
Creating and Using Oracle® Solaris Zones


Updated: August 2019

Networking in Exclusive-IP Non-Global Zones

Networking in exclusive-IP zones is similar to networking in the global zone. Some administration of exclusive-IP networking is done in the zone, and some is done from the global zone.

Overview of Networking in Exclusive-IP Zones

An exclusive-IP zone has its own IP-related state. The zone is assigned its own set of datalinks when the zone is configured.

Packets are transmitted on the physical link. Then, devices like Ethernet switches or IP routers can forward the packets toward their destination, which might be a different zone on the same system as the sender.

For virtual links, the packet is first sent to a virtual switch. If the destination link is over the same device, such as a VNIC on the same physical link or etherstub, the packet will go directly to the destination VNIC. Otherwise, the packet will go out the physical link underlying the VNIC.

For information about features that can be used in an exclusive-IP non-global zone, see Exclusive-IP Non-Global Zones in Oracle Solaris Zones Configuration Resources.

Exclusive-IP Zone Partitioning

Exclusive-IP zones have separate TCP/IP stacks, so the separation reaches down to the datalink layer. One or more datalink names, which can be a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can configure IP on those datalinks with the same flexibility and options as in the global zone.

Exclusive-IP Datalink Interfaces

A datalink name must be assigned exclusively to a single zone.

The dladm show-link command displays datalinks assigned to running zones, similar to the following example:

example-114{jdoe}1: dladm show-link
LINK                CLASS     MTU    STATE    OVER
vsw0                phys      1500   up       --
net0                phys      1500   up       --
netg2               phys      1500   up       --
netg1               phys      1500   up       --
netg3               phys      1500   up       --
zoneA/net0          vnic      1500   up       net0
zoneB/net0          vnic      1500   up       net0
aggr1               aggr      1500   up       net2 net3
vnic0               vnic      1500   up       net1
zoneA/vnic0         vnic      1500   up       net1
vnic1               vnic      1500   up       net1
zoneB/vnic1         vnic      1500   up       net1
vnic3               vnic      1500   up       aggr1
vnic4               vnic      1500   up       aggr1
zoneB/vnic4         vnic      1500   up       aggr1

For more information, see the dladm(8) man page.
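The output above encodes which datalinks each zone owns and what they sit on. The following script, added here as an illustration and not part of Oracle's documentation or tooling, parses that output, resolves each zone's VNICs down to the physical links beneath them (through aggregations such as aggr1), and reports physical links shared by more than one zone, since traffic between such zones is switched on-box by the virtual switch rather than by an external switch or router. SAMPLE is abridged from the page's own example output; net1, net2 and net3 are not listed there and are assumed to be physical NICs.

```python
from collections import defaultdict

# Abridged from the dladm show-link output shown above (zones zoneA and zoneB).
SAMPLE = """\
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
zoneA/net0          vnic      1500   up       net0
zoneB/net0          vnic      1500   up       net0
aggr1               aggr      1500   up       net2 net3
zoneA/vnic0         vnic      1500   up       net1
zoneB/vnic1         vnic      1500   up       net1
zoneB/vnic4         vnic      1500   up       aggr1
"""

def parse_show_link(text):
    """Return {link: (class, [over, ...])}; an OVER of '--' means no underlying link."""
    links = {}
    for line in text.splitlines()[1:]:              # skip the header row
        fields = line.split()
        if len(fields) >= 5:
            over = [] if fields[4] == "--" else fields[4:]
            links[fields[0]] = (fields[1], over)
    return links

def physical_links(links, name):
    """Follow OVER recursively (vnic -> aggr -> NICs) down to physical links;
    a name with no OVER (phys, or an unlisted NIC such as net1) is physical."""
    over = links.get(name, ("phys", []))[1]
    if not over:
        return {name}
    return set().union(*(physical_links(links, o) for o in over))

def zone_link_map(links):
    """{zone: {datalink: {physical links}}} for links named zone/link."""
    zones = defaultdict(dict)
    for name in links:
        if "/" in name:
            zone, link = name.split("/", 1)
            zones[zone][link] = physical_links(links, name)
    return dict(zones)

def shared_physical_links(zones):
    """Physical links used by more than one zone. Packets between those zones
    go VNIC to VNIC through the virtual switch, so only filtering inside the
    zones (PF, IPsec) sees them, not an external switch or router."""
    users = defaultdict(set)
    for zone, datalinks in zones.items():
        for phys in datalinks.values():
            for link in phys:
                users[link].add(zone)
    return {p: sorted(z) for p, z in users.items() if len(z) > 1}
```

On a live system, feed the script the real output of dladm show-link instead of SAMPLE; the zone/link naming it relies on is the one shown in the listing above.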

Exclusive-IP Zones Traffic, Traffic Security, and IPMP Configuration

  • Traffic Between Zones – There is no internal loopback of IP packets between exclusive-IP zones. All packets are sent down to the datalink. Typically, this means that the packets are sent out on a network interface. Then, devices like Ethernet switches or IP routers can forward the packets toward their destination, which might be a different zone on the same system as the sender.

  • IPsec and IKE – You have the same IPsec and IKE functionality in an exclusive-IP zone that you have in the global zone. See IPsec Reference in Securing the Network in Oracle Solaris 11.4.

  • Packet Filter Firewall – You have the same Packet Filter (PF) functionality in an exclusive-IP zone that you have in the global zone, and PF is configured the same way in both. See Chapter 5, Configuring the Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.4.

  • IP Network Multipathing (IPMP) – The datalink configuration is done in the global zone. First, multiple datalink interfaces are assigned to a zone by using the zonecfg command. The multiple datalink interfaces must be attached to the same IP subnet. IPMP can then be configured from within the exclusive-IP zone by the zone administrator.

    IPMP is used for physical interface failure detection and transparent network access failover for a system with multiple interfaces on the same IP link. IPMP also provides load spreading of packets for systems with multiple interfaces.