System Administration Guide: Network Interfaces and Network Virtualization

Chapter 11 Configuring Virtual Networks (Tasks)

This chapter contains tasks for configuring internal virtual networks, or “networks in a box.” The topics that are covered include:

Virtual Networks Task Map

This table lists the tasks for configuring a virtual network, including links to the specific tasks. Note that not all tasks will apply to your virtual network scenario.

Task: Begin creating a virtual network on a single host with access to the external network.
Description: Create one or more virtual network interfaces (VNICs). VNICs are the pseudo-interfaces upon which you build the virtual network.
For Instructions: How to Create a Virtual Network Interface

Task: Create exclusive IP zones as the containers for the virtual network.

Note –

Use these tasks only if you want zones as the containers in the virtual network. To set up Sun xVM Server domains for network virtualization, refer to the Sun xVM Server Information Wiki.

Description: Create, install, and boot one or more exclusive IP zones.
For Instructions: How to Create an Exclusive IP Zone Over a VNIC and How to Install the Exclusive IP Zone on a VNIC

Task: Complete virtual network configuration.
Description: Complete initial zone configuration through the zone console, or manually configure IP addresses for the VNICs, and update the associated network databases.
For Instructions: How to Configure an Exclusive IP Zone Over a VNIC Through the Zone Console or How to Manually Configure the VNIC and Exclusive IP Zone

Task: Verify that the exclusive IP zone and VNIC are configured properly.
Description: Perform a series of checks to validate the zone and VNIC configuration.
For Instructions: How to Verify the Exclusive IP Zone Over VNIC Configuration

Task: Take down the existing virtual network.
Description: Delete the VNICs and halt the zones prior to reconfiguration or other purposes.
For Instructions: How to Remove the Virtual Network Without Removing the Zones

Task: Create a private virtual network on a single host.
Description: Create the etherstub pseudo-interface that isolates the private network, plus the VNICs and zones that complete the private network's structure.
For Instructions: How to Create Etherstubs and VNICs for the Private Virtual Network

Task: Configure network-address translation and routing on the private virtual network.
Description: Allow outbound traffic from the private network while denying inbound traffic from the external network.
For Instructions: How to Configure Routing and Network Address Translation for the Private Virtual Network

Configuring a Basic Virtual Network

This section contains tasks for configuring a basic virtual network. For a topology diagram of a virtual network, see Figure 10–1. Use the following tasks to build the virtual network.


Tip –

The steps in all tasks in this chapter use the vi text editor in a terminal window. Alternatively, you can use the text editor of your choice.


Procedure: How to Create a Virtual Network Interface

This procedure shows how to create a virtual network interface card (VNIC). VNICs are pseudo-interfaces upon which to build the containers of the virtual network. The resulting VNIC has an automatically generated MAC address. Depending on the network interface in use, you can instead explicitly assign a MAC address to a VNIC, as described in the dladm(1M) man page.

When you first log in to a system, you are automatically in its global zone, which is where you configure VNICs. You can use VNICs in the global zone or as the building blocks for a particular type of non-global zone, the exclusive IP zone. For an introduction to zones, refer to Zones Overview in System Administration Guide: Virtualization Using the Solaris Operating System.

  1. Become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. View information about the system's available physical interfaces.


    # dladm show-phys
    LINK         MEDIA                STATE      SPEED DUPLEX   DEVICE
    e1000g2      Ethernet             unknown    0    half      e1000g2
    e1000g0      Ethernet             up         1000 full      e1000g0

    Currently the system has two installed interfaces, e1000g0 and e1000g2.

  3. Check the status of the data links on the system.


    # dladm show-link
    LINK        CLASS    MTU    STATE    OVER
    e1000g2     phys     1500   unknown  --
    e1000g0     phys     1500   up       --

    Only the e1000g0 data link, which runs over the e1000g0 interface, is in the up state.

    Unless you create customized names for your data links, the data link has the same name as the network interface device name that is displayed by dladm show-phys. For example, network interface e1000g0 has the data link name e1000g0 until you customize it. For more information on customized data link names, refer to Data Link and IP Interface Configuration (Tasks).

  4. Check the status of any interfaces on the IP layer.


    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             inet 127.0.0.1 netmask ff000000
    e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
            ether 0:14:4f:94:d0:40

    The output indicates that interface e1000g0 has the IP address 192.168.3.70. Therefore, the system is connected to the 192.168.3.0/24 network. e1000g0 has the MAC address 0:14:4f:94:d0:40.

  5. Create a VNIC in the system's global zone.


    # dladm create-vnic -l data-link vnic-name
    
    • data-link is the name of the interface where the VNIC is to be configured.

    • vnic-name is the name that you want to give the VNIC.

    For example, to create a VNIC named vnic0 on interface e1000g0, you would type the following:


    # dladm create-vnic -l e1000g0 vnic0
    

    Repeat this step for all planned VNICs in the virtual network.

  6. Plumb the VNIC and assign it an IP address.

    All VNICs must be configured and plumbed on the IP level. VNICs that are used in conjunction with an exclusive IP zone can be plumbed as part of the initial zone configuration or manually, using the steps in How to Manually Configure the VNIC and Exclusive IP Zone.

    For VNICs to be configured in the global zone, do the following:

    1. Use the ifconfig command as shown to configure the interface.


      # ifconfig vnic-name plumb
      # ifconfig vnic-name IP-address
      # ifconfig vnic-name  up
      

      For example, you would configure and plumb vnic0 over interface e1000g0 as follows:


      # ifconfig vnic0 plumb
      # ifconfig vnic0 192.168.3.250
      # ifconfig vnic0 up
      
    2. Verify that the VNIC is configured and plumbed.


      # ifconfig -a
      

      Your output should resemble the following:


      lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> 
              mtu 8232 index 1
              inet 127.0.0.1 netmask ff000000
      e1000g0:flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS>
              mtu 1500 index 2
              inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
              ether 0:14:4f:94:d0:40
      vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> 
              mtu 9000 index 5
              inet 192.168.3.250 netmask ffffff00 broadcast 192.168.0.255
              ether 2:8:20:c2:39:38

      Look for the VNIC that you just configured in the ifconfig output. For example, vnic0 is in the previous output. The IP address that you specified and the ifconfig “UP” flag in the output must also be present. These items indicate that the VNIC is correctly configured and plumbed.

  7. Ensure that the VNIC configuration persists across reboots.

    Create the file /etc/hostname.vnic-name.

    • In the global zone, do the following:


      # cd /etc
      # vi hostname.vnic-name
      IP address of vnic-name
      

      For example, you type the following:


      # cd /etc
      # vi hostname.vnic0
      192.168.3.250
      
    • Update the /etc/inet/hosts file with entries for all the VNICs you have created.

      The entries in the file should have the following format:


      vnic-IP-address      zoneID-vnic-IP-address
      

      For example, you might create the following entries:


      192.168.3.250      zone0-192-168-3-250

      Note –

      When creating the zone alias entry, be sure to put a dash after the zoneID. Additionally, substitute dashes for the dot delimiters in the IP address, as shown previously.


    • For exclusive IP zones, refer to the instructions in How to Verify the Exclusive IP Zone Over VNIC Configuration.

  8. Verify that the new VNIC is created.


    # dladm show-vnic
    LINK       SPEED  MACADDRESS         MACADDRTYPE
    vnic0      0 Mbps  2:8:20:c2:39:38    random

Example 11–1 Creating Virtual Network Interfaces (VNIC)

This example contains the commands to use to create and verify three VNICs. One VNIC is used in the global zone. Two other VNICs are used with the exclusive IP zones in the upcoming tasks. This example illustrates the steps in Configuring a Basic Virtual Network to accomplish the following:


# dladm show-phys
LINK         MEDIA                STATE      SPEED DUPLEX   DEVICE
e1000g2      Ethernet             unknown    0    half      e1000g2
e1000g0      Ethernet             up         1000 full      e1000g0
# dladm show-link
LINK        CLASS    MTU    STATE    OVER
e1000g2     phys     1500   unknown  --
e1000g0     phys     1500   up       --
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40

# dladm create-vnic -l e1000g0 vnic0
# dladm create-vnic -l e1000g0 vnic1
# dladm create-vnic -l e1000g0 vnic2
# dladm show-vnic

LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic0       e1000g0      1000 Mbps  2:8:20:c2:39:38    random
vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random

# ifconfig vnic0 plumb
# ifconfig vnic0 192.168.3.250
# ifconfig vnic0 up

# ifconfig -a

lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0:flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS>mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.3.250 netmask ffffff00 broadcast 192.168.0.255
        ether 2:8:20:c2:39:38

# vi /etc/hostname.vnic0
192.168.3.250
# vi /etc/inet/hosts
# Internet host table
#
::1     localhost
127.0.0.1       localhost
192.168.3.70    myhost     loghost
192.168.3.250      zone0-192-168-3-250
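A way to automate the checks in Steps 6 and 8 of the procedure above, as an added example that is not part of the guide: the script parses captured dladm show-vnic and ifconfig -a output (the samples are constructed, modelled on Example 11–1) and confirms that a VNIC is listed, is plumbed with the address you assigned, carries the UP flag, and has a MAC address that agrees between the two commands and collides with no other link. The function and variable names are the author's own choices; on a live host you would pass the real command output in place of the samples.

```python
"""Replay the VNIC checks from Steps 6 and 8 against captured command output."""
import re

# Constructed sample output, modelled on the listings in Example 11-1.
DLADM_SHOW_VNIC = """\
LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic0       e1000g0      1000 Mbps  2:8:20:c2:39:38    random
vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random
"""

IFCONFIG_A = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0:flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS>mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.3.250 netmask ffffff00 broadcast 192.168.3.255
        ether 2:8:20:c2:39:38
"""

# Interface header lines; ifconfig sometimes omits the space after "name:".
IFACE_RE = re.compile(r"^(\S+?):\s*flags=[0-9a-f]+<([^>]*)>")
INET_RE = re.compile(r"^\s+inet\s+(\S+)\s+netmask\s+(\S+)")
ETHER_RE = re.compile(r"^\s+ether\s+(\S+)")


def norm_mac(mac):
    """Solaris prints MAC octets without leading zeros; pad them for comparison."""
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def parse_dladm_show_vnic(text):
    """Return {vnic: {"over": link or None, "mac": mac, "mactype": type}}.

    The OVER column is optional (older output omits it) and SPEED is two
    tokens ("1000 Mbps"), so fields are taken from the ends of each row.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    has_over = "OVER" in lines[0].split()
    vnics = {}
    for line in lines[1:]:
        f = line.split()
        vnics[f[0]] = {"over": f[1] if has_over else None,
                       "mac": norm_mac(f[-2]), "mactype": f[-1]}
    return vnics


def parse_ifconfig(text):
    """Return {iface: {"flags": set, "inet": addr, "netmask": mask, "ether": mac}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"flags": set()})
            cur["flags"].update(m.group(2).split(","))
            continue
        if cur is None:
            continue
        m = INET_RE.match(line)
        if m:
            cur["inet"], cur["netmask"] = m.group(1), m.group(2)
        m = ETHER_RE.match(line)
        if m:
            cur["ether"] = norm_mac(m.group(1))
    return ifaces


def check_vnic(name, expected_ip, dladm_text, ifconfig_text):
    """Return a list of problems; an empty list means the VNIC passes every check."""
    vnics = parse_dladm_show_vnic(dladm_text)
    ifaces = parse_ifconfig(ifconfig_text)
    if name not in vnics:
        return ["%s is not listed by dladm show-vnic" % name]
    if name not in ifaces:
        return ["%s is not plumbed (absent from ifconfig -a)" % name]
    problems, ip = [], ifaces[name]
    for flag in ("UP", "RUNNING"):
        if flag not in ip["flags"]:
            problems.append("%s lacks the %s flag" % (name, flag))
    if ip.get("inet") != expected_ip:
        problems.append("%s has address %s, expected %s"
                        % (name, ip.get("inet"), expected_ip))
    if ip.get("ether") != vnics[name]["mac"]:
        problems.append("%s MAC differs between dladm and ifconfig" % name)
    # A VNIC's generated MAC must be unique across the physical NIC and all VNICs.
    owners = {}
    for link, info in list(vnics.items()) + list(ifaces.items()):
        mac = info.get("mac") or info.get("ether")
        if mac:
            owners.setdefault(mac, set()).add(link)
    others = owners.get(vnics[name]["mac"], set()) - {name}
    if others:
        problems.append("%s shares MAC %s with %s"
                        % (name, vnics[name]["mac"], ", ".join(sorted(others))))
    return problems


if __name__ == "__main__":
    for vnic, addr in (("vnic0", "192.168.3.250"), ("vnic1", "192.168.3.20")):
        print(vnic, check_vnic(vnic, addr, DLADM_SHOW_VNIC, IFCONFIG_A) or "OK")
```

Run as is, the script reports vnic0 as OK and vnic1 as not yet plumbed, which matches the state at the end of Example 11–1.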

Next Steps

Procedure: How to Create an Exclusive IP Zone Over a VNIC

The following task explains how to create two exclusive IP zones for a virtual network. If you want to use zones as the containers for the virtual network, always use exclusive IP zones. You cannot create non-global shared IP zones over VNICs in a virtual network scenario.

As an alternative, you can use Sun xVM domains as the containers in the virtual network. For information about configuring Sun xVM Server and its domains, refer to the Sun xVM Server Information Wiki.

Before You Begin

This procedure assumes that you have already configured at least two VNICs over a data link, as shown in Example 11–1. The VNICs are named vnic0, vnic1, and vnic2.

  1. On the system where you create the virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. View the state of the VNICs on the system.


    # dladm show-vnic
    
    LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
    vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
    vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random

    The output indicates that vnic1 and vnic2 are currently configured over interface e1000g0.

  3. Begin the creation process for the exclusive IP zone by running the zonecfg interactive utility.


    Tip –

    Alternatively, you can run zonecfg as a command with appropriate subcommands and options to create the zone. For more information, refer to How to Configure the Zone in System Administration Guide: Virtualization Using the Solaris Operating System and the zonecfg(1M) man page.



    # zonecfg -z zoneID
    

    where ID is the number that identifies the zone. For example, the following command creates “zone1.”


    # zonecfg -z zone1
    

    The zonecfg program runs and prompts for information about the new zone.


    zonecfg:zone1>

  4. Start zone creation through the zonecfg interactive utility.


    zonecfg:zone1> create
    

    The remaining steps show how to create the exclusive IP zone and set other parameters. For a detailed description of parameters available for the zone, see How to Configure the Zone in System Administration Guide: Virtualization Using the Solaris Operating System.

  5. Create the zone path by setting a home directory for the zone, and then enable automatic booting.


    zonecfg:zone1> set zonepath=zone-home-directory
    zonecfg:zone1> set autoboot=true
    

    For example, zone-home-directory might be /export/home/zone1.

    The global zone will include home directories for all zones that you create through zonecfg. Thus, the /export/home directory in the global zone must contain an entry for zone1.

  6. Create the zone as exclusive IP.


    zonecfg:zone1> set ip-type=exclusive
    
  7. Create the network interface for the zone.


    zonecfg:zone1> add net
    

    This command starts the network configuration subprogram of zonecfg.

  8. Set the previously configured VNIC as the interface for the zone.


    zonecfg:zone1:net> set physical=vnic-data-link
    

    For example, you create vnic1 for zone1 as follows:


    zonecfg:zone1:net> set physical=vnic1
    

    Note –

    Although zonecfg has many options for describing a network interface, for an exclusive IP zone set only the physical property under add net.


  9. Complete zone configuration and verify the results.


    zonecfg:zone1:net> end
    zonecfg:zone1> verify
    

    The verify command checks for configuration errors. If it reports errors, fix the configuration. If verify prints nothing, the configuration is correct; continue.

  10. View information about the zone you just created.

    Use the info directive, as shown below:


    zonecfg:zone1> info
    zonename: zone1
    zonepath: /export/home/zone1
    brand: native
    autoboot: true
    .
    .
    net:
            address not specified
            physical: vnic1

    The message “address not specified” confirms that you have not specified an IP address for the zone. You create IP addresses for the zone's VNIC outside the zonecfg utility, as described in the upcoming procedure How to Configure an Exclusive IP Zone Over a VNIC Through the Zone Console.

    If info displays other incorrect information, you can modify the parameters, as explained in Using the zonecfg Command to Modify a Zone Configuration in System Administration Guide: Virtualization Using the Solaris Operating System. If the information is correct, continue to the next step.

  11. Commit the zone and close zonecfg.


    zonecfg:zone1> commit
    zonecfg:zone1> exit
    

    Be sure to commit the zone before exiting zonecfg.

  12. Create more zones, as needed, by following Steps 3 through 11.


Example 11–2 Creating an Exclusive IP Zone Over a VNIC

The following example contains the commands for creating a zone using the zonecfg utility. When the example is complete, the result is a zone called zone1 that is configured on vnic1. This example assumes that the VNIC is already created, as shown in Example 11–1. You can use this example for configuring as many exclusive IP zones over VNICs as you need for your virtual network. For an illustration of a basic virtual network, refer to Figure 10–1.

You must log in to the global zone of the system as superuser or equivalent role to run the next commands.


# dladm show-vnic

LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random

# zonecfg -z zone1

zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> verify

zonecfg:zone1> info
zonename: zone1
zonepath: /export/home/zone1
brand: native
autoboot: true
.
.
net:
        address not specified
        physical: vnic1

zonecfg:zone1> commit
zonecfg:zone1> exit

Next Steps

Procedure: How to Install the Exclusive IP Zone on a VNIC

Before You Begin

This procedure assumes that you have completed VNIC creation, as described in How to Create a Virtual Network Interface. You also must have created and committed an exclusive IP zone, as described in How to Create an Exclusive IP Zone Over a VNIC.

In this procedure you install the newly created zone1 over vnic1.

  1. On the system where you create the virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.


    Note –

    When you first log in to a system, you are automatically in its global zone. For an introduction to zones, refer to Zones Overview in System Administration Guide: Virtualization Using the Solaris Operating System.


  2. Verify that the new zone exists.


    # zoneadm -z zoneID verify
    

    The zoneadm command displays output similar to the following for a zone that is not yet installed:


    WARNING: /export/home/zone1 does not exist, so it could not be verified.
    When 'zoneadm install' is run, 'install' will try to create
    /export/home/zone1, and 'verify' will be tried again,
    but the 'verify' may fail if:
    the parent directory of /export/home/zone1 is group- or other-writable
    or
    /export/home/zone1 overlaps with any other installed zones.

    This message indicates that the zone is ready to be installed.

  3. Install the new zone.

    Use the following syntax:


    # zoneadm -z zoneID install
    

    For example, you would type:


    # zoneadm -z zone1 install
    Preparing to install zone <zone1>
    Creating list of files to copy from the global zone.
    .
    .
    
    Zone <zone1> is initialized.
  4. Verify that the zone is installed.


    # zoneadm list -iv

    You receive output similar to the following:


     ID NAME              STATUS     PATH                           BRAND    IP
       0 global           running    /                              native   shared
       - zone1            installed  /export/home/zone1             native   excl

    The output indicates that the exclusive IP zone is installed but not yet running.

  5. Boot the zone and then observe its new status.


    # zoneadm -z zone1 boot
    # zoneadm list -v
      ID NAME             STATUS     PATH                           BRAND    IP
       0 global           running    /                              native   shared
       1 zone1            running    /export/home/zone1             native   excl

    Note that zone1 has changed its state to running.

  6. Repeat this procedure for all exclusive IP zones in your virtual network.


Example 11–3 Installing and Booting an Exclusive IP Zone Over a VNIC

The following example contains the zoneadm commands for installing and booting the exclusive IP zone zone1 that is configured over vnic1. This example assumes that both the VNIC and zone are created, as shown in Example 11–2. You can use this example for installing every exclusive IP zone over a VNIC for your virtual network. For an illustration of a basic virtual network, refer to Figure 10–1.

You must log in to the global zone of the system as superuser or equivalent role to run the next commands.


# zoneadm -z zone1 verify
WARNING: /export/home/zone1 does not exist, so it could not be verified.
When 'zoneadm install' is run, 'install' will try to create
/export/home/zone1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /export/home/zone1 is group- or other-writable
or
/export/home/zone1 overlaps with any other installed zones.

# zoneadm -z zone1 install
Preparing to install zone <zone1>.
Creating list of files to copy from the global zone.
.
.
Zone <zone1> is initialized. 

# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   - zone1            installed  /export/home/zone1             native   excl

# zoneadm -z zone1 boot
# zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 zone1            running    /export/home/zone1             native   excl

Next Steps

After booting the zone, you need to perform initial configuration steps for the exclusive IP zone over a VNIC. Use one of the following methods to complete zone configuration:

Procedure: How to Configure an Exclusive IP Zone Over a VNIC Through the Zone Console

After you have installed and booted all zones for the virtual network, your final step is to configure the zones.

Before You Begin

You must have created, installed, and booted exclusive IP zones over VNICs, as explained in the following procedures:

  1. On the system where you create the virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Log in to the console of a zone.

    Begin initial zone configuration through the zone console.


    # zlogin -C zone-name
    

    where zone-name represents the name of the zone that you want to configure. For example, to log in to the console for zone1, type the following:


    # zlogin -C zone1
    

    Depending on your system, you might receive prompts from the console to set language preference and other parameters. Answer these prompts and continue.

  3. Select a terminal type.

    The zone configuration program offers choices such as the following:


    What type of terminal are you using?
          1) ANSI Standard CRT
          2) DEC VT52
    .
    .
          8) Sun Workstation
          9) Televideo 910
          10) Televideo 925
          11) Wyse Model 50
          12) X Terminal Emulator (xterms)

    Type the number for the console terminal type for your system, for example 12 for an X terminal window.

  4. Confirm or change the information displayed by the zone configuration program.

    You receive a series of prompts for information about the new zone. Most of the responses are automatically generated. If the information is incorrect, you can press F4 and supply the correct information. Otherwise, press F2 to accept and continue to the next parameter.

    The information that you need to supply or verify includes:

    • IP address for the zone. Each exclusive IP zone and its corresponding VNIC must have a unique IP address. You can use a DHCP address or a static IP address.

    • Host name. Enter the host name for the zone, for example, zone1.

    • Whether the system with the virtual network is part of a subnet.

    • Netmask of the IP address.

    • Default route. You can use the IP address of the interface on which the virtual network is built.

    • IP address of a router on the system's network.

    When you are finished configuring the zone, the system reboots. After the reboot, the zone is ready for use.

  5. Repeat the initial configuration steps for all zones in the virtual network.


Example 11–4 Final Configuration of an Exclusive IP Zone Over a VNIC

This example shows a typical zone configuration session using the zone console configuration program.


# zlogin -C zone1
What type of terminal are you using?
.
.
.
8) Sun Workstation
9) Televideo 910
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
14) Other
Type the number of your choice and press Return: 13
.
.
IP address for zone1: 192.168.3.20
.
Confirm the following information. If it is correct, press F2;
to change any information, press F4.

Hostname: zone1
IP address: 192.168.3.20
System part of a subnet: Yes
Netmask: 255.255.255.0
Enable IPv6: No
Default route: 192.168.3.70
Router IP address: 192.168.3.25

System reboots.


Next Steps

Verify that zone configuration is correct, as explained in How to Verify the Exclusive IP Zone Over VNIC Configuration.

Procedure: How to Manually Configure the VNIC and Exclusive IP Zone

This procedure explains how to manually configure IP addresses for VNICs and their associated zones. If you configured zones through the zone console after the initial booting, these addresses are configured automatically. You need to follow the next steps only if one of the following conditions is true:

Before You Begin

The procedure assumes that both the VNIC and zone are created, installed, and booted in the global zone.

  1. On the system where you create the virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Log in to the zone.

    For example, you would type:


    # zlogin zone1
    # pwd
    /
  3. Verify that the VNIC is configured.


    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             inet 127.0.0.1 netmask ff000000
    lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
         inet6 ::1/128

    In this output, only the IPv4 and IPv6 loopback addresses are plumbed and up. No entry exists for the VNIC.

  4. Manually configure and plumb the VNIC from within the exclusive IP zone.

    You must plumb a VNIC in the following order for it to function properly in the virtual network.


    # ifconfig vnic-data-link plumb
    # ifconfig vnic-data-link IP-address
    # ifconfig vnic-data-link up
    

    For example, to add IP address 192.168.3.20 to vnic1, do the following:


    # ifconfig vnic1 plumb
    # ifconfig vnic1 192.168.3.20
    # ifconfig vnic1 up
    
  5. Verify that the VNIC is now configured and plumbed.


    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
             inet 127.0.0.1 netmask ff000000
    vnic1: flags=201000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
               inet 192.168.3.20 netmask ffffff00 broadcast 192.168.3.255
               ether 2:8:20:54:f4:74
  6. Exit the exclusive IP zone, and go to the zone's subdirectory tree in the global zone.


    # exit
    # cd /export/home/zone1
    
  7. Create a hostname.vnic-name file for the VNIC.


    # cd root/etc
    # vi hostname.vnic1
    zoneID-IP address
    

    For example, for zone1 you type:


    zone1-192.168.3.20
  8. Add an entry for the zone in the root/etc/inet/hosts file.


    # cd inet
    # vi hosts
    # Internet host table
    #
    ::1                  localhost
    127.0.0.1            localhost
    192.168.3.20  zone1  loghost
    
  9. If the entry does not already exist, add the VNIC and its zone to the global zone's /etc/inet/hosts file.


    # cd /etc/inet
    # vi hosts
    # Internet host table
    #
    ::1     localhost
    127.0.0.1         localhost
    192.168.3.70      myhost     loghost
    192.168.3.20      zone1-192-168-3-20
    

Example 11–5 Manually Configuring a VNIC and Exclusive IP Zone

This example illustrates the following procedures:

You must log in to the global zone of the system as superuser or equivalent role to run the next commands.


# zlogin zone1
/
# ifconfig vnic1 plumb
# ifconfig vnic1 192.168.3.20
# ifconfig vnic1 up
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
vnic1: flags=201000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
           inet 192.168.3.20 netmask ffffff00 broadcast 192.168.3.255
           ether 2:8:20:54:f4:74
# exit
# cd /export/home
# cd zone1/root/etc
# vi hostname.vnic1
zone1-192.168.3.20

# vi inet/hosts
# Internet host table
#
::1                  localhost
127.0.0.1            localhost
192.168.3.20  zone1  loghost

# cd /etc/inet
# vi hosts
# Internet host table
#
::1     localhost
127.0.0.1         localhost
192.168.3.70      myhost     loghost
192.168.3.20      zone1-192-168-3-20

Next Steps

After you are finished, verify that your configuration is correct, as explained in How to Verify the Exclusive IP Zone Over VNIC Configuration.

Procedure: How to Verify the Exclusive IP Zone Over VNIC Configuration

After you complete zone configuration, confirm that the zones and VNICs are now configured as you expected.

Before You Begin

The procedures in this task assume that you have installed and configured two or more exclusive IP zones over a VNIC. If you have not done this, perform the following procedures, in sequential order:

  1. On the system where you build the virtual network, become superuser or assume the equivalent root role in the global zone.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Go to the parent directory for all zones that you created.

    You supply this directory to the zonecfg command as the first part of the zone path.


    # cd parent-zone-path
    

    For example, to access the parent directory for both zones created in the procedure How to Create an Exclusive IP Zone Over a VNIC, type:


    # cd /export/home
    

    If the parent directory for the zones does not exist, check your zone configuration.

  3. Verify that the zone home directory trees exist in the correct parent directory in the global zone.


    # pwd
    /export/home
    # ls
    zone-name
    

    For example, to verify that the zone subdirectories have been created in the parent /export/home directory, in the global zone, type:


    # ls
    zone1 zone2

    The subdirectories for the two new zones have been created. If these subdirectories do not exist, check your zone configuration.

  4. Verify that the hostname.vnic-name file exists and that its entry is correct.

    Each VNIC that you configure for a zone requires a hostname.vnic-name file to ensure that the IP address of the VNIC and zone persist after reboots. First, verify that a hostname.vnic-name file exists:


    # cd /export/home/zone-name/root/etc
    # ls host*
     hostname.vnic1  hosts

    This output indicates that a hostname.vnic1 file exists. The file should contain one entry with the name of the zone, for example:


    # cat hostname.vnic1
    zone1

    If this file does not exist, create it as shown in How to Manually Configure the VNIC and Exclusive IP Zone.

  5. Check the contents of the zone's hosts file.


    # pwd
    /export/home/zone-name/root/etc/
    # cat hosts
    # Internet host table
    #
    ::1                  localhost
    127.0.0.1            localhost
    192.168.3.20  zone1  loghost

    In this output, the entry 192.168.3.20 zone1 loghost shows the address that is assigned to the VNIC for zone1. Your output should have a similar entry for the zone and VNIC.

    If this file does not have an entry for the zone, refer to the appropriate step in How to Manually Configure the VNIC and Exclusive IP Zone.

  6. Add the IP addresses of the VNICs and names of their associated zones to the /etc/inet/hosts file in the global zone.


    Note –

    Be sure that you are editing the hosts file of the global zone, not the hosts file in a zone's root directory tree.



    # cd /etc/inet
    # vi hosts
    # Internet host table
    #
    ::1     localhost
    127.0.0.1       localhost
    192.168.3.70    myhost     loghost

    The only non-loopback IP address in this output is 192.168.3.70, the address of the system's network interface. Add an entry for every VNIC that is assigned to a zone, using the following format:


    VNIC-IP-address        zone-name-IP-address
    

    For example, you would type the following entry for vnic1 and zone1:


    192.168.3.20    zone1-192-168-3-20
  7. Log in to the new zone and verify that you are in its home directory:

    For example, for zone1 you would type:


    # zlogin zone1
    # pwd
    /

    You are now in the root directory of zone1. If you cannot log in to the zone, check your zone configuration.

  8. Verify that the VNIC you previously defined for the zone is now configured as an IP interface.

    Your output should resemble the following:


    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    	     inet 127.0.0.1 netmask ff000000
    vnic1: flags=201000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
               inet 192.168.3.20 netmask ffffff00 broadcast 192.168.3.255
               ether 2:8:20:5f:84:ff

    In the output, vnic1 is configured with the IP address that you specified during zone configuration. vnic1 also has the automatically generated MAC address ether 2:8:20:5f:84:ff, the same address that dladm show-vnic reports for vnic1 in the global zone. Note that there are no entries for the system's physical network interface or for the VNICs of other zones: an exclusive IP zone sees only the data links that are assigned to it, which is what keeps its traffic separate from the other zones on the host.

    If you do not have an entry for the VNIC associated with the zone, you need to plumb the VNIC. In particular, you will have these results if you chose not to perform initial VNIC configuration from the zone console. For instructions for plumbing the VNIC, refer to the appropriate step in How to Manually Configure the VNIC and Exclusive IP Zone.

  9. Exit the current zone.

    Return to the global zone, where you can repeat the previous steps to confirm that all VNICs and zones are properly configured.
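    Steps 2 through 6 can be scripted so that every zone on the host is checked the same way after a reboot or a configuration change. The following POSIX sh script is an added example, not part of the guide: it builds a constructed copy of the zone trees and of the global zone's hosts file in a temporary directory and runs the checks against that copy, so it runs on any system without zones. It assumes the layout this chapter uses (zonepath/root/etc/hostname.vnic-name and zonepath/root/etc/inet/hosts) and adds one check that Step 3 only implies: as the zoneadm verify warning in Example 11–6 shows, a group- or other-writable zone parent directory is rejected, because it would let an unprivileged user substitute the zone's root. The function names and sample data are my own.

```shell
#!/bin/sh
# Added example, not part of the guide: scripted form of Steps 2-6 above.
# It assumes the layout used in this chapter (ZONEPATH/root/etc/hostname.VNIC and
# ZONEPATH/root/etc/inet/hosts) and runs against a constructed copy of /export/home
# and of the global zone's hosts file, so it needs no zones to exist.

# zone_parent_secure PARENT: fail if PARENT is group- or other-writable.
# zoneadm verify refuses such a parent (see the warning in Example 11-6);
# a writable parent would let an unprivileged user swap in a different zone root.
zone_parent_secure() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# vnic_hostname_ok ZONEPATH VNIC: hostname.VNIC exists in the zone's etc, holds
# exactly one name, and that name resolves in the zone's own hosts file (Steps 4-5).
vnic_hostname_ok() {
    etc=$1/root/etc
    f=$etc/hostname.$2
    [ -f "$f" ] || return 1
    set -- $(cat "$f")
    [ $# -eq 1 ] || return 1
    awk -v n="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                   END { exit found ? 0 : 1 }' "$etc/inet/hosts"
}

# global_hosts_has HOSTSFILE ADDR NAME: the global zone's hosts file maps ADDR to NAME (Step 6).
global_hosts_has() {
    awk -v a="$2" -v n="$3" '$1 == a { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                              END { exit found ? 0 : 1 }' "$1"
}

# --- constructed fixture standing in for /export/home and /etc/inet/hosts ---
FIX=$(mktemp -d)
mkdir -p "$FIX/export/home/zone1/root/etc/inet" "$FIX/export/home/zone2/root/etc/inet"
chmod 755 "$FIX/export/home"
printf 'zone1\n' > "$FIX/export/home/zone1/root/etc/hostname.vnic1"
printf '::1\tlocalhost\n127.0.0.1\tlocalhost\n192.168.3.20\tzone1\tloghost\n' \
    > "$FIX/export/home/zone1/root/etc/inet/hosts"
# zone2 was configured only from the zone console: no hostname.vnic2, so its
# address would be lost on the next reboot
printf '127.0.0.1\tlocalhost\n' > "$FIX/export/home/zone2/root/etc/inet/hosts"
printf '192.168.3.70\tmyhost\tloghost\n192.168.3.20\tzone1-192-168-3-20\n' > "$FIX/global_hosts"

# check_zone ZONE VNIC ADDR: all checks for one zone; 0 on success, 1 on the first failure
check_zone() {
    zone_parent_secure "$FIX/export/home" ||
        { echo "$1: zone parent directory is group- or other-writable"; return 1; }
    vnic_hostname_ok "$FIX/export/home/$1" "$2" ||
        { echo "$1: hostname.$2 missing, malformed, or its name is not in the zone's hosts file"; return 1; }
    global_hosts_has "$FIX/global_hosts" "$3" "$1-$(echo "$3" | sed 's/\./-/g')" ||
        { echo "$1: no global hosts entry for $3"; return 1; }
    echo "$1/$2 ($3): OK"
}

status=0
for spec in "zone1 vnic1 192.168.3.20" "zone2 vnic2 192.168.3.22"; do
    check_zone $spec || status=1
done
```

    On a real host, replace the fixture paths with /export/home and /etc/inet/hosts and feed the loop from zoneadm list -v; zone2 in the fixture is deliberately left without a hostname.vnic2 file to show the failure that Step 4 warns about.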

Next Steps

You can use various tools to observe network traffic and gather statistics on zone usage.

If you need to disassemble the virtual network, refer to How to Remove the Virtual Network Without Removing the Zones.

Complete Example for Creating a Virtual Network

This section contains a complete set of commands for configuring a virtual network.


Example 11–6 Basic Virtual Network

This example shows how to implement the virtual network scenario shown in Figure 10–1. The example elaborates on the tasks presented in Configuring a Basic Virtual Network. The commands do the following:


# dladm show-phys
# dladm show-link
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40

# dladm create-vnic -l e1000g0 vnic1
# dladm create-vnic -l e1000g0 vnic2
# dladm show-vnic
LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random

# zonecfg -z zone1
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> verify

zonecfg:zone1> info
zonename: zone1
zonepath: /export/home/zone1
brand: native
autoboot: true
.
.
net:
        address not specified
        physical: vnic1

zonecfg:zone1> commit
zonecfg:zone1> exit

# zoneadm -z zone1 verify
WARNING: /export/home/zone1 does not exist, so it could not be verified.
When 'zoneadm install' is run, 'install' will try to create
/export/home/zone1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /export/home/zone1 is group- or other-writable
or
/export/home/zone1 overlaps with any other installed zones.

# zoneadm -z zone1 install
Preparing to install zone <zone1>.
Creating list of files to copy from the global zone.
.
.
Zone <zone1> is initialized. 


# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   - zone1            installed  /export/home/zone1             native   excl

# zoneadm -z zone1 boot

# zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 zone1            running    /export/home/zone1             native   excl

# zlogin zone1
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
 inet6 ::1/128

# ifconfig vnic1 plumb
# ifconfig vnic1 192.168.3.20
# ifconfig vnic1 up

# ifconfig -a
.
vnic1: flags=201000842<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.20 netmask ffffff00 broadcast 192.168.3.255
        ether 2:8:20:5f:84:ff
# exit

# cd /export/home/zone1
# pwd
/export/home/zone1
# cd root/etc
# vi hostname.vnic1
zone1

# vi /etc/inet/hosts
# Internet host table
#
::1     localhost
127.0.0.1         localhost
192.168.3.70      myhost     loghost
192.168.3.20      zone1-192-168-3-20

After you repeat the same steps to create zone2 and to assign vnic2 to zone2, the following example shows you how to verify that the two zones are properly configured with their respective VNICs.


# zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 zone1            running    /export/home/zone1             native   excl
   2 zone2            running    /export/home/zone2             native   excl

# vi /etc/inet/hosts
# Internet host table
#
::1     localhost
127.0.0.1         localhost
192.168.3.70      myhost     loghost
192.168.3.20      zone1-192-168-3-20
192.168.3.22      zone2-192-168-3-22

ProcedureHow to Remove the Virtual Network Without Removing the Zones

The following procedure shows how to take down a virtual network while leaving its zones intact. The instructions refer to the virtual network that is configured in Configuring a Basic Virtual Network.

Use this procedure if you must do any of the following:

Before You Begin

This task assumes that you have a running virtual network that consists of exclusive IP zones.

  1. On the system with the virtual network, become superuser or assume the equivalent root role in the global zone.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Verify the state of the currently configured zones.


    # zoneadm list -v
    

    For example, you receive output similar to the following:


    ID  NAME     STATUS       PATH                           BRAND            IP
     0  global   running      /                              native           shared
     1  zone1    running      /export/home/zone1             native           excl 
     2  zone2    running      /export/home/zone2             native           excl
  3. Halt the exclusive IP zones of the virtual network.

    Issue the following command separately for each zone to be halted.


    # zoneadm -z zone-name halt
    

    Replace zone-name with the name of each zone.

    When you halt the zone, you remove the zone's application environment and terminate a number of system activities, as explained in Halting a Zone in System Administration Guide: Virtualization Using the Solaris Operating System.

  4. Verify that the zones have been halted.


    # zoneadm list -iv
    

    You receive output similar to the following:


    ID NAME             STATUS     PATH                           BRAND    IP
     0 global           running    /                              native   shared
     - zone1            installed  /export/home/zone1             native   excl
     - zone2            installed  /export/home/zone2             native   excl

    Note that the zones are no longer running, although they remain installed. To reboot a halted zone, refer to How to Boot a Zone in System Administration Guide: Virtualization Using the Solaris Operating System.

  5. Review the state of the VNICs that were configured for the halted zones.


    # dladm show-vnic
    

    You receive output similar to the following:


    LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
    vnic1       e1000g0      1000 Mbps  2:8:20:5f:84:ff    random
    vnic2       e1000g0      1000 Mbps  2:8:20:54:f4:74    random

    The output shows that the VNICs still exist as data links in the global zone. A VNIC that is assigned to an exclusive IP zone is plumbed and brought up only inside that zone, which is now halted; the global zone sees the VNIC as a data link but never has an IP interface on it.

  6. Delete the VNICs.


    # dladm delete-vnic vnic-link-name 
    

    For example, you would type the following to delete the two VNICs of the zones in Figure 10–1:


    # dladm delete-vnic vnic1
    # dladm delete-vnic vnic2
    
Next Steps

You can perform further operations on the existing zones, as required.

Configuring a Private Virtual Network

The tasks in this section explain how to configure a private virtual network on a single system. If you need to isolate a software development environment from the external network, consider creating a private virtual network on a single host.


Note –

Private virtual networks are quite different from virtual private networks (VPNs). VPN software creates a secure point-to-point link between two endpoint systems across a shared network. The private network configured by the tasks in this section is a virtual network in a box: its VNICs cannot be reached directly by external systems, and they reach the outside only through address translation in the global zone.


Pseudo-network interfaces called etherstubs are the building blocks of private virtual networks, as shown in Private Virtual Network on a Single System. You create VNICs over the etherstub, and then configure the containers over the VNICs. A firewall or similar network address translation (NAT) device translates the VNIC's private IP addresses to the routable IP address of the network interface. This enables the containers of the private network to send packets beyond the host without exposing the VNICs' private IP addresses to the external network.

ProcedureHow to Create Etherstubs and VNICs for the Private Virtual Network

This procedure uses exclusive IP zones as the containers for the private virtual network. Solaris IP Filter software performs NAT for outgoing packets from the private network.

Before You Begin

For the VNICs in the private network, use addresses from a private range that the default router of the external network does not route, and that does not overlap the prefix of the host's external network interface. For the network interface itself, use an IP address that is routable on the host's external network.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Create the etherstub for the private virtual network.


    # dladm create-etherstub etherstub-link-name
    

    For example, to create an etherstub called etherstub0, you would type the following:


    # dladm create-etherstub etherstub0
    
  3. Verify that the etherstub was created.


    # dladm show-etherstub
    

    You should receive output similar to the following:


    LINK
    etherstub0
  4. Create VNICs over the etherstub.


    # dladm create-vnic -l etherstub-link-name vnic-link-name
    

    For example, you might type the following:


    # dladm create-vnic -l etherstub0 vnic0
    

    Reserve one VNIC for the global zone. The global zone consists of all applications and services of a system's working environment that have not been delegated to a zone or virtual machine.

    Then, create at least two more VNICs for the exclusive IP zones of the private network. The virtual switch is automatically created with the first VNIC.

  5. Verify that the VNICs are correctly created over the etherstub.


    # dladm show-link
    

    You should receive output similar to the following:


    LINK        CLASS    MTU    STATE    OVER
    e1000g0     phys     1500   up       --
    vnic0       vnic     9000   up       etherstub0

    The “OVER” column contains the entry etherstub0 in the vnic0 row, indicating that vnic0 is created over etherstub0.

  6. Create the exclusive IP zones.

  7. Install the zones.

    Use Steps 1–4 in the procedure How to Install the Exclusive IP Zone on a VNIC.


    Note –

    Do not boot the zones at this time. You boot them as part of the next procedure, How to Configure Routing and Network Address Translation for the Private Virtual Network.


ProcedureHow to Configure Routing and Network Address Translation for the Private Virtual Network

Before You Begin

This procedure assumes that you have created the etherstub, VNICs, and exclusive IP zones or virtual machines for the private network, as described in How to Create Etherstubs and VNICs for the Private Virtual Network.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Check the status of the host's network interface.


    # ifconfig -a
    

    You should receive output similar to the following:


    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
            ether 0:14:4f:94:d0:40

    The interface, e1000g0 in this case, must be configured and plumbed before you can use it as part of the virtual network.

  3. Assign an IP address to the VNIC that you reserved for the global zone.

    Make sure that all IP addresses that you assign to the VNICs on this host are private, reserved for use on this host only. Do not use the IP address prefix of the public network to which the network interface is connected as the network portion of the VNIC's IP address.

    For example, the ifconfig -a command above shows the IP address 192.168.3.70 for interface e1000g0. The output indicates that the interface is on local network 192.168.3.0/24. Therefore, do not assign the IP address 192.168.3.x to the VNIC. A safer choice might be 192.168.0.250, assuming that there is no 192.168.0.0/24 network that is known to the default router.

    For specific instructions on assigning the IP address to the VNIC, refer to Steps 5 through 7 of How to Create a Virtual Network Interface.

  4. Check the status of routing protocols on the system.


    # routeadm
    

    You should receive output similar to the following:


      Configuration   Current              Current
                         Option   Configuration        System State
    ---------------------------------------------------------------
                   IPv4 routing   enabled              enabled
                   IPv6 routing   disabled             disabled
                IPv4 forwarding   disabled             disabled
                IPv6 forwarding   disabled             disabled
    
               Routing services   "route:default ripng:default"

    Note that routing is enabled but packet forwarding is disabled. You must enable IPv4 forwarding in the global zone before NAT can pass packets between the VNIC and the network interface. Enabling forwarding makes the global zone forward packets between all of its IP interfaces, so complete the IP Filter NAT rules in the following steps before you boot the zones.

  5. Enable IP forwarding.


    # routeadm -u -e ipv4-forwarding
    
  6. Create the basic packet filtering file /etc/ipf/ipnat.conf to provide network address translation.

    The next steps use Solaris IP Filter to perform NAT for outgoing packets that originate inside the private network. For an introduction to IP Filter, refer to Chapter 24, Solaris IP Filter (Overview), in System Administration Guide: IP Services.


    # cd /etc/ipf
    # vi ipnat.conf
    map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0/32

    This rule set tells the IP Filter software how to translate the source addresses of packets that leave the system through interface e1000g0. The destination 0/32 means the address of that interface, so packets from private network 192.168.0.0/24 leave with source address 192.168.3.70, the address of the global zone's interface on external network 192.168.3.0/24, which is known to the network's default router. The first rule handles TCP and UDP; portmap lets IP Filter rewrite source ports so that connections from different zones do not collide. The second rule is needed for every other protocol, such as ICMP; without it, a ping from a zone would be forwarded untranslated, with a private source address that no external host can answer.

    The rule set above implements a simple NAT scenario. Packet filtering rules, if you need them, belong in /etc/ipf/ipf.conf, not in ipnat.conf. For more information, see Configuring Solaris IP Filter in System Administration Guide: IP Services.

  7. Start IP Filter and verify that the rules in /etc/ipf/ipnat.conf are active.


    # svcadm enable network/ipfilter
    # ipnat -l
    List of active MAP/Redirect filters:
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32
    
    List of active sessions:
  8. Boot an already-installed exclusive IP zone.


    # zoneadm -z zone-name boot
    

    Repeat this step for all zones to be part of the private virtual network.

  9. Log in to each exclusive IP zone and plumb its associated VNIC.


    # zlogin zone-name
    # ifconfig vnic-link-name plumb
    # ifconfig vnic-link-name vnic-IP-address
    # ifconfig vnic-link-name up
    
  10. Exit the final zone that you configured and return to the global zone.

  11. Add entries for all VNICs in the /etc/inet/hosts file, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.

  12. Create the /etc/hostname.vnic-name file in each zone, as shown in How to Manually Configure the VNIC and Exclusive IP Zone, so that the VNIC's address persists across zone reboots.
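Steps 3 and 6 above together define the private address plan and the NAT rules that carry it, and a mistake in either is silent: a VNIC address inside the external prefix shadows a real host, and a missing plain map rule leaves ICMP untranslated. The following POSIX sh script is an added example, not part of the guide: it reads a constructed copy of the ifconfig -a output from Step 2 and a constructed ipnat.conf from Step 6, derives the external prefix from the interface's address and hex netmask, rejects any candidate VNIC address that falls inside that prefix, and confirms that both map rules (the portmap rule for TCP/UDP and the plain rule for other protocols) cover the address. No Solaris command is executed; the function names are my own, and contiguous netmasks are assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): offline check of the private-network
# address plan (Step 3) and the ipnat.conf rules (Step 6). The ifconfig output and
# ipnat.conf below are constructed copies of the ones shown in this procedure; no
# Solaris command is run. Netmasks are assumed to be contiguous (ffffff00, not ff00ff00).

# ip2int A.B.C.D -> unsigned 32-bit value
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# masklen HEXMASK -> prefix length, e.g. ffffff00 -> 24 (ifconfig prints masks in hex);
# fails on a non-contiguous mask
masklen() {
    len=0; ended=0
    for h in $(printf '%s' "$1" | sed 's/./& /g'); do
        if [ "$ended" -eq 1 ] && [ "$h" != 0 ]; then return 1; fi
        case $h in
            f|F) len=$((len + 4)) ;;
            e|E) len=$((len + 3)); ended=1 ;;
            c|C) len=$((len + 2)); ended=1 ;;
            8)   len=$((len + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   return 1 ;;
        esac
    done
    echo "$len"
}

# in_prefix ADDR NET/LEN -> true if ADDR lies inside NET/LEN
in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( 4294967295 - ((1 << (32 - len)) - 1) ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# iface_prefix IFACE "ifconfig -a output" -> NET/LEN of IFACE's IPv4 address
iface_prefix() {
    set -- $(printf '%s\n' "$2" | awk -v i="$1:" \
        'substr($1, 1, length(i)) == i { want = 1; next }
         want && $1 == "inet"        { print $2, $4; exit }')
    [ $# -eq 2 ] || return 1
    len=$(masklen "$2") || return 1
    net=$(( $(ip2int "$1") & (4294967295 - ((1 << (32 - len)) - 1)) ))
    echo "$(( net >> 24 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))/$len"
}

# nat_covers IPNAT_CONF IFACE ADDR -> true if the file holds, for IFACE, both a
# portmap map rule (TCP/UDP) and a plain map rule (ICMP and everything else)
# whose source prefix contains ADDR
nat_covers() {
    pm=0; plain=0
    while read -r kw ifc src arrow dst rest; do
        [ "$kw" = map ] && [ "$ifc" = "$2" ] || continue
        in_prefix "$3" "$src" || continue
        case $rest in portmap*) pm=1 ;; *) plain=1 ;; esac
    done < "$1"
    [ "$pm" -eq 1 ] && [ "$plain" -eq 1 ]
}

# --- constructed inputs: the ifconfig -a output from Step 2 and the ipnat.conf from Step 6 ---
IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40'
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
EOF

EXT=$(iface_prefix e1000g0 "$IFCONFIG")     # 192.168.3.0/24

# vnic_plan_ok ADDR: usable for a VNIC on this host only if it is outside the
# external prefix and both NAT rules will translate it
vnic_plan_ok() {
    if in_prefix "$1" "$EXT"; then
        echo "$1: REJECT, inside external network $EXT (the VNIC would shadow real hosts)"; return 1
    elif nat_covers "$CONF" e1000g0 "$1"; then
        echo "$1: OK, outside $EXT and covered by both map rules"; return 0
    else
        echo "$1: REJECT, not covered by a portmap rule and a plain map rule on e1000g0"; return 1
    fi
}

status=0
for a in 192.168.0.250 192.168.0.20 192.168.3.20 10.0.0.5; do
    vnic_plan_ok "$a" || status=1
done
```

On a real host, replace the two constructed inputs with the output of ifconfig -a and the contents of /etc/ipf/ipnat.conf; 192.168.3.20 is rejected because it is on the external network, and 10.0.0.5 because neither map rule would translate it.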


Example 11–7 Private Virtual Network Configuration

The following example shows the commands to implement the private virtual network that is shown in Figure 10–2.

To use the commands, you must first log in to the system's global zone as superuser or equivalent role.


# dladm create-etherstub etherstub0
# dladm show-etherstub
LINK
etherstub0
# dladm create-vnic -l etherstub0 vnic0
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2

# dladm show-vnic
LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic0       etherstub0      0 Mbps  2:8:20:c2:39:38    random
vnic1       etherstub0      0 Mbps  2:8:20:45:8f:c9    random
vnic2       etherstub0      0 Mbps  2:8:20:6b:8:ab     random

# dladm show-link
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
vnic0       vnic     9000   up       etherstub0
vnic1       vnic     9000   up       etherstub0
vnic2       vnic     9000   up       etherstub0

At this stage, you create exclusive IP zones over the VNICs and assign IP addresses to them, as explained in Configuring a Basic Virtual Network.


# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# ifconfig vnic0 plumb
# ifconfig vnic0 192.168.0.250
# ifconfig vnic0 up

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.0.250 netmask ffffff00 broadcast 192.168.0.255
        ether 2:8:20:c2:39:38
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

# routeadm -u -e ipv4-forwarding

# cd /etc/ipf
# vi ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32  portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
# svcadm enable network/ipfilter

# zoneadm -z zone1 boot
# zoneadm -z zone2 boot

Next Steps