Torsten, you're basically right.

You need to configure a dedicated interconnect and use utadm -L on to allow
Sun Rays from any network to connect to it. Nevertheless, because of the
issues you found, it's best to put all SunRays in their own VLAN(s) with
their own numeric ranges.

Next, you need to make sure *all* your subnets are properly defined in
/etc/netmasks, especially if you're using the 10.0.0.0/8 A-class ranges.

Also this requires your DHCP to be configured properly.
We always find it most convenient not to let the Sun Ray Servers do the
DHCP'ing but a true dhcpd cluster and then use the DNS for the Sun Rays to
find their servers for AMGHing.

Next is good network design. Our Sun Rays are in dozens of different subnets
across four locations, but because they're all always within the 128.0/17
range, which is uniquely their own, we need only make four static routes for
the Sun Rays, and, just to be on the safe side, we made four for the
internal nets, which always reside in .0.0/17 range. The rest is default
gateway which resides in the internal range as well. So, an example
/etc/inet/static_routes:

10.10.0.0/17 10.10.49.1
10.30.0.0/17 10.10.49.1
10.50.0.0/17 10.10.49.1
10.60.0.0/17 10.10.49.1
10.10.128.0/17 10.10.57.1
10.30.128.0/17 10.10.57.1
10.50.128.0/17 10.10.57.1
10.60.128.0/17 10.10.57.1

Where all Sun Rays will come in from some 10.10/30/50/60.128-255.0-255 to
the dedicated interconnect on 10.10.57.something.
The rest is firewalling/ACLing, where the Sun Ray ranges can basically do
squat except get DHCP and connect to the dedicated interface VLAN.

On 13 April 2010 11:14, Torsten Kasch <[email protected]> wrote:

> Hi,
>
> we are currently evaluating the various network setup scenarios for
> renewing our existing SunRay infrastructure and came across a question
> for which I didn't find an answer yet:
>
> Is it possible to have a combination of "dedicated interconnect" and
> "remote shared subnet"?
>
> In other words, we are looking for a scenario where we can separate
> the "SunRay network traffic" from all other traffic to be directed through
> different interfaces. The "classic" dedicated interconnect setup (with
> RFC1918 addresses) which we are running now is not sufficient any longer
> since we need to be much more flexible with respect to the DTU locations.
> The primary goals of this setup are to ease the maintenance of
> router/firewall ACLs and not having to expose (parts of) the primary LAN
> of the SunRay servers.
>
> We have done various experiments with a test setup, but it seems that for
> a "dedicated network" (utadm -a) our DTUs won't connect via a remote
> (routed) network unless we use "utadm -L on". The closest solution we have
> found so far is to configure a shared network (utadm -A) on the multi-homed
> SunRay server, set the default route to the "SunRay interface", and add
> (a lot) of static routes for our various internal nets. But this would mean
> that (non-SunRay) Internet traffic would have to go through the "SunRay
> interface" as well, contradicting our original intention for separating
> the network traffic.
>
> Is it possible what we intend to do here or are we trying to do something
> stupid? As usual, any input on this issue is welcome. ;-) The target
> platform for our setup is OpenSolaris (Build 134) with SRSS 4.2, in case
> that matters...
>
> cheers,
>        Torsten
> _______________________________________________
> SunRay-Users mailing list
> [email protected]
> http://www.filibeto.org/mailman/listinfo/sunray-users
>
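
An added example, not part of either message: a check that the static routes quoted in the reply really send every Sun Ray range (the upper /17 of each site) via the interconnect-side gateway and every internal range (the lower /17) via the internal one, using longest-prefix matching. The function names are hypothetical, and the parser assumes only the two-column "destination gateway" lines shown in the reply.

```python
import ipaddress

# Routes copied from the /etc/inet/static_routes example in the reply.
STATIC_ROUTES = """\
10.10.0.0/17 10.10.49.1
10.30.0.0/17 10.10.49.1
10.50.0.0/17 10.10.49.1
10.60.0.0/17 10.10.49.1
10.10.128.0/17 10.10.57.1
10.30.128.0/17 10.10.57.1
10.50.128.0/17 10.10.57.1
10.60.128.0/17 10.10.57.1
"""
SUNRAY_GW = "10.10.57.1"    # gateway used for the Sun Ray ranges in the reply
INTERNAL_GW = "10.10.49.1"  # gateway used for the internal ranges in the reply

def parse_routes(text):
    """Parse 'destination/prefix gateway' lines into (network, gateway) pairs."""
    routes = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            dest, gw = line.split()
            routes.append((ipaddress.ip_network(dest), ipaddress.ip_address(gw)))
    return routes

def next_hop(routes, addr):
    """Longest-prefix match; None means the packet falls to the default gateway."""
    addr = ipaddress.ip_address(addr)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return str(max(matches, key=lambda m: m[0].prefixlen)[1])

def audit(routes, sites=(10, 30, 50, 60)):
    """Probe both ends of each site's /17 halves; return (addr, got, expected)."""
    problems = []
    for site in sites:
        for half, want in (("0.0", INTERNAL_GW), ("128.0", SUNRAY_GW)):
            net = ipaddress.ip_network(f"10.{site}.{half}/17")
            for probe in (net.network_address + 1, net.broadcast_address - 1):
                got = next_hop(routes, probe)
                if got != want:
                    problems.append((str(probe), got, want))
    return problems

if __name__ == "__main__":
    for addr, got, want in audit(parse_routes(STATIC_ROUTES)):
        print(f"MISROUTED {addr}: next hop {got}, expected {want}")
```

A result of None for a Sun Ray address means replies to that client would leave via the default gateway, which sits in the internal range, so a missing route shows up as a segregation gap rather than a connectivity failure.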