Oracle Solaris Administration: Network Interfaces and Network Virtualization (Oracle Solaris 11 Information Library)
Configuring Components of Network Virtualization in Oracle Solaris
This section shows how to deploy the network virtualization components by configuring them for use by zones. It covers two approaches to making zones use VNICs:
Creating entirely new zones and configuring VNICs for them.
Modifying existing zone configurations to use VNICs.
When you first log in to a system, you are automatically in its global zone. You create VNICs on the global zone. Then you further configure these VNICs depending on whether they are to be used by the global zone or non-global exclusive type zones. For an introduction to zones, refer to Zones Overview in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
Creating New Zones for Use With VNICs
Use this approach if no configured zones exist on the system, or if you want to create new zones to use VNICs.
How to Create and Configure the Exclusive IP Zone
To use VNICs, a zone must be configured as an exclusive IP zone. The steps that follow configure zone1 with vnic1. You must perform the same steps to configure zone2. For clarity, the prompts indicate in which zone a specific command is issued. However, the actual path that the prompts display might vary depending on the prompt settings of your specific system.
When creating zones, you can set several parameters. The zone procedures throughout this chapter focus only on those parameters that are relevant to make the zone operate with VNICs. For more detailed information about zone configuration, refer to Part II, Oracle Solaris Zones, in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
Before You Begin
Make sure you have accomplished the following:
Created the VNICs for the zones, as explained in How to Create a Virtual Network Interface.
Defined the zone names.
Determined zone home directories.
Determined the specific VNIC to be associated with a specific zone.
Determined the IP addresses for the VNICs.
Obtained other network information such as router address to supply to the zone.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
global# zonecfg -z zone
zonecfg:zone> create
zonecfg:zone> set zonepath=/home/export/zone
zonecfg:zone> set autoboot=true
zonecfg:zone> set ip-type=exclusive
zonecfg:zone> add net
zonecfg:zone:net> set physical=vnic
zonecfg:zone:net> end
zonecfg:zone> verify
zonecfg:zone> commit
zonecfg:zone> exit
global#
global# zonecfg -z zone info
Note - You can display the same information while running the zone configuration utility by typing the following:
zonecfg:zone> info
global# zoneadm -z zone install
Note - The installation process can take a while.
global# zoneadm list -iv
Note - The -iv option lists all configured zones regardless of whether they are running or not. At this stage, the status of the zone you just created will be “installed” rather than “running.” If you use the -v option, only zones that are running are listed, and the zone you just created will be excluded.
global# zoneadm -z zone boot
global# zoneadm list -v
# zlogin -C zone
This information includes the terminal type, region, language, and so on. Most of it is supplied by selecting from a list of choices. Typically, the default options suffice unless your system configuration requires otherwise.
The following information is relevant to the current procedure, and you must supply or verify it:
Host name of the zone, for example zone1.
IP address of the zone, which is the IP address assigned to the zone's VNIC.
Whether IPv6 should be enabled.
Whether the system with the virtual network is part of a subnet.
Netmask of the IP address.
Default route, which can be the IP address of the physical interface on which the virtual network is built.
After you have supplied the required information for the zone, the zone is restarted.
Example 19-3 Configuring a Basic Virtual Network by Creating Zones and VNICs
This example consolidates all the steps previously provided for creating zones and VNICs to configure the virtual network. The example uses zone1 as the sample zone.
The example is based on the following assumptions:
VNICs: vnic1
Zone names: zone1
Zone home directories: /home/export/zone-name.
VNIC zone assignments: vnic1 for zone1
IP addresses: vnic1 uses 192.168.3.80
Physical interface IP address: 192.168.3.70
Router address: 192.168.3.25
global# dladm show-phys
LINK         MEDIA         STATE    SPEED  DUPLEX   DEVICE
net0         Ethernet      up       1000   full     e1000g0
net1         Ethernet      unknown  1000   full     bge0
global# dladm show-link
LINK         CLASS    MTU    STATE    BRIDGE  OVER
net0         phys     1500   up       --      --
net1         phys     1500   unknown  --      --
global# ipadm show-if
IFNAME     CLASS     STATE    ACTIVE  OVER
lo0        loopback  ok       yes     --
net0       ip        ok       yes     --
global# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/?             static   ok       127.0.0.1/8
net0/v4addr       static   ok       192.168.3.70/24
global# dladm create-vnic -l net0 vnic1
global# dladm show-vnic
LINK         OVER         SPEED      MACADDRESS        MACADDRTYPE
vnic1        net0         1000 Mbps  2:8:20:5f:84:ff   random
global# ipadm create-ip vnic1
global# ipadm create-addr -T static -a 192.168.3.80/24 vnic1/v4address
global# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/?             static   ok       127.0.0.1/8
net0/v4addr       static   ok       192.168.3.70/24
vnic1/v4address   static   ok       192.168.3.80/24
global# cat /etc/hosts
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost    #For net0
192.168.3.80 zone1      #using vnic1
global# zonecfg -z zone1
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> info
zonename: zone1
zonepath: /export/home/zone1
brand: native
autoboot: true
net:
        address not specified
        physical: vnic1
zonecfg:zone1> commit
zonecfg:zone1> exit
global#
global# zoneadm -z zone1 verify
WARNING: /export/home/zone1 does not exist, so it could not be verified.
When 'zoneadm install' is run, 'install' will try to create
/export/home/zone1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /export/home/zone1 is group- or other-writable
or
/export/home/zone1 overlaps with any other installed zones.
global# zoneadm -z zone1 install
Preparing to install zone <zone1>
Creating list of files to copy from the global zone.
.
.
Zone <zone1> is initialized.
global# zoneadm list -iv
  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   - zone1    installed  /export/home/zone1   native   excl
global# zoneadm -z zone1 boot
global# zoneadm list -v
  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   1 zone1    running    /export/home/zone1   native   excl
global# zlogin -C zone1
What type of terminal are you using?
.
.
.
 8) Sun Workstation
 9) Televideo 910
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
14) Other
Type the number of your choice and press Return: 13
.
(More prompts)
.
.
Provide the information as prompted. For network information, supply the following:
Hostname: zone1
IP address: 192.168.3.80
System part of a subnet: Yes
Netmask: 255.255.255.0
Enable IPv6: No
Default route: 192.168.3.70
Router IP address: 192.168.3.25
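The zoneadm verify output in the example above warns that installation will fail if the parent directory of the zonepath is group- or other-writable. The following script, added here as an example and not taken from the Oracle Solaris documentation, reproduces that permission test with portable sh and ls so it can be run before zoneadm install. The function names and the temporary directory tree it builds for demonstration are constructed for this example; on a real system you would call zonepath_parent_ok with the actual zonepath, such as /export/home/zone1.

```shell
#!/bin/sh
# Pre-flight check for the zonepath warning printed by `zoneadm verify`
# (added example; not part of the Oracle Solaris documentation).
# zoneadm rejects a zonepath whose parent directory is group- or
# other-writable, because a writable parent would let another account
# replace or tamper with the zone root. This reproduces that test.

# zonepath_parent_mode <zonepath> -> prints the 10-character mode string
# of the parent directory (for example drwxr-xr-x); returns 1 if the
# parent does not exist
zonepath_parent_mode() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || return 1
    ls -ld "$parent" | cut -c1-10
}

# zonepath_parent_ok <zonepath> -> 0 if the parent exists and is neither
# group-writable (6th mode character) nor other-writable (9th character)
zonepath_parent_ok() {
    mode=$(zonepath_parent_mode "$1") || return 1
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Demonstration on a constructed temporary tree: "export" has the safe
# mode 755, "shared" is group-writable (775) and must be rejected.
demo_root=$(mktemp -d) || exit 1
mkdir "$demo_root/export" "$demo_root/shared"
chmod 755 "$demo_root/export"
chmod 775 "$demo_root/shared"
for zp in "$demo_root/export/zone1" "$demo_root/shared/zone1"; do
    if zonepath_parent_ok "$zp"; then
        echo "ok:   parent of $zp is $(zonepath_parent_mode "$zp")"
    else
        echo "FAIL: parent of $zp is $(zonepath_parent_mode "$zp") (group- or other-writable)"
    fi
done
rm -rf "$demo_root"
```

The check reads only the mode string, so it works on any POSIX system; it does not cover the second condition in the warning, overlap with another installed zone's path, which zoneadm itself verifies during install.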
Next Steps
You can use various tools to observe network traffic and take statistics on zone usage.
To verify that your network is properly configured, refer to Chapter 5, Administering a TCP/IP Network, in Oracle Solaris Administration: IP Services.
To observe traffic over the network, refer to Monitoring Packet Transfers With the snoop Command in Oracle Solaris Administration: IP Services.
To manage how the network uses system resources, refer to Chapter 21, Managing Network Resources.
To obtain statistics for accounting purposes, refer to Chapter 22, Monitoring Network Traffic and Resource Usage.
If you need to disassemble the virtual network, refer to How to Remove the Virtual Network Without Removing the Zones.
Modifying the Configuration of Existing Zones to Use VNICs
Use this approach if you want existing zones to use VNICs. In this case, the zones already have zone names, and their home directories (zonepaths) are already defined.
How to Reconfigure a Zone to Use a VNIC
Before You Begin
Make sure you have accomplished the following:
Created the VNICs for the zones, as explained in How to Create a Virtual Network Interface.
Determined the specific VNIC to be associated with a specific zone.
Determined the IP addresses for the VNICs.
Obtained other network information such as router address to supply to the zone.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
global# zoneadm list -v
Note - The -v option lists only zones that are running. To list all configured zones including those that have not been started, use the -iv option.
global# zonecfg -z zone info
Check the information about IP type and network interface. The network interface is designated by the parameter physical. For a zone to be configured with a VNIC, the zone must be an exclusive IP zone and the network interface must specify the VNIC.
global# zonecfg -z zone
zonecfg:zone> set ip-type=exclusive
zonecfg:zone> remove net physical=non-vnic-interface
zonecfg:zone> add net
zonecfg:zone:net> set physical=vnic
zonecfg:zone:net> end
zonecfg:zone> verify
zonecfg:zone> commit
zonecfg:zone> exit
global#
global# zoneadm -z zone reboot
global# zonecfg -z zone info ip-type
global# zonecfg -z zone info net
The information must show that the zone's IP type is exclusive and that it uses the designated VNIC.
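The verification step above is a two-part check: the zone's IP type must be exclusive, and the net resource's physical property must name a VNIC that actually exists as a datalink in the global zone. The script below, added as an example and not taken from the Oracle Solaris documentation, parses the text that zonecfg info and dladm show-vnic print and applies both checks. The zonecfg and dladm outputs embedded in it are constructed samples modelled on the output format shown in this chapter, and the function names are this example's own; on a live system you would feed it the real command output, for instance "$(zonecfg -z zone2 info)" and "$(dladm show-vnic)".

```shell
#!/bin/sh
# Audit a zone configuration for VNIC use (added example; not from the
# Oracle Solaris documentation). Parses `zonecfg -z <zone> info` and
# `dladm show-vnic` output and reports whether the zone is exclusive-IP
# and its net resource points at an existing VNIC.

# Constructed sample of `zonecfg -z zone2 info` after reconfiguration.
ZONECFG_OK='zonename: zone2
zonepath: /export/home/zone2
brand: native
autoboot: true
ip-type: exclusive
net:
        address not specified
        physical: vnic2
        defrouter not specified'

# Constructed sample of a zone that is still shared-IP on the physical NIC.
ZONECFG_BAD='zonename: zone3
zonepath: /export/home/zone3
brand: native
autoboot: true
ip-type: shared
net:
        address not specified
        physical: e1000g0
        defrouter not specified'

# Constructed sample of `dladm show-vnic` output in the global zone.
SHOW_VNIC='LINK         OVER         SPEED      MACADDRESS        MACADDRTYPE
vnic1        net0         1000 Mbps  2:8:20:5f:84:ff   random
vnic2        net0         1000 Mbps  2:8:20:54:f4:74   random'

# zone_ip_type <zonecfg-info-text> -> prints the ip-type value
zone_ip_type() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "ip-type" { print $2 }'
}

# zone_net_physical <zonecfg-info-text> -> prints each "physical:" value
# that sits under a net resource (one per line); other resources
# (for example inherit-pkg-dir) are skipped
zone_net_physical() {
    printf '%s\n' "$1" | awk -F': *' '
        /^[^ \t]/ { in_net = ($1 == "net") }
        in_net && $1 ~ /^[ \t]*physical$/ { print $2 }'
}

# vnic_exists <show-vnic-text> <link> -> 0 if <link> appears in the LINK column
vnic_exists() {
    printf '%s\n' "$1" | awk -v want="$2" \
        'NR > 1 && $1 == want { found = 1 } END { exit !found }'
}

# check_zone_vnic <zonecfg-info-text> <show-vnic-text>
# -> 0 when the zone is exclusive-IP and every net physical is an existing
#    VNIC; otherwise prints each problem to stderr and returns 1
check_zone_vnic() {
    cfg=$1; vnics=$2; rc=0
    if [ "$(zone_ip_type "$cfg")" != "exclusive" ]; then
        echo "ip-type is not exclusive" >&2; rc=1
    fi
    phys=$(zone_net_physical "$cfg")
    if [ -z "$phys" ]; then
        echo "no net resource configured" >&2; rc=1
    fi
    for link in $phys; do
        vnic_exists "$vnics" "$link" || {
            echo "$link is not a VNIC in dladm show-vnic" >&2; rc=1; }
    done
    return $rc
}

# Demonstration on the constructed samples
for cfg in "$ZONECFG_OK" "$ZONECFG_BAD"; do
    name=$(printf '%s\n' "$cfg" | awk -F': *' '$1 == "zonename" { print $2 }')
    if check_zone_vnic "$cfg" "$SHOW_VNIC"; then
        echo "$name: ready for VNIC use"
    else
        echo "$name: needs reconfiguration"
    fi
done
```

Because the VNIC is a global-zone datalink while the IP interface lives inside the zone, cross-checking zonecfg against dladm show-vnic catches the common mistake of committing a zone configuration that names a VNIC that was never created, which zonecfg verify does not detect on its own.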
global# zlogin zone
If you are assigning a static address to the VNIC, you would type the following:
zone# ipadm create-addr -T static -a address addrobj
where address can use CIDR notation and addrobj follows the naming convention interface/user-defined-string.
zone# ipadm show-if
or
zone# ipadm show-addr
Example 19-4 Configuring a Basic Virtual Network by Modifying Zone Configuration to Use VNICs
This example uses the same system and operates on the same assumptions as the previous example. Suppose that in this system, zone2 already exists as a shared zone. You want to modify zone2 to use vnic2.
global# dladm show-link
LINK         CLASS    MTU    STATE    BRIDGE  OVER
net0         phys     1500   up       --      --
net1         phys     1500   unknown  --      --
vnic1        vnic     1500   up       --      e1000g0
global# ipadm show-if
IFNAME     CLASS     STATE    ACTIVE  OVER
lo0        loopback  ok       yes     --
net0       ip        ok       yes     --
vnic1      ip        ok       yes     --
global# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/?             static   ok       127.0.0.1/8
net0/v4addr       static   ok       192.168.3.70/24
vnic1/v4address   static   ok       192.168.3.80/24
global# dladm create-vnic -l net0 vnic2
global# dladm show-vnic
LINK         OVER         SPEED      MACADDRESS        MACADDRTYPE
vnic1        net0         1000 Mbps  2:8:20:5f:84:ff   random
vnic2        net0         1000 Mbps  2:8:20:54:f4:74   random
global# zoneadm list -v
  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   1 zone1    running    /export/home/zone1   native   excl
   2 zone2    running    /export/home/zone2   native   shared
global# zonecfg -z zone2 info
zonename: zone2
zonepath: /export/home/zone2
brand: native
autoboot: true
bootargs:
pool: z2-pool
limitpriv:
scheduling-class:
ip-type: shared
hostid:
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
inherit-pkg-dir:
        dir: /etc/crypto
net:
        address not specified
        physical: e1000g0
        defrouter not specified
global#
global# zonecfg -z zone2
zonecfg:zone2> set ip-type=exclusive
zonecfg:zone2> remove net physical=e1000g0
zonecfg:zone2> add net
zonecfg:zone2:net> set physical=vnic2
zonecfg:zone2:net> end
zonecfg:zone2> verify
zonecfg:zone2> commit
zonecfg:zone2> exit
global#
global# zonecfg -z zone2 info ip-type
ip-type: exclusive
global#
global# zonecfg -z zone2 info net
net:
        address not specified
        physical: vnic2
        defrouter not specified
global#
global# zlogin zone2
zone2# ipadm create-ip vnic2
zone2# ipadm create-addr -T static -a 192.168.3.85/24 vnic2/v4address
zone2# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/v4            static   ok       127.0.0.1/8
vnic2/v4address   static   ok       192.168.3.85/24
zone2# exit
global#
global# vi /etc/hosts
#
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost    #For e1000g0
192.168.3.80 zone1      #using vnic1
192.168.3.85 zone2      #using vnic2
Next Steps
You can either configure the network setup further to customize use of system resources, or use various tools to observe network traffic and take statistics on resource usage.
To verify that your network is properly configured, refer to Chapter 5, Administering a TCP/IP Network, in Oracle Solaris Administration: IP Services.
To observe traffic over the network, refer to Monitoring Packet Transfers With the snoop Command in Oracle Solaris Administration: IP Services.
To manage how the network uses system resources, refer to Chapter 21, Managing Network Resources.
To obtain statistics for accounting purposes, refer to Chapter 22, Monitoring Network Traffic and Resource Usage.
If you need to disassemble the virtual network, refer to How to Remove the Virtual Network Without Removing the Zones.
Creating a Private Virtual Network
The example in this section shows how to configure a private virtual network on a single system. Private virtual networks are different from virtual private networks (VPNs). VPN software creates a secure point-to-point link between two endpoint systems. The private network configured by the tasks in this section is a virtual network within a single system that cannot be reached by external systems.
To allow the zones of the private network to send packets beyond the host, configure a network address translation (NAT) device. NAT translates the VNICs' private IP addresses to the routable IP address of the physical network interface, without exposing the private addresses to the external network. Routing configuration is also included in the following example.
Example 19-5 Creating a Private Virtual Network Configuration
The following example uses the same system and proceeds on the same assumptions as the previous examples. Specifically, zone1 and zone2 are already configured as part of the virtual network. Suppose that zone3 already exists on the system. You will modify zone3 to become a private network isolated from the rest of the network. Then you will configure NAT and IP forwarding so that the private virtual network can send packets outside the host while still concealing its private addresses from the external network.
global# dladm create-etherstub stub0
global# dladm create-vnic -l stub0 vnic3
global# dladm show-vnic
LINK         OVER         SPEED      MACADDRESS        MACADDRTYPE
vnic1        net0         1000 Mbps  2:8:20:5f:84:ff   random
vnic2        net0         1000 Mbps  2:8:20:54:f4:74   random
vnic3        stub0        0 Mbps     2:8:20:6b:8:ab    random
global# vi /etc/hosts
#
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost    #For e1000g0
192.168.3.80 zone1      #using vnic1
192.168.3.85 zone2      #using vnic2
At this stage, you modify zone3 to become an exclusive IP zone over vnic3.
global# zonecfg -z zone3
zonecfg:zone3> set ip-type=exclusive
zonecfg:zone3> remove net physical=e1000g0
zonecfg:zone3> add net
zonecfg:zone3:net> set physical=vnic3
zonecfg:zone3:net> end
zonecfg:zone3> verify
zonecfg:zone3> commit
zonecfg:zone3> exit
global#
global# zonecfg -z zone3 info ip-type
ip-type: exclusive
global#
global# zonecfg -z zone3 info net
net:
        address not specified
        physical: vnic3
        defrouter not specified
global#
global# zlogin zone3
zone3# ipadm create-ip vnic3
zone3# ipadm create-addr -T static -a 192.168.0.10/24 vnic3/privaddr
zone3# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/v4            static   ok       127.0.0.1/8
vnic3/privaddr    static   ok       192.168.0.10/24
zone3# exit
global# ipadm show-addr
ADDROBJ           TYPE     STATE    ADDR
lo0/v4            static   ok       127.0.0.1/8
net0/v4addr       static   ok       192.168.3.70/24
vnic1/v4address   static   ok       192.168.3.80/24
vnic2/v4address   static   ok       192.168.3.85/24
vnic3/privaddr    static   ok       192.168.0.10/24
global# vi /etc/hosts
::1 localhost
127.0.0.1 localhost
192.168.3.70 loghost    #For e1000g0
192.168.3.80 zone1      #using vnic1
192.168.3.85 zone2      #using vnic2
192.168.0.10 zone3      #using vnic3
global# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   disabled             disabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"
global# ipadm set-ifprop -p forwarding=on -m ipv4 e1000g0
global# vi /etc/ipf/ipnat.conf
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
global# svcadm enable network/ipfilter
global# zoneadm -z zone1 boot
global# zoneadm -z zone2 boot
global# zoneadm -z zone3 boot
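The two map rules in the ipnat.conf above are what keep the private network private: only the etherstub prefix 192.168.0.0/24 is translated, and only out through the physical interface. A rule with a wider source, or one that translates out a VNIC instead of the physical interface, would silently pull zone1 and zone2 traffic into the NAT as well. The script below, added here as an example and not taken from the Oracle Solaris documentation, parses map rules from ipnat.conf text and reports any that violate that policy. The ipnat.conf text embedded in it is constructed for the demonstration: its first two rules are the chapter's own and the last two are deliberately wrong; the function names and the PRIVATE_PREFIX and PHYS_IF variables are this example's. On a live system you would pass "$(cat /etc/ipf/ipnat.conf)" instead.

```shell
#!/bin/sh
# Audit of ipnat.conf map rules for the private virtual network
# (added example; not from the Oracle Solaris documentation).
# Policy: every map rule must translate exactly the etherstub's private
# prefix and must go out the physical interface, nothing else.

PRIVATE_PREFIX=192.168.0.0/24     # the etherstub network used by zone3
PHYS_IF=e1000g0                   # the interface named in the chapter's rules

# Constructed ipnat.conf text: rules 1-2 are correct, rules 3-4 are not.
IPNAT_CONF='# ipnat.conf for the private virtual network
map e1000g0 192.168.0.0/24 -> 0/32 portmap tcp/udp auto
map e1000g0 192.168.0.0/24 -> 0/32
map e1000g0 192.168.0.0/16 -> 0/32 portmap tcp/udp auto
map vnic1 192.168.0.0/24 -> 0/32'

# map_rules <ipnat-text> -> prints "<interface> <source-prefix>" for every
# map rule; comments and blank lines are skipped because $1 is not "map"
map_rules() {
    printf '%s\n' "$1" | awk '$1 == "map" { print $2, $3 }'
}

# audit_ipnat <ipnat-text> <allowed-prefix> <outbound-if>
# -> prints one line per offending rule (with its line number in the
#    file) and returns 1 if any were found, 0 otherwise
audit_ipnat() {
    printf '%s\n' "$1" | awk -v pfx="$2" -v ifc="$3" '
        $1 != "map" { next }
        $2 != ifc {
            printf "line %d: maps out %s, expected %s\n", NR, $2, ifc
            bad++; next
        }
        $3 != pfx {
            printf "line %d: source %s is not the private prefix %s\n", NR, $3, pfx
            bad++
        }
        END { exit bad > 0 }'
}

# Demonstration on the constructed file
echo "map rules found:"
map_rules "$IPNAT_CONF"
if audit_ipnat "$IPNAT_CONF" "$PRIVATE_PREFIX" "$PHYS_IF"; then
    echo "ipnat.conf translates only $PRIVATE_PREFIX via $PHYS_IF"
else
    echo "ipnat.conf needs attention (see the lines above)"
fi
```

The audit compares the source prefix for exact equality rather than containment, which is the strict reading of the configuration above: a /16 that happens to contain the /24 is reported, because it would also match the 192.168.3.0/24 addresses used by zone1, zone2 and the physical interface.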
How to Remove the Virtual Network Without Removing the Zones
The following procedure shows how to disable a zone's virtual network while keeping the zone intact.
Use this procedure if you must do any of the following:
Use the existing zones in a different configuration. For example, you might need to configure the zones as part of a private network that would require the zone to be created by using an etherstub.
Migrate the zones to another network.
Move the zones to a different zone path.
Clone the zones, as explained in Cloning a Non-Global Zone on the Same System in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
Before You Begin
This task assumes that you have a running virtual network that consists of exclusive IP zones.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zoneadm list -v
Information similar to the following is displayed:
  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   1 zone1    running    /export/home/zone1   native   excl
   2 zone2    running    /export/home/zone2   native   excl
   3 zone3    running    /export/home/zone3   native   excl
Issue the following command separately for each zone to be halted.
global# zoneadm -z zone-name halt
When you halt the zone, you remove the zone's application environment and terminate a number of system activities, as explained in Halting a Zone in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
# zoneadm list -iv
  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   - zone1    installed  /export/home/zone1   native   excl
   - zone2    installed  /export/home/zone2   native   excl
   - zone3    installed  /export/home/zone3   native   excl
Note that the zones are no longer running, although they remain installed. To reboot a halted zone, refer to How to Boot a Zone in Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.
# dladm show-vnic
LINK         OVER         SPEED      MACADDRESS        MACADDRTYPE
vnic1        net0         1000 Mbps  2:8:20:5f:84:ff   random
vnic2        net1         1000 Mbps  2:8:20:54:f4:74   random
vnic3        stub0        1000 Mbps  2:8:20:c2:39:38   random
The resulting output shows that the VNICs are still configured as datalinks in the global zone. However, their corresponding IP interfaces were created and enabled in the zones with which these VNICs are associated, not in the global zone. These non-global zones are now halted.
# dladm delete-vnic vnic
For example, you would type the following to delete the VNICs in the zones in Figure 18-1.
# dladm delete-vnic vnic1
# dladm delete-vnic vnic2
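The procedure above halts each zone before its VNIC is deleted, because the zone's IP interface lives on that datalink. The script below, added as an example and not taken from the Oracle Solaris documentation, turns that ordering into a pre-flight check: it parses zoneadm list -iv output and refuses to approve dladm delete-vnic for a VNIC whose zone is still running. The zoneadm output and the zone-to-VNIC table embedded in it are constructed samples in the formats shown in this chapter (the table holds what zonecfg -z zone info net reports as physical for each zone); the function names are this example's own.

```shell
#!/bin/sh
# Pre-flight check before `dladm delete-vnic` (added example; not from the
# Oracle Solaris documentation). A VNIC may be deleted only once the zone
# that owns it has been halted, so this script checks the zone's status
# in `zoneadm list -iv` output before approving the deletion.

# Constructed `zoneadm list -iv` output: zone2 was not halted.
ZONE_LIST='  ID NAME     STATUS     PATH                 BRAND    IP
   0 global   running    /                    native   shared
   - zone1    installed  /export/home/zone1   native   excl
   2 zone2    running    /export/home/zone2   native   excl
   - zone3    installed  /export/home/zone3   native   excl'

# Constructed zone-to-VNIC assignments, one "zone vnic" pair per line,
# as reported by `zonecfg -z <zone> info net` (the physical: value).
VNIC_MAP='zone1 vnic1
zone2 vnic2
zone3 vnic3'

# zone_status <list-text> <zone> -> prints the STATUS column for <zone>
zone_status() {
    printf '%s\n' "$1" | awk -v z="$2" 'NR > 1 && $2 == z { print $3 }'
}

# vnic_zone <map-text> <vnic> -> prints the zone that uses <vnic>, if any
vnic_zone() {
    printf '%s\n' "$1" | awk -v v="$2" '$2 == v { print $1 }'
}

# vnic_delete_ok <list-text> <map-text> <vnic>
# -> 0 if no zone uses the VNIC or its zone is not running; 1 otherwise
vnic_delete_ok() {
    z=$(vnic_zone "$2" "$3")
    if [ -z "$z" ]; then
        return 0
    fi
    st=$(zone_status "$1" "$z")
    if [ "$st" = "running" ]; then
        echo "$3: zone $z is still running; halt it first" >&2
        return 1
    fi
    return 0
}

# Demonstration: print the delete commands that are safe to run now
for v in vnic1 vnic2 vnic3; do
    if vnic_delete_ok "$ZONE_LIST" "$VNIC_MAP" "$v"; then
        echo "dladm delete-vnic $v"
    else
        echo "# skipped $v"
    fi
done
```

The demonstration only prints the commands; on a live system the same check can guard the real deletion, for example by running dladm delete-vnic only when vnic_delete_ok succeeds.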