“Old” Solaris approach: a zone with an exclusive IP stack needs a data link of its own (a separate physical NIC, or a VLAN-tagged link) that no other zone uses.
“New” OpenSolaris/Solaris 11 approach (project Crossbow, integrated in build 105): you have one physical interface and you carve it up however you want. You can build a whole network of virtual NICs inside a single box, over a single network card.
Here’s an example of how to migrate an existing shared-stack zone to an exclusive-IP zone on VNICs.
Old configuration: one global zone (system name xeon), one non-global zone (dmz), one physical interface (e1000g0) and two VLANs (1 and 10). The VLAN-tagged links follow the Solaris naming scheme <driver><VID*1000+instance>, so e1000g1000 is VLAN 1 and e1000g10000 is VLAN 10 on e1000g0:
e1000g1000: flags=201000843 mtu 9000 index 3      #VLAN 1 (global zone)
        inet 10.0.1.100 netmask ffffff00 broadcast 10.0.1.255
        ether 0:18:f3:ef:2a:d0
e1000g1000:1: flags=201000843 mtu 9000 index 3    #VLAN 1 (zone dmz)
        inet 10.0.1.101 netmask ffffff00 broadcast 10.0.1.255
        ether 0:18:f3:ef:2a:d0
e1000g10000: flags=201000842 mtu 9000 index 5     #VLAN 10 (zone dmz)
        inet 10.0.0.100 netmask 0
        ether 0:18:f3:ef:2a:d0
xeon# cd /etc/zones
xeon# more dmz.xml
. . .
. . .
With a shared IP stack the zone has no routing table of its own: the routing table belongs to the global zone, and the defrouter property of a shared-stack net resource merely adds one more default route to that shared table. So if the global zone has defaultrouter set to 10.0.1.1, zone dmz sees that route too. You can’t get rid of it from the zone’s point of view and force the zone’s traffic out via 10.0.0.1; instead both zones end up with two default routes.
Now, let’s have a look at the virtual network interfaces (VNICs), the heart of the new concept.
Currently there are none (dladm show-vnic prints nothing):
xeon#
Let’s create two VNICs, one per VLAN. You can name a VNIC almost 😉 anything you want, as long as it is a valid link name (it must end in a number):
xeon# dladm create-vnic -l e1000g0 -v 1 dmz1
xeon# dladm create-vnic -l e1000g0 -v 10 dmz0
xeon# dladm show-vnic
LINK    OVER      SPEED  MACADDRESS        MACADDRTYPE  VID
dmz1    e1000g0   1000   2:8:20:fb:6a:82   random       1
dmz0    e1000g0   1000   2:8:20:52:8e:c5   random       10
Now we have two VNICs:
- dmz1 – VLAN 1
- dmz0 – VLAN 10
each with a randomly generated MAC address (MACADDRTYPE random). With the -m option you can assign a fixed MAC address instead, or take one of the NIC’s factory addresses (see dladm(1M)). Keep in mind that an exclusive-IP zone can ifconfig its own links, so once the zone is compromised nothing in the global zone stops it from spoofing MAC or IP addresses on the shared wire; Solaris 11 adds link protection for exactly this case (dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted and -p allowed-ips=... on the VNIC), which the build this post was written on does not yet have.
Reconfigure the zone:
xeon# zonecfg -z dmz
zonecfg:dmz> info
. . .
net:
        address: 10.0.0.100
        physical: e1000g10000
        defrouter: 10.0.0.1
net:
        address: 10.0.1.101
        physical: e1000g1000
        defrouter: 10.0.1.1
. . .
zonecfg:dmz> set ip-type=exclusive
zonecfg:dmz> remove net address=10.0.0.100
zonecfg:dmz> remove net address=10.0.1.101
zonecfg:dmz> add net
zonecfg:dmz:net> set physical=dmz0
zonecfg:dmz:net> end
zonecfg:dmz> add net
zonecfg:dmz:net> set physical=dmz1
zonecfg:dmz:net> end
zonecfg:dmz> info
. . .
ip-type: exclusive
. . .
net:
        address not specified
        physical: dmz0
        defrouter not specified
net:
        address not specified
        physical: dmz1
        defrouter not specified
zonecfg:dmz> commit
zonecfg:dmz> exit
Now (re)boot the zone (a change of ip-type only takes effect at zone boot) and configure its interfaces and default route inside the zone, exactly as on a standalone system: /etc/hostname.dmz0, /etc/hostname.dmz1 and /etc/defaultrouter under the zone’s root.
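The whole migration above (the two dladm calls, the zonecfg session and the in-zone network files) as one script. This is an added example, not code from the original post: it uses the page’s names (dmz, e1000g0, VLANs 1 and 10, 10.0.0.100 and 10.0.1.101), assumes a POSIX shell (ksh93 or bash on Solaris), prints everything first and only touches the system when run with the argument apply. The record layout, the preflight checks and the protect_cmds part (Solaris 11 link protection, not available on the build this post was written on) are this example’s own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally run) the
# commands that turn the shared-stack zone on this page into an exclusive-IP
# zone on VNICs. Zone, link, VLAN and address values are the page's; the record
# layout, the dry-run/apply modes and the preflight checks are this example's
# own assumptions. Needs a POSIX sh (ksh93 or bash on Solaris).
ZONE=dmz
PHYS=e1000g0            # the single physical link all VNICs sit on
DEFROUTER=10.0.0.1      # the zone's own default route, set inside the zone
# One record per VNIC: "<vnic> <vlan id> <address> <netmask>". The address is
# both the shared-stack one to remove and the one the zone keeps afterwards.
VNICS='dmz0 10 10.0.0.100 255.255.255.0
dmz1 1 10.0.1.101 255.255.255.0'

each_vnic() { printf '%s\n' "$VNICS"; }

# Global zone, step 1: one VNIC per VLAN over the physical link.
vnic_cmds() {
    each_vnic | while read -r vnic vid addr mask; do
        echo "dladm create-vnic -l $PHYS -v $vid $vnic"
    done
}

# Global zone, step 2: the zonecfg command file. Address and defrouter move
# inside the zone, so only the link name stays in the zone configuration.
zonecfg_script() {
    echo "set ip-type=exclusive"
    each_vnic | while read -r vnic vid addr mask; do
        echo "remove net address=$addr"
    done
    each_vnic | while read -r vnic vid addr mask; do
        echo "add net"
        echo "set physical=$vnic"
        echo "end"
    done
    echo "commit"
}

# Inside the zone, step 3: legacy /etc/hostname.<link> and /etc/defaultrouter,
# which the zone's own IP stack reads at boot.
zone_net_files() {
    each_vnic | while read -r vnic vid addr mask; do
        echo "/etc/hostname.$vnic: $addr netmask $mask broadcast + up"
    done
    echo "/etc/defaultrouter: $DEFROUTER"
}

# Optional hardening on Solaris 11 (assumed add-on, not in the build this post
# was written for): an exclusive-IP zone can ifconfig itself, so pin each VNIC
# to its MAC and IP address with link protection; a compromised zone then
# cannot spoof other hosts on the shared link.
protect_cmds() {
    each_vnic | while read -r vnic vid addr mask; do
        echo "dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted $vnic"
        echo "dladm set-linkprop -p allowed-ips=$addr $vnic"
    done
}

# Refuse to run against a zone that is not shared-stack or a VNIC name that
# already exists; both would make the generated commands fail half-way.
preflight() {
    zonecfg -z "$ZONE" info ip-type | grep 'ip-type: shared' >/dev/null || {
        echo "zone $ZONE is not a shared-stack zone" >&2; return 1; }
    each_vnic | while read -r vnic vid addr mask; do
        if dladm show-vnic -p -o link 2>/dev/null | grep "^$vnic\$" >/dev/null; then
            echo "vnic $vnic already exists" >&2; exit 1
        fi
    done
}

case "${1:-dry-run}" in
    dry-run)
        vnic_cmds
        echo "# zonecfg -z $ZONE -f <file containing:>"; zonecfg_script
        echo "# then inside the zone:"; zone_net_files
        echo "# Solaris 11 only:"; protect_cmds ;;
    apply)
        preflight || exit 1
        vnic_cmds | while read -r cmd; do eval "$cmd" || exit 1; done || exit 1
        tmp=$(mktemp) || exit 1
        zonecfg_script > "$tmp" && zonecfg -z "$ZONE" -f "$tmp"; rc=$?
        rm -f "$tmp"; exit $rc ;;
esac
```

Run it without arguments to see what it would do; run it with apply in the global zone to create the VNICs and rewrite the zone configuration, then reboot the zone and create the printed /etc/hostname.* and /etc/defaultrouter files inside it. The zonecfg commands are fed through a file with -f rather than typed interactively so the whole change is applied, and committed, as one unit.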
After the reboot the global zone’s routing table (netstat -rn in the global zone) still carries only its own default route, 10.0.1.1:
default          10.0.1.1        UG        1      12408
xeon# zlogin -C dmz
. . .
dmz# ifconfig -a
dmz0: flags=201000843 mtu 9000 index 2
        inet 10.0.0.100 netmask ffffff00 broadcast 10.0.0.255
        ether 2:8:20:52:8e:c5
dmz1: flags=201000843 mtu 9000 index 3
        inet 10.0.1.101 netmask ffffff00 broadcast 10.0.1.255
        ether 2:8:20:fb:6a:82
The zone now has a routing table of its own, so its only default route is the one configured inside the zone:
dmz# netstat -rn | fgrep defa
default          10.0.0.1        UG        1       5156
Nice! I love Solaris …