On 6/19/10 3:37 PM, Al wrote:
> Hi,
>
> With zones and IP instances support, can one Solaris system (including
> Solaris 10) be configured with completely isolated IP stacks both in the
> kernel and user space?

Note that this isn't the right list to discuss Solaris 10 issues. You'll want to contact BigAdmin or one of your local Oracle/Sun support people for that.

For OpenSolaris, yes, the IP instances support gives you separate IP and ARP instances in kernel and user space.

> Assuming each available NIC card is going to be used only by one IP
> instance/zone, complete isolation means it's possible to use the same VLAN
> IDs and IP addresses in several instances/zones. The assumption is that any
> L3/L2 info/tables (routing daemons, routing table, ARP, MAC) are logically
> separated in user and kernel space.

Yes.

> Can the above still be achieved when a NIC card is shared but with unique
> VLAN IDs by each IP instance and zone? Does this require VNIC support?

Yes.

> In the above case, is there any limitation in using the pfhooks IP filtering
> mechanism in the kernel? (given it does support IP instances)

The modules using pfhooks need to be aware of zones to separate the traffic. Nothing inside the kernel is automatic -- there's only one kernel with OpenSolaris Zones. It requires specific code in kernel modules to read out the zoneid_t value where necessary, and use it to key into distinct data structures for each non-global zone. Unmodified kernel modules (those that weren't written with zones in mind) will generally behave as though all zones are in the global zone, even if they're used from within a zone created with an exclusive IP stack instance.

If you need distinct kernel instances (e.g., so that you can load separate kernel modules in each instance), then you need a different kind of virtualization. You need either xVM/Xen, VirtualBox, or a third-party product like VMware.

> In all cases, the assumption is that each IP instance / zone is connected to
> a separate network from the others (hence any duplicate VLAN IDs or IP
> addresses are not intermixed together).

Right. They'd have to be.

If they're on shared networks, then they have to (and will) behave as separate nodes on those networks. This means that they have to be configured appropriately for that case, just like any other nodes. For the same reason that you can't have two distinct computers plugged into the same network and using the same IP address, you can't have two distinct IP instances assigned to the same network with the same IP address.

-- 
James Carlson         42.703N 71.076W         <[email protected]>
_______________________________________________
networking-discuss mailing list
[email protected]
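As an added illustration of the constraints James lays out (not part of the original thread, and not code from the OpenSolaris project), the script below takes a constructed plan of exclusive-IP zones and checks it the way a practitioner would before building anything: a network is one (physical link, VLAN ID) pair, so the same VLAN ID or the same IP address may be reused across different links or VLANs, but two zones that land on the same link and VLAN must not share an address. It then prints, without executing them, the dladm, zonecfg and ifconfig commands that would build one VNIC per zone and plumb the address from inside each zone. The zone names, link names and addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. PLAN is a constructed table:
#   zone  physical-link  vlan-id  address/prefix
# Every zone gets its own VNIC and an exclusive IP instance.
PLAN='web1 e1000g0 10 10.0.0.5/24
web2 e1000g0 20 10.0.0.5/24
db1  e1000g1 10 10.0.0.5/24'

# One L2 network = one (physical link, VLAN ID) pair. Reusing VLAN IDs or
# addresses across different networks is fine with separate IP instances;
# two zones on the same network must not share an address. Returns 1 and
# names the conflict if they do.
check_plan() {
    printf '%s\n' "$1" | awk '
        NF != 4 { print "malformed line: " $0; bad = 1; next }
        {
            net = $2 "/" $3; addr = net "/" $4
            if (addr in owner) {
                print "conflict: " $1 " and " owner[addr] " both use " $4 " on " $2 " VLAN " $3
                bad = 1
            }
            owner[addr] = $1
        }
        END { exit bad ? 1 : 0 }'
}

# Print (do not run) the commands that build the VNICs and exclusive-IP
# zones. The address is plumbed from inside the zone because an
# exclusive-IP zone owns its own IP instance.
emit_config() {
    printf '%s\n' "$1" | awk '
        NF == 4 {
            vnic = $1 "vnic0"
            printf "dladm create-vnic -l %s -v %s %s\n", $2, $3, vnic
            printf "zonecfg -z %s \"create; set zonepath=/zones/%s; set ip-type=exclusive; add net; set physical=%s; end; commit\"\n", $1, $1, vnic
            printf "zlogin %s ifconfig %s plumb %s up\n", $1, vnic, $4
        }'
}

if check_plan "$PLAN"; then
    emit_config "$PLAN"
fi
```

Reusing 10.0.0.5/24 three times in the plan is accepted because each instance sits on a different (link, VLAN) network; change web2 to VLAN 10 and check_plan rejects it, which is exactly the two-computers-same-address case from the reply.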
