Solved

AIX LPARs, IVM and network segmentation

Posted on 2011-03-25
1,164 Views
Last Modified: 2013-11-17
Hi,

We have bought a couple of new IBM blades; each blade has two internal Ethernet switches and is connected to other switches on the network. Our "friendly communication admins" have segmented the network into multiple VLANs. One of them is the IVM-VIO server, which is in another segment. I mean there's no connection between segments; all ports are closed. I'm clear that between the IVM and LPARs there are services like ctrmc, but I don't know if they, the IVM and LPARs, need other TCP or UDP ports. Also, I need multiple services between segments like NFS, SSH, portmap, X Windows and others..
Question:
1- Is there any document regarding best practices for connectivity between the VIO server (IVM) and LPARs? Must they be in the same VLAN?
2- Is there any document or best practices regarding the configuration of the internal blade switches' VLANs?
My boss is asking me if it's necessary to have TOO MUCH security inside the blade or not. Bear in mind there's only one VIO server per blade and it's not easy to make changes constantly on it because a new VLAN is added to the blade.

Is my Spanish-English clear for you? :-)
Question by:sminfo

Author Comment

by:sminfo
ID: 35216748
I forgot: besides any explanation from you, I need, if it exists, some IBM documentation to refute the communication admins regarding whether or not there's a need to exaggerate the creation of VLANs inside the blade.
Thanks.
LVL 68

Expert Comment

by:woolmilkporc
ID: 35217465
Well, Israel,

I think I'll need some time to understand what you're after.

In the meantime you could read this, maybe it has some info.

The IBM Blade Center JS12/22 Implementation Guide:

http://www.redbooks.ibm.com/redbooks/pdfs/sg247655.pdf

I don't have much time at the moment, but I'll be back soon!

Cheers

wmp

Author Comment

by:sminfo
ID: 35218373
OK wmp, the fact is the communications admins are always making VLANs on their side, but it means I have to create the same VLANs on the VIO server. The blades we have are JS43, and I read that to add a new VLAN I have to do a live migration of all LPARs to another blade and then make the change. That's what I see as nonfunctional (don't know if it's the right word). And on the other side, I have to give them all the TCP/UDP ports the LPARs and/or VIO server (IVM) need to work properly.. It's a real pain i.....
I'll go home now... see you later..
Israel.
LVL 68

Accepted Solution

by: woolmilkporc (earned 2000 total points)
ID: 35239958
Hi again,

sorry for the delay (lots of work here, two new machines ...).

Whereas communication between the VIO (IVM) and the Hypervisor is carried out using a network-independent device (the VMC, virtual management channel, ibmvmc0), Dynamic LPAR needs regular TCP/IP communication between IVM and the LPARs, particularly RMC.
So there must be at least one VLAN accessible by all partitions and the VIO/IVM, allowing communication over (at least) RMC port 657.
You might of course want more ports for inter-partition communication, such as ssh and the like.

This should not be a problem, since you have by default four virtual LANs inside a blade and you can create additional ones with an appropriate VLAN ID, if needed.

The LPARs are not aware of VLAN tagging, this is done by the hypervisor.

To bridge the VLAN to the outside world you must avoid the default behaviour of stripping the VLAN tags by the VIO SEA (use "mkvdev -vlan ...").

Now you'll just have to give your LPARs a virtual adapter connected to the right VLAN.
To change the virtual ethernet adapter of an LPAR it must be down (at least under IVM), so using LPM will not be sufficient.

As for LPM: In order to make LPM work the migrating LPAR's VLAN must of course be bridged to a physical network, and your LAN must be configured so that migrating partitions can continue to communicate with other necessary clients and servers after a migration is completed.

Here are some links for you:

Redpaper about IVM setup:
http://www.redbooks.ibm.com/redpapers/pdfs/redp4061.pdf

DeveloperWorks about virtual VLANs:
http://www.ibm.com/developerworks/systems/library/es-pwr5-virtualvlan/

DeveloperWorks about Blade Networking:
http://www.ibm.com/developerworks/power/library/l-bladenetconf/index.html

Hope I could give you a bit of help.

wmp
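The accepted answer's key point is that DLPAR needs an RMC path (port 657) between the IVM/VIO server and every LPAR, so each LPAR must share at least one VLAN with the VIO. The following POSIX shell script is an added example (not from the original thread or from IBM) that audits a partition inventory for exactly that condition, so the VLAN plan can be checked before the communications admins are asked to open anything. The inventory format and all partition names and VLAN IDs are constructed for the example; on a real IVM the same information would be read from the virtual Ethernet configuration (for instance the output of `lshwres -r virtualio --rsctype eth --level lpar`, which is an assumption about where to source it and is not parsed here).

```shell
#!/bin/sh
# Added example: check that every LPAR shares at least one VLAN ID with the
# IVM/VIO server, i.e. that an RMC (TCP/UDP port 657) path can exist at all.
# The inventory is CONSTRUCTED sample data, not output from a real system.
# Format: <partition_name> <port_vlan_id> <additional_vlan_ids or ->
INVENTORY='
ivm_vios   1   10,20
lpar_db    10  -
lpar_app   20  30
lpar_test  40  -
'

# Ports the RMC VLAN must carry between the VIO/IVM and each LPAR
# (RMC listens on 657 for both TCP and UDP).
rmc_ports() {
    echo "657/tcp 657/udp"
}

# vlans_of NAME -> space-separated list of VLAN IDs the partition sits on
# (port VLAN ID first, then any additional IEEE 802.1Q VLAN IDs)
vlans_of() {
    printf '%s\n' "$INVENTORY" | awk -v name="$1" '
        $1 == name {
            out = $2
            if ($3 != "-") {
                n = split($3, a, ",")
                for (i = 1; i <= n; i++) out = out " " a[i]
            }
            print out
        }'
}

# has_common_vlan A B -> exit status 0 if partitions A and B share a VLAN ID
has_common_vlan() {
    for va in $(vlans_of "$1"); do
        for vb in $(vlans_of "$2"); do
            [ "$va" = "$vb" ] && return 0
        done
    done
    return 1
}

# rmc_path_report IVM_NAME -> one line per LPAR:
#   "ok <name>"          the LPAR shares a VLAN with the IVM (RMC can work)
#   "no-rmc-path <name>" no shared VLAN, so DLPAR against that LPAR will fail
rmc_path_report() {
    ivm="$1"
    printf '%s\n' "$INVENTORY" | awk -v ivm="$ivm" 'NF && $1 != ivm { print $1 }' |
    while read -r lpar; do
        if has_common_vlan "$ivm" "$lpar"; then
            echo "ok $lpar"
        else
            echo "no-rmc-path $lpar"
        fi
    done
}

# Stand-alone run: report, then list the ports to request on the shared VLAN.
rmc_path_report ivm_vios
echo "required on the shared VLAN: $(rmc_ports)"
```

With the constructed inventory, lpar_db and lpar_app share VLAN 10 and 20 respectively with the VIO, while lpar_test sits only on VLAN 40 and is reported as having no RMC path. The intersection test is deliberately done per VLAN ID rather than per subnet, because, as the answer notes, the LPARs never see the 802.1Q tags; the hypervisor does that, so the IDs on the virtual adapters are what decide reachability.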

Author Closing Comment

by:sminfo
ID: 35255584
Good!  wmp..