IBM Support

VM64463: VIRTUAL SWITCH (VSWITCH) PORT ISOLATION SUPPORT

A fix is available

 

APAR status

  • Closed as new function.

Error description

  • New function
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All users of z/VM Virtual Switch (VSWITCH)   *
    *                 requiring port isolation security using      *
    *                 OSA-Express QDIO data connection isolation.  *
    *                 Keywords: D/T2097 D/T2098 D/T2096 D/T2094    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    With this support, z/VM provides the ability to disable
    guest-to-guest communication through a virtual switch while
    preserving each guest's ability to communicate with hosts or
    routers located in the external network.  When a virtual switch
    is defined to be "isolated", all communication between the
    guest ports on that virtual switch is disabled.
    This enhancement also supports a new OSA-Express2 and
    OSA-Express3 function on the IBM System z9 and System z10 that
    applies this style of isolation to a shared OSA port.  With the
    application of the requisite LIC update, an isolated virtual
    switch will be unable to communicate directly with other
    partitions sharing the OSA port.  Communications must be
    relayed through another host, such as a router or firewall,
    connected to the external network.
    This support enables the implementation of a virtual "private
    VLAN", wherein the hosts on a LAN segment have access only to
    the router/firewall, not each other.
    This function requires virtual switch controller support in
    TCP/IP via APAR PK67610.
    Additionally, updated OSA-Express microcode is required.  OSA
    QDIO Connection Isolation is available for OSA-Express2
    and OSA-Express3 features on a System z10 EC and z10 BC and
    OSA-Express2 features on a System z9 EC and z9 BC with MCLs:
      OSA-Express2 on z9 is G40946.008
      OSA-Express2 on z10 is N10953.002
      OSA-Express3 on z10 is N10959.004 and N10967.055
    This support supersedes previous isolation APAR VM64281.
    

Problem conclusion

Temporary fix

Comments

  • This APAR, VM64463, and corresponding TCP/IP APAR, PK67610,
    along with updated OSA-Express microcode
    provide support for Virtual Switch Port Isolation.
    The z/VM 5.4.0 publications at the z/VM web site
           http://www.vm.ibm.com/library/
    will be updated in December, 2008 with the publication changes
    that are summarized below.
    Additional information describing this support will also be
    added to z/VM Connectivity, Document Number SC24-6080.
    -- The following externals have been updated for this APAR:
      CP System Configuration statements:
        MODIFY VSWITCH
      CP Commands:
        SET VSWITCH
        QUERY VSWITCH
        QUERY CONTROLLER
      CP Monitor Records:
        Record 21 MRIODVSW - VSWITCH Activity Sample Record
      CP Diagnosis Codes:
        Diagnose x'26C' Subcode x'20' - Return Virtual Switch List
        Diagnose x'26C' Subcode x'24' - Return Virtual Port Info
      CP Messages:
        HCP2832E - new format
        HCP3000E - deleted
        HCP3002E - new message
        HCP3003E - new message
        HCP3004E - new message
    -- The rest of this file contains a high-level overview of the
    publication hits that are associated with VM64463 for z/VM.
    Publication Title:   CP Planning and Administration
    Order Number         SC24-6083
    System + Release     z/VM 5.3.0, z/VM 5.4.0
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    MODIFY VSWITCH statement
      - New operand values for the ISOLATION keyword
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       >>--MODIFY VSWITCH--switchname--.----------------------.--><
     .
    |                               '-ISOLation--.-OFF-.-------'
    |                                            '-ON--'
     .
    | ISOLation
    |   determines if guests on the virtual switch can communicate
    |   between themselves and other hosts and/or LPARs that are
    |   sharing the same OSA-Express port with the virtual switch.
    | OFF
    |   is the default; guest ports can communicate with each
    |   other and with any hosts and/or LPARs sharing the same OSA
    |   port.
    | ON
    |   prohibits guests from sending traffic to other guests on
    |   the same virtual switch by discarding traffic that is
    |   destined for another guest port on the VSWITCH.
    |   In addition, no direct LPAR communication over the same
    |   OSA port is permitted with the guest ports of the VSWITCH.
    |   All traffic from the VSWITCH destined for any sharing
    |   hosts/LPARs on the same OSA port will be dropped.
    |   Any traffic destined for the VSWITCH guest ports from
    |   hosts/LPARs sharing the same OSA port will also be dropped.
    Publication Title:   CP Commands and Utilities Reference
    Order Number         SC24-6081
    System + Release     z/VM 5.3.0, z/VM 5.4.0
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    SET VSWITCH statement
      - New operand values for the ISOLATION keyword
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       >>--SET VSWITCH--switchname--.-------------------------.--><
     .
    |                               '-ISOLation--.-OFF-.------'
    |                                            '-ON--'
     .
    | ISOLation
    |   determines if guests on the virtual switch can communicate
    |   between themselves and other hosts and/or LPARs that are
    |   sharing the same OSA-Express port with the virtual switch.
    | OFF
    |   is the default; guest ports can communicate with each
    |   other and with any hosts and/or LPARs sharing the same OSA
    |   port.
    | ON
    |   prohibits guests from sending traffic to other guests on
    |   the same virtual switch by discarding traffic that is
    |   destined for another guest port on the VSWITCH.
    |   In addition, no direct LPAR communication over the same
    |   OSA port is permitted with the guest ports of the VSWITCH.
    |   All traffic from the VSWITCH destined for any sharing
    |   hosts/LPARs on the same OSA port will be dropped.
    |   Any traffic destined for the VSWITCH guest ports from
    |   hosts/LPARs sharing the same OSA port will also be dropped.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    QUERY VSWITCH command
      - Isolation status: added to the response header information.
      - A new error type is added to the list of explanations when
        the RDEV device cannot be initialized successfully.
        -- No OSA QDIO Connection Isolation.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    | Isolation Status: nnn
    |   indicates the isolation status of the VSWITCH and its RDEV
    |   QDIO data connection.
     .
      q vswitch vsl2sw5
      VSWITCH SYSTEM VSL2SW5  Type: VSWITCH Connected: 2    Maxcon
        PERSISTENT  RESTRICTED    ETHERNET                  Accoun
        VLAN Aware  Default VLAN: 0001    Default Porttype: Trunk
                    Native  VLAN: 0001    VLAN Counters: OFF
        MAC address: 02-6F-5C-60-00-0A
        State: Ready
        IPTimeout: 5         QueueStorage: 8
    |   Isolation Status: OFF
        RDEV: 1E20.P00 Controller: CONTROL5 VDEV:  1E20
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    QUERY CONTROLLER command:
      - ISOLATION capability added to the response header
        information.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Capability:
    |   ISOLATION indicates whether or not the controller can
    |   control virtual switches that are using the isolation
    |   setting.
      q controller dtcvsw1
      Controller DTCVSW1   Available: YES   VDEV Range: *         L
    |   Capability: IP ETHERNET VLAN_ARP GVRP    LINKAGG    ISOLATI
         SYSTEM VSL2SW5    Primary          Controller: DTCVSW1   V
    Publication Title:   CP Programming Services
    Order Number         SC24-6084
    System + Release     z/VM 5.3.0, z/VM 5.4.0
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Diagnose x'26C' Subcode X'00000020' Return Virtual Switch
      Information
      - New Data returned for
        Table 45. RDEV Information (DSECT CSIVRSTR, Length CSIVRLEN)
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Length        Contents
       ----------------------
       1             Error status
                     X'00' - No error
                     X'18' - Port number is invalid for device
    |                X'19' - No OSA Connection Isolation
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      Diagnose x'26C' Subcode X'00000024' Return Virtual Port
      Information
      - New Data returned for
        Table 52. Port or NIC Information (DSECT CSIPNSTR, Length
        CSIPNLEN)
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       Length        Contents
       ----------------------
    |  1             Extended Port Status
    |                1... .... Isolation status ON Drop
    Publication Title:   CP Messages and Codes
    Order Number         GC24-6119
    System + Release     z/VM 5.3.0, z/VM 5.4.0
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      New message format for HCP2832E
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |HCP2832E  Connection device for VSWITCH SYSTEM switchname is
    |          not active.  No OSA QDIO Connection Isolation Support
    |Explanation:  The ISOLATION option has been specified on the
    |SET VSWITCH command and the OSA-Express device does not have
    |the correct microcode to support QDIO Connection Isolation.
    |System Action:   Device is not an active connection for the
    |virtual switch.  The virtual switch connection to the real
    |hardware network may be active if other devices are defined
    |that have the support, either through the RDEV keyword
    |on DEFINE VSWITCH or SET VSWITCH, or by way of SET PORT GROUP.
    |User Response:  The ISOLATION option requires a certain level
    |of OSA microcode. Use SET VSWITCH with the RDEV option
    |or SET PORT GROUP with the JOIN option to specify the address
    |of one or more different QDIO OSA-Express devices that have
    |the proper microcode level. You can also correct the problem
    |with the current device by applying the proper microcode.
    |Issue SET VSWITCH with the CONNECT option to reconnect a device
    |to the network.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      New message HCP3002E
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |HCP3002E  Unable to establish ISOLATION mode at this time;
    |          VSWITCH SYSTEM switchname configuration in transition
    |
    |Explanation:  The VSWITCH configuration is actively being
    |changed at this time.
    |Some of the conditions that can cause this are:
    |
    |  o OSA Initialization in progress
    |
    |  o OSA device in STOPLAN state
    |
    |  o OSA devices being detached
    |
    |  o VSWITCH failover recovery
    |
    |  o AUTORestart in progress
    |
    |  o VSWITCH detach pending
    |
    |System Action:  None.
    |User Response:  Once the above conditions have completed,
    |issue the SET VSWITCH ISOLATION command again. The QUERY
    |VSWITCH command can be used to determine the current status.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      New message HCP3003E
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |HCP3003E  Controller controllername for VSWITCH SYSTEM
    |          switchname does not support OSA QDIO Connection
    |          Isolation.
    |
    |Explanation:  The controller deployed by the virtual switch
    |does not have the required support for the ISOLATION operand.
    |System Action:   None.
    |User Response:  Ensure that the controller has all required
    |service applied or select one of the pre-installed controllers
    |that are shipped with the product.
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
      New message HCP3004E
    -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |HCP3004E  Device device for VSWITCH SYSTEM switchname does
    |          not support OSA QDIO Connection Isolation.
    |Explanation:  The active OSA connection for the indicated
    |virtual switch does not support the ISOLATION operand.
    |Support for the ISOLATION operand is
    |provided on OSA-Express2 features and higher only.
    |System Action:  None.
    |User Response:  Verify the OSA device is an OSA-Express2
    |feature, or higher, and has all required service applied.
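An added configuration-audit example, not part of this APAR or of z/VM itself: it parses a QUERY VSWITCH response in the format shown above, reports switches whose Isolation Status is not ON, and decodes the Extended Port Status bit returned by Diagnose x'26C' subcode x'24'. The sample response is constructed (the switch DMZSW1 is invented) and the function names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the QUERY VSWITCH response format in this
# APAR; it is not captured from a real system and DMZSW1 is invented.
SAMPLE_QUERY_VSWITCH = """\
VSWITCH SYSTEM VSL2SW5  Type: VSWITCH Connected: 2    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  VLAN Aware  Default VLAN: 0001    Default Porttype: Trunk
  State: Ready
  IPTimeout: 5         QueueStorage: 8
  Isolation Status: OFF
  RDEV: 1E20.P00 Controller: CONTROL5 VDEV:  1E20
VSWITCH SYSTEM DMZSW1  Type: VSWITCH Connected: 4    Maxconn: INFINITE
  PERSISTENT  RESTRICTED    ETHERNET                  Accounting: OFF
  State: Ready
  Isolation Status: ON
  RDEV: 1E30.P00 Controller: DTCVSW1 VDEV:  1E30
"""

def parse_isolation_status(response: str) -> Dict[str, str]:
    """Map each VSWITCH name in a QUERY VSWITCH response to its Isolation Status."""
    status: Dict[str, str] = {}
    current = None
    for line in response.splitlines():
        m = re.match(r"VSWITCH SYSTEM (\S+)", line)   # header line of a switch
        if m:
            current = m.group(1)
            status[current] = "UNKNOWN"   # CP levels without VM64463 omit the field
            continue
        m = re.search(r"Isolation Status:\s+(\S+)", line)
        if m and current:
            status[current] = m.group(1)
    return status

def unisolated_switches(response: str, expected: List[str]) -> List[str]:
    """Return the names in `expected` whose Isolation Status is not ON
    (including switches missing from the response entirely)."""
    status = parse_isolation_status(response)
    return [name for name in expected if status.get(name) != "ON"]

def port_isolation_dropping(extended_port_status: int) -> bool:
    """Decode bit 0 ('1... ....' = Isolation status ON Drop) of the
    Extended Port Status byte from Diagnose x'26C' subcode x'24'."""
    return bool(extended_port_status & 0x80)
```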
    

APAR Information

  • APAR number

    VM64463

  • Reported component name

    VM CP

  • Reported component ID

    568411202

  • Reported release

    530

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function

  • Submitted date

    2008-06-13

  • Closed date

    2008-11-05

  • Last modified date

    2015-05-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM32563 UM32564 UM32565 UM32566

Modules/Macros

  • CPSYNCHK HCPCSIBK HCPGPI   HCPLAN   HCPLANBK
    HCPMES   HCPMESA  HCPMESB  HCPMXRBK HCPOCO   HCPOM1   HCPRP
    HCPSCFBK HCPSWC   HCPSWI   HCPSWIBK HCPSWQ   HCPSWS   HCPSWU
    HCPSWY   HCPUCP   HCPVLQ   HCPVSWBK HCP2832E HCP3002E HCP3003E
    HCP3004E MRIODVSW
    

Publications Referenced
SC24608305 SC24608306 SC24608105 SC24608106 SC24608404
SC24608405 GC24611905 GC24611906 SC24608006

Fix information

  • Fixed component name

    VM CP

  • Fixed component ID

    568411202

Applicable component levels

  • RA53 PSY UM32563

       UP09/02/24 P 0901

  • RA54 PSY UM32564

       UP09/03/24 P 0901

  • R530 PSY UM32565

       UP09/02/24 P 0901

  • R540 PSY UM32566

       UP08/11/06 P 0901


Document Information

Modified date:
13 May 2015