Setup: Global zone, multiple labeled zones, each labeled zone configured more or less identically. Each labeled zone connects to a different network. Each labeled zone has a process that needs to be accessed by the global zone via a network socket. This process and socket must not be visible on the labeled zone network.

Requirement: Allow global zone to connect to labeled zone sockets.

What I have now:

  Global Zone: all-zones is configured on a real interface, e1000g3
  each labeled zone has an interface to connect to zone network, e.g. e1000g1:1, e1000g2:1, etc.
  each labeled zone has a virtual interface vni1:1, vni2:2 etc.
  route is added in global zone to each of the vni IP addresses:
    route add host <vni address> <all-zones address>
  each zone has an MLP entry in tnzonecfg:
    "<zone>: 0x0023-08-0000000010:0:<port>/tcp:"

With this setup, I can ping each vni address from global zone and can connect to each MLP, BUT, if I run "svcadm restart tnctl" at any point, I lose the ability to communicate from the global zone to the vni addresses. I don't understand what happens when I restart tnctl that causes things to "break."

My approach might be completely wrong here; if so, any and all help is welcome.

Wayne