwin
>>Sent: Wednesday, April 23, 2008 11:04 AM
>>To: [email protected]
>>Subject: Re: z/VM Linux OS VLAN tagging
>>
>>1.a) OSA port has been defined as a trunk
>>   b) OSA has been authorized to use both VLANs on the trunk port
>>   c) trunk protocol set to "dot1q"
>>
>>2. define vswitch vswitche rdev 3600 ethernet vlan 1000
>>porttype trunk
>>
>>3. cp set vswitch vswitche grant svml09 porttype trunk vlan 106 730
>>
>>4. vconfig add eth1 106
>>   vconfig add eth1 730
>>
>>VLAN 106 is Ethernet frame with no IP (LLC over Ethernet)
>>VLAN 730 is IP.
>>
>>Our problem is when the tagging is done by the Linux guest.
>>There is something wrong with the VLAN 106 frames going out to a
>>Cisco router. The router for some reason is rejecting those frames.
>>
>>This works when we set up 2 different Vswitches using the same
>>OSA trunk port. In this case each vswitch assigns a network
>>interface to the Linux guest machine as an access port with
>>default VLAN 106 and 730 respectively. Basically the
>>vswitches in this case are doing the VLAN ID tagging and the
>>guest sees 2 interfaces eth1 and eth2.
>>
>>
>>Regards,
>>Ashwin
>>
>>
>>
>>
>>
>>
>>-----Original Message-----
>>From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
>>Behalf Of Alan Altmark
>>Sent: Tuesday, April 22, 2008 10:38 PM
>>To: [email protected]
>>Subject: Re: z/VM Linux OS VLAN tagging
>>
>>On Tuesday, 04/22/2008 at 05:52 EDT, "Bhemidhi, Ashwin"
>><[EMAIL PROTECTED]>
>>wrote:
>>
>>
>>
>>>1) Redhat Linux guest machine running kernel version 2.6.18-1.2747.el5
>>>under z/VM 5.3
>>>2) Using OSA Express 2 with Gigabit port and VLAN enabled at the network
>>>switch with 2 different VLANS.
>>>3) The 2 VLANs are a) a VLAN for IP network for IP traffic and b) a VLAN
>>>for only Ethernet frames (LLC, no IP).
>>>4) Configured 1 Layer 2 VSwitch with 2 VLANs and granted the Network
>>>interface as a trunk to the Linux guest machine.
>>
>>1. Make sure the switch
>>   a) has the OSA port defined as a trunk
>>   b) has authorized the OSA to use both VLANs on the trunk port
>>   c) has set the trunk protocol to "dot1q"
>>2. DEFINE VSWITCH .... VLAN 1 (or whatever the default VLAN
>>is for the port).  By default, the default VLAN (sorry!) is
>>the switch's native VLAN id, which defaults to 1.  (extra
>>sorry) In 5.3 you can DEFINE VSWITCH ... VLAN 2 NATIVE 1 if
>>you want guests to have VLAN 2 by default, but keep the
>>native (untagged) VLAN 1.
>>3. Make sure you grant both VLANs to the guest.  Use explicit
>>grants; don't use defaults.
>>4. Use vconfig to create two VLAN-specific interfaces on eth0
>>
>>Alan Altmark
>>z/VM Development
>>IBM Endicott
>>
>>----------------------------------------------------------------------
>>For LINUX-390 subscribe / signoff / archive access
>>instructions, send email to [EMAIL PROTECTED] with the
>>message: INFO LINUX-390 or visit
>>http://www.marist.edu/htbin/wlvindex?LINUX-390
>>
>>
>>
>>
>
>
>
>
