How to Configure a Private Virtual Network

Language:

This procedure explains how to create a private virtual network and enable it to send network traffic beyond the system. Although the zone is part of the virtual network, it is inaccessible from external systems. To enable the isolated zone to send network traffic beyond the system, you must use network address translation (NAT). NAT translates the VNIC's private IP addresses to routeable IP addresses of the physical network interface. However, the private IP addresses are not visible from the external network. For more information about NAT, see Using IP Filter’s NAT Feature in Securing the Network in Oracle Solaris 11.2 .

The use of etherstubs constitutes the main difference between a virtual network and a private virtual network. In a private virtual network, the VNICs that are assigned to the zones are configured over an etherstub and are isolated from network traffic that flows through the system.

This procedure assumes that the zone already exists, but currently does not have any associated interface.

Become an administrator.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

Create the etherstub.

global# dladm create-etherstub etherstub

Create a VNIC over the etherstub.
```
global# dladm create-vnic -l etherstub VNIC
```
You will configure the VNIC's interface later in this procedure.

Assign the VNIC to the zone.

global# zonecfg -z zone
zonecfg:zone> add net
zonecfg:zone:net> set physical=VNIC
zonecfg:zone:net> end

Verify and commit the changes that you have implemented and then exit the zone.
```
zonecfg:zone> verify
zonecfg:zone> commit
zonecfg:zone> exit
```
Reboot the zone.
```
global# zoneadm -z zone reboot 
```
Log in to the zone.
```
global# zlogin zone
```
In the zone, create an IP interface over the VNIC that is now assigned to the zone.
```
zone# ipadm create-ip interface
```
Configure the VNIC with a static IP address or a DHCP IP address.
- Assign a static IP address.
```
zone# ipadm create-addr -a address interface
```
- Assign a DHCP IP address.
```
zone# ipadm create-addr -T dhcp interface
```
Exit the zone.
```
zone# exit
```
From the global zone, add the address information to the /etc/hosts file.
From the global zone, set the primary interface to perform IP forwarding.
```
global# ipadm set-ifprop -p forwarding=on -m ipv4 primary-interface
```
Note - In Oracle Solaris, the primary interface is the physical datalink of a NIC.
From the global zone, configure network address translation (NAT) in the /etc/ipnat.conf file for the primary interface.
Start the IP filter service to enable NAT.
```
global# svcadm enable network/ipfilter
```
Reboot the zone.
```
global# zoneadm -z zone reboot
```

Example 2-6 Configuring a Private Virtual Network

In this example, zone3 is configured to be isolated as a private network. NAT and IP forwarding are also configured to allow the private virtual network to send packets outside the host while still concealing its private address from the external network. The zone is already configured with an exclusive IP type. However, no IP interface is assigned to the zone.

global# dladm create-etherstub ether0
global# dladm create-vnic -l ether0 vnic3
global# zonecfg -z zone3
zonecfg:zone3> add net
zonecfg:zone3:net> set physical=vnic3
zonecfg:zone3:net> end
zonecfg:zone3> verify
zonecfg:zone3> commit
zonecfg:zone3> exit

global# zoneadm -z zone3 reboot 
global# zlogin zone3
zone3# ipadm create-ip vnic3
zone3# ipadm create-addr -a 192.168.0.10/24 vnic3
ipadm: vnic3/v4
zone3# exit

global# pfedit /etc/hosts
::1             localhost
127.0.0.1       localhost
192.168.3.70    loghost   #For net0
192.168.3.80    zone1   #using vnic1
192.168.3.85    zone2   #using vnic2
192.168.0.10    zone3   #using vnic3

global# ipadm set-ifprop -p forwarding=on -m ipv4 vnic3

global# pfedit /etc/ipf/ipnat.conf
map vnic3 192.168.0.0/24 -> 0/32  portmap tcp/udp auto
map vnic3 192.168.0.0/24 -> 0/32

global# svcadm enable network/ipfilter
global# zoneadm -z zone3 reboot