
Creating and Using Oracle® Solaris Zones

Updated: April 2019

Networking in Exclusive-IP Non-Global Zones

An exclusive-IP zone has its own IP-related state. The zone is assigned its own set of datalinks when the zone is configured.

Packets are transmitted on the physical link. Then, devices like Ethernet switches or IP routers can forward the packets toward their destination, which might be a different zone on the same system as the sender.

For virtual links, the packet is first sent to a virtual switch. If the destination link is over the same device, such as a VNIC on the same physical link or etherstub, the packet will go directly to the destination VNIC. Otherwise, the packet will go out the physical link underlying the VNIC.

For information on features that can be used in an exclusive-IP non-global zone, see Exclusive-IP Non-Global Zones in Oracle Solaris Zones Configuration Resources.

Exclusive-IP Zone Partitioning

Exclusive-IP zones have separate TCP/IP stacks, so the separation reaches down to the datalink layer. One or more datalink names, which can be a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can configure IP on those datalinks with the same flexibility and options as in the global zone.

Exclusive-IP Datalink Interfaces

A datalink name must be assigned exclusively to a single zone.

The dladm show-link command can be used to display datalinks assigned to running zones.

sol-t2000-10{pennyc}1: dladm show-link
LINK                CLASS     MTU    STATE    OVER
vsw0                phys      1500   up       --
net0                phys      1500   up       --
netg2               phys      1500   up       --
netg1               phys      1500   up       --
netg3               phys      1500   up       --
zoneA/net0          vnic      1500   up       net0
zoneB/net0          vnic      1500   up       net0
aggr1               aggr      1500   up       net2 net3
vnic0               vnic      1500   up       net1
zoneA/vnic0         vnic      1500   up       net1
vnic1               vnic      1500   up       net1
zoneB/vnic1         vnic      1500   up       net1
vnic3               vnic      1500   up       aggr1
vnic4               vnic      1500   up       aggr1
zoneB/vnic4         vnic      1500   up       aggr1

For more information, see dladm(1M).
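The listing above is the raw material for answering a question the text leaves implicit: which zones share an underlying physical link? Per the virtual-switch description earlier on this page, two VNICs over the same physical link or etherstub exchange packets on the host without the frames reaching an external switch or router, so an administrator placing filtering or monitoring between zones needs that map. The script below is an added example, not Oracle's code: it parses `dladm show-link` text, follows OVER references (VNIC over aggregation over ports) down to physical links, and reports links carrying VNICs of more than one zone. The embedded sample is the listing from this page; on a live system you would pipe the real `dladm show-link` into `zone_links` instead.

```shell
#!/bin/sh
# Added example, not Oracle's code: inventory the zone-assigned datalinks in
# `dladm show-link` output and report physical links shared by more than one
# exclusive-IP zone. SAMPLE_SHOW_LINK is the listing from this page, embedded
# so the script runs without a Solaris host.

SAMPLE_SHOW_LINK='LINK                CLASS     MTU    STATE    OVER
vsw0                phys      1500   up       --
net0                phys      1500   up       --
netg2               phys      1500   up       --
netg1               phys      1500   up       --
netg3               phys      1500   up       --
zoneA/net0          vnic      1500   up       net0
zoneB/net0          vnic      1500   up       net0
aggr1               aggr      1500   up       net2 net3
vnic0               vnic      1500   up       net1
zoneA/vnic0         vnic      1500   up       net1
vnic1               vnic      1500   up       net1
zoneB/vnic1         vnic      1500   up       net1
vnic3               vnic      1500   up       aggr1
vnic4               vnic      1500   up       aggr1
zoneB/vnic4         vnic      1500   up       aggr1'

# One line per zone-assigned link (a LINK name containing "/"): zone, link
# name as seen inside the zone, class, the OVER link, and the physical
# link(s) it finally rides on once VNIC-over-aggregation chains are followed.
zone_links() {
    awk '
    # Replace each name that itself has an OVER entry until none remain.
    function phys(spec,   n, i, w, out, changed) {
        do {
            changed = 0
            n = split(spec, w, " ")
            out = ""
            for (i = 1; i <= n; i++) {
                if ((w[i] in over) && over[w[i]] != "--") {
                    out = out " " over[w[i]]; changed = 1
                } else {
                    out = out " " w[i]
                }
            }
            spec = substr(out, 2)
        } while (changed)
        gsub(/ /, ",", spec)
        return spec
    }
    NR == 1 || NF < 2 { next }        # skip the header and blank lines
    {
        # OVER may hold several names (an aggregation lists its ports).
        o = ""
        for (i = 5; i <= NF; i++) o = o (i > 5 ? " " : "") $i
        over[$1] = o
        class[$1] = $2
    }
    END {
        for (l in over) {
            if (index(l, "/") == 0) continue
            split(l, p, "/")
            print p[1], p[2], class[l], over[l], phys(over[l])
        }
    }' | sort
}

# Physical links carrying VNICs of two or more zones. Traffic between those
# zones is switched on the host by the virtual switch and does not reach an
# external switch or router, which matters for where filtering and
# monitoring between the zones can be placed.
shared_physical_links() {
    zone_links | awk '
    {
        key = $5 SUBSEP $1
        if (!(key in seen)) {
            seen[key] = 1
            zones[$5] = (zones[$5] == "" ? $1 : zones[$5] "," $1)
            count[$5]++
        }
    }
    END { for (p in count) if (count[p] > 1) print p, zones[p] }' | sort
}

printf '%s\n' "$SAMPLE_SHOW_LINK" | zone_links
printf '%s\n' "$SAMPLE_SHOW_LINK" | shared_physical_links
```

On the sample, `zone_links` resolves zoneB's vnic4 through aggr1 to net2,net3, and `shared_physical_links` reports net0 and net1 as carrying VNICs of both zoneA and zoneB.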

IP Traffic Between Exclusive-IP Zones on the Same System

There is no internal loopback of IP packets between exclusive-IP zones. All packets are sent down to the datalink. Typically, this means that the packets are sent out on a network interface. Then, devices like Ethernet switches or IP routers can forward the packets toward their destination, which might be a different zone on the same system as the sender.

Oracle Solaris IP Filter in Exclusive-IP Zones

An exclusive-IP zone has the same IP Filter functionality as the global zone, and IP Filter is configured the same way in both.

IP Network Multipathing in Exclusive-IP Zones

IP network multipathing (IPMP) provides physical interface failure detection and transparent network access failover for a system with multiple interfaces on the same IP link. IPMP also provides load spreading of packets for systems with multiple interfaces.

The datalink configuration is done in the global zone. First, multiple datalink interfaces are assigned to a zone using zonecfg. The multiple datalink interfaces must be attached to the same IP subnet. IPMP can then be configured from within the exclusive-IP zone by the zone administrator.
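The procedure above names its steps but not the commands, and its one precondition (all datalinks on the same IP subnet) is easy to get wrong when the addresses are planned by hand. The script below is an added example, not Oracle's code: `same_subnet` checks that the addresses planned for the group share one IPv4 network and prefix length, and `ipmp_zone_commands` prints the two command sequences the procedure implies, the zonecfg input the global administrator runs and the ipadm commands the zone administrator runs inside the zone. The zonecfg `anet` resource with `linkname`/`lower-link` and the ipadm `create-ip`, `create-ipmp`, `add-ipmp -i` and `create-addr -T static -a` subcommands are assumed here to be the Solaris 11 forms; the zone name, link names and 192.0.2.0/24 addresses are placeholders.

```shell
#!/bin/sh
# Added example, not Oracle's code: a subnet planning check for the IPMP
# procedure plus the command sequences it implies. Solaris 11 zonecfg/ipadm
# syntax is assumed; zoneA, net1, net2 and 192.0.2.0/24 are placeholders.

# Dotted-quad IPv4 address to an integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network address of ADDR/PREFIX, e.g. 192.0.2.11/24 -> 192.0.2.0
ipv4_network() {
    addr=${1%/*}; prefix=${1#*/}
    n=$(ip2int "$addr")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( n & mask ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
}

# Return 0 when every ADDR/PREFIX argument lies in one IPv4 subnet (same
# network address and prefix length), 1 otherwise. The datalinks an IPMP
# group spans must sit on one subnet, so run this over the planned
# addresses before handing the links to the zone.
same_subnet() {
    first_net=$(ipv4_network "$1"); first_prefix=${1#*/}
    shift
    for cidr in "$@"; do
        [ "$(ipv4_network "$cidr")" = "$first_net" ] || return 1
        [ "${cidr#*/}" = "$first_prefix" ] || return 1
    done
    return 0
}

# Print the zonecfg input for the global administrator (zonecfg -z ZONE -f FILE)
# that assigns each lower link to the zone, then the ipadm commands the zone
# administrator runs inside the zone to build the group.
# Usage: ipmp_zone_commands ZONE DATA_ADDR/PREFIX LOWER_LINK...
ipmp_zone_commands() {
    zone=$1; data_addr=$2; shift 2
    echo "# global zone: zonecfg -z $zone -f <this file>"
    for link in "$@"; do
        printf 'add anet\nset linkname=%s\nset lower-link=%s\nend\n' "$link" "$link"
    done
    echo "commit"
    echo "# inside $zone, as the zone administrator:"
    echo "ipadm create-ipmp ipmp0"
    for link in "$@"; do
        echo "ipadm create-ip $link"
        echo "ipadm add-ipmp -i $link ipmp0"
    done
    echo "ipadm create-addr -T static -a $data_addr ipmp0/v4"
}

# Constructed plan: the group's data address and one test address per link,
# all on 192.0.2.0/24.
if same_subnet 192.0.2.10/24 192.0.2.11/24 192.0.2.12/24; then
    ipmp_zone_commands zoneA 192.0.2.10/24 net1 net2
else
    echo "planned addresses span more than one subnet; fix before zonecfg" >&2
fi
```

The subnet check compares both the network address and the prefix length, so 192.0.2.11/24 and 192.0.2.12/25 are rejected even though they share a network address; mixed prefix lengths on one link are a configuration error rather than a subnet match.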