| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris Administration: Network Interfaces and Network Virtualization Oracle Solaris 11 Express 11/10 |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris Administration: Network Interfaces and Network Virtualization Oracle Solaris 11 Express 11/10 |
2. NWAM Configuration and Administration (Overview)
3. NWAM Profile Configuration (Tasks)
4. NWAM Profile Administration (Tasks)
5. About the NWAM Graphical User Interface
Part II Administering Single Interfaces
6. Overview of the Networking Stack
7. Datalink Configuration and Administration
8. Configuring an IP Interface
9. Configuring Wireless Interface Communications on Oracle Solaris
Part III Administering Interface Groups
11. Administering Link Aggregations
Part IV Network Virtualization and Resource Management
15. Introducing Network Virtualization and Resource Control (Overview)
16. Planning for Network Virtualization and Resource Control
17. Configuring Virtual Networks (Tasks)
Configuring Components of Network Virtualization in Oracle Solaris
How to Create a Virtual Network Interface
Creating New Zones for Use With VNICs
How to Create and Configure the Exclusive IP Zone
Modifying the Configuration of Existing Zones to Use VNICs
How to Reconfigure a Zone to Use a VNIC
Creating a Private Virtual Network
How to Remove the Virtual Network Without Removing the Zones
18. Using Link Protection in Virtualized Environments
19. Managing Network Resources
This section shows you how you deploy the network virtualization components by configuring these components to be used by zones. This section provides two approaches when working with zones to use VNICs:
Creating entirely new zones and configuring VNICs over these zones
Modifying existing zone configurations to use VNICs.
When you first log in to a system, you are automatically in its global zone. You create VNICs on the global zone. Then you further configure these VNICs depending on whether they are to be used by the global zone or non-global exclusive type zones. For an introduction to zones, refer to Zones Overview in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
Use this approach if no configured zones exist in the system, or if you want to create new zones to use VNICs.
To use VNICs, a zone must be configured as an exclusive IP zone. The steps that follow configure zone1 with vnic1. You must perform the same steps to configure zone2. For clarity, the prompts indicate in which zone a specific command is issued. However, the actual path that the prompts display might vary depending on the prompt settings of your specific system.
When creating zones, you can set several parameters. The zone procedures throughout this chapter focus only on those parameters that are relevant to make the zone operate with VNICs. For more detailed information about zone configuration, refer to Part II, Oracle Solaris Zones, in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
Make sure you have accomplished the following:
Created the VNICs for the zones, as explained in How to Create a Virtual Network Interface.
Defined the zone names.
Determined zone home directories.
Determined the specific VNIC to be associated with a specific zone.
Determined the IP addresses for the VNICs.
Obtained other network information such as router address to supply to the zone.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
global# zonecfg -z zone zonecfg:zone> create
zonecfg:zone> set zonepath=/home/export/zone
zonecfg:zone> set autoboot=true
zonecfg:zone> set ip-type=exclusive
zonecfg:zone> add net zonecfg:zone:net> set physical=vnic zonecfg:zone:net> end zonecfg:zone>
zonecfg:zone>verify zonecfg:zone> commit zonecfg:zone> exit global#
global# zonecfg -z zone info
Note - You can display the same information while running the zone configuration utility by typing the following:
zonecfg:zone> info
global# zoneadm -z zone install
Note - The installation process can take a while.
zoneadm list -iv
Note - The -iv option lists all configured zones regardless of whether they are running or not. At this stage, the status of the zone you just created will be “installed” rather than “running.” If you use the -v option, only zones that are running are listed, and the zone you just created will be excluded.
global# zoneadm -z zone boot
global# zoneadm list -v
# zlogin -C zone
Some of the information are terminal type, region, language, and so on. Most of the information is supplied by selecting from a list of choices. Typically, the default options suffice unless your system configuration requires otherwise.
The following information are relevant to the current procedure which you need to supply or verify:
Host name of the zone, for example zone1.
IP address of the zone which is based on the IP address of the zone's VNIC.
Whether IPv6 should be enabled.
Whether the system with the virtual network is part of a subnet.
Netmask of the IP address.
Default route, which can be the IP address of the physical interface on which the virtual network is built.
After you have supplied the required information for the zone, the zone is restarted.
Example 17-3 Configuring a Basic Virtual Network by Creating Zones and VNICs
This example consolidates all the steps that were previously provided to creating zones and VNICs to configure the virtual network. The example uses zone1 as the sample zone
The example is based on the following assumptions:
VNICs: vnic1
Zone names: zone1
Zone home directories: /home/export/zone-name.
VNIC zone assignments: vnic1 for zone1
IP addresses: vnic1 uses 192.168.3.80
Physical interface IP address: 192.168.3.70
Router address: 192.168.3.25
global# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
e1000g0 Ethernet up 1000 full e1000g0
bge0 Ethernet unknown 1000 full bge0
global# dladm show-lnk
LINK CLASS MTU STATE BRIDGE OVER
e1000g0 phys 1500 up -- --
bge0 phys 1500 unknown -- --
global# ipadm show-if
IFNAME STATE CUTTENT PERSISTENT
lo0 ok -m-v-----46 ---
e1000g0 ok bm-------46 -46
global # ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/? static ok 127.0.0.1/8
e1000g0/v4addr static ok 192.168.3.70/24
global # dladm create-vnic -l e1000g0 vnic1
global # dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE
vnic1 e1000g0 1000 Mbps 2:8:20:5f:84:ff random
global # ipadm create-addr -T static -a 192.168.3.80/24 vnic1/v4address
global # ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/? static ok 127.0.0.1/8
e1000g0/v4addr static ok 192.168.3.70/24
vnic1/v4address static ok 192.168.3.80/24
global # cat /etc/hosts
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost #For e1000g0
192.168.3.80 zone1 #using vnic1
global # zonecfg -z zone1
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> seet autoboot=true
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> info
zonename: zone1
zonepath: /export/home/zone1
brand: native
autoboot: true
net:
address not specified
physical: vnic1
zonecfg:zone1> commit
zonecfg:zone1> exit
global#
global# zoneadm -z zone1 verify
WARNING: /export/home/zone1 does not exist, so it could not be verified.
When 'zoneadm install' is run, 'install' will try to create
/export/home/zone1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /export/home/zone1 is group- or other-writable
or
/export/home/zone1 overlaps with any other installed zones.
global# zoneadm -z zone1 install
Preparing to install zone <zone1>
Creating list of files to copy from the global zone.
.
.
Zone <zone1> is initialized.
global# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
- zone1 installed /export/home/zone1 native excl
global# zoneadm -z zone1 boot
global# zoneadm list -v
ID NAME STATUS PATH BRAND IP
0 global running / native shared
1 zone1 running /export/home/zone1 native excl
zlogin -C zone1
What type of terminal are you using?
.
.
.
8) Sun Workstation
9) Televideo 910
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
14) Other
Type the number of your choice and press Return: 13
.
(More prompts)
..
Provide the information as prompted. For network information, supply the following:
Hostname: zone1 IP address: 192.168.3.80 System part of a subnet: Yes Netmask: 255.255.255.0 Enable IPv6: No Default route: 192.168.3.70 Router IP address: 192.168.3.25
You can use various tools to observe network traffic and take statistics on zone usage.
To verify that your network is properly configured, refer to
To observe traffic over the network, refer to
To manage how the network uses system resources, refer to
To obtain statistics for accounting purposes, refer to
If you need to disassemble the virtual network, refer to How to Remove the Virtual Network Without Removing the Zones.
Use this approach if you want existing zones to use VNICs. In this case, the zones already have zone names and their home directories or zonepaths are already defined.
Make sure you have accomplished the following:
Created the VNICs for the zones, as explained in How to Create a Virtual Network Interface.
Determined the specific VNIC to be associated with a specific zone.
Determined the IP addresses for the VNICs.
Obtained other network information such as router address to supply to the zone.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
global# zoneadm list -v
Note - The -v option lists only zones that are running. To list all configured zones including those that have not been started, use the -iv option.
global# zonecfg -z zone info
Check the information about IP type and network interface. The network interface is designated by the parameter physical. For a zone to be configured with a VNIC, the zone must be an exclusive IP zone and the network interface must specify the VNIC.
global# zonecfg -z zone zonecfg:zone1> set ip-type=exclusive zonecfg:zone1>
zonecfg:zone1> remove net physical=non-vnic-interface zonecfg:zone1> add net zonecfg:zone1:net> set physical=vnic zonecfg:zone1:net> end zonecfg:zone1>
zonecfg:zone1 verify zonecfg:zone1> commit zonecfg:zone1> exit global#
global# zoneadm -z zone reboot
global# zonecfg -z zone info ip-type global# zonecfg -z zone info net
The information must show that the zone's IP type is exclusive and that it uses the designated VNIC.
global# zlogin zone
If you are assigning a static address to the VNIC, you would type the following:
zone# ipadm create-addr -T static -a address addrobj
where address can use CIDR notation while addrobj follows the naming convention interface/user-defined-string.
zone# ipadm show-if
or
zone# ipadm show-addr
Example 17-4 Configuring a Basic Virtual Network by Modifying Zone Configuration to Use VNICs
This example uses the same system and operates on the same assumptions as the previous example. Suppose that in this system, zone2 already exists as a shared zone. You want to modify zone2 to use vnic2.
global# dladm show-link
LINK CLASS MTU STATE BRIDGE OVER
e1000g0 phys 1500 up -- --
bge0 phys 1500 unknown -- --
vnic1 vnic 1500 up -- e1000g0
global# ipadm show-if
IFNAME STATE CUTTENT PERSISTENT
lo0 ok -m-v-----46 ---
e1000g0 ok bm-------46 -46
vnic1 ok bm-------46 -46
global # ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/? static ok 127.0.0.1/8
e1000g0/v4addr static ok 192.168.3.70/24
vnic1/v4address static ok 192.168.3.80/24
global # dladm create-vnic -l e1000g0 vnic2
global # dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE
vnic1 e1000g0 1000 Mbps 2:8:20:5f:84:ff random
vnic2 e1000g0 1000 Mbps 2:8:20:54:f4:74 random
global# zoneadm list -v
ID NAME STATUS PATH BRAND IP
0 global running / native shared
1 zone1 running /export/home/zone1 native excl
2 zone2 running /export/home/zone2 native shared
global# zonecfg -z zone2 info
zonename: zone2
zonepath: /export/home/zone2
brand: native
autoboot: true
bootargs:
pool: z2-pool
limitpriv:
scheduling-class:
ip-type: shared
hostid:
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
inherit-pkg-dir:
dir: /etc/crypto
net:
address not specified
physical: e1000g0
defrouter not specified
global#
global# zonecfg -z zone2
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> remove net physical=e1000g0
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic2
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
global#
global# zonecfg -z zone2 info ip-type
ip-type: exclusive
global#
global# zonecfg -z zone2 info net
net:
address ot specified
physical: vnic2
defrouter not specified
global#
global# zlogin zone2
zone2# ipadm create-addr -T static -a 192.168.3.85/24 vnic2/v4address
zone2# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
vnic2/v4address static ok 192.168.3.85/24
zone1# exit
global#
global# vi /etc/hosts
#
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost #For e1000g0
192.168.3.80 zone1 #using vnic1
192.168.3.85 zone2 #using vnic2You can either configure the network setup further to customize use of system resources, or use various tools to observe network traffic and take statistics on resource usage.
To verify that your network is properly configured, refer to
To observe traffic over the network, refer to
To manage how the network uses system resources, refer to
To obtain statistics for accounting purposes, refer to
If you need to disassemble the virtual network, refer to How to Remove the Virtual Network Without Removing the Zones
The example in this section shows how to configure a private virtual network on a single system. Private virtual networks are different from private virtual networks (VPNs). VPN software creates a secure point-to-point link between two endpoint systems. The private network configured by the tasks in this section is a virtual network on a box that cannot be accessed by external systems.
To allow the zones of the private network to send packets beyond the host, configure a network address translation (NAT) device. NAT translates the VNIC's private IP addresses to routable IP addresses of the physical network interface, but without exposing the private IP addresses to the external network. Routing configuration is also included in the following example.
Example 17-5 Creating a Private Virtual Network Configuration
The following example uses the same system and proceeds on the same assumptions as the previous examples. Specifically, zone1 and zone2 are now configured as virtual networks. Suppose that zone3 already exists in the system. You will modify zone3 to become a private network isolated from the rest of the network. Then you will configure NAT and IP forwarding to allow the virtual private network to send packets outside the host but still concealing its private address from the external network.
global# dladm create-etherstub stub0 global# dladm create-vnic -l etherstub0 vnic3 global# dladm show-vnic LINK OVER SPEED MACADDRESS MACADDRTYPE vnic1 e1000g0 1000 Mbps 2:8:20:5f:84:ff random vnic2 e1000g0 1000 Mbps 2:8:20:54:f4:74 random vnic3 stub0 0 Mbps 2:8:20:6b:8:ab random global# vi /etc/hosts # ::1 localhost 127.0.0.1 localhost 192.168.3.70 loghost #For e1000g0 192.168.3.80 zone1 #using vnic1 192.168.3.85 zone2 #using vnic2
At this stage, you modify zone3 to become an exclusive IP zone over vnic3.
global# zonecfg -z zone3
zonecfg:zone3> set ip-type=exclusive
zonecfg:zone3> remove net physical=e1000g0
zonecfg:zone3> add net
zonecfg:zone3:net> set physical=vnic3
zonecfg:zone3:net> end
zonecfg:zone3> vereify
zonecfg:zone3> commit
zonecfg:zone3> exit
global#
global# zonecfg -z zone3 info ip-type
ip-type: exclusive
global#
global# zonecfg -z zone3 info net
net:
address ot specified
physical: vnic3
defrouter not specified
global#
global# zlogin zone3
zone3# ipadm create-addr -T static -a 192.168.0.10/24 vnic3/privaddr
zone3# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
vnic3/privaddr static ok 192.168.0.10/24
zone3# exit
global# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
e1000g0/v4addr static ok 192.168.3.70/24
vnic1/v4address static ok 192.168.3.80/24
vnic2/v4address static ok 192.168.3.85/24
vnic3/privaddr static ok 192.168.0.10/24
global# vi /etc/hosts
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost #For e1000g0
192.168.3.80 zone1 #using vnic1
192.168.3.85 zone2 #using vnic2
192.168.0.10 zone3 #using vnic3
global# routeadm
Configuration Current Current
Option Configuration System State
---------------------------------------------------------------
IPv4 routing enabled enabled
IPv6 routing disabled disabled
IPv4 forwarding disabled disabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
global# ipadm set-ifprop -p forwarding=yes -m ipv4 e1000g0
global# vi /etc/ipf/ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
global# svcadm enable network/ipfilter
global# zoneadm -z zone1 boot
global# zoneadm -z zone2 boot
global# zoneadm -z zone3 boot
The following procedure shows how to disable a zone's virtual network but maintain the zone intact.
Use this procedure if you must do any of the following:
Use the existing zones in a different configuration. For example, you might need to configure the zones as part of a private network that would require the zone to be created by using an etherstub.
Migrate the zones to another network.
Move the zones to a different zone path.
Clone the zones, as explained in Cloning a Non-Global Zone on the Same System in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
This task assumes that you have a running virtual network that consists of exclusive IP zones.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
# zoneadm list -v
Information similar to the following is displayed:
ID NAME STATUS PATH BRAND IP 0 global running / native shared 1 zone1 running /export/home/zone1 native excl 2 zone2 running /export/home/zone2 native excl 3 zone3 running /export/home/zone3 native excl
Issue the following command separately for each zone to be halted.
global# zoneadm -z zone-name halt
When you halt the zone, you remove the zone's application environment and terminate a number of system activities, as explained in Halting a Zone in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
# zoneadm list -iv ID NAME STATUS PATH BRAND IP 0 global running / native shared - zone1 installed /export/home/zone1 native excl - zone2 installed /export/home/zone2 native excl - zone3 installed /export/home/zone3 native excl
Note that the zones are no longer running, although they remain installed. To reboot a halted zone, refer to How to Boot a Zone in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
# dladm show-vnic LINK OVER SPEED MACADDRESS MACADDRTYPE vnic1 e1000g0 1000 Mbps 2:8:20:5f:84:ff random vnic2 e1000g0 1000 Mbps 2:8:20:54:f4:74 random vnic3 stub0 1000 MBps 2:8:20:c2:39:38 random
The resulting output shows that the VNICs are still configured as datalinks in the global zone. However, their corresponding IP interfaces were created and enabled on the zones with which these VNICs are associated, and not on the global zone. These non–global zones are now halted.
# dladm delete-vnic vnic
For example, you would type the following to delete the VNICs in the zones in Figure 16-1.
# dladm delete-vnic vnic1 # dladm delete-vnic vnic2
|