Control z/VM Management Network

You must maintain logical security controls and network definitions to separate z/VM® administrator access to the z/VM system from data networks used by guest workloads. Guests will often use a z/VM Virtual Switch to configure subnets of traffic and communicate via Layer 2 to IBM Z® or IBM® LinuxONE networking hardware.

It is recommended that traffic to the z/VM system be defined on a separate VLAN from guest traffic. It is encouraged (but not required) that the z/VM TCP/IP stack be configured to use an OSA port distinct from the one carrying guest network traffic associated with a Guest LAN or a z/VM Virtual Switch; alternatively, a z/VM Virtual Switch in VEPA mode will physically force traffic out through a physical switch located outside the IBM Z hardware. (Such a switch would have a firewall configured, and would thus enforce security boundaries for the enterprise based upon the larger TOE Environment requirements.)
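The separation described above, expressed as a SYSTEM CONFIG fragment (an added illustration, not from the original page or from IBM documentation); the virtual switch names, OSA device numbers, VLAN ids and guest userids are assumed values:

```text
/* Added example, not part of the original page.                            */
/* Assumed: MGMTSW/GSTSW switch names, OSA ports 0C00 and 0D00,             */
/* VLAN 100 (management) and 200 (guests), guest userids LINUX01/LINUX02.  */

/* Weak layout: one VLAN-unaware switch shared by the TCP/IP stack and      */
/* the guests, so administrator and workload traffic share a broadcast     */
/* domain and a single OSA port.                                           */
/*   DEFINE VSWITCH SHARED RDEV 0C00 ETHERNET VLAN UNAWARE                 */
/*   MODIFY VSWITCH SHARED GRANT TCPIP                                     */
/*   MODIFY VSWITCH SHARED GRANT LINUX01                                   */

/* Recommended layout: management traffic on its own VLAN and OSA port.    */
/* Only the z/VM TCP/IP stack is granted access to this switch.            */
DEFINE VSWITCH MGMTSW RDEV 0C00 ETHERNET VLAN 100 PORTTYPE ACCESS
MODIFY VSWITCH MGMTSW GRANT TCPIP VLAN 100

/* Guest traffic on a separate VLAN and a distinct OSA port. VEPA ON       */
/* sends guest-to-guest frames out to the external physical switch         */
/* (and its firewall) instead of bridging them inside the VSWITCH.         */
DEFINE VSWITCH GSTSW RDEV 0D00 ETHERNET VLAN 200 PORTTYPE ACCESS VEPA ON
MODIFY VSWITCH GSTSW GRANT LINUX01 VLAN 200
MODIFY VSWITCH GSTSW GRANT LINUX02 VLAN 200
```

VEPA mode requires the OSA port and the attached physical switch to support reflective relay; check that before enabling it in a production SYSTEM CONFIG.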

Additionally, a distinct network of channel-to-channel (CTC) adapters in an ISFC collection serves to connect the member nodes of a z/VM single system image cluster. Access to operations around CTC management must be constrained to authorized human users and their associated userids, and z/VM Control Program commands associated with single system image maintenance may be audited if required by local security policy.