zones +default gateway - Solaris



Thread: zones +default gateway

  1. zones +default gateway


    I'd like to create a zone that's on a netblock outside that of the
    global zone. It would be like this:

    global = 1.2.3.4/28
    zone1 = 2.3.4.5/27

    Is this possible using the same physical interface? All routing between
    global and zone1 can be handled by an external router. If so, how is the
    default gateway for zone1 even defined?




  2. Re: zones +default gateway

    > global = 1.2.3.4/28
    > zone1 = 2.3.4.5/27
    >
    > Is this possible using the same physical interface?


    Perfectly possible. You only need to do some routing-fu in order to make this
    work in a way where the global zone can reach the non-global. So, for example,
    you'd need to set up something like:

    route add 1.2.3.0/24 2.3.4.5 -iface

    Also, if you're going to utilize a (default) gateway which lies outside of that
    one, you'll also need to make sure it has a static arp entry. I haven't looked
    into this deeply enough to determine if this is triggered by different networks
    or not, but that's how it works for me. My global zone resides on the LAN (A),
    my non-global zone on the 'zones.lan' (B) and finally my inet connection
    resides on a whole different network (C) and is also the default gateway. All
    connections use ethernet, btw.

    So in order to give my non-global zone access to the internet I had to make
    sure that my "internet gateway" has a static arp entry.

    > All routing between global and zone1 can be handled by an external router. If
    > so, how is the default gateway for zone1 even defined?


    All routing between global & zone1 can never be handled by an external router
    since this data will never leave the box. It's one kernel which takes care of
    the routing internally.


    --
    Groetjes, Peter

    ..\\ PGP/GPG key: http://www.catslair.org/pubkey.asc

  3. Re: zones +default gateway

    hello

    In article ,
    Cydrome Leader wrote:
    >
    >I'd like to create a zone that's on a netblock outside that of the
    >global zone. It would be like this:
    >
    >global = 1.2.3.4/28
    >zone1 = 2.3.4.5/27
    >
    >Is this possible using the same physical interface? All routing between
    >global and zone1 can be handled by an external router. If so, how is the
    >default gateway for zone1 even defined?


    I am not the expert with zones, but as far as I can see, there is
    only one routing, as there is also only one kernel.
    It would be the next great challenge for Sun for the
    next design change, to do zone-based routing, if even possible.
    There are several limits without this.

    I have a similar situation the other way around. I have
    3 interfaces (one physical in 3 different VLANs) in the global zone.
    If I want to reach each network of the global zone in
    non-global zones, I have to define as many interfaces
    in each non-global zone as in the global zone.

    So what can _you_ do? First you have to use a NIC which can
    understand VLAN tags, and of course a switch which can do
    this (there are no problems with Cisco). You have to define
    an interface in the global zone within the network class
    of zone1. Set up routing reasonably.
    Next, set up the interfaces in zone1. That's it.
    If you still don't want zone1 to reach network 1.2.3.0/28, you
    have to set up ipfilter, which does not permit this (of
    course in the global zone, for the IP address of zone1).
    Access lists in the routing engine outside the Solaris box
    can only ensure that networks behind 1.2.3.0/28 cannot be
    reached.

    I hope I didn't confuse you.

    best regards
    hans

    --
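The two answers above agree on the essential point: with shared-IP zones there is one kernel and one routing table, so traffic between zone1 and the global zone never reaches the external router, and any restriction between them has to be enforced on the box itself (ipfilter in the global zone), while the off-box gateway may need a static arp entry. The following planner is an added example, not code from either poster or from Sun; it derives the relevant Solaris 10 commands from the two prefixes instead of running them, so an administrator can review the plan first. The NIC name, zonepath, gateway address, gateway MAC and VLAN numbers are constructed sample values, and the `set intercept_loopback true;` ipf.conf setting is assumed to be available (Solaris 10 8/07 or later).

```python
"""Planner for putting a Solaris 10 shared-IP zone on a subnet other than the
global zone's.  Added example: it emits the Solaris commands it derives from the
thread's advice rather than executing them, so the plan can be reviewed."""
import ipaddress


def subnets_overlap(global_cidr, zone_cidr):
    """True when the two interface addresses lie in overlapping subnets."""
    g = ipaddress.ip_interface(global_cidr).network
    z = ipaddress.ip_interface(zone_cidr).network
    return g.overlaps(z)


def gateway_on_link(gateway, *cidrs):
    """True when the gateway address is inside any of the given subnets."""
    gw = ipaddress.ip_address(gateway)
    return any(gw in ipaddress.ip_interface(c).network for c in cidrs)


def vlan_interface(driver, instance, vlan_id):
    """Solaris VLAN PPA naming: <driver><vlan_id*1000 + instance>, e.g. e1000g2000
    is VLAN 2 on e1000g0 (Hans's tagged-interface approach)."""
    return f"{driver}{vlan_id * 1000 + instance}"


def plan_zone_network(global_cidr, zone_cidr, nic, gateway, gateway_mac,
                      zonename="zone1", zonepath="/zones/zone1"):
    """Return an ordered list of (reason, command) pairs for the global zone."""
    g = ipaddress.ip_interface(global_cidr)
    z = ipaddress.ip_interface(zone_cidr)
    steps = [(
        "define the zone with its address on the NIC it shares with the global zone",
        f"zonecfg -z {zonename} 'create; set zonepath={zonepath}; add net; "
        f"set address={z.with_prefixlen}; set physical={nic}; end; verify; commit'",
    )]
    if not subnets_overlap(global_cidr, zone_cidr):
        # Peter's interface route; the prefix here is the global zone's own subnet
        # (an assumption: the thread's example used a wider /24).
        steps.append((
            "interface route so the global zone reaches zone1 inside the one kernel",
            f"route add {g.network.with_prefixlen} {z.ip} -iface",
        ))
    if not gateway_on_link(gateway, global_cidr, zone_cidr):
        # Peter's observation: an off-link gateway needed a static arp entry.
        steps.append((
            "gateway is off-link for both subnets: pin its MAC with a static arp entry",
            f"arp -s {gateway} {gateway_mac} permanent",
        ))
    steps.append((
        "zone1 inherits the shared routing table; check it after boot",
        f"zlogin {zonename} netstat -rn",
    ))
    return steps


def ipfilter_rules(global_cidr, zone_cidr):
    """ipf.conf lines (loaded in the global zone) that keep zone1 away from the
    global subnet.  Traffic between shared-IP zones never leaves the kernel, so
    ipfilter only sees it with intercept_loopback enabled (assumed available)."""
    g = ipaddress.ip_interface(global_cidr).network
    z = ipaddress.ip_interface(zone_cidr).ip
    return [
        "set intercept_loopback true;",
        f"block in quick from {z}/32 to {g.with_prefixlen}",
        f"block out quick from {z}/32 to {g.with_prefixlen}",
    ]


if __name__ == "__main__":
    # Constructed sample values matching the thread's prefixes.
    nic = vlan_interface("e1000g", 0, 2)          # VLAN 2 on e1000g0 -> e1000g2000
    for why, cmd in plan_zone_network("1.2.3.4/28", "2.3.4.5/27", nic,
                                      "10.9.9.1", "0:1:2:3:4:5"):
        print(f"# {why}\n{cmd}")
    print("# /etc/ipf/ipf.conf, then: ipf -Fa -f /etc/ipf/ipf.conf")
    print("\n".join(ipfilter_rules("1.2.3.4/28", "2.3.4.5/27")))
```

Running the module prints the zonecfg, route, arp and ipf.conf lines in the order they would be applied; the `ipf -Fa -f` reload and `svcadm enable network/ipfilter` remain manual steps. The point of keeping the block rule on the box is exactly Hans's: an ACL on the external router can only protect networks beyond 1.2.3.0/28, never the global zone sitting in the same kernel.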


  4. Re: zones +default gateway

    In alt.solaris.x86 hans m42 wrote:
    > hello
    >
    > In article ,
    > Cydrome Leader wrote:
    >>
    >>I'd like to create a zone that's on a netblock outside that of the
    >>global zone. It would be like this:
    >>
    >>global = 1.2.3.4/28
    >>zone1 = 2.3.4.5/27
    >>
    >>Is this possible using the same physical interface? All routing between
    >>global and zone1 can be handled by an external router. If so, how is the
    >>default gateway for zone1 even defined?

    >
    > I am not the expert with zones, but as far as I can see, there is
    > only one routing, as there is also only one kernel.
    > It would be the next great challenge for Sun for the
    > next design change, to do zone-based routing, if even possible.
    > There are several limits without this.
    >
    > I have a similar situation the other way around. I have
    > 3 interfaces (one physical in 3 different VLANs) in the global zone.
    > If I want to reach each network of the global zone in
    > non-global zones, I have to define as many interfaces
    > in each non-global zone as in the global zone.


    I never thought about using VLANs. I cannot figure out why it's a big deal,
    if possible, to have a zone sit on a network with no relation to the global
    zone. Considering the effort needed, and because the machine can be
    completely moved to the new netblock, this is what will happen.


    >
    > So what can _you_ do? First you have to use a NIC which can
    > understand VLAN tags, and of course a switch which can do
    > this (there are no problems with Cisco). You have to define
    > an interface in the global zone within the network class
    > of zone1. Set up routing reasonably.
    > Next, set up the interfaces in zone1. That's it.
    > If you still don't want zone1 to reach network 1.2.3.0/28, you
    > have to set up ipfilter, which does not permit this (of
    > course in the global zone, for the IP address of zone1).
    > Access lists in the routing engine outside the Solaris box
    > can only ensure that networks behind 1.2.3.0/28 cannot be
    > reached.
    >
    > I hope I didn't confuse you.
    >
    > best regards
    > hans
    >

