Routing between zones

FAQ and other (hopefully out-of-date) Solaris forum entries state that inter-zone routing happens internally to Solaris (i.e. packets do not go out over the wire). Is this still the case? If so, is there:

A) a reasonable (i.e. doesn't require separate subnets for every zone) workaround

B) plans to remove this limited behaviour

We have a requirement for all network traffic to (possibly) pass through network filter appliances and if all traffic is always internally routed, this precludes the use of zones on this security basis.

TIA,

Pete

[579 byte] By [BoothDudea] at [2007-11-27 11:09:23]
# 1

As best as I can tell, it's not automagic, but then again, I can't work out how to get my zone that is in a different subnet to have any routing....

For the global zone, routing inwards seems to be automagic, but that's probably ok, because if you are using zones, you probably don't want anything running on the global zone anyway.

jnawka at 2007-7-29 13:35:05
# 2

> FAQ and other (hopefully out-of-date) Solaris forum
> entries state that inter-zone routing happens
> internally to Solaris (i.e. packets do not go out
> over the wire). Is this still the case? If so, is
> there:
>
> A) a reasonable (i.e. doesn't require separate
> subnets for every zone) workaround

For traditional zones, no. Even adding subnets will not help. Zones don't do their own routing. So the single kernel "knows" that the traffic doesn't need to leave the box. It's possible that you could use a NAT device to change the address on both sides, fooling the interfaces into thinking that the traffic is off-host, but that's going to fall outside your request for "reasonable".

> B) plans to remove this limited behaviour

With current versions of Solaris Express, you can have "IP instances". This allows a zone to own an interface, including routing. At some point this should work with VNICs, so you don't need to assign a physical interface to each zone in question (I'm uncertain if this use of VNICs is working in Solaris Express yet or not).

See also:

http://blogs.sun.com/aland/resource/ipinstances-svosug.pdf

http://www.opensolaris.org/os/project/crossbow/Docs/si-interfaces.pdf

--

Darren

Darren_Dunhama at 2007-7-29 13:35:05
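Reply #2's point, that shared-IP zones in any subnets exchange traffic inside the one kernel stack while IP instances give a zone its own interface and routing, can be turned into a configuration audit. The following is an added example, not code from the thread: it parses constructed `zonecfg -z <zone> export` output and lists the shared-IP zone pairs whose mutual traffic will never reach a filter appliance; it assumes the `ip-type` zone property that came with IP instances and does not cover VNIC-backed zones.

```python
import re

# Constructed `zonecfg -z <zone> export` output per zone; web and db use different subnets.
SAMPLE_EXPORTS = {
    "web": """create -b
set ip-type=shared
add net
set address=192.168.10.11/24
set physical=e1000g0
end
""",
    "db": """create -b
set ip-type=shared
add net
set address=192.168.20.11/24
set physical=e1000g0
end
""",
    "dmz": """create -b
set ip-type=exclusive
add net
set physical=e1000g1
end
""",
}

def parse_export(text):
    """Return (ip_type, [addresses]); a config without ip-type is shared-IP."""
    ip_type, addresses, in_net = "shared", [], False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"set ip-type=(\w+)$", line)
        if m:
            ip_type = m.group(1)
        elif line == "add net":
            in_net = True
        elif line == "end":
            in_net = False
        elif in_net:
            m = re.match(r"set address=(\S+)$", line)
            if m:
                addresses.append(m.group(1))
    return ip_type, addresses

def in_kernel_pairs(exports):
    """Pairs of shared-IP zones: the single kernel stack delivers their mutual traffic
    without it reaching the wire, whatever their subnets. Exclusive-IP zones are not flagged."""
    shared = sorted(z for z, cfg in exports.items() if parse_export(cfg)[0] == "shared")
    return [(a, b) for i, a in enumerate(shared) for b in shared[i + 1:]]
```

Run against real exports, every pair it reports is one where a filter appliance on the wire sees nothing, which is the case the original question is worried about.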