Shared-IP Zones Traffic, Traffic Security, and IPMP Configuration

• Traffic Between Zones – A shared-IP zone can reach any given IP destination if there is a usable route for that destination in its routing table. To view the routing table, use the netstat -r command from within the zone. The IP forwarding rules are the same for IP destinations in other zones or on other systems.

• IPsec and IKE – IPsec relies on the Internet Key Exchange (IKE) protocol to manage keys. If you are configuring IPsec in a shared-IP zone, configure IKE in the global zone and use the source address that corresponds to the non-global zone that you are configuring. See IPsec Reference in Securing the Network in Oracle Solaris 11.4.

• Packet Filter Firewall – PF can be enabled in non-global zones by turning on loopback filtering as described in Chapter 5, Configuring the Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.4.

• IP Network Multipathing (IPMP) – You configure IPMP in the global zone. Then, you extend the functionality to non-global zones. The functionality is extended by assigning one of the IPMP interface's data addresses to the zone. In a given non-global zone, only the interfaces associated with the zone are visible through the ipadm command.

  For further information, review the following:

  • How to Extend IP Network Multipathing Functionality to Shared-IP Non-Global Zones

  • Chapter 2, About IPMP Administration in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.4

  • How to Create and Deploy a Non-Global Zone