> I need your expertise to confirm the following issue:
 > 
 > Issue Description: The customer appl A sends a lookup request which is
 > destined to be handled by appl B. Both applications are using Cluster
 > Logical IP addresses destined for different subnets as configured using
 > multiple defaultrouters bound to separate IPMP groups. Their
 > expectation is that TCP communications between applications will cross
 > the physical network such that external firewall ACL rules can be
 > implemented/honored.
 >      
 > During internal acceptance testing the customer failed both physical
 > links servicing the IPMP group of appl B. Packets from appl A still
 > arrived and were accepted by Appl B. This has highlighted that traffic
 > was crossing (round-robin) on the TCP stack/loopback and not making its
 > way onto the physical wire which negates enforcement of the external
 > firewall rules which expect a received packet/port to appear
 > consistently from the same host source interface.
 >
 > 1.  So, is the observation true, and does the TCP/IP stack work as designed?
 >
 > 2.  Is there a way to tune or force it (TCP/IP stack) to cross the physical
 > network such that external firewall ACL rules can be implemented/honored?

Answers to both of these require more information.  You ask about zones in
the subject line, but talk about "Cluster Logical IP addresses" above.  Is
Sun Cluster being used?  If so, you're probably asking the wrong aliases.

 > 3.  This will bring up other questions when talking about S10 and zones.
 > If a packet is sourced on zoneA and destined for zoneB will it go on the wire?

No.

-- 
meem
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
