Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009
5.2.7.4. Zones in separate networks using the shared IP instance
[dd/ug] Two local zones, zone1 and zone2, are located in separate networks and provide services
for other networks.
− Each local zone should have its own physical interface in the network.
− Additional networks are connected to the network segment.
− Routing is used.
− There should be no communication between the local zones.
− Communication between the global zone and the local zones is not intended.
Implementation:
• The network interface intended for the local zone (e.g. bge1) must not be used
elsewhere in the global zone.
• To prepare for local zones, the interface for a local zone must be plumbed (but not
enabled):
ifconfig bge1 plumb down
The interface then carries the address 0.0.0.0 but is not active.
• The network configuration of the zones is established by setting the zones to the ready
status.
zoneadm -z zone1 ready
zoneadm -z zone2 ready
The addresses listed in the configuration (zone1: 192.168.201.1 and zone2:
192.168.202.1) are now active.
• The default routers of the local zones are specified in zonecfg with set defrouter:
set defrouter=192.168.201.2
set defrouter=192.168.202.2
• To prevent communication between the local zones through the shared TCP/IP stack, reject
routes that block traffic between the two IP addresses must be set in the global zone
(alternatively, ipfilter can be used).
route add 192.168.201.1 192.168.202.1 -interface -reject
route add 192.168.202.1 192.168.201.1 -interface -reject
Alternatively, the interzone loopback can be restricted:
ndd -set /dev/ip ip_restrict_interzone_loopback 1
• The zones can now be booted for operation:
zoneadm -z zone1 boot
zoneadm -z zone2 boot
• Option: To allow communication between the global zone and a local zone, an interface
located in the logical network of that local zone must be configured in the global zone.
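The complete procedure above, as an added shell script that is not part of the guide: it plumbs the zone interfaces, sets the zone net resources, readies the zones, adds the reject routes and the interzone loopback restriction, boots the zones, and then checks from the global zone that each zone holds its address and that zone1 cannot reach zone2. It assumes that zone1 and zone2 are already installed, that bge1 and bge2 are unused in the global zone, and that the zonecfg net resource takes the form shown (the guide only shows set defrouter). With DRY_RUN=1 (the default) the privileged commands are only printed, and the ifconfig -a output parsed by the check is a constructed sample rather than a live interface table.

```shell
#!/bin/sh
# Added example, not from the Solaris 10 Container Guide: the steps of section
# 5.2.7.4 for two local zones, plus checks that the result is what the text expects.
# Assumptions: zone1/zone2 are installed; bge1/bge2 are unused in the global zone;
# the zonecfg net resource form below is assumed (the guide only shows set defrouter).
# DRY_RUN=1 prints the privileged commands; "DRY_RUN=0 sh zones.sh apply" runs them.

DRY_RUN="${DRY_RUN:-1}"

# run: execute a command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# reject_route_cmd SRC DST: reject route that blocks SRC -> DST over the shared stack.
reject_route_cmd() {
    echo "route add $1 $2 -interface -reject"
}

# configure_zone_net ZONE NIC ADDR ROUTER: zonecfg net resource (assumed form).
configure_zone_net() {
    run zonecfg -z "$1" "add net; set physical=$2; set address=$3; set defrouter=$4; end"
}

# zone_addresses: read "ifconfig -a" output on stdin and print
# "zone interface address" for every logical interface assigned to a local zone.
zone_addresses() {
    awk '
        /^[^ \t]/                  { iface = $1; sub(/:$/, "", iface); zone = "" }
        $1 == "zone"               { zone = $2 }
        $1 == "inet" && zone != "" { print zone, iface, $2; zone = "" }
    '
}

# check_zone_address ZONE NIC ADDR: 0 when ZONE holds ADDR on a logical interface of NIC.
check_zone_address() {
    zone_addresses | awk -v z="$1" -v n="$2" -v a="$3" '
        $1 == z && index($2, n ":") == 1 && $3 == a { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Constructed sample of "ifconfig -a" in the global zone after "zoneadm ... ready",
# used by the dry-run check (the figure's bge1:1 / bge2:2 numbering).
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
bge0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.1 netmask ffffff00 broadcast 192.168.1.255
bge1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0
bge1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        zone zone1
        inet 192.168.201.1 netmask ffffff00 broadcast 192.168.201.255
bge2: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        inet 0.0.0.0 netmask 0
bge2:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 4
        zone zone2
        inet 192.168.202.1 netmask ffffff00 broadcast 192.168.202.255'

# setup_isolated_zones: the complete procedure of section 5.2.7.4.
setup_isolated_zones() {
    # 1. Plumb, but do not enable, the interface of each local zone (address 0.0.0.0).
    run ifconfig bge1 plumb down
    run ifconfig bge2 plumb down
    # 2. Address and default router of each zone in its configuration.
    configure_zone_net zone1 bge1 192.168.201.1 192.168.201.2
    configure_zone_net zone2 bge2 192.168.202.1 192.168.202.2
    # 3. "ready" activates the configured addresses on the interfaces.
    run zoneadm -z zone1 ready
    run zoneadm -z zone2 ready
    # 4. Reject routes in both directions, plus the interzone loopback restriction.
    run $(reject_route_cmd 192.168.201.1 192.168.202.1)
    run $(reject_route_cmd 192.168.202.1 192.168.201.1)
    run ndd -set /dev/ip ip_restrict_interzone_loopback 1
    # 5. Boot the zones for operation.
    run zoneadm -z zone1 boot
    run zoneadm -z zone2 boot
    # 6. Checks: addresses present per zone, and no zone1 -> zone2 reachability.
    if [ "$DRY_RUN" = "1" ]; then
        echo "$SAMPLE_IFCONFIG" | check_zone_address zone1 bge1 192.168.201.1 || echo "zone1 address missing" >&2
        echo "$SAMPLE_IFCONFIG" | check_zone_address zone2 bge2 192.168.202.1 || echo "zone2 address missing" >&2
    else
        ifconfig -a | check_zone_address zone1 bge1 192.168.201.1 || echo "zone1 address missing" >&2
        ifconfig -a | check_zone_address zone2 bge2 192.168.202.1 || echo "zone2 address missing" >&2
        # Solaris ping takes "host timeout"; it must fail once the reject routes are active.
        if zlogin zone1 ping 192.168.202.1 2 >/dev/null 2>&1; then
            echo "WARNING: zone1 can still reach zone2" >&2
        fi
    fi
}

case "${1:-}" in apply) setup_isolated_zones ;; esac
```

The check in step 6 is the one worth keeping after the setup: it confirms from the global zone that the logical interface carrying each zone address belongs to the expected physical interface and zone, and that the reject routes actually stop traffic from one zone to the other instead of only being present in the routing table.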
Figure 34: [dd] Zones in separate networks using the shared IP instance
(Figure: Global Zone with bge0 - 192.168.1.1 in the 192.168.1.0 network, bge1 - 0.0.0.0, bge2 - 0.0.0.0 and reject route 192.168.201.1 192.168.202.1; Zone 1 with bge1:1 - 192.168.201.1, Def router 192.168.201.2, in the 192.168.201.0 network; Zone 2 with bge2:2 - 192.168.202.1, Def router 192.168.202.2, in the 192.168.202.0 network)