Building Virtual Networks

A virtual network combines zones and the components of virtualization. You create as many zones as you require and as the system can support. Each zone has its own virtual interface. The zones in the system can communicate with each other. The virtual network as a whole connects to destinations on the larger external network.

Building a virtual network consists of one or more steps to configure etherstubs or VNICs as well as steps to configure zones. Although these are independent sets of procedures, both must be performed to complete the construction of the virtual network.

The procedures in this section proceed based on the following assumptions:

• The virtual network on the system consists of three zones. The zones are in different stages of configuration: the first zone is created as a new zone, the second zone already exists on the system and needs to be reconfigured to use a VNIC, and the third zone is designated to be a private virtual network. Thus, the procedures demonstrate various ways to prepare zones for the virtual network.

• The system's physical interface is configured with the IP address 192.168.3.70

• The router's IP address is 192.168.3.25

In each procedure in this section, more details are added to the scenario to provide a more concrete context to the steps.

When building the virtual network, some steps are performed in the global zone, and some steps are performed in a non-global zone. For clarity, the prompts in the examples after each procedure indicate in which zone a specific command is issued. However, the actual path that the prompts display might vary depending on the prompts specified for your system.

In this section, the following procedures are discussed:

• How to Configure a Zone for the Virtual Network

• How to Reconfigure a Zone to Use a VNIC

• How to Create a Private Virtual Network

How to Configure a Zone for the Virtual Network

This procedure explains how to configure a new zone with a new VNIC. Note that only the steps related to network virtualization are included in the procedure. For more detailed instructions on configuring zones, refer to Chapter 17, Planning and Configuring Non-Global Zones (Tasks), in Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.

The procedure assumes that this first zone for the virtual network is created as a fresh zone.

1. Become an administrator.

   For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

2. Configure the VNIC.

   See How to Configure VNICs and Etherstubs. However, for this specific procedure, omit the step to create an etherstub.

3. Create the zone.

   global# zonecfg -z zone

   When creating the zone, make sure that you set the ip-type parameter to exclusive, and that you assign the VNIC you had just created to be the zone's physical interface.

4. To exit the zone configuration mode, verify and then commit the configuration.
5. Install the zone.

   global# zoneadm -z zone install

   ---

   Note - The installation process can take a while.

   ---

6. Start the zone.

   global# zoneadm -z zone boot

7. After the zone completely boots up, log in to the zone.

   # zlogin -C zone

8. Supply the information as you are prompted.

   Most of the information is supplied by selecting from a list of choices. Typically, the default options suffice. To configure the virtual network, you must supply or verify the following information:

   • Host name of the zone, for example zone1.

   • IP address of the zone which is based on the IP address of the zone's VNIC.

   • Whether IPv6 should be enabled.

   • Whether the system with the virtual network is part of a subnet.

   • Netmask of the IP address.

   • Default route, which can be the IP address of the physical interface on which the virtual network is built.

   After you have supplied the required information, the zone restarts.

Example 2-2 Configuring a Zone for the Virtual Network

This example includes detailed steps to create zone1. However, only the zone parameters that are relevant to the creation of a virtual network are listed.

global # zonecfg -z zone1
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit

global# zoneadm -z zone1 install
Preparing to install zone <zone1>
Creating list of files to copy from the global zone.
.
.
Zone <zone1> is initialized.

global# zoneadm -z zone1 boot

zlogin -C zone1
What type of terminal are you using?
.
.
.
8) Sun Workstation
9) Televideo 910
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
14) Other
Type the number of your choice and press Return: 13
.
(More prompts)
..

For network information, the following information is supplied:

Hostname: zone1
IP address: 192.168.3.80
System part of a subnet: Yes
Netmask: 255.255.255.0
Enable IPv6: No
Default route: 192.168.3.70
Router IP address: 192.168.3.25

How to Reconfigure a Zone to Use a VNIC

This procedure refers to the second zone in the virtual network. The zone already exists, but its current configuration prevents it from becoming a part of the virtual network. Specifically, the zone's IP type is a shared type and its current interface is net0. Both of these configurations must be changed.

1. Become an administrator.

   For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

2. Create the VNIC.

   global# dladm create-vnic [-v vid] -l datalink vnic

   where vid refers to the VLAN ID that you assign to the VNIC. Specify the VLAN ID only if you want to create the VNIC as a VLAN.

   Do not configure the VNIC's interface yet. You will perform this step later in this procedure.

3. Change the zone's IP type from shared to exclusive.

   global# zonecfg -z zone
   zonecfg:zone1> set ip-type=exclusive
   zonecfg:zone1>

4. Change the zone's interface to use a VNIC.

   zonecfg:zone1> remove net physical=NIC
   zonecfg:zone1> add net
   zonecfg:zone1:net> set physical=vnic
   zonecfg:zone1:net> end
   zonecfg:zone1>

5. Verify and commit the changes you have implemented and then exit the zone.

   zonecfg:zone1 verify
   zonecfg:zone1> commit
   zonecfg:zone1> exit
   global#

6. Reboot the zone.

   global# zoneadm -z zone reboot

7. Log in to the zone.

   global# zlogin zone

8. Configure the VNIC with a valid IP address.

   If you are assigning a static address to the VNIC, you would type the following:

   zone# ipadm create-addr -a address interface

   where address can use CIDR notation.

9. From the global zone, add the address information to the /etc/hosts file.

Example 2-3 Reconfiguring a Zone Configuration to Use a VNIC

In this example, zone2 already exists as a shared zone. The zone also uses the primary interface of the system rather than a virtual link. You need to modify zone2 to use vnic2. To use vnic2, zone2's IP type must first be changed to exclusive. Note that some of the output is truncated to focus on the relevant information that relates to virtual networks.

global# dladm create-vnic -l net0 vnic2

global# zonecfg -z zone2
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> remove net physical=net0
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic2
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
global# zoneadm -z zone2 reboot

global# zlogin zone2
zone2# ipadm create-ip vnic2
zone2# ipadm create-addr -a 192.168.3.85/24 vnic2
ipadm: vnic2/v4

zone2# exit

global# vi /etc/hosts
#
::1             localhost
127.0.0.1       localhost
192.168.3.70    loghost   #For net0
192.168.3.80    zone1   #using vnic1
192.168.3.85    zone2   #using vnic2

How to Create a Private Virtual Network

The following procedure explains how to configure the third zone of the virtual network. Although the zone is part of the virtual network, it will be inaccessible from external systems. To enable the isolated zone to send network traffic beyond the system, then you must use network address translation (NAT). NAT translates the VNIC's private IP addresses to routeable IP addresses of the physical network interface. However, the private IP addresses themselves are not visible from the external network. For more information about NAT, see Using IP Filter’s NAT Feature in Securing the Network in Oracle Solaris 11.1.

The use of etherstubs constitutes the main difference between a regular virtual network and a private virtual network. In a private virtual network, the VNICs that are assigned to the zones are configured over an etherstub. Thus, they are isolated from network traffic that flows through the system.

This procedure assumes that the zone already exists, but currently does not have any associated interface.

1. Become an administrator.

   For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

2. Create the etherstub.

   global# dladm create-etherstub etherstub

3. Create a VNIC over the etherstub.

   global# dladm create-vnic -l etherstub vnic

   Do not configure the VNIC's interface yet. You will perform this step later in this procedure.

4. Assign the VNIC to the zone.

   global# zonecfg -z zone
    zone# set physical=vnic

5. Verify and commit the changes you have implemented and then exit the zone.

   zonecfg:zone1 verify
   zonecfg:zone1> commit
   zonecfg:zone1> exit
   global#

6. Log in to the zone.

   # zlogin zone

7. In the zone, create an IP interface over the VNIC that is now assigned to the zone.

   # ipadm create-ip interface

8. Configure the VNIC with a valid IP address.

   If you are assigning a static address to the VNIC, you would type the following:

   zone# ipadm create-addr -a address interface

   where address can use CIDR notation.

9. From the global zone, add the address information to the /etc/hosts file.
10. From the global zone, set the primary interface to perform IP forwarding.

    # ipadm set-ifprop -p forwarding=on -m ipv4 primary-interface

    ---

    Note - Typically in Oracle Solaris 11, the primary interface uses the name net0.

    ---

11. From the global zone, configure network address translation (NAT) in the /etc/ipnat.conf file for the primary interface.
12. Start the IP filter service to enable NAT.

    # svcadm enable network/ipfilter

13. Reboot the zone.

    # zoneadm -z zone reboot

Example 2-4 Creating a Private Virtual Network Configuration

In this example, zone3 is configured to be isolated as a private network. NAT and IP forwarding are also configured to allow the virtual private network to send packets outside the host while still concealing its private address from the external network. The zone is already configured with an exclusive IP type. However, no IP interface is assigned to it.

global# dladm create-etherstub ether0
global# dladm create-vnic -l ether0 vnic3
global# zonecfg -z zone3
zonecfg:zone3> add net
zonecfg:zone3:net> set physical=vnic3
zonecfg:zone3:net> end
zonecfg:zone3> verify
zonecfg:zone3> commit
zonecfg:zone3> exit
global#

global# zlogin zone3
zone3# ipadm create-ip vnic3
zone3# ipadm create-addr -a 192.168.0.10/24 vnic3
ipadm: vnic3/v4
zone3# exit

global# cat /etc/hosts
::1             localhost
127.0.0.1       localhost
192.168.3.70    loghost   #For net0
192.168.3.80    zone1   #using vnic1
192.168.3.85    zone2   #using vnic2
192.168.0.10    zone3   #using vnic3

global# ipadm set-ifprop -p forwarding=on -m ipv4 vnic3

global# vi /etc/ipf/ipnat.conf
map vnic3 192.168.0.0/24 -> 0/32  portmap tcp/udp auto
map vnic3 192.168.0.0/24 -> 0/32

global# svcadm enable network/ipfilter
global# zoneadm -z zone3 boot