We just went through all this with a government contract - we had to have a 
"presentation zone" separated totally from a "Data zone" separated from an "app 
zone", it was a nightmare.  Technical (logic) has nothing to do with it, it is 
another chance for the dreaded Loch Ness Security Department to arise from the 
mire and take over.

We created 3 VLANs on the mainframe.  We had to kill our HiperSockets connection 
because each VLAN was required to exit the mainframe out to Ethernet and 
proceed through network firewalls and subsequently return to the mainframe 
after the data was blessed.  But wait, you can't have all that data coming back 
through one VSWITCH can you?  Of course not.  I would prefer not to discuss the 
OSA cards, that got into real money.  So all of our data does not go through 
the same OSA cards, that is my story and I am sticking to it.

Anyway, got to learn a boatload, and spend lots of money, so all was not lost.

If attaching this connection is against policy, I apologize in advance.
http://www.youtube.com/watch?v=nGeKSiCQkPw




From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf 
Of Davis, Larry (National VM/VSE Capability)
Sent: Thursday, July 21, 2011 3:26 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Separate virtual switch controllers

No One Controller can handle all the VSWITCHES you may want to create. I would 
create at least two Controllers and code all your VSwitch definitions with a 
CONTROLLER * and two RDEV devices. Also you can use VLANs to reduce the number 
of Ports and isolate the traffic through a switch.

Larry Davis

From: The IBM z/VM Operating System [mailto:IBMVM@LISTSERV.UARK.EDU] On Behalf 
Of O'Brien, Dennis L
Sent: Thursday, July 21, 2011 3:16 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Separate virtual switch controllers

We are working on a project to provide Internet access to select Linux guests 
on z/VM.  The network team plans to use separate OSA's and virtual switches for 
this.  For the initial testing, there will be one OSA and virtual switch for 
the presentation zone and a separate OSA and virtual switch for the secure 
zone.  These are in addition to the existing virtual switch that we already 
have on our internal network.  The network people have also asked for separate 
virtual switch controllers.  Is there any reason to create separate controller 
virtual machines (DTCVSWx) for these virtual switches?  My understanding is 
that no data flows through the controllers.  They're just used to manage the 
virtual switches.  I believe there was a statement from IBM that the two 
default controllers, DTCVSW1 and DTCVSW2, are sufficient for any number of 
virtual switches.  Is there any security risk if the same controllers manage 
virtual switches for multiple zones?

Dennis

"I want to express my gratitude to my family.  To my mother and father who 
instilled in me the values that have carried me this far."  -- former U.S. 
Representative Anthony Weiner, during his resignation speech
