ZSP03439-USEN-01
IBM zEnterprise System
  1. © 2010 IBM Corporation. Restricted Distribution. Available in Hard Copy Once Presented by the IBM Account Team.
     IBM zEnterprise System Network Virtualization, Management, and Security (Part 1: Overview)
     Jerry Stevens, STSM, AIM ENS Architecture Strategy and Design
  2. Trademarks
     The following are trademarks of the International Business Machines Corporation in the United States and/or other countries: IBM*, IBM Logo*, AIX*, BladeCenter*, DataPower*, POWER*, POWER7*, PR/SM, RACF*, Redbooks*, System p*, System x*, System z*, System z10, z10, zEnterprise, z/OS*, z/VM*, z/VSE. * Registered trademarks of IBM Corporation. All other products may be trademarks or registered trademarks of their respective companies.
     The following are trademarks or registered trademarks of other companies. Adobe, the Adobe logo, PostScript, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries. Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. INFINIBAND, InfiniBand Trade Association and the INFINIBAND design marks are trademarks and/or service marks of the INFINIBAND Trade Association. Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office. IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency, which is now part of the Office of Government Commerce.
     Notes: Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here. IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply. All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area. All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
  3. Abstract
      You've heard a lot about the IBM zEnterprise™ System. The new machines are faster, more powerful and more energy efficient. But the most significant change is that other kinds of computers can now be “plugged into” the mainframe to create an “Ensemble Network” where security exposures are minimized and the data center can be managed as if it were a single computer. Many questions about speeds, feeds, feature codes and operating system levels have been answered, but many more questions have been raised about network design and network security. Attend the sessions in this two-part series to hear the answers to questions about Ensemble networking: questions on the underlying architecture, on the routing and security structures, and on the software definitions.
      The first session in the series, “IBM zEnterprise System Network Virtualization, Management, and Security (Part 1: Overview),” presents a high-level overview of the networking topics surrounding the new architecture. Part 1 is suitable for both an executive and a technical audience with both architects and implementers represented.
      The second session, “IBM zEnterprise System Network Virtualization, Management, and Security (Part 2: Detail),” presents a more detailed view of the underlying architecture, its routing and security structures, and some of its software definitions. Part 2 is suitable for a technical audience that wants to understand more about the design, positioning, and implementation of the new architecture.
      Both documents are available at: w3.ibm.com/support/techdocs
  4. Agenda – IBM zEnterprise System Networking Overview
      zEnterprise and IBM zEnterprise Unified Resource Manager (zManager) – Overview
      zEnterprise Node Physical Infrastructure
      Communications within the Ensemble
      Network and OSA Types and Attributes
      External Network Access
      Network Virtualization Management
      Provisioning Virtual Networks
      Network Access Control and Security
     Notices:
     1. All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
     2. The zEnterprise internal networks are provided with redundant hardware – redundancy is NOT shown in this presentation.
  5. IBM zEnterprise System – Best-in-Class Systems and Software Technologies. A “System of Systems” that unifies IT for predictable service delivery
     IBM zEnterprise Unified Resource Manager (zManager)
      Unifies management of resources, extending IBM System z® qualities of service end-to-end across workloads
      Provides platform, hardware and workload management
     IBM zEnterprise 196 (z196)
      Optimized to host large-scale database, transaction, and mission-critical applications
      The most efficient platform for large-scale Linux® consolidation
      Capable of massive scale-up
      New easy-to-use z/OS® V1.12
     IBM zEnterprise BladeCenter® Extension (zBX)
      Selected IBM POWER7® blades and IBM System x® Blades* for tens of thousands of AIX® and Linux applications
      High-performance optimizers and appliances to accelerate time to insight and reduce cost
      Dedicated high-performance private network
     * All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
  6. IBM zEnterprise System – Best in Class Systems and Software Technologies. A System of Systems that unifies IT for predictable service delivery
     Unified management for a smarter system: zEnterprise Unified Resource Manager
      Unifies management of resources, extending IBM System z qualities of service end-to-end across workloads
      Provides platform, hardware and workload management
     The world’s fastest and most scalable system: IBM zEnterprise 196 (z196)
      Ideal for large scale data and transaction serving and mission critical applications
      Most efficient platform for large-scale Linux® consolidation
      Leveraging a large portfolio of z/OS and Linux on System z applications
      Capable of massive scale up, over 50 Billion Instructions per Second (BIPS)
     Scale out to a trillion instructions per second: IBM zEnterprise BladeCenter Extension (zBX)
      Selected IBM POWER7 blades and IBM System x Blades1 for tens of thousands of AIX and Linux applications
      High performance optimizers and appliances to accelerate time to insight and reduce cost
      Dedicated high performance private network
     1 All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
     (The diagram also shows the HMC.)
  7. zEnterprise Unified Resource Manager – Hardware Management (HMC functions: Hypervisors, Energy, Networks, Performance, Virtual Servers, Operations)
     Operational Controls
     ▀ Auto-discovery and configuration support for new resources.
     ▀ Cross platform hardware problem detection, reporting and call home.
     ▀ Physical hardware configuration, backup and restore.
     ▀ Delivery of system activity using new user.
     Hypervisor Management
     ▀ Integrated deployment and configuration of hypervisors.
     ▀ Hypervisors (except z/VM®) shipped and serviced as firmware.
     ▀ Management of ISO images.
     ▀ Creation of virtual networks.
     Network Management
     ▀ Management of virtual networks including access control.
     Energy Management
     ▀ Monitoring and trend reporting of CPU energy efficiency.
     ▀ Ability to query maximum potential power.
     Key: ▀ Manage suite ▀ Automate suite
  8. zEnterprise Unified Resource Manager – Platform Management (HMC functions: Hypervisors, Energy, Networks, Performance, Virtual Servers, Operations)
     Hypervisor Management
     ▀ Manage and control communication between virtual server operating systems and the hypervisor.
     Virtual Server Lifecycle Management
     ▀ Single view of virtualization across platforms.
     ▀ Ability to deploy multiple, cross-platform virtual servers within minutes.
     ▀ Management of virtual networks including access control.
     Workload Awareness and Platform Performance Management
     ▀ Wizard-driven management of resources in accordance with specified business service level objectives.
     ▀ HMC provides a single consolidated and consistent view of resources.
     ▀ Monitor resource use within the context of a business workload.
     ▀ Define workloads and associated performance policies.
     Energy Management
     ▀ Static power savings.
     Key: ▀ Manage suite ▀ Automate suite
  9. Value Made Possible By the Unified Resource Manager – zEnterprise hardware management and platform management (HMC functions: Hypervisors, Energy, Networks, Performance, Virtual Servers, Operations)
     Operational Controls
     ▀ Auto-discovery and configuration support for new resources.
     ▀ Cross platform hardware problem detection, reporting and call home.
     ▀ Physical hardware configuration, backup and restore.
     ▀ Delivery of system activity using new user.
     Network Management
     ▀ Management of virtual networks including access control.
     Virtual Server Lifecycle Management
     ▀ Single view of virtualization across platforms.
     ▀ Ability to deploy multiple, cross-platform virtual servers within minutes.
     ▀ Management of virtual networks including access control.
     Energy Management
     ▀ Monitoring and trend reporting of CPU energy efficiency.
     ▀ Ability to query maximum potential power.
     ▀ Static power savings.
     Value:
     – Save time, cost and simplify asset management
     – Decrease problem determination and resolution time for cross-platform resources
     – Improve and simplify cross-platform availability procedures
     – Enable broader and more granular view of resource consumption
     – Factory installed and configured network
     – Improved network security with lower latency, less complexity, no encryption/decryption
     – Simplified network management for applications
     – Allow critical workloads to receive resources and priority based on goal-oriented policies established by business requirements
     – Smart business adjustments based on workload insight
     – Provide deep insight into how IT resources are being used
     – Gain flexibility, consistency and uniformity of virtualization
     – Provide the business with faster time to market
     – Simplified installation of hypervisors
     – Gain significant time to market with improved speed of deployment
     – Simplified energy management
     – Energy cost savings
  10. zEnterprise Networking Value Points
      Network Simplification
     – Single physical network and zBX “package” (physical network integration)
     – Central point of management (zManager via the HMC/SE)
      Secure communications
     – Physical security (internal / dedicated network equipment)
     – Logical security (controlled access)
     – Network virtualization and isolation
      High Availability
     – Redundant network hardware
     – Logical failover
      Unique System z QoS
     – Isolated / dedicated equipment
     – Special purpose dedicated data network & OSA-Express (no encryption required)
  11. IBM zEnterprise System Overview – Connecting the pieces with zManager! (diagram)
     System z: CPU, memory and I/O under PR/SM™, hosting z/OS virtual machines and z/VM (with z/OS and Linux guests); Support Element (SE).
     zBX (z Blade Extension): POWER® blades under pHyp running AIX, System x blades under xHyp running Linux, DataPower®, ISAOPT and future offerings1; Advanced Management Module (AMM).
     HMC with zManager connects the pieces.
     1 All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
  12. Putting zEnterprise System to the Task – Use the smarter solution to improve your application design (diagram)
     System z host: System z hardware resources under PR/SM hosting z/OS, z/TPF, z/VSE™, Linux on System z and z/VM (with Linux on System z guests), plus the Support Element.
     zBX: select IBM blades (AIX on POWER7, Linux on System x1, DataPower1, future offerings) and optimizers (Smart Analytics Optimizer) under blade virtualization.
     System z Hardware Management Console (HMC) with Unified Resource Manager.
     Networks: private high speed data network (IEDN), private management network (INMN), and the customer network.
     1 All statements regarding IBM future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
  13. IBM zEnterprise Node with Internal Networks (diagram)
     A zEnterprise node consists of a z196 and a zBX (2 frames) with BladeCenter chassis and TOR switches, managed from HMCs. Networks shown: the customer managed management network, the customer managed data networks (OSD OSAs), the intranode management network and the intraensemble data network (OSM & OSX OSAs).
  14. IBM zEnterprise – Internal Networks (diagram)
     Two zEnterprise nodes, each a System z frame (HMC, SE, FSP, BPC; System z virtual servers) and a zBX rack (AMM, BC-1, BC-2; p virtual servers, ISAOPT). Networks: (A) Private System Control Network, (B) intranode management network, (C) intraensemble data network (the IEDN spans nodes), (D) Customer Managed Management Network, (E) Customer Managed External Data Network (behind a firewall).
     Two new zEnterprise networks (B & C). The IEDN is the primary focus of this presentation.
  15. IBM zEnterprise – Ensemble and intraensemble Data Network
     zEnterprise Ensemble: a collection of one or more zEnterprise nodes (including any optionally attached zBX) that are managed as a single logical virtualized system by the zManager using a Hardware Management Console (HMC).
     Ensemble Member: a zEnterprise node that has been added to an ensemble using the HMC.
     (Diagram: Node 1, Node 2 and Node 3 joined by the intraensemble data network.)
  16. IBM zEnterprise – intraensemble Data Network Key Attributes
     zEnterprise Ensemble intraensemble data network – key attributes:
     1. Single dedicated physical, flat layer 2, 10 GbE network
     2. Comprised of IBM zEnterprise (redundant) equipment (no external / customer hardware)
     3. Can span nodes (i.e. can be shared by all co-located nodes within the Ensemble – 10km limit)
     4. No layer 3 IP routing required to communicate within the Ensemble
     5. IP addresses (IPv4 or IPv6) are customer controlled (provisioned)
     6. MAC addresses (prefixes) are provisioned / coordinated by zManager (HMC)
     7. Access to the network is controlled by the zManager (HMC) via the SE, via OSX, the hypervisors and the physical switches
     8. Virtual servers can be isolated into multiple groups on the physical network by defining multiple virtual networks (multiple VLANs) based on workloads and other isolation requirements
  17. IBM zEnterprise – OSA and Network Types (diagram)
     A zEnterprise node: z196 CPC with LP 1–LP 4 (z/OS 1–z/OS 4) and LP 5 (z/VM 1 with a VSwitch and virtual servers VS1–VS4), SE and HMC; zBX racks with BladeCenter chassis (ESMs) and TOR-A / TOR-B switches.
     1. Customer External Network (OSD CHPID) to the WAN
     2. intraensemble data network, 10GbE (OSX CHPID), to the TORs
     3. intranode management network, 1GbE (OSM CHPID); the SE LAN extends to other nodes
  18. External Network Access – Option 1 – System z (LP) IP Router (diagram)
     Option #1 via System z (z/OS): LP 1 (z/OS 1) acts as the IP router between the customer external network (OSD CHPID, WAN) and the intraensemble data network 10GbE (OSX CHPID) that reaches the z/VM virtual servers and the zBX racks via the TORs. The intranode management network 1GbE (OSM CHPID) and SE LAN extend to other nodes.
  19. External Network Access – Option 2 – External IP Router (diagram)
     Option #2: a customer external router / firewall (and an external load balancer) connect directly to the TOR switches, and through the intraensemble data network 10GbE (OSX CHPID) to the System z LPs. The intranode management network 1GbE (OSM CHPID) and SE LAN extend to other nodes.
  20. Configuration – Multiple Enterprise Nodes (sharing zBX rack(s)) (diagram)
     zEnterprise Node 1 (with zBX, SE 1) and zEnterprise Node 2 (without zBX, SE 2) share the zBX racks over the intraensemble data network: each System z attaches via OSA (OSX) to the TOR and the BladeCenter ESMs. The System z side shows LP 1–LP 4 (z/OS 1–z/OS 4) and LP 5 (z/VM 1 with a VSwitch and VS1–VS4).
  21. Migration Configuration (Down-level CPC) for DB2 / ISAOPT (diagram)
     A zEnterprise node (with ISAOPT in the BC racks) attaches via OSX OSA. A System z10 (with DB2 in LP 3 and LP 4) attaches via OSD OSA to a migration port (external VLAN) on the TOR, giving the z10 direct access to (sharing) the zEnterprise for ISAOPT.
  22. Migration Configuration (Down-level CPC) for Other workloads (diagram)
     zEnterprise Node 1 (with zBX, SE 1) attaches to the intraensemble data network via OSA (OSX). A System z10 running other application workloads (general application workloads such as IMS / DP) uses external (indirect) network access to the zEnterprise: via OSA (OSD) onto the external network, through an external layer 3 IP router and firewall.
  23. Network Hardware Redundancy (diagram)
     Redundant network hardware (high availability): redundant OSAs (OSX), TORs, ESMs and blade NICs, with the ability to add additional OSAs (additional bandwidth).
  24. Virtual Network Concepts – Creating Virtual Networks
     Step 1. Create / define a virtual network from the HMC, e.g. Network Name = Production Net, VLAN ID = 300.
  25. Virtual Network Concepts – Adding Virtual Servers
     Virtual networks consist of two key properties:
     1. VLAN ID (IP subnet)
     2. List of authorized servers
     Step 2. Once you have a virtual network, add (associate / authorize) virtual servers to it as necessary, e.g. add hosts (by Server ID) to “Production Net”, VLAN ID = 300.
  26. Deploying a Virtual Network – Example 1
     A single virtual network, “Production Net” (VLAN ID = 300): Servers A–L attach to the TOR switch with addresses IP A–IP L. Single IP subnet and VLAN ID: all servers can have a single IP interface and all IP addresses are from the same IP subnet (e.g. 9.27.200.xxxx). Multiple interfaces are created for redundancy!
  27. Deploying Multiple Virtual Networks – Example 2 – Isolation
     1. Define multiple virtual networks, each having unique VLAN IDs and IP subnets: “Production Network” VLAN ID 300 and “Development Network” VLAN ID 500 (Servers A–L with IP A–IP L on the TOR switch).
     2. Then add virtual servers to each virtual network as needed, which isolates “Production Servers” from “Development Servers”.
  28. Deploying Multiple Virtual Networks – Isolation
     1. Define multiple virtual networks, each having unique VLAN IDs and IP subnets: “Marketing Network” VLAN ID 300 (subnet “A”) and “Development Network” VLAN ID 500 (subnet “B”).
     2. Then add virtual servers to each virtual network as needed: Servers A–F receive IP@ A.1–A.6 and Servers G–L receive IP@ B.1–B.6. zManager isolates “Marketing Servers” from “Development Servers”.
  29. zEnterprise Virtualization and Network Access Control (diagram)
     System z under PR/SM: z/VM with VSwitch 1 and VSwitch 2 hosting VS 1–VS 4; zBX BladeCenter with ESM, BLADE 1 (pHype) and BLADE 2 (xHype) hosting VS 5–VS 14; virtual networks Net A, Net B and Net C across the OSX and the TOR; SE and HMC.
     zManager pushes virtual network access control information to the node, and the SE propagates it to the control points (OSX and hypervisors).
  30. Putting It All Together…with Secure Access Control! (diagram)
     IEDN physical edge (System z side): OSX OSA ports serving z/OS and the z/VM VSwitches A and B. z/OS configures (allows) all VLANs; the NVM configures specific VLANs.
     IEDN core physical network: TOR A (external ports, management port).
     IEDN physical edge (blade side): BladeCenter chassis ESM A with internal ports to the Blade A image (pHype, VSwitch C) and the Blade B image, the optimizer (ISAOpt, Server ID Y), and the SE via BPH ports; Servers A–G (G0, G1, G2 …).
     zManager controls network access at the physical and at the virtual switches (hypervisors)! Note that all network components are duplicated to provide full redundancy; redundancy is not shown.
  31. Connecting the Customer External Data Network to the intraensemble Data Network – Using Unique VLANs (diagram)
     Two ways into the IEDN (VLAN A, VLAN B) from the external customer data network:
     1. Enter through the zCPC via z/OS (TCPIP1 on z/OS1) via an OSD, then onto the IEDN via the OSX.
     2. Enter through an external router to the zBX top of rack, then to the hypervisor-hosted virtual servers (e.g. LINUX 51, LINUX 55, Virtual Server 72B).
     Controls shown: IP filtering and MAC filtering at the routers, VLAN enforcement at the OSX, the top of rack and the hypervisors, and network access control through RACF® on z/OS.
  32. Exploiting External Firewalls within the Ensemble (diagram)
     Server 72B uses an external firewall and IP router to access Server 22A: the external firewall and IP router are used to cross zones (VLANs), and external network access uses different VLANs (VLAN A, VLAN B, VLAN C). The diagram shows TCPIP1 (z/OS1) with a VIPA and its OSX and OSD interfaces, the top of rack, the routers with IP filtering, MAC filtering and VLAN enforcement, and the virtual servers 22A, 72B, LINUX 51 and LINUX 55 on the IEDN.
  33. Configuring TOR – External Network Access
     Two use cases:
     1. z10™ access
     2. External IP router
  34. Summary – Exploiting the intraensemble Data Network
     Once all hardware / physical installation and System z HCD configuration tasks are complete, you are ready to exploit the IEDN.
     Key concepts / reminders:
     1. All network traffic on the IEDN must use an “authorized” VLAN ID!
     2. The VLAN ID maps to a corresponding virtual network.
     3. All host images (operating systems) on all platforms within the Ensemble are represented as a virtual server.
     Key zManager network related configuration tasks:
     1. Virtual network configuration (at the HMC): defining a virtual network (VLAN ID)
     2. Virtual server configuration: define each virtual server and associate it with the proper virtual network
     3. Virtual switch configuration (if applicable – N/A to native LPs)
     Finally, operating system network configuration tasks (IP address, VLAN ID, etc.) remain within the OS; the OS VLAN ID must match the HMC VLAN ID configuration.
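     The provisioning and enforcement model that slides 25 through 34 describe (a virtual network is a VLAN ID plus a list of authorized virtual servers; zManager pushes that authorization to the OSX and hypervisor control points; all IEDN traffic must carry an authorized VLAN ID) worked through as an added Python model. This is illustration code written for this page, not IBM's code and not part of the presentation. The MAC-prefix check, the 3-byte prefix value, the subnet-uniqueness rule, the server IDs, MAC and IP addresses and the frame bytes are all constructed assumptions; only the 802.1Q frame layout is standard.

```python
# Added model of zManager-style virtual network access control on the IEDN.
# Hypothetical, not IBM code: server IDs, MAC prefix, subnets and frames are constructed.
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_8021Q = 0x8100  # 802.1Q tag protocol identifier


@dataclass
class VirtualNetwork:  # defined at the HMC: VLAN ID, IP subnet, authorized servers
    name: str
    vlan_id: int
    subnet: ipaddress.IPv4Network
    authorized: set = field(default_factory=set)


class ZManagerModel:
    """The HMC/zManager view of one ensemble's intraensemble data network."""

    def __init__(self, mac_prefix):
        self.mac_prefix = mac_prefix  # assumed 3-byte prefix coordinated by zManager
        self.networks = {}            # vlan_id -> VirtualNetwork
        self.servers = {}             # server_id -> 6-byte MAC

    def define_virtual_network(self, name, vlan_id, subnet):
        """Step 1: every virtual network gets a unique VLAN ID and IP subnet."""
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be within the 802.1Q range 1..4094")
        if vlan_id in self.networks:
            raise ValueError(f"VLAN ID {vlan_id} is already assigned")
        net = ipaddress.IPv4Network(subnet)
        if any(net.overlaps(v.subnet) for v in self.networks.values()):
            raise ValueError(f"subnet {net} overlaps an existing virtual network")
        self.networks[vlan_id] = VirtualNetwork(name, vlan_id, net)

    def add_virtual_server(self, server_id, mac):
        """Register a host image; its MAC must lie within the provisioned prefix."""
        if len(mac) != 6 or mac[:3] != self.mac_prefix:
            raise ValueError(f"{server_id}: MAC outside the zManager-provisioned prefix")
        self.servers[server_id] = mac

    def authorize(self, server_id, vlan_id):
        """Step 2: associate (authorize) a registered virtual server with a network."""
        if server_id not in self.servers:
            raise KeyError(f"unknown virtual server {server_id}")
        self.networks[vlan_id].authorized.add(server_id)

    def access_control(self):
        """Per-server authorized VLAN sets: what the SE pushes to the control points."""
        acl = {sid: set() for sid in self.servers}
        for net in self.networks.values():
            for sid in net.authorized:
                acl[sid].add(net.vlan_id)
        return acl


def parse_frame(frame):
    """Return (source MAC, VLAN ID) of an Ethernet frame; VLAN ID is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src, (ethertype,) = frame[6:12], struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return src, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    return src, struct.unpack("!H", frame[14:16])[0] & 0x0FFF  # low 12 TCI bits = VLAN ID


def enforce(acl, servers, frame):
    """Control-point check (OSX port or hypervisor vswitch) of one frame against the ACL."""
    src, vlan = parse_frame(frame)
    sid = {mac: s for s, mac in servers.items()}.get(src)
    if sid is None:
        return "deny", "source MAC not provisioned by zManager"
    if vlan is None:
        return "deny", f"{sid}: untagged; IEDN traffic must carry an authorized VLAN ID"
    if vlan not in acl[sid]:
        return "deny", f"{sid}: not authorized for VLAN {vlan}"
    return "allow", f"{sid}: VLAN {vlan}"


def build_frame(dst, src, vlan_id=None, payload=b"\x45"):
    """Construct a sample frame, 802.1Q-tagged when vlan_id is given."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) if vlan_id is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def demo():
    """Production (VLAN 300) and Development (VLAN 500) networks, as in slide 27."""
    zm = ZManagerModel(mac_prefix=b"\x02\x16\x00")  # constructed, locally administered prefix
    zm.define_virtual_network("Production Network", 300, "10.24.104.0/24")
    zm.define_virtual_network("Development Network", 500, "10.24.105.0/24")
    a, g = b"\x02\x16\x00\x00\x00\x01", b"\x02\x16\x00\x00\x00\x07"  # constructed MACs
    zm.add_virtual_server("Server A", a)
    zm.add_virtual_server("Server G", g)
    zm.authorize("Server A", 300)
    zm.authorize("Server G", 500)
    acl, bcast = zm.access_control(), b"\xff" * 6
    return {
        "authorized_vlan": enforce(acl, zm.servers, build_frame(bcast, a, 300))[0],
        "wrong_vlan": enforce(acl, zm.servers, build_frame(bcast, a, 500))[0],
        "untagged": enforce(acl, zm.servers, build_frame(bcast, a))[0],
        "foreign_mac": enforce(acl, zm.servers, build_frame(bcast, b"\x00\x11\x22\x33\x44\x55", 300))[0],
        # flat layer 2 network: two servers can reach each other only if they share a VLAN
        "prod_dev_isolated": not (acl["Server A"] & acl["Server G"]),
    }
```

     demo() returns the control-point verdicts for an authorized tagged frame, a frame tagged with a VLAN the server is not authorized for, an untagged frame and a frame from a MAC that zManager never provisioned, plus the isolation check between the Production and Development servers. The wrong-VLAN case is why the OS VLAN ID must match the HMC definition: a guest whose operating system tags with any other VLAN ID is dropped at the OSX or virtual switch rather than reaching another virtual network.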
  35. References
  36. References (White Papers, FAQs, Presentations)
      zEnterprise System Frequently Asked Questions (FAQs)
     – www.ibm.com/systems/z/faq
      zEnterprise Network Security White Paper (ZSW03167-USEN-00) and Other Resources
     – www.ibm.com/systems/z/resources (Select “Literature” Entries)
     – http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=SA&subtype=WH&appname=STGE_ZS_ZS_USEN&htmlfid=ZSW03167USEN&attachment=ZSW03167USEN.PDF
      IBM zEnterprise System Network Virtualization, Management, and Security (Parts 1 and 2: Overview and Detail)
     – w3.ibm.com/support/techdocs
      IBM System z Hardware Management Console Security White Paper
     – Author Kurt Schroeder (schroedk@us.ibm.com), Sept. 2008
     – http://nascpok.pok.ibm.com/rsf/zHMCSecurityWhitepaper.pdf
  37. References (Hardware)
      zBX Publications
     – zBX Service Guide GC28-6884-01
     – zBX Installation Manual (2458-002) GC27-2610-00
     – zBX IMPP (2458-002) GC27-2611-00
     – zBX Service Education SE245800
     – zBX Safety Inspection (for mod 1 and 2) GC28-6889-00
     – IBM License Agreement for Machine Code SC28-6872-00
     – Systems Environmental Notices and User Guide Z125-5823-02
     – Systems Safety Notices G229-9054-02
      Redbooks (www.redbooks.ibm.com)
     – IBM zEnterprise Technical Introduction, SG24-7832
     – IBM zEnterprise Technical Guide, SG24-7833
     – IBM zEnterprise Configuration Setup, SG24-7834
     – IBM zEnterprise Platform Management, SG24-7835
     – IBM System p® Advanced POWER Virtualization Best Practices, redp4194
     – IBM BladeCenter JS12 and JS22 Implementation Guide, SG24-7655
      zBX 2458-002 SAPR Guide
     – SA10-006 2458 TDA Confirmation Form
      System z and zEnterprise
     – Input/Output Configuration Program User's Guide for ICP IOCP, SB10-7037-08
  38. References (Software and Security)
      z/OS Ensemble Implementation
     – z/OS Communications Server V1R12 SNA Network Implementation Guide (SC31-8777)
     – z/OS Communications Server V1R12 SNA Network Definition Reference (SC31-8778)
     – z/OS Communications Server V1R12 IP Configuration Guide (SC31-8775)
     – z/OS Communications Server V1R12 IP Configuration Reference (SC31-8776)
      IPv6 Information
     – z/OS Communications Server V1R12 IPv6 Network and Application Design Guide (SC31-8885)
      z/VM Ensemble Implementation
     – z/VM 6.1 with Small Programming Enhancement (SPE): CP Planning and Configuration (SC24-6083)
      Introducing the IBM Security Framework and IBM Security Blueprint to Realize Business-Driven Security; IBM RedGuide REDP-4528-00, July 2009
     – www.redbooks.ibm.com
      Security on the IBM Mainframe, SG24-7803-00 Redbooks®, published 30 April 2010
     – www.redbooks.ibm.com
      Introduction to the New Mainframe: Security, SG24-6776-00 Redbooks, published 3 April 2007, last updated 26 April 2007
     – www.redbooks.ibm.com
  39. Questions?? Thank You! gdente@us.ibm.com
     Available in Hard Copy Once Presented by the IBM Account Team. ZSP03433-USEN-01
  40. Questions? – Thank You! sjerry@us.ibm.com
     Available in Hard Copy Once Presented by the IBM Account Team. ZSP03439-USEN-00