OSA-Express connection isolation
OSA-Express® connection isolation provides a way to prevent the adapter from internally routing packets directly to a stack that shares the same port. When connection isolation is in effect, the OSA-Express feature discards any unicast packets when the next-hop address is registered by a stack sharing the same port, and prevents any multicast or broadcast packets from being internally routed between the stacks sharing the port.
For direct routing to occur, the OSA-Express feature requires that neither of the stacks sharing the port be isolated. Therefore, for traffic between two stacks that share a port, as long as at least one of the stacks is isolated, connection isolation is in effect for traffic in both directions between those stacks; a stack cannot opt out of isolation that its peer has enabled.
OSA-Express connection isolation can be useful when you want to prevent communication between two stacks that share the same OSA-Express port, and it provides extra assurance against a misconfiguration that might otherwise allow such traffic to flow. OSA-Express connection isolation can also be useful if you want to ensure that traffic flowing through the OSA adapter does not bypass any security features implemented on the external LAN.
Dynamic routing is not aware of OSA-Express connection isolation. This is an issue only if static routes are not used and traffic needs to flow between the two hosts that share the OSA adapter with connection isolation in effect. In this case, a dynamic routing protocol sees the shared port as a directly connected link and might choose a route between the hosts that goes through it, which would make each host unreachable from the other because the adapter discards that traffic. If you want dynamic routing to work between hosts that are using OSA-Express connection isolation, you must ensure in your dynamic routing configuration that the path through the isolated port is not chosen to route between the hosts. Two ways to do this are:
- Configure each stack on a separate virtual LAN (VLAN).
- Use a static route with the next-hop address of a router on the LAN.
  Result: Using a static route with the next-hop address of a router on the LAN to route to another host on the same LAN can result in excessive ICMP redirect packets from the router to the originating host.
  Guideline: If you use this technique, turn off receipt of ICMP redirects on the sharing hosts and, if possible, configure the router not to send ICMP redirects.
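The following profile fragment is an added illustration, not part of the original page. It assumes the z/OS Communications Server PROFILE.TCPIP syntax for an IPAQENET interface (ISOLATE/NOISOLATE on the INTERFACE statement, BEGINROUTES/ENDROUTES for static routes, and IPCONFIG IGNOREREDIRECT to drop ICMP redirects); the interface name, port name, addresses and VLAN id are invented. It shows one of two stacks that share an OSA-Express port, with isolation enabled and the second technique above (static route through an external router) used to reach the peer stack, plus the VLAN alternative as a commented-out line:

```text
; Stack A, PROFILE.TCPIP fragment (illustration only; names and addresses are invented)
;
; Isolating this stack's share of the OSA-Express port is enough on its own:
; the adapter then discards unicast packets whose next hop is any stack on the
; same port and stops forwarding multicast/broadcast between the sharing stacks,
; whether or not the peer stack (10.1.1.5 here) is also coded with ISOLATE.
INTERFACE OSAQDIO1
  DEFINE IPAQENET
  PORTNAME OSAPORT1
  IPADDR 10.1.1.1/24
  MTU 1492
  ISOLATE                 ; connection isolation in effect for this stack
; VLANID 100              ; technique 1 instead: give each sharing stack its own VLAN
;                         ; (then the peer is on another subnet and is reached via the router anyway)

; Technique 2: keep both stacks on the same LAN, but send traffic for the peer
; stack to the external router rather than letting the routing table pick the
; shared port as a directly connected path (which isolation would black-hole).
BEGINROUTES
; destination   mask   first hop    link      mtu
  ROUTE 10.1.1.5  HOST   10.1.1.254   OSAQDIO1  MTU 1492
  ROUTE DEFAULT          10.1.1.254   OSAQDIO1  MTU 1492
ENDROUTES

; Because 10.1.1.5 is on the directly attached subnet, the router will answer
; with ICMP redirects pointing back at the shared port. Ignore them so the stack
; never installs the direct route that isolation would then drop.
IPCONFIG IGNOREREDIRECT
```

The peer stack gets the mirror-image fragment (its own address, a HOST route for 10.1.1.1 via the same router, and IGNOREREDIRECT). After activation, the Netstat DEVLINKS report for each interface shows whether isolation is in effect, and a ping between the two stacks should succeed only when the reply path goes through the router; if it fails, check that no dynamic routing protocol on either host has reinstalled a direct route over the shared port.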