IBM Support

VM65925: New Function - Simplified virtual NIC configuration and VSWITCH operation with enhanced NICDEF statement

A fix is available


APAR status

  • Closed as new function.

Error description

  • Support a new capability: Directory Network Authorization
    (DNA). With this new capability, each virtual NIC can be
    configured and authorized entirely within the user directory,
    simplifying virtual server provisioning.
    Support a common VSWITCH model that can be operated using
    USERBASED and PORTBASED functions.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: All systems using VSWITCH networks.          *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION: APPLY PTF                                    *
    ****************************************************************
    VM65925 provides support for Directory Network Authorization
    (DNA). With this new capability, each virtual NIC can be
    configured and authorized entirely within the user directory,
    simplifying virtual server provisioning.
    
    New operands on the NICDEF statement enable specification of
    the following attributes for a virtual NIC:
    o Virtual port number on the connected VSWITCH
    o Virtual trunk port enablement
    o VLAN associations
    o Promiscuous (virtual sniffer) authorization
    
    When these attributes are specified on NICDEF, the use of the
    SET VSWITCH and COUPLE commands is no longer required. However,
    VSWITCH access, VLAN authorization, and promiscuous mode
    enablement controls provided by an external security manager
    (ESM) such as the RACF Security Server feature continue to
    override any CP authorizations.
    
    DNA is enabled by default, but to assist with migration efforts,
    a new CP SET VMLAN DNA command is provided to temporarily
    disable the NICDEF enhancements. If DNA is disabled, CP will
    require an ESM or SET VSWITCH to authorize connection to the
    NICDEF LAN, and will not apply any of the new NICDEF options.
    
    This support eliminates the major operational differences
    between PORTBASED and USERBASED VSWITCH networks. A system
    administrator has the option to manage access to a VSWITCH by
    user ID, by virtual port, or by using a combination of the two
    methods. Virtual ports 1-2048 are reserved for explicit user
    configuration. Virtual ports 2176-4095 are reserved for the
    system to create temporary ports as needed. VSWITCH port
    management is not affected by the SET VMLAN DNA command.
    
    To ensure the integrity of virtual port numbers, Live Guest
    Relocation requires that the VSWITCH on the destination node
    must continue to match the PORTBASED or USERBASED designation
    on the source node.
    
    Changes have also been made to the RACF database initialization
    program RPIDIRCT (VM65931) and to DIRMAINT (VM65926) to
    recognize the new NICDEF operands in the user directory.
    
    Refer to z/VM Connectivity Version 6 Release 4 (SC24-6174-07)
    for more information.
    

Problem conclusion

Temporary fix

Comments

  • NICDEF statement (in USER DIRECT):
    
    With the PTFs for APARs VM65925, VM65926 and VM65931, the
    NICDEF user directory statement is enhanced to provide a set
    of new operands referred to as Directory Network Authorization
    (DNA). With DNA, a system administrator can configure and
    consolidate a virtual NIC device and its network properties in
    a secure, centralized location - z/VM's User Directory.
    
    The following new NICDEF operands are supported by DNA:
    o PORTNUMBER <portnum>
    o PORTTYPE ACCESS|TRUNK
    o VLAN <vidset>
    o PROMISCUOUS | NOPROMISCUOUS
    
    When a network configuration is added to the NICDEF statement,
    the MODIFY VSWITCH statement (SYSTEM CONFIG) and CP SET VSWITCH
    command can be eliminated. In this case, DNA satisfies the
    authorization previously provided by these other methods.
    When a new user is added to an existing network, the virtual
    NIC can be configured using the NICDEF statement to specify
    PORTTYPE, VLAN, and any other attributes that would have been
    specified with a separate "SET VSWITCH" network configuration.
    
    Example (using prior configuration methods):
    
      SYSTEM CONFIG includes:
        DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
        MODIFY VSWITCH ETH1 GRANT LNXSV01 PORTTYPE ACCESS VLAN 42
      USER DIRECT includes (for USER LNXSV01):
        NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
    
    Example (using NICDEF to configure the connection):
    
      SYSTEM CONFIG only includes the VSWITCH definition:
        DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
      USER DIRECT includes (for USER LNXSV01):
        NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
        NICDEF 4200 PORTTYPE ACCESS VLAN 42
    
    By default, CP Directory Network Authorization is enabled
    after applying the PTF for APAR VM65925. Directory Network
    Authorization support can be disabled or enabled by the
    SET VMLAN DNA command or configuration statement. When DNA is
    disabled, the NICDEF LAN statement will not be accepted as
    authorization to couple to the specified network, and the new
    NICDEF operands will not be applied during COUPLE processing.
    
    USERBASED and PORTBASED VSWITCH designations:
    
    Operational differences between PORTBASED and USERBASED
    VSWITCHes have been minimized with this support. A system
    administrator has the option to manage a VSWITCH by user, by
    port number, or by a combination of the two methods. While
    the management of USERBASED and PORTBASED VSWITCHes is now
    simplified, note that the merged PORTBASED/USERBASED behavior
    is not affected by the SET VMLAN DNA command.
    
    Notes:
    o Live Guest Relocation of a guest connected to a VSWITCH still
      requires a matching designation (PORTBASED or USERBASED) on
      the destination node.
    o After applying the PTF for APAR VM65925 to all members of
      the SSI cluster, the USERBASED and PORTBASED designations
      can be eliminated (simultaneously) from all DEFINE VSWITCH
      statements to avoid future relocation issues.
    
    Refer to z/VM Connectivity Version 6 Release 4 (SC24-6174-07)
    for more information.
    
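The two configuration examples above show the same connection expressed once with MODIFY VSWITCH GRANT and once with NICDEF operands; the difference matters during migration, because with SET VMLAN DNA disabled only the GRANT (or an ESM) authorizes the COUPLE and the NICDEF operands are ignored. The following Python script is an added audit example, not IBM code and not part of the APAR. It parses constructed SYSTEM CONFIG and USER DIRECT fragments modelled on the examples above and reports, per virtual NIC, whether a COUPLE would be authorized with DNA enabled and with DNA disabled, which attributes apply in each mode, and whether PROMISCUOUS authorization is present. It assumes a `USER userid password ...` statement delimits each directory entry and handles only the operands shown on this page; ESM (e.g. RACF) controls override both paths and are outside what it can see.

```python
"""Audit virtual NIC authorization across SYSTEM CONFIG and USER DIRECT (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample input modelled on the APAR's examples; not from a real system.
SYSTEM_CONFIG = """
DEFINE VSWITCH ETH1 ETHERNET VLAN 1 NATIVE 1 RDEV 4200
DEFINE VSWITCH ETH2 ETHERNET VLAN 1 NATIVE 1 RDEV 4300
MODIFY VSWITCH ETH1 GRANT LNXSV01 PORTTYPE ACCESS VLAN 42
"""
USER_DIRECT = """
USER LNXSV01 XXXXXXXX 2G 4G G
 NICDEF 4200 TYPE QDIO LAN SYSTEM ETH1 MACID 014200
 NICDEF 4200 PORTTYPE ACCESS VLAN 42
USER LNXSV02 XXXXXXXX 2G 4G G
 NICDEF 4300 TYPE QDIO LAN SYSTEM ETH2 MACID 014300
 NICDEF 4300 PORTTYPE TRUNK VLAN 42 100-102 PROMISCUOUS
"""

# Operands named on the page; a VLAN vidset runs until the next one of these.
OPERANDS = {"TYPE", "LAN", "MACID", "PORTNUMBER", "PORTTYPE", "VLAN",
            "PROMISCUOUS", "NOPROMISCUOUS"}


@dataclass
class NetAttrs:
    porttype: str | None = None                      # ACCESS or TRUNK
    vlans: list[str] = field(default_factory=list)   # ids and ranges, e.g. "42", "100-102"
    promiscuous: bool = False


@dataclass
class Nic:
    user: str
    vdev: str
    vswitch: str | None = None                       # from LAN SYSTEM <name>
    portnumber: str | None = None
    attrs: NetAttrs = field(default_factory=NetAttrs)


def apply_operands(attrs: NetAttrs, tokens: list[str]) -> None:
    """Apply PORTTYPE / VLAN <vidset> / PROMISCUOUS operands (shared by NICDEF and GRANT)."""
    i = 0
    while i < len(tokens):
        kw = tokens[i]
        if kw == "PORTTYPE":
            attrs.porttype = tokens[i + 1]
            i += 2
        elif kw == "VLAN":
            i += 1
            attrs.vlans = []
            while i < len(tokens) and tokens[i] not in OPERANDS:
                attrs.vlans.append(tokens[i])
                i += 1
        elif kw in ("PROMISCUOUS", "NOPROMISCUOUS"):
            attrs.promiscuous = kw == "PROMISCUOUS"
            i += 1
        else:
            i += 1


def parse_system_config(text: str):
    """Return (defined VSWITCH names, {(vswitch, user): NetAttrs} from GRANT statements)."""
    vswitches, grants = set(), {}
    for line in text.splitlines():
        t = line.upper().split()
        if t[:2] == ["DEFINE", "VSWITCH"] and len(t) > 2:
            vswitches.add(t[2])
        elif t[:2] == ["MODIFY", "VSWITCH"] and len(t) > 4 and t[3] == "GRANT":
            apply_operands(grants.setdefault((t[2], t[4]), NetAttrs()), t[5:])
    return vswitches, grants


def parse_user_direct(text: str) -> dict[tuple[str, str], Nic]:
    """Collect NICDEF statements per user; several NICDEFs for one vdev merge into one NIC."""
    nics, user = {}, None
    for line in text.splitlines():
        t = line.upper().split()
        if not t:
            continue
        if t[0] == "USER":                 # assumed entry delimiter: USER userid password ...
            user = t[1]
        elif t[0] == "NICDEF" and user:
            nic = nics.setdefault((user, t[1]), Nic(user, t[1]))
            rest, i = [], 2
            while i < len(t):
                if t[i] == "LAN":          # LAN <owner> <lanname>; owner SYSTEM means a VSWITCH
                    nic.vswitch = t[i + 2]
                    i += 3
                elif t[i] == "PORTNUMBER":
                    nic.portnumber = t[i + 1]
                    i += 2
                elif t[i] in ("TYPE", "MACID"):
                    i += 2                 # not relevant to authorization
                else:
                    rest.append(t[i])
                    i += 1
            apply_operands(nic.attrs, rest)
    return nics


def audit(system_config: str, user_direct: str) -> list[dict]:
    """One finding per NIC: authorization and effective attributes under each DNA setting."""
    vswitches, grants = parse_system_config(system_config)
    findings = []
    for nic in parse_user_direct(user_direct).values():
        grant = grants.get((nic.vswitch, nic.user))
        findings.append({
            "user": nic.user, "vdev": nic.vdev, "vswitch": nic.vswitch,
            # DNA enabled: NICDEF LAN SYSTEM <vswitch> is the authorization and the
            # NICDEF operands are applied at COUPLE time.
            "dna_enabled_ok": nic.vswitch in vswitches,
            "dna_enabled_attrs": nic.attrs,
            # DNA disabled: CP requires a SET/MODIFY VSWITCH GRANT (or an ESM); the
            # NICDEF operands are ignored and the GRANT's attributes apply.
            "dna_disabled_ok": grant is not None,
            "dna_disabled_attrs": grant,
            "promiscuous": nic.attrs.promiscuous or (grant is not None and grant.promiscuous),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SYSTEM_CONFIG, USER_DIRECT):
        print(finding)
```

In the constructed input, LNXSV01 is authorized either way because both a GRANT and a NICDEF LAN exist, while LNXSV02 is authorized only while DNA is enabled and would lose its connection (and its TRUNK/VLAN attributes) if SET VMLAN DNA were used to disable the support; the PROMISCUOUS flag on LNXSV02 is the kind of entry to review against the ESM's own rules before relying on the directory alone.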

APAR Information

  • APAR number

    VM65925

  • Reported component name

    VM CP

  • Reported component ID

    568411202

  • Reported release

    640

  • Status

    CLOSED UR1

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2016-10-25

  • Closed date

    2017-07-27

  • Last modified date

    2017-11-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UM35188 UM35189

Modules/Macros

  • CBITABLE COUPLE   HCPCBI   HCPCPL   HCPCSIBK HCPDDEV  HCPDHDR
    HCPDIR   HCPEQUAT HCPLAN   HCPLANBK HCPMES   HCPMESA  HCPMESB
    HCPMXRBK HCPNDCBK HCPNDF   HCPNET   HCPNIC   HCPNICBK HCPOM1
    HCPRLF   HCPRLI   HCPSCFBK HCPSLMBK HCPSWD   HCPSWM   HCPSWQ
    HCPSWS   HCPSWY   HCPUDR   HCPVLDBK HCPVLF   HCPVLQ   HCPVLS
    HCPVLU   HCPVNABK HCPZSC   HCP1882E HCP1982I HCP3022E HCP3034E
    HCP3043E HCP3044E HCP3046E HCP3222E HCP3224I HCP6011E LAN
    LGRNETWK LOGON    VMLAN    VMRELOCA VSWITCH
    

Publications Referenced
SC24617407 SC24617510 SC24617709 SC24617811 SC24617910
SC24618806 SC24618905 SC24619006 SC24620111 SC24621806

Fix information

  • Fixed component name

    VM CP

  • Fixed component ID

    568411202

Applicable component levels

  • RA64 PSY UM35188

       UP17/11/24 P 1702  

  • R640 PSY UM35189

       UP17/08/02 P 1702  




Document information

More support for: z/VM family

Software version: 640

Operating system(s): z/VM

Reference #: VM65925

Modified date: 24 November 2017