Solaris 10 Container Guide - Version 3.1-en

5. Cookbooks

Effective: 30/11/2009

5.2.7.6. Zones connected to independent customer networks using the shared IP instance

[dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services for a variety of customers in their own networks.

Each local zone should have its own physical interface in the network.

Additional customer networks are connected to the network segment.

Allocation of addresses in the networks is not coordinated; one address can be allocated multiple times (once per customer network). Usually companies use private IP networks (10.x.y.z, 192.168.x.y) internally, therefore the allocation of the same IP address at different customers is highly probable.

It should be possible to reach zones zone1 and zone2 from other networks.

Zones zone1 and zone2 should not be able to initiate connections to other networks.

There should be no communication between the local zones.

Communication between the global zone and the local zones is not intended.

Implementation:

The network interface provided for the local zone (e.g. bge1) must not be used elsewhere in the global zone.

To prepare for local zones, the interface must be plumbed (but not enabled):

ifconfig bge1 plumb down

Thereby, the interface gets the address 0.0.0.0 but is not active.

The zones' network configuration is established by setting the zones to the ready state:

zoneadm -z zone1 ready
zoneadm -z zone2 ready

The addresses listed in the configuration of the zones (zone1: 192.168.201.1 and zone2: 192.168.202.1) are now active.

The routes of the local zones are specified with zonecfg: set defrouter.

set defrouter=192.168.201.2
set defrouter=192.168.202.2

So that no communication takes place between the local zones through the shared TCP/IP stack, reject routes must be set in the global zone that prevent communication between the two IP addresses.

route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject

Alternatively the interzone loopback can be restricted:

ndd -set /dev/ip ip_restrict_interzone_loopback 1

The zones can now be booted for operation:

zoneadm -z zone1 boot
zoneadm -z zone2 boot

The default router is a NAT router that hides the IP address of the local zone from the customer. On the customer's side, it is configured with an IP address from the customer's network; thus, address conflicts cannot occur.

Option: To enable communication between the global and the local zone, an interface that is located in the logical network of the local zone must be configured in the global zone.
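The complete sequence above, scripted as an added example that is not part of the guide: zone names, the bge1 interface, addresses and default routers are those from the cookbook; the second interface bge2, the DRY_RUN switch (which prints the commands instead of running them, so the order can be reviewed before touching the global zone) and the function names are assumptions of this example. The order matters: the reject routes and the loopback restriction are applied after the zones are ready (addresses active) but before either zone is booted, so the two zones are never up without the isolation in place.

```shell
#!/bin/sh
# Added example (not from the Solaris 10 Container Guide): shared-IP zones on
# separate physical NICs, isolated from each other in the global zone.
# Assumptions: zone2 uses bge2; DRY_RUN=1 prints commands instead of running them.

DRY_RUN=${DRY_RUN:-0}

# Run a command, or print it when DRY_RUN=1 so the sequence can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Plumb an interface for a local zone without bringing it up (address stays 0.0.0.0);
# the interface must not be used elsewhere in the global zone.
prepare_interface() {   # interface
    run ifconfig "$1" plumb down
}

# Attach the default router (the NAT router towards the customer network) to the
# zone's net resource, selected by its address.
set_zone_defrouter() {   # zone address router
    run zonecfg -z "$1" "select net address=$2; set defrouter=$3; end"
}

# Host reject routes in both directions, so the two zones cannot reach each other
# through the shared TCP/IP stack.
add_reject_routes() {   # addr1 addr2
    run route add "$1" "$2" -interface -reject
    run route add "$2" "$1" -interface -reject
}

# Full sequence: plumb, configure routers, ready (activates the addresses),
# isolate, then boot.
configure_customer_zones() {
    prepare_interface bge1
    prepare_interface bge2
    set_zone_defrouter zone1 192.168.201.1 192.168.201.2
    set_zone_defrouter zone2 192.168.202.1 192.168.202.2
    run zoneadm -z zone1 ready
    run zoneadm -z zone2 ready
    add_reject_routes 192.168.201.1 192.168.202.1
    run ndd -set /dev/ip ip_restrict_interzone_loopback 1
    run zoneadm -z zone1 boot
    run zoneadm -z zone2 boot
}

# Only act when invoked as "sh zones.sh apply"; use DRY_RUN=1 to preview.
case "${1:-}" in
    apply) configure_customer_zones ;;
esac
```

Preview with `DRY_RUN=1 sh zones.sh apply` in the global zone and compare the printed commands with the cookbook before running `sh zones.sh apply` as root. Both the reject routes and the ip_restrict_interzone_loopback setting are applied here; the guide presents them as alternatives, and either alone satisfies the requirement that the two local zones cannot communicate.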

