Re: New z/VM 5.3 VSWITCH Port Isolation function
Alan, the subject brought me to a question I have in mind for some time. There seems to be a feature on z/VM's (4.4 to 5.2) which prevents the guests on the same VSWITCH to talk to eachother. This is what happens on our system with every VSWITCH I create. Every guest can't talk to other guests by default and I don't know how to enable it. Is there something I have to enable ? Regards, Wolfgang On Sun, Apr 06, 2008 at 12:25:37PM -0400, Alan Altmark wrote: [cross-posted to IBMVM and LINUX-390] I just want to bring to everyone's attention some new support for the Virtual Switch. APAR VM64281 for z/VM 5.3 (only) provides a port isolation function that prevents guests on the same VSWITCH or VLAN (if the VSWITCH is VLAN-aware) from talking directly to each other. You can decide what to do with packets destined for other guests on the LAN segment: silently drop them or forward them, as-is, out to the switch. This new function became available on February 26th. For more information, see p.58 of the -05 edition of the z/VM Connectivity book, http://publibz.boulder.ibm.com/epubs/pdf/hcsc9b21.pdf. If you have any questions, please post them to IBMVM. Thanks. Regards, Alan Alan Altmark Sr. Software Engineer IBM z/VM Development -- With kind regards/Mit freundlichen Gruessen, your/Ihr SuSE Team Wolfgang Engel ([EMAIL PROTECTED]) - SUSE LINUX Products GmbH Tel: +49-911-74053-668 Maxfeldstr. 5 Fax: +49-911-7417755 90409 Nuernberg, Email: [EMAIL PROTECTED] Germany WWW: http://www.suse.com SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) -
Re: New z/VM 5.3 VSWITCH Port Isolation function
Hi, Wolfgang, There is nothing in the VSWITCH that will come up by default to prevent guests from talking to each other. If you send me your configuration information, I can take a look and see what might be going on.The default for a VSWITCH in z/VM 5.2 is DEFINE VSWITCH vswitchname If that is all you specify, you will come up as a VLAN UNAWARE IP layer VSWITCH without OSA connectivity to the external network.Remember your guests have to be authorized and coupled to the virtual switch. The new support that Alan is talking about is enabled by issuing a MODIFY or SET VSWITCH vswitchname ISOL OFF|DROP|FORWARD and is not enabled by default. Tracy (Bolinda) Adams [EMAIL PROTECTED] z/VM Development - Virtual Networking http://www.vm.ibm.com/virtualnetwork/ tie line - 620-5469 / (607-429-5469) Wolfgang Engel [EMAIL PROTECTED] Sent by: The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU 04/22/2008 08:28 AM Please respond to The IBM z/VM Operating System IBMVM@LISTSERV.UARK.EDU To IBMVM@LISTSERV.UARK.EDU cc Subject Re: New z/VM 5.3 VSWITCH Port Isolation function Alan, the subject brought me to a question I have in mind for some time. There seems to be a feature on z/VM's (4.4 to 5.2) which prevents the guests on the same VSWITCH to talk to eachother. This is what happens on our system with every VSWITCH I create. Every guest can't talk to other guests by default and I don't know how to enable it. Is there something I have to enable ? Regards, Wolfgang On Sun, Apr 06, 2008 at 12:25:37PM -0400, Alan Altmark wrote: [cross-posted to IBMVM and LINUX-390] I just want to bring to everyone's attention some new support for the Virtual Switch. APAR VM64281 for z/VM 5.3 (only) provides a port isolation function that prevents guests on the same VSWITCH or VLAN (if the VSWITCH is VLAN-aware) from talking directly to each other. You can decide what to do with packets destined for other guests on the LAN segment: silently drop them or forward them, as-is, out to the switch. This new function became available on February 26th. For more information, see p.58 of the -05 edition of the z/VM Connectivity book, http://publibz.boulder.ibm.com/epubs/pdf/hcsc9b21.pdf. If you have any questions, please post them to IBMVM. Thanks. Regards, Alan Alan Altmark Sr. Software Engineer IBM z/VM Development -- With kind regards/Mit freundlichen Gruessen, your/Ihr SuSE Team Wolfgang Engel ([EMAIL PROTECTED]) - SUSE LINUX Products GmbH Tel: +49-911-74053-668 Maxfeldstr. 5 Fax: +49-911-7417755 90409 Nuernberg, Email: [EMAIL PROTECTED] Germany WWW: http://www.suse.com SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) -
Re: z/VM 5,3 installation
Hello Richard, Your VMSYSx file pool servers were not up and running, so the LDAP BFS fi le processing failed. See the info. at this URL for more information: http://www.vm.ibm.com/related/tcpip/tcprdbfs.html Regards, Mark Cibula; z/VM TCP/IP Support
Re: z/VM 5,3 installation
This is also documented in the PSP bucket for TCPIP530. Also in the PSP bucket for ZVM530 is the list of the 19 PTFs you should put on AFTER applying RSU0703, so you're not quite done yet. From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard Sent: Monday, April 21, 2008 6:29 PM To: IBMVM@LISTSERV.UARK.EDU Subject: z/VM 5,3 installation I have a completely vanilla 5,3 system that was restored from the DDR. The SERVICE EXEC appeared to have successfully applied RSU0703 as there were no reported errors and it said it was successful. When I attempt PUT2PROD ALL, the result is (only the error portion of the log shown): ST:DTCPRD3021I TCP2PROD processing started ST:DTCPRD3018I No options in effect ST:DTCPRD3040I Issuing command: ST:VMFSIM QUERY SERVP2P PPF TDATA :COMPNAME TCPIPP2P :PRODID ST:(STEM !VMFDATA. ST:DTCPRD3006I Product ID in effect: 5VMTCP30%TCPIP ST:DTCPRD3012I Obtaining PPF :DCL. information... ST:DTCPRD3019I Processing file(s) for: BFS ST: LDAPSRV LOADBFS I -- BFS ST:RC=0 from EXEC OPENVM UNMOUNT / ST:ERROR: RC=99 obtaining QUERY ENROLL information for LDAPSRV VMSYS SV:DTCPRD3038E LOADBFS command completed with RC = 1 SV:DTCPRD3021E TCP2PROD processing completed with RC = 8 SV:VMFP2P1965E The command, TCP2PROD SERVP2P TCPIPP2P 5VMTCP30 TCPBFS, SV:failed with return code 8 ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully for TCPIP ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully This is the only error reported. The questions are, * What's up? What have I missed? As noted, this is an initial install with no foreign code or customization. * Did PUT2PROD end immediately upon hitting the error, meaning that it is possible that there are other components to process; other components that may also have errors? I would guess that it came to an immediate halt, but that is just a guess. Regards, Richard Schuh
Re: z/VM 5,3 installation
Thanks for the pointer. That looks like the solution to this problem. I will retry after bringing up the SFS servers. Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Rempel, Horst Sent: Monday, April 21, 2008 10:47 PM To: IBMVM@LISTSERV.UARK.EDU Subject: AW: z/VM 5,3 installation Hello Richard, please have a look at http://www.vm.ibm.com/related/tcpip/tcprdbfs.html. You will find there a description, how to prevent these errors. kind regards Horst Rempel -Ursprüngliche Nachricht- Von: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] Auftrag von Schuh, Richard Gesendet: Dienstag, 22. April 2008 00:29 An: IBMVM@LISTSERV.UARK.EDU Betreff: z/VM 5,3 installation I have a completely vanilla 5,3 system that was restored from the DDR. The SERVICE EXEC appeared to have successfully applied RSU0703 as there were no reported errors and it said it was successful. When I attempt PUT2PROD ALL, the result is (only the error portion of the log shown): ST:DTCPRD3021I TCP2PROD processing started ST:DTCPRD3018I No options in effect ST:DTCPRD3040I Issuing command: ST:VMFSIM QUERY SERVP2P PPF TDATA :COMPNAME TCPIPP2P :PRODID ST:(STEM !VMFDATA. ST:DTCPRD3006I Product ID in effect: 5VMTCP30%TCPIP ST:DTCPRD3012I Obtaining PPF :DCL. information... ST:DTCPRD3019I Processing file(s) for: BFS ST: LDAPSRV LOADBFS I -- BFS ST:RC=0 from EXEC OPENVM UNMOUNT / ST:ERROR: RC=99 obtaining QUERY ENROLL information for LDAPSRV VMSYS SV:DTCPRD3038E LOADBFS command completed with RC = 1 SV:DTCPRD3021E TCP2PROD processing completed with RC = 8 SV:VMFP2P1965E The command, TCP2PROD SERVP2P TCPIPP2P 5VMTCP30 TCPBFS, SV:failed with return code 8 ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully for TCPIP ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully This is the only error reported. The questions are, * What's up? What have I missed? As noted, this is an initial install with no foreign code or customization. * Did PUT2PROD end immediately upon hitting the error, meaning that it is possible that there are other components to process; other components that may also have errors? I would guess that it came to an immediate halt, but that is just a guess. Regards, Richard Schuh
Re: z/VM 5,3 installation
I am a far cry from finished. After that, I get to install vendor software that includes CP and CMS modifications. Thanks for the response. Regards, Richard Schuh From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Quay, Jonathan (IHG) Sent: Tuesday, April 22, 2008 8:23 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: z/VM 5,3 installation This is also documented in the PSP bucket for TCPIP530. Also in the PSP bucket for ZVM530 is the list of the 19 PTFs you should put on AFTER applying RSU0703, so you're not quite done yet. From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Schuh, Richard Sent: Monday, April 21, 2008 6:29 PM To: IBMVM@LISTSERV.UARK.EDU Subject: z/VM 5,3 installation I have a completely vanilla 5,3 system that was restored from the DDR. The SERVICE EXEC appeared to have successfully applied RSU0703 as there were no reported errors and it said it was successful. When I attempt PUT2PROD ALL, the result is (only the error portion of the log shown): ST:DTCPRD3021I TCP2PROD processing started ST:DTCPRD3018I No options in effect ST:DTCPRD3040I Issuing command: ST:VMFSIM QUERY SERVP2P PPF TDATA :COMPNAME TCPIPP2P :PRODID ST:(STEM !VMFDATA. ST:DTCPRD3006I Product ID in effect: 5VMTCP30%TCPIP ST:DTCPRD3012I Obtaining PPF :DCL. information... ST:DTCPRD3019I Processing file(s) for: BFS ST: LDAPSRV LOADBFS I -- BFS ST:RC=0 from EXEC OPENVM UNMOUNT / ST:ERROR: RC=99 obtaining QUERY ENROLL information for LDAPSRV VMSYS SV:DTCPRD3038E LOADBFS command completed with RC = 1 SV:DTCPRD3021E TCP2PROD processing completed with RC = 8 SV:VMFP2P1965E The command, TCP2PROD SERVP2P TCPIPP2P 5VMTCP30 TCPBFS, SV:failed with return code 8 ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully for TCPIP ST:VMFP2P2760I PUT2PROD processing completed unsuccessfully This is the only error reported. The questions are, * What's up? What have I missed? As noted, this is an initial install with no foreign code or customization. * Did PUT2PROD end immediately upon hitting the error, meaning that it is possible that there are other components to process; other components that may also have errors? I would guess that it came to an immediate halt, but that is just a guess. Regards, Richard Schuh
Re: z/VM 5,3 installation
Actually, I have a question about this. We have two identical (at least, as far as I can tell/remember) vanilla VM 5.3 lpars--one was actually a clone of the other--that I updated with the 5303 RSU service. The original lpar updated with no problems, but the second (clone) died with this query enroll problem. Neither system had the VMSERVS/U/R servers up, but only one complained about it even though both processed the TCPIP maintenance bundled in RSU5303. And I know I didn't make a local modification on the original lpar--I'm a VM newbie and am avoiding any mods like the plague. Is there anything else that might have triggered the need to update the LDAPSRV BFS? Maybe something we forgot about doin g on the one lpar? Thanks! Shannon Collinson -- SunTrust Bank
Re: z/VM 5,3 installation
Hi Shannon, usually what happens is that somewhere along the line the system gets left in a state where the filepool server is up. If you look in the TCP2PROD $MSGLOG on maint's a-disk, you can see exactly what happened. By the way, a long long time ago I was the IBM mainframe SE for Suntrust. Say hello to Frank for me. -Original Message- From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Shannon Collinson Sent: Tuesday, April 22, 2008 12:25 PM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: z/VM 5,3 installation Actually, I have a question about this. We have two identical (at least,= as far as I can tell/remember) vanilla VM 5.3 lpars--one was actually a = clone of the other--that I updated with the 5303 RSU service. The original lpar updated with no problems, but the second (clone) died with = this query enroll problem. Neither system had the VMSERVS/U/R servers = up, but only one complained about it even though both processed the TCPIP= maintenance bundled in RSU5303. And I know I didn't make a local modification on the original lpar--I'm a VM newbie and am avoiding any = mods like the plague. Is there anything else that might have triggered = the need to update the LDAPSRV BFS? Maybe something we forgot about doin= g on the one lpar? Thanks! Shannon Collinson -- SunTrust Bank
Hipersockets - xposted to VM-L IBM-Main
I have a z/OS 1.9 system using an OSA to reach the internet and Hipersockets for LPAR communication. I then copied this system to a guest under z/VM. On the guest I attached the z/OS to my VSWITCH, and changed the IP address then brought up TCPIP on that adapter without problem. But the Hipersockets are a different issue. I attached 3 address, (even-odd-even) to the guest as the same addresses used on the original z/OS, changed the IP address and restarted TCPIP. The messages from TCPIP say that the adapter started okay, EZZ4313I INITIALIZATION COMPLETE FOR DEVICE IUTIQDFF but I can't ping any other address on the Hipersocket network. And nothing can ping it. All the messages from netstat,dev look exactly like the one on the z/OS that works, except of course, for the all zeros in the counts. DEVNAME: IUTIQDFF DEVTYPE: MPCIPA DEVSTATUS: READY CFGROUTER: NON ACTROUTER: NON LNKNAME: IUTLNK1 LNKTYPE: IPAQIDIOLNKSTATUS: READY NETNUM: N/A QUESIZE: N/A IPBROADCASTCAPABILITY: NO ARPOFFLOAD: YESARPOFFLOADINFO: YES ACTMTU: 57344 READSTORAGE: GLOBAL (8064K) SECCLASS: 255 MONSYSPLEX: NO BSD ROUTING PARAMETERS: MTU SIZE: 57344 METRIC: 00 DESTADDR: 0.0.0.0 SUBNETMASK: 255.255.255.0 MULTICAST SPECIFIC: MULTICAST CAPABILITY: YES GROUP REFCNT SRCFLTMD - -- 224.0.0.1 01 EXCLUDE SRCADDR: NONE LINK STATISTICS: BYTESIN = 0 INBOUND PACKETS = 0 INBOUND PACKETS IN ERROR = 0 INBOUND PACKETS DISCARDED = 0 INBOUND PACKETS WITH NO PROTOCOL = 0 BYTESOUT = 0 OUTBOUND PACKETS = 0 OUTBOUND PACKETS IN ERROR = 0 OUTBOUND PACKETS DISCARDED= 0 -- Mark Pace Mainline Information Systems
TCP/IP Fixes
In February, I installed PTF UK33720 on a 5.2 system. This PTF was correcting a problem in the FTP Server code wherein an FTP APPEND to a file residing in SFS could wipe out an existing file if a timeout of a data connection request occurred. I see no corresponding PTF for 5.3, which raises the question, should there be? I would hate to struggle through the pains of re-solving a problem that has already been analyzed and fixed. Regards, Richard Schuh