On 08/19/09 17:35, Steffen Weiberle wrote:
On 08/19/09 17:25, Robert Hartzell wrote:
You have given me much to think about ;). I'm going to set up a test system this weekend and see what I can screw up... If I can find a reasonable solution for this I will ping the list and post a howto on my wiki.

again, thanks for helping out.


You are welcome. One other thing has come up, and I might have to try this myself...

When you create more than one VNIC on top of a NIC, a virtual switch is created, so that the VNICs can communicate with one another. (The ethernet spec does not allow you to transmit a frame that is destined to you, and if one VNIC user is sending to another, it must stay within the system to not violate the spec.)

It gets interesting since the global zone is also on that NIC, and traffic between the global interface (your nic1) and the VNICs must not go on the wire, for the above reason. However, I don't know that the physical NIC is 'seen' as a member of the switch. (This is good for security reasons as well, it seems to me, except in situations like what you are setting up.)

I will have to try it myself when I get done doing some VLAN over aggregation stuff.

Steffen
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org

I took the opportunity to try some of my previous suggestions out.

I believe it is independent of Erik's reply regarding SUNWroute, as I am doing my work on SX-CE build 121, not OpenSolaris. I am not using a routing daemon, so the differences hopefully are minimal. [1]


Using the following layout:

   cable modem
    |
    |
   firewall(10.0.0.1)
    |
    |
      nic1 (10.0.0.2), vnic1 (10.0.0.3), vnic2 (10.0.0.4),
    |                  vnic3 (10.0.0.5)
---bastion host----------
      nic2(192.168.0.100)
    |
    |
     switch
    |
    |
host1 host2 host3 host(n)
(all on 192.168.0.0/24)


Global zone had a default router (/etc/defaultrouter) of 10.0.0.1/24.
Initially, global zone has both nic1 and nic2 configured *without* the 'router' option. More on that later.

Zone vnic1 is an exclusive IP Instance zone using vnic1 on top of nic1. The zone's default router is 10.0.0.1.

Zone vnic1 can ping 10.0.0.1, 10.0.0.2 [2], and IP addresses beyond the firewall at 10.0.0.1. It cannot reach nodes on the 192.168.0.0/24 subnet. A traceroute shows attempts to go via the firewall, as expected by the 'default' route.

In zone vnic1, issuing 'route add net 192.168.0.0 192.168.0.100' allows me to reach 192.168.0.100, but not other hosts on that subnet. This is because 192.168.0.100 does not require IP forwarding; other addresses do.

Issuing, in the global zone, 'ifconfig nic1 router ; ifconfig nic2 router' does allow zone vnic1 to reach all hosts on 192.168.0.0/24. This is because the system is now configured to pass datagrams through using both interfaces nic1 and nic2. This does make the system a general router, without advertising any route. That should not be an issue since traffic from outside of the firewall should not be able to get into the 10.0.0.0 network, unless you have a forwarding rule in the firewall. (This step is only necessary if the systems on 192.168.0.0 need to access the zones!)

I hope this helps with understanding how routing is working in Solaris in general.

Steffen
blogs.sun.com/stw/

[1]http://pkg.opensolaris.org/release/manifest/0/SUNWroute%400.5.11%2C5.11-0.111%3A20090508T163227Z
includes in.route and in.rdisc, not the route(1M) command.

[2] This clarifies my question whether a VNIC on an interface can reach the underlying interface. The answer is 'yes, it can.'
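The three steps Steffen walks through (default route only, a static route for the LAN, then the 'router' flag on both bastion interfaces) come down to two decisions an IP stack makes: the longest-prefix route lookup in the sending zone, and the forwarding decision on the bastion host. The following model is an added example, not Solaris code and not part of the message. It assumes that a packet is forwarded only when the 'router' (IP forwarding) flag is set on both the ingress and the egress interface, which is why both nic1 and nic2 are flipped, and it models the zone's static LAN route with the bastion's nic1 address (10.0.0.2) as next hop; it does not try to reproduce how Solaris resolved the 192.168.0.100 gateway given in the message.

```python
"""Toy model of the routing and forwarding behaviour discussed in the thread:
an exclusive-IP zone (vnic1) sending to the 192.168.0.0/24 LAN via the
bastion host.  Constructed example; addresses are the ones in the diagram."""
import ipaddress


class Host:
    """Minimal IP stack: interfaces with a per-interface forwarding flag
    (the Solaris 'ifconfig <if> router' setting) and a longest-prefix table."""

    def __init__(self, name):
        self.name = name
        self.interfaces = {}  # ifname -> {"addr": IPv4Interface, "router": bool}
        self.routes = []      # (network, gateway or None, ifname)

    def add_interface(self, ifname, cidr, router=False):
        iface = ipaddress.ip_interface(cidr)
        self.interfaces[ifname] = {"addr": iface, "router": router}
        self.routes.append((iface.network, None, ifname))  # connected route

    def set_router(self, ifname, enabled=True):
        self.interfaces[ifname]["router"] = enabled

    def add_route(self, network, gateway):
        # A gateway must be on a connected subnet, otherwise 'route add' fails.
        gw = ipaddress.ip_address(gateway)
        for ifname, info in self.interfaces.items():
            if gw in info["addr"].network:
                self.routes.append((ipaddress.ip_network(network), gw, ifname))
                return
        raise ValueError(f"{self.name}: gateway {gw} is not on a connected subnet")

    def lookup(self, dst):
        """Longest-prefix match; returns (next_hop, out_if) or None."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        _net, gw, ifname = max(matches, key=lambda r: r[0].prefixlen)
        return (str(gw) if gw else str(dst), ifname)

    def is_local(self, dst):
        dst = ipaddress.ip_address(dst)
        return any(info["addr"].ip == dst for info in self.interfaces.values())

    def receive(self, in_if, dst):
        """What happens to a packet that arrived on in_if addressed to dst."""
        if self.is_local(dst):
            return "delivered locally"          # no forwarding needed
        if not self.interfaces[in_if]["router"]:
            return f"dropped: forwarding off on {in_if}"
        route = self.lookup(dst)
        if route is None:
            return "dropped: no route"
        next_hop, out_if = route
        if not self.interfaces[out_if]["router"]:
            return f"dropped: forwarding off on {out_if}"
        return f"forwarded via {out_if} to {next_hop}"


def build_lab():
    """Layout from the message: firewall 10.0.0.1, bastion nic1/nic2,
    zone vnic1 on the 10.0.0.0/24 side, both with the firewall as default."""
    bastion = Host("bastion")
    bastion.add_interface("nic1", "10.0.0.2/24")
    bastion.add_interface("nic2", "192.168.0.100/24")
    bastion.add_route("0.0.0.0/0", "10.0.0.1")
    zone = Host("vnic1")
    zone.add_interface("vnic1", "10.0.0.3/24")
    zone.add_route("0.0.0.0/0", "10.0.0.1")
    return bastion, zone


def step1_default_route_only(zone):
    # Only the default route exists: LAN traffic is handed to the firewall.
    return zone.lookup("192.168.0.7")


def step2_static_route(bastion, zone):
    # Static LAN route pointing at the bastion (assumption: next hop 10.0.0.2).
    # The bastion delivers its own address locally but drops other LAN
    # destinations because forwarding is still off.
    zone.add_route("192.168.0.0/24", "10.0.0.2")
    return (zone.lookup("192.168.0.7"),
            bastion.receive("nic1", "192.168.0.100"),
            bastion.receive("nic1", "192.168.0.7"))


def step3_router_flag(bastion):
    # Equivalent of 'ifconfig nic1 router ; ifconfig nic2 router'.
    bastion.set_router("nic1")
    bastion.set_router("nic2")
    return bastion.receive("nic1", "192.168.0.7")


if __name__ == "__main__":
    b, z = build_lab()
    print("step 1:", step1_default_route_only(z))
    print("step 2:", step2_static_route(b, z))
    print("step 3:", step3_router_flag(b))
```

Running the three steps in order reproduces the message's observations: with only the default route the zone picks 10.0.0.1 as next hop, with the static route the bastion's own address is reachable while other LAN hosts are dropped, and once both interfaces carry the forwarding flag the packet is forwarded out nic2. The same model also shows the security point made in the thread: enabling forwarding on nic1 and nic2 turns the bastion into a general router for anything that reaches nic1, so the firewall rules in front of it are what keep outside traffic from using it.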