Virtual Switch
The virtual switch is a guest LAN technology that bridges real hardware and virtual networking LANs, offering external LAN connectivity to the guest LAN environment. The virtual switch operates with virtual QDIO adapters (OSA-Express), and external LAN (Uplink port) connectivity is available only through OSA-Express adapters in QDIO mode (CHPID type OSD). Like the OSA-Express adapter, the virtual switch supports the transport of either IP packets or Ethernet frames.
By default, the virtual switch operates in IP mode. Each guest is identified by one or more IP addresses for the delivery of IP packets. Data is transported within IP packets, and therefore the virtual switch in IP mode supports only IP based application communications. All traffic destined for the physical portion of the LAN segment is encapsulated into an Ethernet frame with the OSA-Express's MAC as the source MAC address. On inbound, the OSA-Express strips the Ethernet frame and forwards the IP packet to the virtual switch for delivery to the guest by the destination IP address within the IP packet.
When operating in Ethernet mode, the virtual switch uses each guest's unique MAC address to forward frames. Data is transported and delivered within Ethernet frames, which makes it possible to transport both IP and non-IP-based application data through the fabric that the virtual switch supports. Through the ARP processing of each guest, the guest's MAC address becomes known (cached) by hosts residing on the physical side of the LAN segment. The generation and assignment of the locally defined MAC address is performed by z/VM under the direct management control of the LAN administrator. Each outbound or inbound frame through the OSA-Express switch trunk connection is an Ethernet frame with the guest's MAC address as the source or destination MAC address.
The virtual switch configured in Ethernet mode supports the aggregation of multiple OSA-Express adapters for external LAN connectivity. Because it supports the IEEE 802.3ad Link Aggregation protocols and mechanisms, individual physical links (features) can be aggregated so that the collection or group appears as one large link. Deploying this type of configuration increases the virtual switch bandwidth and provides near seamless failover in the event that a port becomes unavailable. This support provides the ability to aggregate physical OSA-Express features. It is also possible to configure multiple virtual switches to the same LAG by sharing the OSA-Express adapters that comprise the Link Aggregation port group. The aggregation of simulated guest NIC ports is not supported (simulated NICs are those defined with the DEFINE NIC command). For more information about z/VM® VSwitch support of Link Aggregation see Virtual Switch Link Aggregation.
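The following CP command sequence is an added example (not taken from this manual) of the two transport modes and of a link-aggregated uplink. The switch and group names and the OSA-Express device numbers (0600, 0610, 0620, 0630) are assumptions; the `/* */` lines are annotations for the reader, not part of the commands, which are issued by a privilege class B user.

```text
/* 1. Default transport is IP mode: no mode keyword is needed. Guests are
      identified by IP address, so only IP traffic crosses the uplink and
      outbound frames carry the OSA-Express MAC as source. */
DEFINE VSWITCH VSWIP RDEV 0600 CONNECT

/* 2. Ethernet (layer 2) mode: frames are forwarded by each guest's own
      MAC address, so non-IP protocols can also pass through the switch. */
DEFINE VSWITCH VSWL2 RDEV 0610 ETHERNET CONNECT

/* 3. Link aggregation is available in Ethernet mode only. First build a
      port group from two OSA-Express features (rdev.port notation), then
      bind the switch to the group rather than to individual RDEVs. */
SET PORT GROUP LAG1 JOIN 0620.P00 0630.P00
SET PORT GROUP LAG1 LACP ACTIVE
DEFINE VSWITCH VSWLAG GROUP LAG1 ETHERNET CONNECT

/* 4. Confirm the transport mode, uplink state and group membership. */
QUERY VSWITCH VSWLAG DETAILS
QUERY PORT GROUP LAG1 DETAILS
```

A second virtual switch can be defined against the same group name `LAG1` to share the aggregated adapters; simulated NICs defined with DEFINE NIC cannot be placed in a port group.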
A system administrator has the option to manage a VSwitch by a user strategy, by a port strategy or by using a combination of the two methods. For a virtual switch under the user management strategy, authorization and configuration are done per user ID with the SET VSWITCH GRANT and REVOKE commands. All connections for a particular user have the same attributes (port type, promiscuous mode, VLAN ID, etc.). For the port management strategy, authorization and configuration are done per port. Each port must be defined and configured with the SET VSWITCH PORTNUMBER command or the NICDEF directory statement. Connectivity to a specific port number can be specified on the COUPLE command. A guest can have multiple unique ports connected to the same virtual switch. Each port has its own attributes.
The virtual switch coupled with the OSA-Express adapter provides a very powerful, flexible, and robust virtualization model. Data is transferred between guest ports of the virtual switch and between sharing partitions of the same OSA-Express adapter without having to leave the box. For installations that have security policies that require that access to the guest ports of the virtual switch be controlled, the deployment of the virtual switch port isolation facility is required. This facility isolates all guest port communications and also isolates the virtual switch OSA connection from all other sharing hosts/LPARs on the OSA adapter or port. An external router configured as a firewall can be deployed to control access between the virtual switch guest ports themselves and between a guest port and any hosts (LPARs) sharing the same OSA port.
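The command sequence below is an added example (not from this manual) covering both the two authorization strategies described above and the port isolation facility. The switch name VSWL2, the user IDs, port numbers, VLAN IDs and virtual device numbers are assumptions; `/* */` lines are annotations, not part of the commands.

```text
/* User strategy: authorization is per user ID. Every NIC that LINUX01
   couples to VSWL2 gets the same port type, VLAN and promiscuous setting. */
SET VSWITCH VSWL2 GRANT LINUX01 PORTTYPE ACCESS VLAN 100 NOPROMISCUOUS
/* Withdraw an earlier grant for a guest that no longer needs access. */
SET VSWITCH VSWL2 REVOKE OLDGUEST

/* Port strategy: authorization is per port number, so one guest can hold
   several ports on the same switch, each with its own attributes. */
SET VSWITCH VSWL2 PORTNUMBER 10 USERID LINUX02 PORTTYPE ACCESS VLAN 100
SET VSWITCH VSWL2 PORTNUMBER 11 USERID LINUX02 PORTTYPE TRUNK  VLAN 200 300

/* The port binding can be made persistent in LINUX02's user directory
   entry (this is a directory statement, not a CP command): */
NICDEF 0700 TYPE QDIO LAN SYSTEM VSWL2 PORTNUMBER 10
/* ...or selected at couple time by the guest itself (class G): */
COUPLE 0800 TO SYSTEM VSWL2 PORTNUMBER 11

/* Port isolation. With the default (ISOLATION OFF) guest ports reach each
   other, and other LPARs sharing the OSA port, directly through the switch
   and the adapter. With ISOLATION ON that direct path is closed, so every
   exchange has to cross the uplink and the external router/firewall
   decides what may reach a guest port. */
SET VSWITCH VSWL2 ISOLATION OFF      /* default: no isolation */
SET VSWITCH VSWL2 ISOLATION ON       /* enforce the access policy */

/* Verify: DETAILS reports the isolation state and each connected port,
   ACCESSLIST reports which user IDs are authorized. */
QUERY VSWITCH VSWL2 DETAILS
QUERY VSWITCH VSWL2 ACCESSLIST
```

Turning isolation on does not by itself permit anything: it only removes the intra-switch and intra-adapter shortcuts, so the firewall rules on the external router must already allow the guest-to-guest and guest-to-LPAR flows the installation actually needs.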
The virtual switch HiperSockets Bridge Port supports QDIO (OSD) type simulated LANs. Through the configuration of a HiperSockets Bridge Port on the virtual switch, this bridging is extended to the HiperSockets channel LAN (CHPID) as well. A HiperSockets Bridge Port provides a layer 2 bridge for bridge-capable ports connected to a HiperSockets LAN through the virtual switch to an external network LAN over its OSA-Express Uplink port. This configuration places all LAN endpoints on the same flat layer 2 broadcast domain. This bridging capability allows a virtual machine with a single HiperSockets connection to reach destinations that reside on the HiperSockets network, simulated NIC devices coupled to the virtual switch and, more importantly, external destinations located on the physical network.
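As an added example (not from this manual) of the configuration just described, the commands below attach a HiperSockets Bridge Port to an existing Ethernet-mode virtual switch. VSWL2 and the HiperSockets device number 0E00 are assumptions; the HiperSockets CHPID behind 0E00 must already be defined as bridge-capable, and `/* */` lines are annotations only.

```text
/* Add the bridge port: 0E00 is a device on the HiperSockets CHPID. PRIMARY
   marks this virtual switch as the active bridge for that HiperSockets LAN;
   a second switch on another LPAR can be defined SECONDARY for failover. */
SET VSWITCH VSWL2 BRIDGEPORT RDEV 0E00 PRIMARY

/* The bridge port and its state appear alongside the uplink in DETAILS. */
QUERY VSWITCH VSWL2 DETAILS
```

Because the bridge places the HiperSockets guests, the simulated NICs on VSWL2 and the physical LAN in one layer 2 broadcast domain, any VLAN or port isolation policy applied to the switch should be reviewed with the HiperSockets endpoints counted as members of that domain.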