IBM Z10 BC manual OSA-Express QDIO data connection isolation for the z/VM environment

Models: Z10 BC


When configured at 1 Gbps, the 1000BASE-T Ethernet feature operates in full duplex mode only and supports jumbo frames when in QDIO mode (CHPID type OSD).

OSA-Express QDIO data connection isolation for the z/VM environment

Multi-tier security zones are fast becoming the network configuration standard for new workloads. Therefore, it is essential for workloads (servers and clients) hosted in a virtualized environment (shared resources) to be protected from intrusion or exposure of data and processes from other workloads.

With Queued Direct Input/Output (QDIO) data connection isolation you:

Have the ability to adhere to security and HIPAA-security guidelines and regulations for network isolation between the operating system instances sharing physical network connectivity

Can establish security zone boundaries that have been defined by your network administrators

Have a mechanism to isolate a QDIO data connection (on an OSA port), ensuring all internal OSA routing between the isolated QDIO data connections and all other sharing QDIO data connections is disabled. In this state, only external communications to and from the isolated QDIO data connection are allowed. If you choose to deploy an external firewall to control the access between hosts on an isolated virtual switch and sharing LPARs, then an external firewall needs to be configured and each individual host and/or LPAR must have a route added to its TCP/IP stack to forward local traffic to the firewall.

Internal “routing” can be disabled on a per QDIO connection basis. This support does not affect the ability to share an OSA-Express port. Sharing occurs as it does today, but the ability to communicate between sharing QDIO data connections may be restricted through the use of this support. You decide whether an operating system’s or z/VM’s Virtual Switch OSA-Express QDIO connection is to be non-isolated (default) or isolated.

QDIO data connection isolation applies to the device statement defined at the operating system level. While an OSA-Express CHPID may be shared by an operating system, the data device is not shared.

QDIO data connection isolation applies to the z/VM 5.3 and 5.4 (with PTFs) environment and to all of the OSA-Express3 and OSA-Express2 features (CHPID type OSD) on System z10 and to the OSA-Express2 features on System z9.
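As an added illustration of the isolated-versus-non-isolated choice described above (this is not text or code from the IBM manual), the z/VM CP statements below define a virtual switch whose OSA-Express QDIO connection is isolated and then verify the setting. The switch name VSWISO and device address 0500 are constructed, and the ISOLATION operand syntax is assumed from the z/VM 5.4 CP command reference, so confirm it against the CP Commands and Utilities Reference for your release.

```text
/* SYSTEM CONFIG fragment (constructed example): the VSWITCH named VSWISO  */
/* uses OSA port device 0500; ISOLATION ON disables internal OSA routing    */
/* between this QDIO connection and all other connections sharing the port. */
/* Guests on VSWISO can then reach other sharing LPARs only via the         */
/* external LAN, i.e. through the external firewall the text describes.     */
DEFINE VSWITCH VSWISO RDEV 0500 ISOLATION ON

/* The default is ISOLATION OFF (non-isolated). To change the setting on a  */
/* running system instead of at IPL, issue the equivalent SET command:      */
SET VSWITCH VSWISO ISOLATION ON

/* Verify: the DETAILS display includes the switch's isolation status.      */
QUERY VSWITCH VSWISO DETAILS
```

Isolation only removes the internal OSA path; each isolated host still needs a TCP/IP route that sends traffic for the local subnet to the firewall, otherwise that traffic is simply dropped rather than inspected.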

Network Traffic Analyzer

With the large volume and complexity of today’s network traffic, the z10 BC offers systems programmers and network administrators the ability to more easily solve network problems. With the introduction of the OSA-Express Network Traffic Analyzer and QDIO Diagnostic Synchronization on the System z and available on the z10 BC, customers will have the ability to capture trace/trap data and forward it to z/OS 1.8 tools for easier problem determination and resolution.

This function is designed to allow the operating system to control the sniffer trace for the LAN and capture the records into host memory and storage (file systems), using existing host operating system tools to format, edit, and process the sniffer records.
