This procedure assumes that you have created the etherstub, VNICs, and exclusive IP zones or virtual machines for the private network, as described in How to Create Etherstubs and VNICs for the Private Virtual Network.
On the system where you create the private virtual network, become superuser or assume the equivalent root role.
To create and assign the root role, see How to Make root User Into a Role in System Administration Guide: Security Services.
Check the status of the host's network interface.
# ifconfig -a
You should receive output similar to the following:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
The interface, e1000g0 in this case, must be configured and plumbed before you can use it as part of the virtual network.
Assign an IP address to the VNIC that you reserved for the global zone.
Make sure that all IP addresses that you assign to the VNICs on this host are private, reserved for use on this host only. Do not use the IP address prefix of the public network to which the network interface is connected as the network portion of the VNIC's IP address.
For example, the ifconfig -a command above shows the IP address 192.168.3.70 for interface e1000g0. The output indicates that the interface is on local network 192.168.3.0/24. Therefore, do not assign the IP address 192.168.3.x to the VNIC. A safer choice might be 192.168.0.250, assuming that there is no 192.168.0.0/24 network that is known to the default router.
For specific instructions on assigning the IP address to the VNIC, refer to Steps 5 through 7 of How to Create a Virtual Network Interface.
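The private-address rule above, as an added shell check that is not part of the Solaris guide: it parses a constructed ifconfig -a sample (the guide's e1000g0 values), derives the interface's network from the hexadecimal netmask, and rejects a VNIC address that lands on that network. The function names and the sample text are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: reject a candidate VNIC address
# that lies inside the physical interface's network, read from ifconfig output.

# Constructed sample of "ifconfig -a" output, mirroring the guide's example.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40'

# iface_inet IFNAME: print "address hexmask" for IFNAME from the sample output.
iface_inet() {
    printf '%s\n' "$SAMPLE_IFCONFIG" | awk -v want="$1:" '
        $1 == want { grab = 1; next }
        grab && $1 == "inet" { print $2, $4; exit }
        /^[^ \t]/ { grab = 0 }'
}

# ip_to_int: dotted-quad address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# network_of ADDRESS HEXMASK: integer network address of ADDRESS under HEXMASK.
network_of() {
    echo $(( $(ip_to_int "$1") & 0x$2 ))
}

# vnic_addr_conflicts PHYS_IP HEXMASK VNIC_IP: true (0) when VNIC_IP is on the
# same network as the physical interface, which the guide says to avoid.
vnic_addr_conflicts() {
    [ "$(network_of "$1" "$2")" -eq "$(network_of "$3" "$2")" ]
}

# check_vnic_addr IFNAME VNIC_IP: 0 when VNIC_IP is outside IFNAME's network.
check_vnic_addr() {
    set -- "$1" "$2" $(iface_inet "$1")   # $3 = interface address, $4 = hexmask
    if vnic_addr_conflicts "$3" "$4" "$2"; then
        echo "REJECT: $2 is on $1's network $3/$4" >&2
        return 1
    fi
    echo "OK: $2 is outside $1's network"
}

check_vnic_addr e1000g0 192.168.0.250
```

On a live system you would feed the real `ifconfig -a` output into SAMPLE_IFCONFIG instead of the constructed sample.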
Check the status of routing protocols on the system.
# routeadm
You should receive output similar to the following:
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"
Note that routing is enabled but packet forwarding is disabled. You need to enable IPv4 forwarding in the global zone before you set up NAT or other rules through the IP Filter firewall.
Enable IP forwarding.
# routeadm -u -e ipv4-forwarding
Create the basic packet filtering file /etc/ipf/ipnat.conf to provide network address translation.
The next steps use Solaris IP Filter to perform NAT for outgoing packets that originate inside the private network. For an introduction to IP Filter, refer to Chapter 24, Solaris IP Filter (Overview), in System Administration Guide: IP Services.
# cd /etc/ipf
# vi ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
This rule set tells the IP Filter software how to translate the IP addresses of outgoing packets as they reach interface e1000g0 on their way out of the system. Any TCP and UDP packets that arrive from private network 192.168.0.0/24 have their source IP addresses translated to the address of the global zone before exiting the system. The global zone has the same IP address as network interface e1000g0, 192.168.3.70. This interface is connected to external network 192.168.3.0/24, which is known to the network's default router.
The rule set above implements a simple NAT scenario, but you can also add packet filtering rules to /etc/ipf/ipnat.conf, if required. For more information, see Configuring Solaris IP Filter in System Administration Guide: IP Services.
Start IP Filter and verify that the rules in /etc/ipf/ipnat.conf are active.
# svcadm enable network/ipfilter
# ipnat -l
List of active MAP/Redirect filters:
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32

List of active sessions:
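To confirm that the rules IP Filter loaded are the rules you wrote, here is an added shell check that is not from the guide: it normalises the 0/32 shorthand in the file to the 0.0.0.0/32 form that ipnat -l prints, then compares the two rule lists. The sample texts are constructed from the guide's values and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris guide: compare the NAT rules written to
# /etc/ipf/ipnat.conf with what "ipnat -l" reports as active. ipnat prints the
# shorthand 0/32 as 0.0.0.0/32, so both sides are normalised before comparing.

# Constructed sample file contents and "ipnat -l" output, matching the guide.
SAMPLE_IPNAT_CONF='map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32'

SAMPLE_IPNAT_L='List of active MAP/Redirect filters:
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0.0.0.0/32

List of active sessions:'

# normalise_rules: keep only map/rdr lines, expand 0/32 to 0.0.0.0/32,
# squeeze whitespace, and sort so that rule order does not matter.
normalise_rules() {
    grep -E '^(map|rdr) ' | sed -e 's#-> 0/32#-> 0.0.0.0/32#' \
        -e 's/[[:space:]]\{1,\}/ /g' -e 's/ *$//' | sort
}

# nat_rules_match CONF_TEXT IPNAT_L_TEXT: 0 when every configured rule is active
# and no unexpected rule is active; prints both lists on stderr otherwise.
nat_rules_match() {
    want=$(printf '%s\n' "$1" | normalise_rules)
    have=$(printf '%s\n' "$2" | normalise_rules)
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "configured NAT rules and active NAT rules differ:" >&2
    echo "--- configured" >&2; echo "$want" >&2
    echo "--- active" >&2; echo "$have" >&2
    return 1
}

nat_rules_match "$SAMPLE_IPNAT_CONF" "$SAMPLE_IPNAT_L" && echo "NAT rules active as configured"
```

On a live system, replace the two samples with `cat /etc/ipf/ipnat.conf` and `ipnat -l` respectively.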
Boot an already-installed exclusive IP zone.
# zoneadm -z zone-name boot
Repeat this step for all zones to be part of the private virtual network.
Log in to each exclusive IP zone and plumb its associated VNIC.
# zlogin zone-name
# ifconfig vnic-link-name plumb
# ifconfig vnic-link-name vnic-IP-address
# ifconfig vnic-link-name up
Exit the final zone that you configured and return to the global zone.
Add entries for all VNICs in the /etc/inet/hosts file, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.
Edit the /etc/hostname/vnic-name files, as shown in How to Manually Configure the VNIC and Exclusive IP Zone.
The following example shows the commands to implement the private virtual network that is shown in Figure 10–2.
To use the commands, you must first log in to the system's global zone as superuser or equivalent role.
# dladm create-etherstub etherstub0
# dladm show-etherstub
LINK
etherstub0
# dladm create-vnic -l etherstub0 vnic0
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2
# dladm show-vnic
LINK         OVER         SPEED  MACADDRESS         MACADDRTYPE
vnic0        etherstub0   0 Mbps 2:8:20:c2:39:38    random
vnic1        etherstub0   0 Mbps 2:8:20:45:8f:c9    random
vnic2        etherstub0   0 Mbps 2:8:20:6b:8:ab     random

# dladm show-link
LINK         CLASS    MTU    STATE    OVER
e1000g0      phys     1500   up       --
vnic0        vnic     9000   up       etherstub0
vnic1        vnic     9000   up       etherstub0
vnic2        vnic     9000   up       etherstub0
At this stage, you create the exclusive IP zones over the VNICs, configure them, and assign IP addresses to them, as explained in Configuring a Basic Virtual Network.
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
# ifconfig vnic0 plumb
# ifconfig vnic0 192.168.0.250
# ifconfig vnic0 up
# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
e1000g0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.3.70 netmask ffffff00 broadcast 192.168.3.255
        ether 0:14:4f:94:d0:40
vnic0: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 9000 index 5
        inet 192.168.0.250 netmask ffffff00 broadcast 192.168.0.255
        ether 2:8:20:c2:39:38
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"
# routeadm -u -e ipv4-forwarding
# cd /etc/ipf
# vi ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
# svcadm enable network/ipfilter
# zoneadm -z zone1 boot
# zoneadm -z zone2 boot
Test the connectivity of the private network by using the various observability tasks in Chapter 12, Administering Virtual Networks and Resource Controls (Tasks).
Create a firewall that filters outgoing packets from the private network. For more information, see Configuring Solaris IP Filter in System Administration Guide: IP Services.