Layer 2 promiscuous mode
OSA and HiperSockets ports that operate in layer 2 mode can be set up to receive all frames that are addressed to unknown MAC addresses.
On most architectures, traffic between operating systems and networks is handled by Ethernet Network Interface Controllers (NICs). NICs usually filter incoming traffic to admit only frames with destination MAC addresses that are registered with the NIC.
However, a NIC can also be configured to receive and pass to the operating system all Ethernet frames that reach it, regardless of the destination MAC address. This mode of operation is known as promiscuous mode. For example, promiscuous mode is a prerequisite for configuring a NIC as a member of a Linux® software bridge.
For more information about how to set up a software bridge, see the documentation that is provided by Red Hat® Enterprise Linux, or the bridging how-to available at http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO
On IBM Z®, you can realize a promiscuous mode for Ethernet traffic through a bridge port configuration or through Virtual Network Interface Controller (VNIC) characteristics.
Depending on the hardware level, OSA and HiperSockets devices can be configured as bridge ports or they can be configured with VNIC characteristics. The same OSA or HiperSockets device cannot simultaneously be configured as a bridge port and with VNIC characteristics.
VNIC characteristics
With (VNIC) characteristics, you can set and fine-tune a promiscuous mode for HiperSockets and OSA devices.
Bridge ports
Linux can assign a bridge port role to a logical port, and the HiperSockets or OSA adapter assigns an active state to one of the logical ports to which a role was assigned. A local port in active bridge port state receives all Ethernet frames with unknown destination MAC addresses.
HiperSockets only: On IQDX channels, permission to configure ports as bridge ports must be granted in IBM® zEnterprise® Unified Resource Manager (zManager). On machines in PR/SM mode, bridge ports can only be configured on IQD channels that are defined as external-bridged in the IOCDS. On machines in DPM mode, bridge ports can be configured on any IQD channel.
Differences between promiscuous mode and bridge-port roles
Making a logical port of an OSA or HiperSockets adapter an active bridge port is similar to enabling promiscuous mode on a non-mainframe NIC that is connected to a real Ethernet switch. However, there are important differences:
- Number of ports in promiscuous mode
  - Real switches: Any number of interfaces that are connected to a real switch can be turned to promiscuous mode, and all of them then receive frames with unknown destination addresses.
  - Bridge ports on IBM Z: Although you can assign the bridge-port role to multiple ports of a single OSA or HiperSockets adapter, only one port is active and receives traffic to unknown destinations.
- Monitoring traffic to other systems
  - Real switches: A port of a real switch can be configured to receive frames with both known and unknown destinations. If a NIC in promiscuous mode is connected to the port, the corresponding host receives a copy of all traffic that passes through the switch. This includes traffic that is destined to other hosts connected to this switch.
  - Bridge ports on IBM Z or qeth devices with vnicc/flooding set: Only frames with unknown destinations are passed to the operating system. It is not possible to intercept traffic addressed to systems connected to other ports of the same OSA adapter.
  - On IBM Z: The HiperSockets network traffic analyzer or z/VM® guest LAN sniffer can be used to monitor traffic that is destined for other ports.
- Limitation by the source of traffic (OSA bridge port only)
  - Real switches and HiperSockets bridge-port LAN: Frames with unknown destination MAC addresses are delivered to the promiscuous interfaces regardless of the port through which the frames enter the switch or HiperSockets adapter.
  - OSA bridge ports or OSA ports that are set to vnicc/flooding and vnicc/learning: Active bridge ports or ports with the flooding and learning VNIC characteristics learn which MAC addresses need to be routed to the owning system by analyzing ARP and other traffic. Incoming frames are routed to these ports if one of the following conditions applies:
    - The frame's destination MAC matches an address that is learned or registered with the port.
    - The frame's destination MAC is not learned or registered with any of the local ports of the OSA adapter, and it arrived from the physical Ethernet port.
Bridge port roles
Linux can assign a primary or secondary role to a logical port of an OSA or a HiperSockets adapter. Only one logical port of such an adapter can be assigned the primary role, but multiple other logical ports can be assigned the secondary role. When one or more logical ports of an adapter are assigned the primary or secondary role, the hardware ensures that exactly one of these ports is active. The active port receives frames with unknown destination MAC addresses. When a port with the primary role is present, it always becomes active. When only ports with the secondary role are present, the hardware decides which one becomes active. Changes in the ports' state are reported to Linux user space through udev events.
You can set a bridge port role either directly by using the bridge_role attribute or indirectly by using the bridge_reflect_promisc attribute.
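The following shell script is an added example and is not part of the IBM documentation or of the qeth driver. It audits which qeth devices on a Linux on IBM Z system are configured to receive frames for unknown destination MAC addresses, either through a bridge port role (set directly via bridge_role or indirectly via bridge_reflect_promisc) or through the vnicc/flooding characteristic, so that an administrator can inventory the interfaces that behave like promiscuous NICs. It assumes the qeth ccwgroup sysfs layout /sys/bus/ccwgroup/drivers/qeth/<busid>/ with the attributes named above, bridge_role and bridge_reflect_promisc taking the values primary, secondary or none and the vnicc attributes taking 0 or 1; these value conventions and the bus IDs in the sample tree are assumptions or constructed for the example, and the sysfs root is a parameter so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not IBM's or the qeth driver's own code.
# Assumed layout: $ROOT/bus/ccwgroup/drivers/qeth/<busid>/{bridge_role,
# bridge_reflect_promisc,vnicc/flooding,vnicc/learning}. Run with no
# argument to audit the live /sys tree, or pass a constructed root.

# Print an attribute's value, or "-" when the attribute is absent
# (for example no vnicc directory on hardware without VNIC characteristics).
read_attr() {
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf '%s' "-"
    fi
}

# One line per qeth device: bus ID, the four attributes, and a verdict
# stating why (if at all) the device is configured to receive frames with
# unknown destination MACs: "bridge-port", "vnicc", or "no".
audit_qeth_promisc() {
    root="${1:-/sys}"
    for dev in "$root"/bus/ccwgroup/drivers/qeth/*/; do
        [ -d "$dev" ] || continue
        busid=$(basename "$dev")
        role=$(read_attr "$dev/bridge_role")
        reflect=$(read_attr "$dev/bridge_reflect_promisc")
        flood=$(read_attr "$dev/vnicc/flooding")
        learn=$(read_attr "$dev/vnicc/learning")
        verdict="no"
        # A role set directly or reflected from IFF_PROMISC both count.
        case "$role" in primary|secondary) verdict="bridge-port" ;; esac
        case "$reflect" in primary|secondary) verdict="bridge-port" ;; esac
        # vnicc/flooding is mutually exclusive with a bridge port role.
        [ "$flood" = "1" ] && verdict="vnicc"
        printf '%s role=%s reflect=%s flooding=%s learning=%s unknown-dest=%s\n' \
            "$busid" "$role" "$reflect" "$flood" "$learn" "$verdict"
    done
}

# Number of devices the audit flagged (a quick compliance check).
count_flagged() {
    audit_qeth_promisc "$1" | grep -c -v 'unknown-dest=no$' || true
}

# Build a constructed sysfs tree with three sample devices (bus IDs are
# made up): one primary bridge port, one with VNIC flooding+learning,
# and one with neither.
make_sample_tree() {
    base="$1/bus/ccwgroup/drivers/qeth"
    mkdir -p "$base/0.0.f5f0" "$base/0.0.f5f3/vnicc" "$base/0.0.f5f6"
    echo primary > "$base/0.0.f5f0/bridge_role"
    echo none    > "$base/0.0.f5f0/bridge_reflect_promisc"
    echo none    > "$base/0.0.f5f3/bridge_role"
    echo none    > "$base/0.0.f5f3/bridge_reflect_promisc"
    echo 1       > "$base/0.0.f5f3/vnicc/flooding"
    echo 1       > "$base/0.0.f5f3/vnicc/learning"
    echo none    > "$base/0.0.f5f6/bridge_role"
    echo none    > "$base/0.0.f5f6/bridge_reflect_promisc"
}
```

The audit reports configuration, not the adapter's choice: several ports may carry a secondary role while, as described above, only one of them is active at a time, so a flagged device is one that may receive unknown-destination frames, and the udev events the driver emits on state changes are the place to learn which port currently does.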