[zones-discuss] static routes vs default routes (zones in different subnets)

2008-11-09 Thread Tommy McNeely
Hello,

As I previously mentioned, I am working on the possibility of putting  
zones from different security contexts (front-end, application, back- 
end) into the same physical server, which is effectively putting zones  
in more than one subnet. We also like to use a load balancer, at least  
on the front-end net, and increasingly on the back-end nets as well.   
In order to use a load balancer, the general idea is that you set your  
default route on the "real server" to go through the load balancer. I  
am able to do this fine (s10u6), even without a "home brew" SMF  
service to add default routes after zones come up like I have had to  
use in the past.

The problem I ran into this time was that static routes don't seem to  
use the same intelligence that default routes do. For example, in the  
global zone I have 4 default routers, each pointing to the default  
router of a local subnet (172.16.1.254/24, 172.16.2.254/24, and  
172.16.3.254/24; the 4th is not important at the moment). Inside a local-zone  
with an interface on the 172.16.1.0/24 network, it only sees the  
one default route that it can use (172.16.1.254). That's perfect. The  
problem comes in when I start looking at the "admin" network. I don't  
want to setup a load balancer service for SSH into each zone, so I  
generally set a static route in to get to the admin network using a  
different gateway (hard-firewall)...

route -p add -net 172.16.250.0/24 172.16.1.1

... of course if I have multiple subnets, I also have...

route -p add -net 172.16.250.0/24 172.16.2.1
route -p add -net 172.16.250.0/24 172.16.3.1

... this confuses zones in the .2 and .3 subnets, as they see all  
three routes and try to use the first one, even though they cannot  
reach 172.16.1.1.

I know this would be made simpler with vnic and private IP stack, but  
in my world, shared-ip is the only thing available (feasible).


Thanks in advance,
Tommy

___
zones-discuss mailing list
zones-discuss@opensolaris.org
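The behaviour described in the post (every zone sees all three static routes to the admin network and picks the first one, even when its gateway is on a subnet the zone has no address on) is easy to model and to check for. The script below is an added example, not code from the thread or from Solaris: it takes a routing table written as the (destination, gateway) pairs one would pass to `route -p add`, describes a zone by the addresses on its interfaces, and reports which routes the zone can actually use, i.e. which gateways are on-link for it. The sample table is constructed to mirror the global-zone configuration in the post; the function names and the naive first-match lookup are my own.

```python
"""Added example (not from the zones-discuss thread): check which static
routes a shared-IP zone can actually use when several routes to the same
destination exist, one per local subnet.

Assumptions (mine, not the thread's): the routing table is a list of
(destination, gateway) pairs as typed in `route -p add`, and a zone is
described by the addresses (with prefix length) on its interfaces.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, str]

# Constructed sample mirroring the global-zone table in the post: the
# 172.16.250.0/24 admin network is reachable through a different firewall
# on each of the three local subnets.
GLOBAL_ROUTES: List[Route] = [
    ("default", "172.16.1.254"),
    ("default", "172.16.2.254"),
    ("default", "172.16.3.254"),
    ("172.16.250.0/24", "172.16.1.1"),
    ("172.16.250.0/24", "172.16.2.1"),
    ("172.16.250.0/24", "172.16.3.1"),
]


def on_link(gateway: str, zone_addrs: Iterable[str]) -> bool:
    """True if `gateway` lies in a subnet the zone has an address on,
    i.e. the zone could resolve it with ARP and forward to it."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_interface(a).network for a in zone_addrs)


def usable_routes(routes: List[Route], zone_addrs: Iterable[str]) -> List[Route]:
    """Keep only entries whose gateway is on-link for the zone: the
    filtering the post says default routes get but static routes do not."""
    addrs = list(zone_addrs)
    return [(d, g) for d, g in routes if on_link(g, addrs)]


def first_match(routes: List[Route], dest: str) -> Optional[str]:
    """Longest-prefix lookup that, on equal prefix length, keeps the first
    entry regardless of gateway reachability (the behaviour the post
    describes for static routes inside a zone)."""
    target = ipaddress.ip_address(dest)
    best = None
    for d, g in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if d == "default" else d)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, g)
    return best[1] if best else None


def check_zone(routes: List[Route], zone_addrs: Iterable[str], dest: str) -> dict:
    """Report the gateway a naive lookup picks for `dest`, whether that
    gateway is reachable from the zone, and the routes the zone could use."""
    addrs = list(zone_addrs)
    chosen = first_match(routes, dest)
    return {
        "chosen_gateway": chosen,
        "chosen_reachable": chosen is not None and on_link(chosen, addrs),
        "usable": usable_routes(routes, addrs),
    }


if __name__ == "__main__":
    # A zone on the .2 subnet trying to reach a host on the admin network.
    for key, value in check_zone(GLOBAL_ROUTES, ["172.16.2.10/24"], "172.16.250.5").items():
        print(f"{key}: {value}")
```

Run against the constructed table, a zone with only 172.16.2.10/24 is shown picking 172.16.1.1 for the admin network while the only static route it can really use is the one via 172.16.2.1; a zone on the .1 subnet gets a reachable pick. Feeding the script a real table (for example the output of `netstat -rn` in the global zone, converted to pairs) gives a quick way to see which zones are affected before SSH to them starts failing.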


Re: [zones-discuss] static routes vs default routes (zones in different subnets)

2008-11-10 Thread Paul Kraus
On Sun, Nov 9, 2008 at 10:34 PM, Tommy McNeely <[EMAIL PROTECTED]> wrote:

> The problem I ran into this time was that static routes don't seem to
> use the same intelligence that default routes do. For example, in the



At least as of 10U5 your observation is correct. I tried
getting Sun to recognize this issue via a support case, after 6 to 8
months of the case being opened, they told me that IP Exclusive was
the work around and that they would NOT even file a bug or an RFE on
the static route behavior. Unfortunately, this is a work around that
really hampers us due to the limitations of the number of physical
ethernet interfaces we can put in a single box (and the cabling mess
that goes with it). We have many different security requirements for
Internet exposed "servers", none of which has a particularly high
load, so it makes sense to put them all on zones on a moderate server
from a load perspective.

If this has changed, or is being worked on in OpenSolaris, I
would *love* to hear about it.



> I know this would be made simpler with vnic and private IP stack, but
> in my world, shared-ip is the only thing available (feasible).

-- 
{1-2-3-4-5-6-7-}
Paul Kraus
-> Facilities Coordinator, Albacon 2008
-> Business Manager, Delta-Xi cast of Alpha-Psi-Omega @ RPI


Re: [zones-discuss] static routes vs default routes (zones in different subnets)

2008-11-10 Thread Tommy McNeely

On Nov 10, 2008, at 7:09 AM, Paul Kraus wrote:

> On Sun, Nov 9, 2008 at 10:34 PM, Tommy McNeely  
> <[EMAIL PROTECTED]> wrote:
>
>> The problem I ran into this time was that static routes don't seem to
>> use the same intelligence that default routes do. For example, in the
>
> 
>
>At least as of 10U5 your observation is correct. I tried
> getting Sun to recognize this issue via a support case, after 6 to 8
> months of the case being opened, they told me that IP Exclusive was
> the work around and that they would NOT even file a bug or an RFE on
> the static route behavior. Unfortunately, this is a work around that
> really hampers us due to the limitations of the number of physical
> ethernet interfaces we can put in a single box (and the cabling mess
> that goes with it). We have many different security requirements for
> Internet exposed "servers", none of which has a particularly high
> load, so it makes sense to put them all on zones on a moderate server
> from a load perspective.

... hence my "shared-ip is the only thing available (feasible)"  
comment :)


>
>
>If this has changed, or is being worked on in OpenSolaris, I
> would *love* to hear about it.

Network interface virtualization!

http://opensolaris.org/os/project/crossbow/

I think some of the deep dark kernel stuff is integrated to  
OpenSolaris (and thus Solaris Express), but not everything yet?

~tommy


>
>
> 
>
>> I know this would be made simpler with vnic and private IP stack, but
>> in my world, shared-ip is the only thing available (feasible).



Re: [zones-discuss] static routes vs default routes (zones in different subnets)

2008-11-12 Thread Nicolas Dorfsman

 Hi all,


I'm pleased to read I'm not the sole victim of what I'm calling  
"the solaris zone route bug".

Please take a look below to my comment.


On 10 Nov 2008, at 17:51, Tommy McNeely wrote:

> On Nov 10, 2008, at 7:09 AM, Paul Kraus wrote:
>
>> On Sun, Nov 9, 2008 at 10:34 PM, Tommy McNeely
>> <[EMAIL PROTECTED]> wrote:
>>
> ... hence my "shared-ip is the only thing available (feasible)"
> comment :)
>
>>
>>   If this has changed, or is being worked on in OpenSolaris, I
>> would *love* to hear about it.
>
> Network interface virtualization!
>
> http://opensolaris.org/os/project/crossbow/
>
> I think some of the deep dark kernel stuff is integrated to
> OpenSolaris (and thus Solaris Express), but not everything yet?



Crossbow will be the solution. Sure! But when? And on which version  
of Solaris?

For now Exclusive-IP is a sort of workaround. Not a real one!  
See why:
  - IPFilter rules are visible from the zone. With Shared-IP, they are not.
  - If you need an IPMP configuration, you need to set up 2 physical  
interfaces (or an 802.1Q switch) and 3 IP addresses per zone
  - Exclusive-IP is not available on all physical interfaces on S10  
(I have an old qfe on my desk I'd love to use!)
  - When you just try to use the default mechanisms (I mean shared-IP,  
default route defined in the global zone), you're never sure of where your  
IP packets will be sent (through which default router?)

To be short, Exclusive-IP is a great enhancement to S10, but we'll  
need at least two other things before crossbow:
1) Exclusive-IP for ANY NIC
2) A clever routing mechanism to associate different routing tables on  
different zones.



My .02 euro-cents.


Nico