beautypg.com

Ip filter between exclusive ip zones on a system, Zones, networks and routing, Global and local zone with shared network – Sun Microsystems SOLARIS 10 User Manual

Page 90

background image

Version 3.1-en

Solaris 10 Container Guide - 3.1 5. Cookbooks

Effective: 30/11/2009

5.2.6. IP filter between exclusive IP zones on a system
[dd] The usual configuration rules for IP filters must be followed for the use of IP filters in exclusive IP
zones. This is possible since, for exclusive IP instances, the physical network port was assigned to
the zone.

After configuring the IP filter per zone, IP filter is activated in each zone to work independently in each
IP instance. The corresponding command is: svcadm enable ipfilter

5.2.7. Zones, networks and routing
[dd/ug] The following sections describe scenarios in zones, networks and routing settings. The
following restrictions exist:

In the directly connected networks, the same IP address must not be assigned twice. If this is
unavoidable due to organizational circumstances, NAT routers (scenario 3) must be used for
partitioning.

Routing between the addresses of zones with shared IP occurs in the system. External routing
can only be forced by means of a NAT router or by inhibiting routing between zones with ndd:
ndd -set /dev/ip ip_restrict_interzone_loopback 1

The network separation s implemented in Solaris at the logical TCP/IP level. This is sufficient for
many cases of application.

If separation is required at the physical network level, it can be implemented by separate
systems, Solaris domains or – since Solaris 10 8/07 – by exclusive IP instances.

5.2.7.1. Global and local zone with shared network
[dd/ug] Two local zones, zone1 and zone2, are located in the same network segment as the global
zone.

Each local zone can use the same network interface as the global zone.

Routing set up for the global zone also applies to the local zones. All zones (global and local)

can communicate with each other.

Implementation:

Zones are set up with the network interface of the global zone; if this is bge0, the setup

set physical=bge0 is done with zonecfg: add net.

Each local zone must receive an address from the network of the global zone.

83

Figure 31: [dd] Global and local zone with shared network

192.168.1.0

Network

bge0 - 192.168.1.1

Global Zone

bge0:2 - 192.168.1.202

Zone 2

bge0:1 - 192.168.1.201

Zone 1

See also other documents in the category Sun Microsystems Hardware: