Steps to allow QDIO Accelerator to forward routed traffic when IP security is enabled

Before you begin

Discuss all changes to your filter policy and defensive filters with your security administrator. Do not permit all routed traffic without first verifying that your network security policy specifies that all routed traffic is to be permitted.

Procedure

If you enabled IP security and you want to allow QDIO Accelerator to forward routed traffic, perform the following steps:

  1. Consult your network security policy to determine how TCP/IP processes routed traffic. You cannot use QDIO Accelerator for routed traffic when any of the following conditions are true:
    • Some routed traffic must be denied in your IP filter policy.
    • Some routed traffic must be protected by IPsec in your IP filter policy.
    • Some routed traffic must be logged using TRMD.

    If any of these conditions are true, QDIO Accelerator forwards only sysplex distributor traffic.

  2. If TCP/IP issues message EZD2020A and your network security policy specifies that all routed traffic is permitted, configure your TCP/IP profile to permit all routed traffic without logging:
    1. Ensure that the first IPv4 IPSECRULE statement with the Routing value Routed or Either permits all IPv4 addresses, all protocols, and all security classes.
      Tip: If your rule has the Routing value Either, the rule applies to both local and routed traffic. If your security policy does not allow you to permit all local traffic, split this rule into two rules, one with the Routing value Routed and one with the Routing value Local.
    2. Ensure that the first IPv4 IPSECRULE statement does not specify LOG to enable filter logging.
  3. If TCP/IP issues message EZD2021A and your network security policy specifies that all routed traffic is permitted, configure your policy filter rules to permit all routed traffic without logging.
    1. If you are using the IBM® Configuration Assistant for z/OS® Communications Server to configure your IPSec policy, use the following settings:
      1. Ensure that the first connectivity rule that applies to routed IPv4 traffic specifies a topology of filtering only, applies to all IPv4 addresses, and uses a requirement map that maps all IP protocols and all security classes to a Permit security level.
        Tip: Your connectivity rule might apply to both local and routed traffic. If your security policy does not allow you to permit all local traffic, split this rule into two rules, one that applies to filtering for routed traffic and one that applies to filtering for local traffic.
      2. Ensure that the first connectivity rule specifies that filter matches are not logged.
    2. If you are manually configuring your IPSec policy, use the following settings:
      1. Ensure that the associated IpService statement for the first IpFilterRule statement has the Routing value Routed or Either, permits all IPv4 addresses, all protocols, and all security classes, and has the Direction value Bidirectional.
        Tip: If your rule has the Routing value Either, the rule applies to both local and routed traffic. If your security policy does not allow you to permit all local traffic, split this filter rule into two filter rules, one with the Routing value Routed and one with the Routing value Local.
      2. Ensure that the associated IpGenericFilterAction statement for the first IpFilterRule statement specifies the IpFilterLogging setting No to disable filter logging.
  4. If TCP/IP issues message EZD2022A and your network security policy specifies that all routed traffic is permitted, ensure that your defensive filters permit routed traffic:
    1. Issue the ipsec -F display command to display the defensive filters.
    2. If any filters are listed that apply to routed traffic, you have the following options:
      • Because defensive filters are temporary filters designed to address temporary conditions, you can wait for these filters to expire. After the filters expire, QDIO Accelerator can resume forwarding routed traffic.
      • If you and your security administrator determine that these defensive filters are no longer needed, your security administrator can issue the ipsec -F delete command to delete these filters so that QDIO Accelerator can resume forwarding routed traffic.
    For more information about the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.
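The following Policy Agent fragment is an added example, not taken from this page or from IBM's own samples, of the manual IPSec policy settings described in step 3 for manually configured policy: a filter rule for routed IPv4 traffic whose IpService permits all addresses, all protocols and all security classes bidirectionally, paired with a generic filter action that permits without logging. The rule and action names (PermitRoutedIPv4, permit-nolog) are assumed, and the statement syntax is assumed to match the z/OS Communications Server release in use.

```text
# Added example: Policy Agent IpFilterPolicy fragment for step 3, manual configuration.
# This rule must be the FIRST IpFilterRule that applies to routed IPv4 traffic;
# a deny, IPsec, or logging rule for routed traffic ahead of it causes EZD2021A.
IpFilterPolicy
{
   IpFilterRule   PermitRoutedIPv4
   {
      # All IPv4 source and destination addresses (assumed keyword: all4)
      IpSourceAddr   all4
      IpDestAddr     all4
      IpService
      {
         Protocol        all            # all IP protocols
         Direction       bidirectional  # required by step 3 for the first rule
         Routing         routed         # routed only; use Either only if local traffic may also be permitted
         SecurityClass   0              # 0 = applies to all security classes
      }
      IpGenericFilterActionRef   permit-nolog
   }
   # Any local-only rules (Routing local) that deny, protect or log traffic follow here.
}

# Permit without filter logging; IpFilterLogging Yes on this action also causes EZD2021A.
IpGenericFilterAction   permit-nolog
{
   IpFilterAction    permit
   IpFilterLogging   no
}
```

If your existing first rule uses Routing Either and your policy cannot permit all local traffic, keep this routed rule first and add a separate rule with Routing local for the local traffic.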