Re: NATing on z/VM

2011-11-28 Thread Rob van der Heij
On Mon, Nov 28, 2011 at 2:41 AM, Alan Altmark alan_altm...@us.ibm.com wrote:

 How did you do that?  Through the 'send dhcp-client-identifier' option?  I
 have wished that the dhcp client config file had something like send
 vname-as-dhcp-client-identifier so that it could be in the constant part
 of the clone.  Then it could be used on all virtual servers.  (Where vname
 is something like hypervisorname-vmname.)

Wishes ;-)   I think mine was that VSWITCH would have its own
built-in DHCP server to respond with the configured IP address and
probably even refuse anything else done by the guest...

IIRC we had the userid in the client hostname field (that's there for
the DHCP server to register the client in DNS). The DHCP server would
get the configuration data out of LDAP.

In theory there's a lot of potential in doing dynamic IP addresses for
servers and register them in DNS. This would allow servers to move or
have extra ones added on demand. Unfortunately many DNS
implementations today stretch the protocol in dangerous ways and make
it very hard to manage.

Rob

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: NATing on z/VM

2011-11-27 Thread Richard Troth
The most obvious solution is to run one zLinux guest straddling internal
and external, forwarding enabled, and tell the others it is their router.
If you need to generate the internal addresses, run DHCP server on it (or
on another internal guest). You'll need layer 2 for DHCP traffic.

NAT on Linux is easy then with IPTABLES.
 On Nov 27, 2011 12:26 PM, Cameron Seay cws...@gmail.com wrote:

 All:

 We need to use NATing to generate private IP addresses that can be accessed
 externally to our network.  Has anyone done this?

 Thanks.

 --
 Cameron Seay, Ph.D.
 Electronics, Computer and Information Technology
 School of Technology
 NC A&T State University
 Greensboro, NC
 336 334 7717 x2251





Re: NATing on z/VM

2011-11-27 Thread Richard Troth
... I should add that I don't personally recommend DHCP in a z/VM context.
Better to have the addresses pre-assigned to each guest. (You'd want to do
some prep of your virt MAC addresses. Might as well cut to the chase, even
relegate the MAC addrs to VM and save that effort.) On z/VM there are other
ways to match the IP addr with the guest.

Also ... NAT itself is not the plus we once thought. It really only buys
you address constraint relief in IPv4 space. Most of us see it (or used to)
as also offering security, but that is misleading. When you get to IPv6,
you'll want to dispense with NAT though still have stateful firewalls.
On Nov 27, 2011 12:26 PM, Cameron Seay cws...@gmail.com wrote:

 All:

 We need to use NATing to generate private IP addresses that can be accessed
 externally to our network.  Has anyone done this?

 Thanks.

 --
 Cameron Seay, Ph.D.
 Electronics, Computer and Information Technology
 School of Technology
 NC A&T State University
 Greensboro, NC
 336 334 7717 x2251





Re: NATing on z/VM

2011-11-27 Thread David Boyes
Yes. Use a Linux guest as your external access and use iptables to do the NAT. 
Works just like it does on intel, but note that it will require a fair amount 
of CPU because the guest has to examine every packet.





On Nov 27, 2011, at 12:25, Cameron Seay cws...@gmail.com wrote:

 All:
 
 We need to use NATing to generate private IP addresses that can be accessed
 externally to our network.  Has anyone done this?
 
 Thanks.
 
 --
 Cameron Seay, Ph.D.
 Electronics, Computer and Information Technology
 School of Technology
 NC A&T State University
 Greensboro, NC
 336 334 7717 x2251
 

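
The router-guest setup described in the replies above (one Linux guest straddling the internal and external networks, NAT done with iptables, and a stateful firewall rather than NAT as the security boundary), as an added example that is not from any poster in this thread. The interface names, the 10.1.1.0/24 subnet and the published HTTPS service are assumptions; it goes slightly beyond the replies by also publishing one internal service through DNAT, since the original question asks for private addresses reachable from outside.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset for the router guest.
# Interface names, subnet and the published service are constructed values.

# split_svc SPEC: parse PROTO:EXT_PORT:INT_HOST:INT_PORT into shell variables.
split_svc() {
    IFS=: read -r proto eport ihost iport <<EOF
$1
EOF
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $eport in ''|*[!0-9]*) return 1 ;; esac
    case $iport in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$ihost" ]
}

# nat_ruleset EXT_IF INT_IF INT_NET [SPEC ...]
nat_ruleset() {
    ext_if=$1 int_if=$2 int_net=$3
    shift 3
    for svc in "$@"; do          # validate everything before printing anything
        split_svc "$svc" || { echo "bad service spec: $svc" >&2; return 1; }
    done
    echo "*nat"
    for svc in "$@"; do          # inbound: publish selected internal services
        split_svc "$svc"
        echo "-A PREROUTING -i $ext_if -p $proto --dport $eport -j DNAT --to-destination $ihost:$iport"
    done
    # outbound: internal guests share the router's external address
    echo "-A POSTROUTING -s $int_net -o $ext_if -j MASQUERADE"
    echo "COMMIT"
    echo "*filter"
    # NAT is not the filter: forwarding is denied unless a rule below allows it
    echo ":FORWARD DROP [0:0]"
    echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -i $int_if -o $ext_if -s $int_net -j ACCEPT"
    for svc in "$@"; do          # new inbound connections only to published services
        split_svc "$svc"
        echo "-A FORWARD -i $ext_if -o $int_if -p $proto -d $ihost --dport $iport -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Review the output, then load it with iptables-restore; forwarding also
# needs net.ipv4.ip_forward=1 on the router guest.
nat_ruleset eth0 eth1 10.1.1.0/24 tcp:443:10.1.1.20:8443
```

The ruleset covers forwarded traffic only; INPUT and OUTPUT rules for the router guest itself are left to the installation.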


Re: NATing on z/VM

2011-11-27 Thread Alan Altmark
On Sunday, 11/27/2011 at 01:38 EST, Richard Troth vmcow...@gmail.com wrote:
 ... I should add that I don't personally recommend DHCP in a z/VM context.
 Better to have the addresses pre-assigned to each guest. (You'd want to do
 some prep of your virt MAC addresses. Might as well cut to the chase, even
 relegate the MAC addrs to VM and save that effort.) On z/VM there are other
 ways to match the IP addr with the guest.

Let's not throw the baby out with the bathwater, eh?  :-)  If you specify
MACID on the NICDEF, a DHCP reservation can be used to assign a
permanent IP address.  Some installations do this for all servers, as they
want to be able to update the gateway, dns, subnet mask, etc. from a
central point.

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott



Re: NATing on z/VM

2011-11-27 Thread r.stricklin
On Nov 27, 2011, at 4:22 PM, Alan Altmark wrote:

 Let's not throw the baby out with the bathwater, eh?  :-)  If you specify
 MACID on the NICDEF, a DHCP reservation can be used to assign a
 permanent IP address.  Some installations do this for all servers, as they
 want to be able to update the gateway, dns, subnet mask, etc. from a
 central point.

True. We found DHCP (as reservations to a permanent IP address) to be 
invaluable for simplifying DR exercises. We were on a Layer 3 VSWITCH at the 
time of implementation though so the MACID was not feasible for us. My solution 
was to have the DHCP client send the VM user name as the client ID, and key the 
static leases off that instead of the MAC address. It worked so well we stuck 
with it after migrating to Layer 2 VSWITCHes. 

It substantially simplified the process of deploying flashcopy clones, too.

ok
bear.


-- 
until further notice



Re: NATing on z/VM

2011-11-27 Thread Bruce Furber
Maybe you could advertise a public address using Quagga OSPFD

Bruce


-m

We need to use NATing to generate private IP addresses that can be accessed
externally to our network.  Has anyone done this?



Re: NATing on z/VM

2011-11-27 Thread Alan Altmark
On Sunday, 11/27/2011 at 07:57 EST, r.stricklin b...@typewritten.org wrote:
 My solution
 was to have the DHCP client send the VM user name as the client ID, and key the
 static leases off that instead of the MAC address. It worked so well we stuck
 with it after migrating to Layer 2 VSWITCHes.

How did you do that?  Through the 'send dhcp-client-identifier' option?  I
have wished that the dhcp client config file had something like send
vname-as-dhcp-client-identifier so that it could be in the constant part
of the clone.  Then it could be used on all virtual servers.  (Where vname
is something like hypervisorname-vmname.)

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
alan_altm...@us.ibm.com
IBM Endicott



Re: NATing on z/VM

2011-11-27 Thread r.stricklin
On Nov 27, 2011, at 5:41 PM, Alan Altmark wrote:

 How did you do that?  Through the 'send dhcp-client-identifier' option?  I
 have wished that the dhcp client config file had something like send
 vname-as-dhcp-client-identifier so that it could be in the constant part
 of the clone.  Then it could be used on all virtual servers.  (Where vname
 is something like hypervisorname-vmname.)

Indeed. On SuSE this is done in /etc/sysconfig/network/dhcp with 
DHCLIENT_CLIENT_ID. By default it's blank. But,

DHCLIENT_CLIENT_ID=`/usr/bin/awk '/VM00 Name:/ { print $NF }' /proc/sysinfo`

This was the foundation of a lot of DR and provisioning automation for us. I've 
spent more than a little time to no avail, trying to determine whether this is 
even possible with, for example, Xen. Disappointing, as it's such a simple 
thing.


ok
bear.

-- 
until further notice

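
An added example (not r.stricklin's own automation) of the server side of this scheme: static leases keyed on the client identifier rather than the MAC address, written as ISC dhcpd host declarations, which is an assumption about the DHCP server in use. The /proc/sysinfo excerpt, guest names and addresses are constructed, and the rule that a name is at most eight upper-case letters or digits is a simplifying assumption.

```shell
#!/bin/sh
# Added example; the sysinfo excerpt, guest names and addresses are constructed.

# sample_sysinfo: constructed excerpt in the format of /proc/sysinfo on s390.
sample_sysinfo() {
    printf '%s\n' 'LPAR Name:            LPAR1' \
                  'VM00 Name:            LINUX01' \
                  'VM00 Control Program: z/VM    6.1.0'
}

# vm_name FILE: print the guest's VM user name with the awk match from the
# post above ("-" reads standard input).
vm_name() {
    awk '/VM00 Name:/ { print $NF }' "${1:-/proc/sysinfo}"
}

# host_stanzas: read "VMNAME IP" pairs on stdin and print dhcpd host
# declarations keyed on the client identifier. Rejects malformed entries
# and any name or address that appears twice (e.g. a forgotten clone).
host_stanzas() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        NF != 2 || $1 !~ /^[A-Z0-9]+$/ || length($1) > 8 ||
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf("line %d: malformed entry\n", NR) | "cat 1>&2"; bad = 1; next }
        ($1 in ip) || ($2 in owner) {
            printf("line %d: duplicate name or address\n", NR) | "cat 1>&2"; bad = 1; next }
        { ip[$1] = $2; owner[$2] = $1; order[++n] = $1 }
        END {
            if (bad) exit 1
            for (i = 1; i <= n; i++) {
                printf "host %s {\n", tolower(order[i])
                printf "  option dhcp-client-identifier \"%s\";\n", order[i]
                printf "  fixed-address %s;\n}\n", ip[order[i]]
            }
        }'
}

# Stand-alone run: the name this guest would send, and its reservation.
printf '%s 10.1.1.21\n' "$(sample_sysinfo | vm_name -)" | host_stanzas
```

The client identifier is whatever the guest chooses to send, so a reservation keyed on it names a guest without authenticating it; the duplicate check only catches collisions in the map itself.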