Chapter 4. Networking Overview
4.10 Layer 2 test scenario
4.10.4 z/VM system configuration
Our test network required at a minimum one connection from an OSA-Express port to a trunk port on the physical switch. See the description of this type of port in “Trunk ports” on page 111. We also required backup network connections, so we used two OSA ports connected to two switch trunk ports. The majority of our virtual servers connect to two different subnets on two different VLANs, so two virtual switches are required to implement the required VLAN access restrictions.
Because we have two OSA ports and two Virtual Switches, it is logical to assign one OSA port as the primary interface to one switch and the other OSA port as the primary to the other. This way both ports are utilized, but at the same time both are available for backup. If a single OSA port cannot handle all of the network traffic for your environment during a failure of one of the ports, then additional OSA ports are needed for backup.
IP name     Network    Netmask   Gateway          Interface
custalb1    Default    n/a       192.168.1.250a   eth0
extfw1      Default    n/a       10.1.252.250a    eth0
custbweb1   10.1.0.0
itsofw1     Default    n/a       10.1.251.250a    eth0
itsofw2     Default    n/a       10.1.251.250a    eth0
fileserv1   Default    n/a       10.1.1.5         vlan301
a. This address is defined on the access router outside of the test network.
The device addresses for our OSA ports are 2D40 and 2E40, with 2D43 and 2E43 as the address of the backup devices. As described in “Hardware configuration” on page 70, each OSA port actually uses three device addresses.
Defining Virtual Switches
One or more VSWITCH controller machines are required to be operating to use a Virtual Switch, so make sure the tasks described in 4.9.2, “Configure controller service machines” on page 121 have been completed. We added statements to our SYSTEM CONFIG file to define our Virtual Switches during system start up.
See “Defining a VSWITCH” on page 124 for the syntax of the DEFINE command.
Here are the lines from our SYSTEM CONFIG file:
Define Vswitch VSWTCHN1 Rdev 2D40 2E43 Ethernet VLAN 1 Porttype ACCESS
Define Vswitch VSWTCHN2 Rdev 2E40 2D43 Ethernet VLAN 1 Porttype ACCESS
Notice that we have specified Ethernet for Layer 2 mode. The default VLAN ID is 1, which matches the native VLAN ID of our switch. And the default connection is through an access port. A VSWITCH can also be defined dynamically with a CP DEFINE command. In our example, the syntax of the command is the same as the SYSTEM CONFIG statement.
Another line that should be added to the SYSTEM CONFIG file is a VMLAN statement. This is to ensure that the virtual MAC addresses created in the z/VM system are unique in your network. See “Planning for unique MAC addresses” on page 127 for further information. In our test system we added this line:
VMLAN MACPREFIX 020000
This is also the default value if no VMLAN MACPREFIX statement is in the SYSTEM CONFIG file. We recommend that you do not use this default value in your systems, but assign a unique number to each one. In our example, our system is the only one on the isolated network.
Defining virtual Linux servers
Our example network has six virtual Linux servers in it. The VM user ID, host name, VLAN access, and usage of each server are shown in Table 4-17.
Table 4-17 VM user id list
VM User id   Host name   VLANs      Usage
LNXNFW1      itsofw1     201, 301   Admin firewall A
LNXNFW2      itsofw2     201, 302   Admin firewall B
LNXNWA1      custaweb1   101, 301   Customer A web server 1
LNXNWA2      custaweb2   101, 301   Customer A web server 2
LNXNWB1      custbweb1   102, 302   Customer B web server 1
LNXNFS1      fileserv1   301, 302   Common file server
The column of VLAN numbers is the VLAN IDs that each host is connected to, as also shown in Figure 4-35 on page 129.
Each user ID except LNXNFS1 is connected to both Virtual Switches. The directory entry for each user has the following lines:
NICDEF 0600 TYPE QDIO LAN SYSTEM VSWTCHN1
NICDEF 0610 TYPE QDIO LAN SYSTEM VSWTCHN2
User id LNXNFS1 only connects to VSWTCHN2, using this line in its directory:
NICDEF 0600 TYPE QDIO LAN SYSTEM VSWTCHN2
Defining VLAN permissions
Only VM user IDs that have been granted permission are allowed to connect a virtual NIC to a Virtual Switch. Included in this permission is the type of access (ACCESS or TRUNK) and the permitted VLAN ID (ACCESS port) or IDs (TRUNK port). Each user ID and Virtual Switch requires a separate command or definition. There are three ways to define this access: SYSTEM CONFIG file statements, CP commands, or RACF/VM permissions.
SYSTEM CONFIG file
The following lines in Example 4-1 are added after the Define Vswitch lines:
Example 4-1 VLAN permissions in the SYSTEM CONFIG file
Modify Vswitch VSWTCHN1 Grant LNXNFW1 Porttype ACCESS VLAN 201
Modify Vswitch VSWTCHN2 Grant LNXNFW1 Porttype ACCESS VLAN 301
Modify Vswitch VSWTCHN1 Grant LNXNFW2 Porttype ACCESS VLAN 201
Modify Vswitch VSWTCHN2 Grant LNXNFW2 Porttype ACCESS VLAN 302
Modify Vswitch VSWTCHN1 Grant LNXNWA1 Porttype ACCESS VLAN 101
Modify Vswitch VSWTCHN1 Grant LNXNWA2 Porttype ACCESS VLAN 101
Modify Vswitch VSWTCHN2 Grant LNXNWA2 Porttype ACCESS VLAN 301
Modify Vswitch VSWTCHN1 Grant LNXNWB1 Porttype ACCESS VLAN 102
Modify Vswitch VSWTCHN2 Grant LNXNWB1 Porttype ACCESS VLAN 302
Modify Vswitch VSWTCHN2 Grant LNXNFS1 Porttype TRUNK VLAN 301 302
These permissions are automatically granted during every VM system IPL.
CP commands
If the SYSTEM CONFIG file statements are not used, these commands can be executed as part of the system start-up process, or they can be used to set up the test environment dynamically.
Example 4-2 VLAN permissions as CP commands
CP SET VSWITCH VSWTCHN1 GRANT LNXNFW1 PORTTYPE ACCESS VLAN 201
CP SET VSWITCH VSWTCHN2 GRANT LNXNFW1 PORTTYPE ACCESS VLAN 301
CP SET VSWITCH VSWTCHN1 GRANT LNXNFW2 PORTTYPE ACCESS VLAN 201
CP SET VSWITCH VSWTCHN2 GRANT LNXNFW2 PORTTYPE ACCESS VLAN 302
CP SET VSWITCH VSWTCHN1 GRANT LNXNWA1 PORTTYPE ACCESS VLAN 101
CP SET VSWITCH VSWTCHN2 GRANT LNXNWA1 PORTTYPE ACCESS VLAN 301
CP SET VSWITCH VSWTCHN1 GRANT LNXNWA2 PORTTYPE ACCESS VLAN 101
CP SET VSWITCH VSWTCHN2 GRANT LNXNWA2 PORTTYPE ACCESS VLAN 301
CP SET VSWITCH VSWTCHN1 GRANT LNXNWB1 PORTTYPE ACCESS VLAN 102
CP SET VSWITCH VSWTCHN2 GRANT LNXNWB1 PORTTYPE ACCESS VLAN 302
CP SET VSWITCH VSWTCHN2 GRANT LNXNFS1 PORTTYPE TRUNK VLAN 301 302
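As an added example (not from this Redbook), the following Python audit derives the grant set that Table 4-17 implies and compares it with the Modify Vswitch statements or CP SET VSWITCH commands actually present, flagging grants that are missing, over-broad (a TRUNK onto another customer's VLAN) or not in the plan at all. The user IDs, switch names and VLANs come from this page; the assumption that 1xx/2xx VLANs live on VSWTCHN1 and 3xx VLANs on VSWTCHN2 is read off the examples above, and the drifted configuration it checks is constructed.

```python
import re
from collections import defaultdict

# Table 4-17 on this page: VM user ID -> VLAN IDs the guest is allowed to reach.
TABLE_4_17 = {"LNXNFW1": (201, 301), "LNXNFW2": (201, 302), "LNXNWA1": (101, 301),
              "LNXNWA2": (101, 301), "LNXNWB1": (102, 302), "LNXNFS1": (301, 302)}

def intended_grants(table):
    """Expected grants; assumes (per the page's examples) 1xx/2xx VLANs on VSWTCHN1, 3xx on VSWTCHN2, TRUNK if >1 VLAN."""
    expected = {}
    for user, vlans in table.items():
        per_switch = defaultdict(set)
        for v in vlans:
            per_switch["VSWTCHN2" if v >= 300 else "VSWTCHN1"].add(v)
        for vsw, vs in per_switch.items():
            expected[(vsw, user)] = ("TRUNK" if len(vs) > 1 else "ACCESS", frozenset(vs))
    return expected

def to_statements(grants):
    """Render grants as SYSTEM CONFIG 'Modify Vswitch ... Grant' statements (Example 4-1 form)."""
    return [f"Modify Vswitch {vsw} Grant {user} Porttype {ptype} VLAN " + " ".join(map(str, sorted(vlans)))
            for (vsw, user), (ptype, vlans) in sorted(grants.items())]

# Matches the SYSTEM CONFIG form (Modify Vswitch ... Grant ...) and the CP form (CP SET VSWITCH ... GRANT ...).
GRANT_RE = re.compile(r"^(?:CP\s+SET|MODIFY)\s+VSWITCH\s+(\S+)\s+GRANT\s+(\S+)\s+"
                      r"PORTTYPE\s+(ACCESS|TRUNK)\s+VLAN\s+(\d+(?:\s+\d+)*)$", re.I)

def parse_grants(text):
    """Actual (vswitch, user) -> (porttype, vlans) parsed from config statements or CP commands."""
    grants = {}
    for line in text.splitlines():
        m = GRANT_RE.match(line.strip())
        if m:
            vsw, user, ptype, vlans = m.groups()
            grants[(vsw.upper(), user.upper())] = (ptype.upper(), frozenset(map(int, vlans.split())))
    return grants

def audit(actual, expected):
    """Grants MISSING from the config, MISMATCHed against the plan (e.g. over-broad), or UNPLANNED."""
    findings = []
    for key in sorted(expected.keys() | actual.keys()):
        got, planned = actual.get(key), expected.get(key)
        if got is None:
            findings.append(("MISSING", key, planned))
        elif got != planned:
            findings.append(("MISMATCH" if planned else "UNPLANNED", key, got))
    return findings

def drifted_config():
    """Constructed drift, not the page's Example 4-1: LNXNWA1 loses its VSWTCHN2 grant; LNXNWB1 gets a trunk onto VLAN 301 too."""
    lines = [s for s in to_statements(intended_grants(TABLE_4_17))
             if "VSWTCHN2 Grant LNXNWA1" not in s and "VSWTCHN2 Grant LNXNWB1" not in s]
    lines.append("CP SET VSWITCH VSWTCHN2 GRANT LNXNWB1 PORTTYPE TRUNK VLAN 301 302")
    return "\n".join(lines)
```

Run over the SYSTEM CONFIG lines of Example 4-1 as printed above, it also reports the VSWTCHN2 grant for LNXNWA1 that appears only in Example 4-2, which is the kind of gap between the two forms that lets a guest silently lose or keep access.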
RACF/VM permissions
We recommend that your VM systems use an external security manager, especially for production systems. Starting with z/VM 5.1, RACF/VM can control access to a VSWITCH. A complete description of how to set up RACF on your system is outside the scope of this book. However, if you have it set up, see Figure 4-37 on page 136 for the commands to enable VSWITCH access in our environment.
Figure 4-37 RACF/VM commands for a Virtual Switch
More information about how to configure RACF/VM to protect Guest LANs and Virtual Switches can be found in the publication RACF V1R10 Security Administrator’s Guide, SC28-1340.