Re: Ethernet vswitch definition
Thanks for the replies, Alan, David. I appreciate it. My networking group is pretty flexible and asked me what *I* wanted, for the most part. Nice to have that option. :)

Dave

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Friday, January 09, 2009 7:26 AM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
On 1/8/09 6:09 PM, KEETON Dave * SDC dave.kee...@state.or.us wrote:

> I have need for multiple VLAN memberships also. I keep running into issues with routing when I have more than one VLAN configured. Does anyone have any pearls of wisdom in this area? Any docs for advanced VLAN networking with VSWITCH under z/VM 5.4?

Working on some stuff for a future conference. Nothing to share yet.

> Scenario: If you had an environment that consisted of Administration and Production networks and you wanted a guest to participate in both, wouldn't you just create two VLAN memberships to eth0 (a la vconfig)? Or would it be prudent to create a separate VSWITCH for Administration and Production and use eth0 and eth1 nics (using the PORTTYPE ACCESS method)?

You can do either technically, but I suspect it will be simpler and easier to audit if you create separate VSWITCHes for each network. The main use for multiple VLANs on the same interface is to save hardware costs (adapters and switch ports); with virtual hardware, that problem really doesn't exist, so keeping things simple by having multiple switches and interfaces is easier to manage. That approach also lets your ESM control and audit who is connecting to what -- if you give a trunk port to a guest, you are relying on the admin of that guest to behave and not tag things for or connect to the wrong VLAN. Yes, you can limit that in the switch, but that's going to make your networking people twitchy and cranky -- not a desirable outcome.
Re: Ethernet vswitch definition
On Thursday, 01/08/2009 at 06:09 EST, KEETON Dave * SDC dave.kee...@state.or.us wrote:

> Scenario: If you had an environment that consisted of Administration and Production networks and you wanted a guest to participate in both, wouldn't you just create two VLAN memberships to eth0 (a la vconfig)? Or would it be prudent to create a separate VSWITCH for Administration and Production and use eth0 and eth1 nics (using the PORTTYPE ACCESS method)?

This will be driven by your Networking folks. If they would normally configure a trunk port for a distributed system, then it's ok for a guest. If not, no. From a z/VM security point of view, it's the same, though the increased complexity of trunk ports can trigger a failure in the human element of the equation. As David says, this may make the Network Gods nervous.

Trunk v. Access: Sometimes the 'obvious' solution is the 'wrong' (or unworkable) solution. For instance, most sites will not mix Internet and Intranet traffic on the same physical switch. Ergo you cannot use a trunk port to carry both. Or they will not carry traffic in different security domains, as represented by a VLAN, on the same wire, so again, a trunk won't help. While on one level it may seem silly, being largely based on history and Everyone Knows kinds of things, ranking right up there with "telnet is not secure".

On the other hand, using separate switches to carry Internet traffic can be a wise thing for other reasons, including ease of physical audit (put red tape on it and allow only red ethernet cables) and the ability to just turn it off in an emergency without affecting your ability to access the systems internally.

Don't fight with your networking people about this stuff - it's their territory and their responsibility, not yours. If you need to buy additional OSAs, for example, then just say so and TPTB will decide whether the expense is worth the risk. (Hint: Network folks almost always get their way on this sort of stuff. It's ok. Breathe in. Breathe out. In. Out.)

It goes without saying, but it must be said, that involving network AND security people *early* in the design is far better (for you) than surprising them at the 11th hour. Talk about cranky.

Alan Altmark
z/VM Development
IBM Endicott
Ethernet vswitch definition
We are looking at converting our vswitch from IP to Ethernet. As my first step I'm trying to get the syntax correct in SYSTEM CONFIG. I comment out my current vswitch define and add the new one:

    /*Define vswitch zvm1 rdev 0c60 0c70 */
    Define vswitch zvm1 rdev 0c60 0c70 VLAN 4000 PORTT TRUNK ETH

When I syntax check it I get an error:

    2853 +++dVal = x2d(xVal)
    1906 +++ if ( xInRange(tok,loRange,hiRange) = 0 )
    1206 +++ call handle_token
    278 +++ call verify_statement/* Verify statement syntax */
    DMSREX475E Error 40 running CPSYNTAX EXEC, line 2853: Incorrect call to routine

which isn't exactly helpful. It didn't even tell me what line the error was on. z/VM 5.4. Anybody see my error?

Bobby Bauer
Center for Information Technology
National Institutes of Health
Bethesda, MD 20892-5628
301-594-7474
Re: Ethernet vswitch definition
Yes, there is a PTF for that. I'll have to go looking for the number.

Marcy

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Bauer, Bobby (NIH/CIT) [E]
Sent: Thursday, January 08, 2009 10:33 AM
Subject: [IBMVM] Ethernet vswitch definition
Re: Ethernet vswitch definition
We had this same problem. There is actually nothing wrong with the line, but the checker looks at the length of the parms following RDEV until one is greater than 4 characters (if I remember right). Try repositioning the VLAN 4000 after TRUNK. There is a fix out there for it.

Bob Bates
Enterprise Hosting Services
w. (469) 892-6660
c. (214) 907-5071

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Bauer, Bobby (NIH/CIT) [E]
Sent: Thursday, January 08, 2009 12:33 PM
Subject: Ethernet vswitch definition
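A toy DEFINE VSWITCH checker, added here and not CPSYNTAX's or IBM's code, that puts the token-length heuristic Bob describes (naive mode, an assumption modelled from his description) beside a parser that stops the RDEV list at the first keyword. In naive mode the posted statement fails on x2d('VLAN') exactly as the traceback shows, and the reordered statement passes; the KEYWORDS table and the default operand values are assumptions of this example.

```python
import re

# Operands of DEFINE VSWITCH this toy parser knows (limited to what the
# thread uses; the PORTT and ETH abbreviations are accepted for that reason).
KEYWORDS = {"RDEV": "rdev", "VLAN": "vlan", "PORTTYPE": "porttype",
            "PORTT": "porttype", "ETHERNET": "transport", "ETH": "transport",
            "IP": "transport"}
HEX_DEV = re.compile(r"^[0-9A-Fa-f]{1,4}$")  # real device numbers: 1-4 hex digits


def _collect_rdevs(tokens, i, naive):
    """Consume the real-device operands that follow RDEV.
    naive=True models the heuristic Bob Bates describes (an assumption, not
    CPSYNTAX source): take tokens while they are at most 4 characters, then
    convert each with x2d().  'VLAN' is 4 characters, so it is swallowed and
    x2d('VLAN') fails with REXX error 40, as in the posted traceback.
    naive=False stops at the first keyword or non-hex token instead."""
    rdevs = []
    while i < len(tokens):
        tok = tokens[i]
        if naive:
            if len(tok) > 4:
                break
            if not HEX_DEV.match(tok):
                raise ValueError(f"Error 40 Incorrect call to routine: x2d({tok!r})")
        elif tok.upper() in KEYWORDS or not HEX_DEV.match(tok):
            break
        rdevs.append(int(tok, 16))
        i += 1
    return rdevs, i


def parse_define_vswitch(stmt, naive=False):
    """Parse one DEFINE VSWITCH statement into a dict of its operands.
    Defaults assumed here: PORTTYPE ACCESS, IP transport, VLAN unaware (None)."""
    tokens = stmt.split()
    if [t.upper() for t in tokens[:2]] != ["DEFINE", "VSWITCH"] or len(tokens) < 3:
        raise ValueError("not a DEFINE VSWITCH statement")
    out = {"name": tokens[2], "rdev": [], "vlan": None,
           "porttype": "ACCESS", "transport": "IP"}
    i = 3
    while i < len(tokens):
        word = tokens[i].upper()
        key = KEYWORDS.get(word)
        if key is None:
            raise ValueError(f"unknown operand {tokens[i]!r}")
        if key == "transport":
            out["transport"] = "IP" if word == "IP" else "ETHERNET"
            i += 1
        elif key == "rdev":
            out["rdev"], i = _collect_rdevs(tokens, i + 1, naive)
        else:  # VLAN defvid or PORTTYPE type: one value follows the keyword
            if i + 1 >= len(tokens):
                raise ValueError(f"{word} needs a value")
            val = tokens[i + 1]
            out[key] = int(val) if key == "vlan" else val.upper()
            i += 2
    return out


def check(stmt, naive=False):
    """Return None if the statement parses, otherwise the error text."""
    try:
        parse_define_vswitch(stmt, naive)
    except ValueError as exc:
        return str(exc)
    return None
```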
Re: Ethernet vswitch definition
Thanks, that fixed the syntax error. Who would have thought IBM could make that mistake? Did an IBMLINK search but so far haven't found any PTF that looked like this.

Bobby Bauer
Center for Information Technology, National Institutes of Health

From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Bob Bates
Sent: Thursday, January 08, 2009 1:52 PM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
Check the PSP bucket for 5.4 RSU0801 ... I saw it in there yesterday.

--
Jeff Forte
IBM Global Services z/VM System Support
E-mail: jfo...@us.ibm.com
Phone: 877-548-1651 (TL 349-8649)

From: Bauer, Bobby (NIH/CIT) [E] baue...@mail.nih.gov
Sent by: The IBM z/VM Operating System ib...@listserv.uark.edu
Date: 01/08/2009 01:57 PM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
On Thursday, 01/08/2009 at 01:38 EST, Bauer, Bobby (NIH/CIT) [E] baue...@mail.nih.gov wrote:

> Define vswitch zvm1 rdev 0c60 0c70 VLAN 4000 PORTT TRUNK ETH

By the way, PORTTYPE TRUNK sets the default *virtual* porttype on the SET/MODIFY VSWITCH GRANT command. It has no bearing on the physical port type. Unless a guest needs to access more than one VLAN on the VSWITCH, it should be given PORTTYPE ACCESS on the GRANT. (I regret that we put PORTTYPE on DEFINE VSWITCH. It was meant to be helpful, but it has caused more problems than it has solved. Granting access to a single VLAN should have resulted in a virtual access port; more than one VLAN, a virtual trunk. Sigh.)

Alan Altmark
z/VM Development
IBM Endicott
Re: Ethernet vswitch definition
Your explanation is how I understood it.
VLAN defvid makes the switch capable of supporting VLAN.
PORTT determines if the guest is or is not VLAN aware.

Bobby Bauer
Center for Information Technology, National Institutes of Health

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Thursday, January 08, 2009 2:14 PM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
On Thursday, 01/08/2009 at 02:30 EST, Bauer, Bobby (NIH/CIT) [E] baue...@mail.nih.gov wrote:

> Your explanation is how I understood it.

Good.

> VLAN defvid makes the switch capable of supporting VLAN

...and it sets the default VLAN authorization for the GRANT.

> PORTT determines if the guest is or is not VLAN aware.

Some people have been creating VLAN-aware guests that only access a single VLAN (on a particular VSWITCH), wasting cycles. I just want to be sure you aren't falling into that trap.

Alan Altmark
z/VM Development
IBM Endicott
Re: Ethernet vswitch definition
Always glad to have someone looking over my shoulder. We do have requirements for access to various VLANs.

Bobby Bauer
Center for Information Technology, National Institutes of Health

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
Sent: Thursday, January 08, 2009 2:37 PM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
I have need for multiple VLAN memberships also. I keep running into issues with routing when I have more than one VLAN configured. Does anyone have any pearls of wisdom in this area? Any docs for advanced VLAN networking with VSWITCH under z/VM 5.4?

Scenario: If you had an environment that consisted of Administration and Production networks and you wanted a guest to participate in both, wouldn't you just create two VLAN memberships to eth0 (a la vconfig)? Or would it be prudent to create a separate VSWITCH for Administration and Production and use eth0 and eth1 nics (using the PORTTYPE ACCESS method)?

Any thoughts would be greatly appreciated.

Thanks,
Dave

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Bauer, Bobby (NIH/CIT) [E]
Sent: Thursday, January 08, 2009 11:39 AM
Subject: Re: Ethernet vswitch definition
Re: Ethernet vswitch definition
Are the administration and production networks connected to 1 physical switch over 1 OSA port?

David Kreuter

From: The IBM z/VM Operating System on behalf of KEETON Dave * SDC
Sent: Thu 1/8/2009 6:09 PM
Subject: Re: [IBMVM] Ethernet vswitch definition