On 1/25/16 12:36, the outsider wrote:
> The good old Solaris 10 already "sensed" IP traffic from zones and kept all
> IP-traffic that didn't have to go "on wire" inside its own hardware.

That was only because it had 'shared networking stacks'. Specifically during this time, all of the non-global zones shared the ARP/NDP tables, the routing tables, etc. This actually limited a lot of what these zones were able to do.

Instead, 'exclusive networking stacks' were introduced. Here every zone has their own set of networking information, everything from IPF rulesets, to ARP/NDP tables, routing tables, tunables, etc. As a result of this, not every zone is necessarily considered for sending data from one to another at an IP layer. Which is rather important. This allows for the zones to be on different VLANs and even have the same IP addresses. This combined with the ability for the global zone to set antispoofing/link protection properties on the devices, means that even if the zone or KVM instance wants to change an IP or MAC address, it can't use them.

> Good habit on hardware with multiple NICs is to keep a NIC unattached from
> the network so you can assign it to every zone that doesn't need outgoing
> traffic. By that you spare a port on the switch also. The NIC has to be up
> and plumbed for zones to use it.

Basically none of this is really needed anymore. If you want to have a group of zones isolated on a local-only network, you just create an etherstub and create VNICs over that. Also, in general, you don't need to ever explicitly bring links up or down (from an ifconfig sense) to use them with VNICs.

I hope this helps clarify a bit about what's changed and how things work these days. Let me know if you have additional questions.

Robert
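Added example, not part of Robert's mail: a global-zone sketch of the etherstub-plus-VNIC setup he describes, with link protection pinning each VNIC to its MAC and IP. The link names (stub0, web0, db0) and addresses are constructed, attaching the VNICs to zones is left out, and by default the script only prints the dladm commands (set APPLY=1 to execute them).

```shell
#!/bin/sh
# Added example; link names and IP addresses are constructed samples.
# dladm is the illumos datalink tool; -t makes each change temporary
# (not persisted across reboot).

# Print one command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# isolated_net STUB VNIC=IP [VNIC=IP ...]
# One etherstub (a virtual switch with no physical NIC behind it), one
# VNIC per zone, each locked down from the global zone.
isolated_net() {
    stub=$1; shift
    # Validate every pair before touching any link.
    for pair in "$@"; do
        case $pair in
            ?*=?*) ;;
            *) echo "bad VNIC=IP pair: $pair" >&2; return 1 ;;
        esac
    done
    run dladm create-etherstub -t "$stub"
    for pair in "$@"; do
        vnic=${pair%%=*}
        ip=${pair#*=}
        run dladm create-vnic -t -l "$stub" "$vnic"
        # mac-nospoof: source MAC must be the VNIC's own MAC
        # ip-nospoof:  source IP must be listed in allowed-ips
        # restricted:  only IPv4, IPv6 and ARP frames may leave the link
        run dladm set-linkprop -t -p protection=mac-nospoof,ip-nospoof,restricted "$vnic"
        run dladm set-linkprop -t -p allowed-ips="$ip" "$vnic"
    done
}

# Dry run for two zones on a local-only network.
isolated_net stub0 web0=192.168.50.10 db0=192.168.50.11
```

After applying, `dladm show-linkprop -p protection,allowed-ips web0` in the global zone shows what is enforced on a VNIC.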
