Solved

AIX LPARs, IVM and network segmentation

Posted on 2011-03-25
5
1,139 Views
Last Modified: 2013-11-17
Hi,

We have bought a couple of new IBM blades, each blade has two internal ethernet switch and is connected to other switches on the network. Our "friendly communication admins" has segmented the network in multiples VLANs. One of them is the IVM-VIOserver that is in another segment. I meant there's no connection between segments, all ports are closed. I have clear that between the IVM and LPARs there's services like ctrmc but dont know if they, the IVM and LAPRs needs others tcp or udop ports.  ALso, I need multiples services between segments like NFS, SSH, portamp, xwindows are other..
Question:
1- Is there any document regarding best practices regarding connectivity between the VIOserver (IVM) and LPARs? Must they be in the same VLAN?
2- Is there any document or best practices regarding  the configuration of internal blade's switches VLANS?
My boss is asking me if it's necesary to have TOO MUCH security inside the blade or not. Take in mind there's only one VIOserver by blade and it's not easy to make changes constantly on it  because a new vlan is added to the blade.[

is my spanish-english clear for you? :-)
0
Comment
Question by:sminfo
  • 3
  • 2
5 Comments
 

Author Comment

by:sminfo
Comment Utility
I forgot, besides any explication from you I need, if exists, some documentation of IBM,  to refuse the communication admins regarding if there's not need to exaggerate the creation of VLAns inside the blade or not.
Thanks.
0
 
LVL 68

Expert Comment

by:woolmilkporc
Comment Utility
Well, Israel,

I think I'll need some time to understand what you're after.

In the meantime you could read this, maybe it has some info.

The IBM Blade Center JS12/22 Implementation Guide:

http://www.redbooks.ibm.com/redbooks/pdfs/sg247655.pdf

I don't have much time at the moment, but I'll be back soon!

Cheers

wmp
0
 

Author Comment

by:sminfo
Comment Utility
ok wmp, teh fact is the communications admins are always making VLANs on their side, but it means I have to create the same VLAns on the VIOserver. The blades we have are JS43, and I read that to add a new vlan I have to make a live migration to all LPARs to another blade and then maek the change. That's what I see nonfunctional (dont know if it's the word). And in the other side, I have to give them all TCP/UDP ports LPARs and/or VIOserver (IVM) needs to work properly.. It's a really pain i.....
I'll go home now... see you later..
Israel.
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
Comment Utility
Hi again,

sorry for the delay (lots of work here, two new machines ...).

Whereas communication between the VIO (IVM) and the Hypervisor is carried out using a network-independent device (the VMC, virtual management channel, ibmvmc0), Dynamic LPAR needs regular TCP/IP communication between IVM and the LPARS, particularly RMC.
So there must be at least one VLAN accessible by all partitions and the VIO/IVM, allowing communication over (at least) RMC port 657.
You might of course want more ports for inter-partition communication, such as ssh and the like.

This should not be a problem, since you have by default four virtual LANs inside a blade and you can create additional ones with an appropriate VLAN ID, if needed.

The LPARs are not aware of VLAN tagging, this is done by the hypervisor.

To bridge the VLAN to the outside world you must avoid the default behaviour of stripping the VLAN tags by the VIO SEA (Use  "mkvdev -vlan ...")

Now you'll just have give your LPARs a virtual adapter connected to the right VLAN.
To change the virtual ethernet adapter of an LPAR it must be down (at least under IVM), so using LPM will not be sufficient.

As for LPM: In order to make LPM work the migrating LPAR's VLAN must of course be bridged to a physical network, and your LAN must be configured so that migrating partitions can continue to communicate with other necessary clients and servers after a migration is completed.

Here are some links for you:

Redpaper about IVM setup:
http://www.redbooks.ibm.com/redpapers/pdfs/redp4061.pdf

DeveloperWorks about virtual VLANs:
http://www.ibm.com/developerworks/systems/library/es-pwr5-virtualvlan/

DeveloperWorks about Blade Networking:
http://www.ibm.com/developerworks/power/library/l-bladenetconf/index.html

Hope I could give you a bit of help.

wmp
0
 

Author Closing Comment

by:sminfo
Comment Utility
Good!  wmp..
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Attention: This article will no longer be maintained. If you have any questions, please feel free to mail me. jgh@FreeBSD.org Please see http://www.freebsd.org/doc/en_US.ISO8859-1/articles/freebsd-update-server/ for the updated article. It is avail…
Let's say you need to move the data of a file system from one partition to another. This generally involves dismounting the file system, backing it up to tapes, and restoring it to a new partition. You may also copy the file system from one place to…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now