IBM Z10 EC User Manual

Page 28

When configured at 1 Gbps, the 1000BASE-T Ethernet feature operates in full duplex mode only and supports jumbo frames when in QDIO mode (CHPID type OSD).

OSA-Express QDIO data connection isolation for the z/VM environment

Multi-tier security zones are fast becoming the network configuration standard for new workloads. Therefore, it is essential for workloads (servers and clients) hosted in a virtualized environment (shared resources) to be protected from intrusion or exposure of data and processes from other workloads.

With Queued Direct Input/Output (QDIO) data connection isolation you:

• Have the ability to adhere to security and HIPAA-security guidelines and regulations for network isolation between the operating system instances sharing physical network connectivity

• Can establish security zone boundaries that have been defined by your network administrators

• Have a mechanism to isolate a QDIO data connection (on an OSA port), ensuring all internal OSA routing between the isolated QDIO data connections and all other sharing QDIO data connections is disabled. In this state, only external communications to and from the isolated QDIO data connection are allowed. If you choose to deploy an external firewall to control the access between hosts on an isolated virtual switch and sharing LPARs, then the external firewall needs to be configured and each individual host and/or LPAR must have a route added to its TCP/IP stack to forward local traffic to the firewall.

Internal “routing” can be disabled on a per QDIO connection basis. This support does not affect the ability to share an OSA-Express port. Sharing occurs as it does today, but the ability to communicate between sharing QDIO data connections may be restricted through the use of this support. You decide whether an operating system’s or z/VM’s Virtual Switch OSA-Express QDIO connection is to be non-isolated (default) or isolated.

QDIO data connection isolation applies to the device statement defined at the operating system level. While an OSA-Express CHPID may be shared by an operating system, the data device is not shared.

QDIO data connection isolation applies to the z/VM 5.3 and 5.4 (with PTFs) environment and to all of the OSA-Express3 and OSA-Express2 features (CHPID type OSD) on System z10 and to the OSA-Express2 features on System z9.

Network Traffic Analyzer

With the large volume and complexity of today’s network traffic, the z10 EC offers systems programmers and network administrators the ability to more easily solve network problems. With the introduction of the OSA-Express Network Traffic Analyzer and QDIO Diagnostic Synchronization on the System z and available on the z10 EC, customers will have the ability to capture trace/trap data and forward it to z/OS 1.8 tools for easier problem determination and resolution.

This function is designed to allow the operating system to control the sniffer trace for the LAN and capture the records into host memory and storage (file systems), using existing host operating system tools to format, edit, and process the sniffer records.

OSA-Express Network Traffic Analyzer is exclusive to the z10 EC, z10 BC, z9 EC and z9 BC, and is applicable to the OSA-Express3 and OSA-Express2 features when configured as CHPID type OSD (QDIO), and is supported by z/OS.

Dynamic LAN idle for z/OS

Dynamic LAN idle is designed to reduce latency and improve network performance by dynamically adjusting the inbound blocking algorithm. When enabled, the z/OS TCP/IP stack is designed to adjust the inbound blocking algorithm to best match the application requirements.
