Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Effective: 30/11/2009
5.2.7.6. Zones connected to independent customer networks using the shared IP instance
[dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services
for a variety of customers in their own networks.
• Each local zone should have its own physical interface in the network.
• Additional customer networks are connected to the network segment.
• Allocation of addresses in the networks is not coordinated; one address can be allocated
multiple times (once per customer network). Companies usually use private IP networks
(10.x.y.z, 192.168.x.y) internally, so it is highly probable that the same IP address is
allocated at different customers.
• It should be possible to reach zones zone1 and zone2 from other networks.
• Zones zone1 and zone2 should not be able to initiate connections to other networks.
• There should be no communication between the local zones.
• Communication between the global zone and the local zones is not intended.
Implementation:
• The network interface provided for the local zone (e.g. bge1) must not be used elsewhere
in the global zone.
• To prepare for local zones, the interface must be plumbed (but not enabled):
    ifconfig bge1 plumb down
Thereby, the interface gets the address 0.0.0.0 but is not active.
• The zones' network configuration is established by setting the zones to the ready state.
    zoneadm -z zone1 ready
    zoneadm -z zone2 ready
The addresses listed in the configuration of the zones (zone1: 192.168.201.1 and
zone2: 192.168.202.1) are now active.
• The routes of the local zones are specified in zonecfg with set defrouter:
    set defrouter=192.168.201.2
    set defrouter=192.168.202.2
• So that no communication takes place between the local zones through the shared TCP/IP
stack, reject routes must be set in the global zone that prevent communication between two
IP addresses.
    route add 192.168.201.1 192.168.202.1 -interface -reject
    route add 192.168.202.1 192.168.201.1 -interface -reject
Alternatively the interzone loopback can be restricted:
    ndd -set /dev/ip ip_restrict_interzone_loopback 1
• The zones can now be booted for operation:
    zoneadm -z zone1 boot
    zoneadm -z zone2 boot
• The default router is a NAT router that hides the IP address of the local zone from the
customer. On the customer's side it is configured with an IP address from the customer's
network, so address conflicts cannot occur.
• Option: To enable communication between the global and the local zone, an interface that is
located in the logical network of the local zone must be configured in the global zone.
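The procedure above is written out for two zones. The following script is an added example and is not part of the Solaris 10 Container Guide: it generates the same command sequence (plumb the reserved interface, set the zones to ready, add the reject routes, boot) for any number of zones, and in particular emits the reject routes for every ordered pair of zone addresses, which is the part that is easy to get wrong by hand once a third zone is added. The interface name bge1, the zone names and addresses, and the -n dry-run flag are assumptions of this example; the ifconfig, zoneadm and route commands are the ones the guide uses.

```shell
#!/bin/sh
# Added example (not from the Solaris 10 Container Guide): the two-zone recipe
# for shared-IP zones on separated customer networks, generalised to N zones.
# Usage: sh shared-ip-zones.sh [-n] name=address ...
# With -n the commands are only printed (dry run); without it each command is
# executed in order and the script stops at the first failure.

# Interface reserved for the local zones; bge1 is the guide's example name.
IFACE=${IFACE:-bge1}

# Print one reject route per ordered pair of zone addresses, so that every zone
# is blocked from reaching every other zone through the shared IP stack.
# Arguments are "name=address"; only the address part is used here.
reject_route_cmds() {
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            printf 'route add %s %s -interface -reject\n' "${a#*=}" "${b#*=}"
        done
    done
}

# Number of reject routes the recipe needs: n zones give n*(n-1) ordered pairs.
reject_route_count() {
    reject_route_cmds "$@" | wc -l | tr -d ' '
}

# Print the complete sequence: plumb the interface without enabling it (it gets
# 0.0.0.0), put each zone into the ready state so its configured address becomes
# active, add the reject routes, then boot the zones.
setup_cmds() {
    printf 'ifconfig %s plumb down\n' "$IFACE"
    for z in "$@"; do
        printf 'zoneadm -z %s ready\n' "${z%%=*}"
    done
    reject_route_cmds "$@"
    for z in "$@"; do
        printf 'zoneadm -z %s boot\n' "${z%%=*}"
    done
}

main() {
    dry=0
    if [ "$1" = "-n" ]; then dry=1; shift; fi
    [ $# -ge 2 ] || { echo "usage: $0 [-n] name=address ..." >&2; return 2; }
    if [ "$dry" -eq 1 ]; then
        setup_cmds "$@"
    else
        # Execute the generated commands one by one, echoing each first.
        setup_cmds "$@" | while IFS= read -r cmd; do
            echo "+ $cmd"
            $cmd || exit 1    # leaves the pipeline with status 1 on failure
        done
    fi
}

# Run main only when invoked as a script, so the functions can also be sourced.
case "$0" in */shared-ip-zones.sh|shared-ip-zones.sh) main "$@" ;; esac
```

A dry run such as `sh shared-ip-zones.sh -n zone1=192.168.201.1 zone2=192.168.202.1` reproduces the guide's command list exactly; adding `zone3=192.168.203.1` yields six reject routes instead of two. The generated routes only cover the zones you pass in, which is why the guide's alternative, `ndd -set /dev/ip ip_restrict_interzone_loopback 1`, is worth considering once many zones share the stack: it blocks the interzone loopback for all zones at once without a route per pair.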