Alan, what non-IP protocol do you expect to use on VLAN 106?  (SNA comes
to mind but you might be trying to do something else.)  You have
mentioned ACL's on the Cisco switch.  Are these blocking the traffic you
expected to work?  Being new to VLAN's, is this someone else's design
you are implementing or your own?  Non-IP protocols are not the norm
today.  How do security domains influence what you are trying to
achieve?  Firewalls are only useful for IP traffic.  They do not
understand non-IP traffic.

It might help everyone assisting to have a higher-level understanding of
what you are trying to accomplish to point you in the right direction.

Harold Grovesteen

Alan Schilla wrote:

Basically my security is layered. I have firewall appliances in front of
my zVM cisco routers blocking all traffic entering the trusted network.
So I am really dealing with trusted network partners although I also
need separation of these partners. Communication between zVM guests
within the same VLAN is allowed so I do not block this communication.
Intercommunication across VLANs is controlled at my cisco router by
attaching ACL's to the VLAN subinterfaces associated with my zVM trunk
interface. It sure seems to provide what I need.

Al Schilla
Systems Programmer
Enterprise Technology Services
Office of Enterprise Technologies
phone: 651-201-1216
email: [EMAIL PROTECTED]

-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Stricklin, Raymond J
Sent: Friday, April 25, 2008 1:33 PM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

What would be the security implications of a setup like this if, for
example, you were running untrusted linux guests? I guess in a broader
sense, where are the security boundaries?

There's a lot about VLAN operation I do not yet understand, so forgive
me if this is a naive question.

ok
r.



-----Original Message-----
From: Alan Schilla [mailto:[EMAIL PROTECTED]
Sent: Friday, April 25, 2008 11:19 AM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

I'm not sure this will help you but we run multiple VLANs
thru a single vswitch. We define our cisco router port to the
OSA as a vlan trunk defining the default gateway for each of
our zVM linux VLANs. Our vswitch is defined as VLAN unaware
so all the VLANs forward traffic up the trunk to each VLAN
default address on the router.

Al Schilla
Systems Programmer
Enterprise Technology Services
Office of Enterprise Technologies
phone: 651-201-1216
email: [EMAIL PROTECTED]
-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
Behalf Of Bhemidhi, Ashwin
Sent: Wednesday, April 23, 2008 11:04 AM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

1.a) OSA port has been defined as a trunk
  b) OSA has been authorized to use both VLANs on the trunk port
  c) trunk protocol set to "dot1q"

2. define vswitch vswitche rdev 3600 ethernet vlan 1000 porttype trunk

3. cp set vswitch vswitche grant svml09 porttype trunk vlan 106 730

4. vconfig add eth1 106
  vconfig add eth1 730

VLAN 106 is Ethernet frame with no IP (LLC over Ethernet)
VLAN 730 is IP.

Our problem is when the tagging is done by the Linux guest.
There is something wrong with the VLAN 106 frames going out to a
Cisco router. The router for some reason is rejecting those frames.

This works when we setup 2 different Vswitches using the same
OSA trunk port. In this case each vswitch assigns a network
interface to the Linux guest machine as an access port with
default VLAN 106 and 730 respectively. Basically the
vswitches in this case are doing the VLAN ID tagging and the
guest sees 2 interfaces eth1 and eth2.


Regards,
Ashwin






-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On
Behalf Of Alan Altmark
Sent: Tuesday, April 22, 2008 10:38 PM
To: [email protected]
Subject: Re: z/VM Linux OS VLAN tagging

On Tuesday, 04/22/2008 at 05:52 EDT, "Bhemidhi, Ashwin"
<[EMAIL PROTECTED]> wrote:

1) Redhat Linux guest machine running kernel version 2.6.18-1.2747.el5
under z/VM 5.3
2) Using OSA Express 2 with Gigabit port and VLAN enabled at the network
switch with 2 different VLANS.
3) The 2 VLANs are a) a VLAN for IP network for IP traffic and b) a VLAN
for only Ethernet frames (LLC, no IP).
4) Configured 1 Layer 2 VSwitch with 2 VLANs and granted the Network
interface as a trunk to the Linux guest machine.


1. Make sure the switch
  a) has the OSA port defined as a trunk
  b) has authorized the OSA to use both VLANs on the trunk port
  c) has set the trunk protocol to "dot1q"
2. DEFINE VSWITCH .... VLAN 1 (or whatever the default VLAN
is for the port).  By default, the default VLAN (sorry!) is
the switch's native VLAN id, which defaults to 1.  (extra
sorry) In 5.3 you can DEFINE VSWITCH ... VLAN 2 NATIVE 1 if
you want guests to have VLAN 2 by default, but keep the
native (untagged) VLAN 1.
3. Make sure you grant both VLANs to the guest.  Use explicit
grants; don't use defaults.
4. Use vconfig to create two VLAN-specific interfaces on eth0

Alan Altmark
z/VM Development
IBM Endicott
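
The thread turns on two points: the vswitch only forwards a guest-tagged frame if that VLAN was explicitly granted to the guest (Alan Altmark's step 3), and IP ACLs or firewalls cannot see anything on VLAN 106 because LLC frames carry no IP header (Harold Grovesteen's remark). The following Python is an added illustration, not code from the thread, from z/VM, or from any of the posters. It builds a few constructed 802.1Q frames for VLANs 106 and 730, parses the tag, and applies a simplified model of a trunk-port grant: tagged frames with an ungranted VID are dropped, untagged frames ride the native VLAN only if that VID is granted. The `trunk_port_filter` and `ip_acl_visible` functions are hypothetical names for this model; they do not reproduce the exact CP implementation.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q TPID
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
RESERVED_VIDS = {0, 4095}  # 0 = priority tag only, 4095 = reserved


def build_frame(dst, src, vid, payload, ethertype=None):
    """Build an 802.1Q-tagged frame. With ethertype=None the type/length
    field carries the payload length, i.e. an 802.3 LLC frame (no IP)."""
    tci = vid & 0x0FFF                      # PCP=0, DEI=0
    type_or_len = ethertype if ethertype is not None else len(payload)
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, type_or_len) + payload


def parse_frame(frame):
    """Return the VID (None if untagged) and the payload kind."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (tpid,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if tpid == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, type_or_len = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    else:
        type_or_len = tpid
    if type_or_len >= 0x0600:                # Ethernet II: a real EtherType
        kind = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_IPV6: "ipv6"}.get(type_or_len, "other")
    else:                                    # 802.3 length field: LLC follows
        kind = "llc"
    return {"dst": dst, "src": src, "vid": vid, "kind": kind, "payload": frame[offset:]}


def trunk_port_filter(frame, granted_vids, native_vid=None):
    """Simplified trunk grant (assumption, not CP's exact logic): forward a
    tagged frame only if its VID is granted; map an untagged frame onto the
    native VID, and only if that VID is itself granted."""
    info = parse_frame(frame)
    vid = info["vid"]
    if vid is None or vid == 0:
        if native_vid is None or native_vid not in granted_vids:
            return ("drop", None, info["kind"])
        return ("forward", native_vid, info["kind"])
    if vid in RESERVED_VIDS or vid not in granted_vids:
        return ("drop", vid, info["kind"])
    return ("forward", vid, info["kind"])


def ip_acl_visible(frame):
    """A Layer-3 ACL or firewall can only evaluate frames that carry IP."""
    return parse_frame(frame)["kind"] in ("ipv4", "ipv6")


# Constructed sample frames: a guest granted VLANs 106 (LLC) and 730 (IP).
DST = bytes.fromhex("00005e000101")
SRC = bytes.fromhex("020000000001")
LLC_PAYLOAD = bytes([0x04, 0x04, 0x03]) + b"\x00" * 43   # DSAP/SSAP/ctrl + filler
IP_PAYLOAD = bytes([0x45, 0x00, 0x00, 0x14]) + b"\x00" * 16  # minimal IPv4 header
FRAME_LLC_106 = build_frame(DST, SRC, 106, LLC_PAYLOAD)
FRAME_IP_730 = build_frame(DST, SRC, 730, IP_PAYLOAD, ETHERTYPE_IPV4)
FRAME_IP_999 = build_frame(DST, SRC, 999, IP_PAYLOAD, ETHERTYPE_IPV4)
FRAME_UNTAGGED = DST + SRC + struct.pack("!H", ETHERTYPE_IPV4) + IP_PAYLOAD
GRANTED = {106, 730}


def demo():
    """Run the three frames through the grant filter and the ACL check."""
    return [(name, trunk_port_filter(f, GRANTED, native_vid=1), ip_acl_visible(f))
            for name, f in (("llc-106", FRAME_LLC_106), ("ip-730", FRAME_IP_730),
                            ("ip-999", FRAME_IP_999), ("untagged", FRAME_UNTAGGED))]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `ip-999` frame shows why explicit grants matter with guest-side tagging: a guest that tags its own frames can pick any VID, and only the grant list stops it from reaching a VLAN it was never meant to see. The `llc-106` row shows Harold's point in code form: the frame is forwarded, but no IP ACL or firewall will ever inspect it, so separation for that VLAN rests entirely on the grant and the switch port configuration.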

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access
instructions, send email to [EMAIL PROTECTED] with the
message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390