System Administration Guide: Network Interfaces and Network Virtualization

Configuring a Private Virtual Network

The tasks in this section explain how to configure a private virtual network on a single system. If you need to isolate a software development environment from the external network, consider creating a private virtual network on a single host.


Note –

Private virtual networks are quite different from virtual private networks (VPNs). VPN software creates a secure point-to-point link between two endpoint systems. The private network configured by the tasks in this section is a virtual network on a box that cannot be accessed by external systems.


Pseudo-network interfaces called etherstubs are the building blocks of private virtual networks, as shown in Private Virtual Network on a Single System. You create VNICs over the etherstub, and then configure the containers over the VNICs. A firewall or similar network address translation (NAT) device translates the VNIC's private IP addresses to the routable IP address of the network interface. This enables the containers of the private network to send packets beyond the host without exposing the VNICs' private IP addresses to the external network.

Procedure: How to Create Etherstubs and VNICs for the Private Virtual Network

This procedure uses exclusive IP zones as the containers for the private virtual network. Solaris IP Filter software performs NAT for outgoing packets from the private network.

Before You Begin

For the VNICs in the private network configuration, be sure to create private IP addresses that cannot be forwarded by the default router of the external network. However, for the network interface, use an IP address that is routable on the host's external network.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Create the etherstub for the private virtual network.


    # dladm create-etherstub etherstub-link-name
    

    For example, to create an etherstub called etherstub0, you would type the following:


    # dladm create-etherstub etherstub0
    
  3. Verify that the etherstub was created.


    # dladm show-etherstub
    

    You should receive output similar to the following:


    LINK
    etherstub0
  4. Create VNICs over the etherstub.


    # dladm create-vnic -l etherstub-link-name vnic-link-name
    

    For example, you might type the following:


    # dladm create-vnic -l etherstub0 vnic0
    

    Reserve one VNIC for the global zone. The global zone consists of all applications and services of a system's working environment that have not been delegated to a zone or virtual machine.

    Then, create at least two more VNICs for the exclusive IP zones of the private network. The virtual switch is automatically created with the first VNIC.

  5. Verify that the VNICs are correctly created over the etherstub.


    # dladm show-link
    

    You should receive output similar to the following:


    LINK        CLASS    MTU    STATE    OVER
    e1000g0     phys     1500   up       --
    vnic0       vnic     9000   up       etherstub0

    The “OVER” column contains the entry etherstub0 in the vnic0 row, indicating that vnic0 is created over etherstub0.

  6. Create the exclusive IP zones.

  7. Install the zones.

    Use Steps 1–4 in the procedure How to Install the Exclusive IP Zone on a VNIC.


    Note –

    Do not boot the zones at this time. You boot them as part of the next procedure, How to Configure Routing and Network Address Translation for the Private Virtual Network.


Procedure: How to Configure Routing and Network Address Translation for the Private Virtual Network

Before You Begin

This procedure assumes that you have created the etherstub, VNICs, and exclusive IP zones or virtual machines for the private network, as described in How to Create Etherstubs and VNICs for the Private Virtual Network.

  1. On the system where you create the private virtual network, become superuser or assume the equivalent root role.

    To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.

  2. Check the status of the host's network interface.


    # ifconfig -a
    

    You should receive output similar to the following:


    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
            ether 0:14:4f:94:d0:40

    The interface, e1000g0 in this case, must be configured and plumbed before you can use it as part of the virtual network.

  3. Assign an IP address to the VNIC that you reserved for the global zone.

    Make sure that all IP addresses that you assign to the VNICs on this host are private, reserved for use on this host only. Do not use the IP address prefix of the public network to which the network interface is connected as the network portion of the VNIC's IP address.

    For example, the ifconfig -a command above shows the IP address 192.168.3.70 for interface e1000g0. The output indicates that the interface is on local network 192.168.3.0/24. Therefore, do not assign the IP address 192.168.3.x to the VNIC. A safer choice might be 192.168.0.250, assuming that there is no 192.168.0.0/24 network that is known to the default router.

    For specific instructions on assigning the IP address to the VNIC, refer to Steps 5 through 7 of How to Create a Virtual Network Interface.

  4. Check the status of routing protocols on the system.


    # routeadm
    

    You should receive output similar to the following:


                  Configuration   Current              Current
                         Option   Configuration        System State
    ---------------------------------------------------------------
                   IPv4 routing   enabled              enabled
                   IPv6 routing   disabled             disabled
                IPv4 forwarding   disabled             disabled
                IPv6 forwarding   disabled             disabled
    
               Routing services   "route:default ripng:default"

    Note that routing is enabled but packet forwarding is disabled. You need to enable IPv4 forwarding in the global zone before you set up NAT or other rules through the IP Filter firewall.

  5. Enable IP forwarding.


    # routeadm -u -e ipv4-forwarding
    
  6. Create the basic packet filtering file /etc/ipf/ipnat.conf to provide network address translation.

    The next steps use Solaris IP Filter to perform NAT for outgoing packets originated from inside the private network. For an introduction to IP Filter, refer to Chapter 24, Solaris IP Filter (Overview), in System Administration Guide: IP Services.


    # cd /etc/ipf
    # vi ipnat.conf
    map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0/32

    This rule set tells the IP Filter software how to translate the IP addresses of outgoing packets when they arrive at interface e1000g0. Any TCP and UDP packets that arrive from private network 192.168.0.0/24 have their IP addresses translated to the address of the global zone before exiting the system. The global zone has the same IP address as network interface e1000g0, 192.168.3.70. This interface is connected to external network 192.168.3.0/24, which is known to the network's default router.

    The rule set above implements a simple NAT scenario, but you can also add packet filtering rules to /etc/ipf/ipnat.conf, if required. For more information, see Configuring Solaris IP Filter in System Administration Guide: IP Services.

  7. Start IP Filter and verify that the rules in /etc/ipf/ipnat.conf are active.


    # svcadm enable network/ipfilter
    # ipnat -l
    List of active MAP/Redirect filters:
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
    map e1000g0 192.168.0.0/24 -> 0.0.0.0/32
    
    List of active sessions:
  8. Boot an already-installed exclusive IP zone.


    # zoneadm -z zone-name boot
    

    Repeat this step for all zones to be part of the private virtual network.

  9. Log in to each exclusive IP zone and plumb its associated VNIC.


    # zlogin zone-name
    # ifconfig vnic-link-name plumb
    # ifconfig vnic-link-name vnic-IP-address
    # ifconfig vnic-link-name up
    
  10. Exit the final zone that you configured and return to the global zone.

  11. Add entries for all VNICs in the /etc/inet/hosts file, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.

  12. Edit the /etc/hostname/vnic-name files, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.
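The following shell script is an added example; it is not part of this guide or of the Solaris software. It turns the two rules that Steps 3 and 6 state in prose into a pre-flight check you can run before booting the zones: the VNIC address you pick must be private and must not fall inside the network the external interface is on, and every map rule in /etc/ipf/ipnat.conf must bind that external interface with a source prefix that contains the VNIC addresses, or the zones' packets leave the system untranslated. The ifconfig -a output and the ipnat.conf rules it parses are the samples quoted in Steps 2 and 6, embedded here as constructed strings, so nothing touches a live system; the function names (ip_to_int, iface_addr_mask, is_rfc1918, in_prefix, check_vnic_addr, ipnat_maps_cover, preflight) are the example's own. The RFC 1918 test is an assumption added by the example; the procedure itself only asks for an address that the default router will not forward.

```shell
#!/bin/sh
# Pre-flight checks for the private virtual network procedure (added example,
# not from the guide). Inputs are the sample outputs quoted in the procedure,
# embedded as constructed strings, not live ifconfig/ipnat invocations.

# Sample "ifconfig -a" output from Step 2 (constructed copy of the page's text).
IFCONFIG_SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40'

# Sample /etc/ipf/ipnat.conf from Step 6 (constructed copy of the page's rules).
IPNAT_SAMPLE='map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32'

# ip_to_int a.b.c.d: dotted quad to a 32-bit integer for mask arithmetic.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# iface_addr_mask <ifconfig -a text> <interface>: prints "addr hexmask" from
# the interface's inet line, or nothing if the interface is not plumbed.
iface_addr_mask() {
    printf '%s\n' "$1" | while read -r f1 f2 f3 f4 _rest; do
        case "$f1" in
            "$2:"*) want=1; continue ;;   # header line of the wanted interface
            *:*)    want=0 ;;             # header line of some other interface
        esac
        if [ "${want:-0}" = 1 ] && [ "$f1" = inet ]; then
            printf '%s %s\n' "$f2" "$f4"
            break
        fi
    done
}

# is_rfc1918 a.b.c.d: true for 10/8, 172.16/12 and 192.168/16 (private space).
is_rfc1918() {
    n=$(ip_to_int "$1")
    [ $(( n & 0xff000000 )) -eq $(( 0x0a000000 )) ] ||
    [ $(( n & 0xfff00000 )) -eq $(( 0xac100000 )) ] ||
    [ $(( n & 0xffff0000 )) -eq $(( 0xc0a80000 )) ]
}

# in_prefix a.b.c.d w.x.y.z/len: true when the address lies inside the prefix.
in_prefix() {
    net=${2%/*}; len=${2#*/}
    mask=$(( (0xffffffff << (32 - len)) & 0xffffffff ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_vnic_addr <ifconfig -a text> <external interface> <candidate VNIC address>
# Step 3's rule: the VNIC address must be private and must not sit inside the
# network of the external interface, or the default router treats it as local.
check_vnic_addr() {
    set -- "$3" $(iface_addr_mask "$1" "$2")
    [ -n "$2" ] || { echo "external interface not found or not plumbed"; return 2; }
    is_rfc1918 "$1" || { echo "$1: not a private (RFC 1918) address"; return 1; }
    if [ $(( $(ip_to_int "$1") & 0x$3 )) -eq $(( $(ip_to_int "$2") & 0x$3 )) ]; then
        echo "$1: inside the external network of $2/$3"; return 1
    fi
    echo "$1: acceptable VNIC address"
}

# ipnat_maps_cover <ipnat.conf text> <external interface> <VNIC address>
# Step 6's rule set only works if every map rule binds the external interface
# and its source prefix contains the addresses the zones actually use.
ipnat_maps_cover() {
    printf '%s\n' "$1" | grep -q '^map ' || { echo "no map rules found"; return 1; }
    printf '%s\n' "$1" | while read -r kw dev src _rest; do
        [ "$kw" = map ] || continue
        if [ "$dev" != "$2" ]; then
            echo "rule translates on $dev, but the external interface is $2"; exit 1
        fi
        if ! in_prefix "$3" "$src"; then
            echo "rule source $src does not contain VNIC address $3"; exit 1
        fi
        echo "map rule on $dev covers $3 via $src"
    done
}

# preflight <VNIC address>: both checks against the sample data; nonzero on any problem.
preflight() {
    check_vnic_addr "$IFCONFIG_SAMPLE" e1000g0 "$1" &&
    ipnat_maps_cover "$IPNAT_SAMPLE" e1000g0 "$1"
}

preflight 192.168.0.250    # the guide's choice of address passes both checks
```

The script needs only a POSIX shell with 64-bit arithmetic and grep; on a live system you would feed it the real ifconfig -a output and the contents of /etc/ipf/ipnat.conf instead of the embedded samples. Trying it with 192.168.3.200 shows the failure Step 3 warns about (the address lands inside the external 192.168.3.0/24 network), and a VNIC address outside 192.168.0.0/24 shows why the map rule's source prefix has to match the prefix you chose for the VNICs.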


Example 11–7 Private Virtual Network Configuration

The following example shows the commands to implement the private virtual network that is shown in Figure 10–2.

To use the commands, you must first log in to the system's global zone as superuser or equivalent role.


# dladm create-etherstub etherstub0
# dladm show-etherstub
LINK
etherstub0
# dladm create-vnic -l etherstub0 vnic0
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2

# dladm show-vnic
LINK        OVER             SPEED  MACADDRESS         MACADDRTYPE
vnic0       etherstub0      0 Mbps  2:8:20:c2:39:38    random
vnic1       etherstub0      0 Mbps  2:8:20:45:8f:c9    random
vnic2       etherstub0      0 Mbps  2:8:20:6b:8:ab     random

# dladm show-link
LINK        CLASS    MTU    STATE    OVER
e1000g0     phys     1500   up       --
vnic0       vnic     9000   up       etherstub0
vnic1       vnic     9000   up       etherstub0
vnic2       vnic     9000   up       etherstub0

At this stage, you create exclusive IP zones over the VNICs, configure them, and assign IP addresses to them, as explained in Configuring a Basic Virtual Network.


# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# ifconfig vnic0 plumb
# ifconfig vnic0 192.168.0.250
# ifconfig vnic0 up

# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.0.250 netmask ffffff00 broadcast 192.168.0.255
        ether 2:8:20:c2:39:38
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

# routeadm -u -e ipv4-forwarding

# cd /etc/ipf
# vi ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32  portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
# svcadm enable network/ipfilter

# zoneadm -z zone1 boot
# zoneadm -z zone2 boot

Next Steps