Sun Microsystems 10 User Manual
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
5.2.6. IP filter between exclusive IP zones on a system
[dd] The usual configuration rules for IP filters must be followed for the use of IP filters in exclusive IP
zones. This is possible since, for exclusive IP instances, the physical network port was assigned to
the zone.
[dd] The usual configuration rules for IP filters must be followed for the use of IP filters in exclusive IP
zones. This is possible since, for exclusive IP instances, the physical network port was assigned to
the zone.
After configuring the IP filter per zone, IP filter is activated in each zone to work independently in each
IP instance. The corresponding command is: svcadm enable ipfilter
IP instance. The corresponding command is: svcadm enable ipfilter
5.2.7. Zones, networks and routing
[dd/ug] The following sections describe scenarios in zones, networks and routing settings. The
following restrictions exist:
[dd/ug] The following sections describe scenarios in zones, networks and routing settings. The
following restrictions exist:
•
In the directly connected networks, the same IP address must not be assigned twice. If this is
unavoidable due to organizational circumstances, NAT routers (scenario 3) must be used for
partitioning.
unavoidable due to organizational circumstances, NAT routers (scenario 3) must be used for
partitioning.
•
Routing between the addresses of zones with shared IP occurs in the system. External routing
can only be forced by means of a NAT router or by inhibiting routing between zones with ndd:
ndd -set /dev/ip ip_restrict_interzone_loopback 1
can only be forced by means of a NAT router or by inhibiting routing between zones with ndd:
ndd -set /dev/ip ip_restrict_interzone_loopback 1
•
The network separation s implemented in Solaris at the logical TCP/IP level. This is sufficient for
many cases of application.
many cases of application.
•
If separation is required at the physical network level, it can be implemented by separate
systems, Solaris domains or – since Solaris 10 8/07 – by exclusive IP instances.
systems, Solaris domains or – since Solaris 10 8/07 – by exclusive IP instances.
5.2.7.1. Global and local zone with shared network
[dd/ug] Two local zones, zone1 and zone2, are located in the same network segment as the global
zone.
[dd/ug] Two local zones, zone1 and zone2, are located in the same network segment as the global
zone.
•
Each local zone can use the same network interface as the global zone.
•
Routing set up for the global zone also applies to the local zones. All zones (global and local)
can communicate with each other.
Implementation:
•
Zones are set up with the network interface of the global zone; if this is bge0, the setup
set physical=bge0 is done with zonecfg: add net.
•
Each local zone must receive an address from the network of the global zone.
83
Figure 31: [dd] Global and local zone with shared network
192.168.1.0
Network
bge0 - 192.168.1.1
Global Zone
bge0:2 - 192.168.1.202
Zone 2
bge0:1 - 192.168.1.201
Zone 1