Sun Microsystems 10 manual Zoneadm -z zone1 boot, zoneadm -z zone2 boot

∙In order to avoid communication between the local zones through the shared TCP/IP stack, reject routes must be set in the global zone that prevent communication between the IP addresses of the two zones (or the use of ipfilter).

route add 192.168.201.1 192.168.202.1 -interface -reject route add 192.168.202.1 192.168.201.1 -interface -reject route add 192.168.200.1 192.168.202.1 -interface -reject route add 192.168.202.1 192.168.200.1 -interface -reject

∙Zones can now be booted up for operation:

zoneadm -z zone1 boot, zoneadm -z zone2 boot

∙The reject route leads to the complete prevention of communication between zone1 and zone2 which, however, is required in this scenario according to the above specifications. Therefore, the configured default router must support NAT. It must convert the address

192.168.102.1 into the address 192.168.202.1. Communication via the NAT router thereby bypasses the reject routes.

∙Option: To allow communication between the global and the local zone, an interface that is located in the logical network of the local zone must be configured in the global zone.

The procedure is as follows:

∙An HTTP request is made to zone zone1 from the outside.

∙It is able to process parts of the request by itself but another part must come from the application server that is addressed via the address 192.168.102.1.

∙This address is routed via the NAT router which converts the address into the address 192.168.202.1 on the other side.

∙This is the address of zone zone2 which carries the application server that processes the missing parts of the request and sends them back through the existing connection.

92