Sun Microsystems 10 User Manual
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
5.2.7.6. Zones connected to independent customer networks using the shared IP instance
[dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services
for a variety of customers in their own networks.
[dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services
for a variety of customers in their own networks.
•
Each local zone should have its own physical interface in the network.
•
Additional customer networks are connected to the network segment.
•
Allocation of addresses in the networks is not coordinated; one address can be allocated
multiple times (once per customer network). Usually companies use private IP networks
(10.x.y.z, 192.168.x.y) internally, therefore the allocation of the same IP address at different
customers is highly probable.
multiple times (once per customer network). Usually companies use private IP networks
(10.x.y.z, 192.168.x.y) internally, therefore the allocation of the same IP address at different
customers is highly probable.
•
It should be possible to reach zones zone1 and zone2 from other networks.
•
Zones zone1 and zone2 should not be able to initiate connections to other networks.
•
There should be no communication between the local zones.
•
Communication between the global zone and the local zones is not intended.
Implementation:
•
The network interface provided for the local zone (e.g. bge1) must not be used elsewhere
in the global zone.
in the global zone.
•
To prepare for local zones, the interface must be plumbed (but not enabled):
ifconfig bge1 plumb down
Thereby, the interface gets the address 0.0.0.0 but is not active.
ifconfig bge1 plumb down
Thereby, the interface gets the address 0.0.0.0 but is not active.
•
The zones' network configuration is established by setting the zones to the ready state.
zoneadm -z zone1 ready
zoneadm -z zone2 ready
The addresses listed in the configuration of the zones (zone1: 192.168.201.1 and
zone2: 192.168.202.1) are now active.
zoneadm -z zone1 ready
zoneadm -z zone2 ready
The addresses listed in the configuration of the zones (zone1: 192.168.201.1 and
zone2: 192.168.202.1) are now active.
•
The routes of the local zones are specified with zonecfg:set defrouter.
set defrouter=192.168.201.2
set defrouter=192.168.202.2
set defrouter=192.168.201.2
set defrouter=192.168.202.2
•
So that no communication takes place between the local zones through the shared TCP/IP
stack, reject routes must be set in the global zone that prevent communication between two
IP addresses.
route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject
Alternatively the interzone loopback can be restricted:
ndd -set /dev/ip ip_restrict_interzone_loopback 1
stack, reject routes must be set in the global zone that prevent communication between two
IP addresses.
route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject
Alternatively the interzone loopback can be restricted:
ndd -set /dev/ip ip_restrict_interzone_loopback 1
•
The zones can now be booted for operation:
zoneadm -z zone1 boot
zoneadm -z zone2 boot
zoneadm -z zone1 boot
zoneadm -z zone2 boot
•
The default router is a NAT router that hides the IP address of the local zone from the
customer. On the customer's side, it is configured with an IP address from the customer's
network, thus, address conflicts can not occur.
customer. On the customer's side, it is configured with an IP address from the customer's
network, thus, address conflicts can not occur.
•
Option: To enable communication between the global and the local zone, an interface that is
located in the logical network of the local zone must be configured in the global zone.
located in the logical network of the local zone must be configured in the global zone.
88