Sun Microsystems 10

Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009

•In order to avoid communication between the local zones through the shared TCP/IP stack,

reject routes must be set in the global zone that prevent communication between the IP

addresses of the two zones (or the use of ipfilter).

route add 192.168.201.1 192.168.202.1 -interface -reject

route add 192.168.202.1 192.168.201.1 -interface -reject

route add 192.168.200.1 192.168.202.1 -interface -reject

route add 192.168.202.1 192.168.200.1 -interface -reject

•Zones can now be booted up for operation:

zoneadm -z zone1 boot, zoneadm -z zone2 boot

•The reject route leads to the complete prevention of communication between zone1 and

zone2 which, however, is required in this scenario according to the above specifications.

Therefore, the conf igured default router must support NAT. It must convert the address

192.168.102.1 into the address 192.168.202.1.

Communication via the NAT router thereby bypasses the reject routes.

•Option: To allow communication between the global and t he local zone, an interface that is

located in the logical network of the local zone must be configured in the global zone.

The procedure is as follows:

•An HTTP request is made to zone zone1 from the outside.

•It is able to process parts of the request by itself but another part must come from the

application server that is addressed via the address 192.168.102.1.

•This address is routed via the NAT router which converts the address into the address

192.168.202.1 on the other side.

•This is the address of zone zone2 which carries the application server that processes the

missing parts of the request and sends them back through the existing connection.

bge0 - 192.168.1.1

bge1 - 0.0.0.0

bge2 - 0.0.0.0

bge3 - 0.0.0.0

reject route 192.168.201.1 ↔ 192.168.202.1

reject route 192.168.200.1 ↔ 192.168.202.1

Global Zone

bge2:2 - 192.168.202.1

Zone 2

bge1:1 - 192.168.201.1

bge3:1 - 192.168.200.1

Def router - 192.168.200.2

Zone 1

192.168.1.0

Network

192.168.201.0

Network

NAT

router

NAT: 192.168.102.1 --> 192.168.202.1

192.168.202.0

Network

192.168.202.2

192.168.201.2

Addressing

zone 2 as

192.168.102.1

192.168.200.2