Roshan Perera wrote:
Hi all,
Appreciate it if someone can help me with VLAN tagging on zones please.
Details below. Dummy example.
Global Zone IP address 10.10.10.5 (IPMP real)
ce0 10.10.10.6 (IPMP test)
ce1 10.10.10.7 (IPMP test)
VLAN tagging to be used in zones, preferably using the same NICs as above or a
separate NIC.
zone1 to use VLAN tagging with IP address 10.10.20.10/23
zone2 to use VLAN tagging with IP address 10.10.30.10/23
Reason for tagging is for security reasons.
Is the above config possible/supported? If so, please advise how to configure it.
Keep in mind that zones are currently designed to operate using shared
networking, e.g. when the different zones are connected to the same VLANs
or LANs.
I think some customers have gotten setups like the above to work, but it
isn't something that we claim to support AFAIK.
And one has to be careful on the security front by having firewalls
between the VLANs and the rest of the network.
While a non-global zone can't do much damage to the network, the reverse
is not the case. If you have potential network attackers on the VLANs,
then they can send packets on the VLAN "connected" to zone1, and use the
IP destination address for zone2, and the shared IP in Solaris will
happily relay the packet to that zone. This is because the
demultiplexing to the zone is based on the IP address, and not on the
arriving network interface.
I believe setting ip_strict_dst_multihoming will prevent this, but I
don't think that has been verified.
In addition, you want to have firewalls that block packets with IP
source routes, since otherwise one can potentially source route a packet
between the different VLANs via the shared IP on the server. Common
firewalls block IP source routes.
Erik
_______________________________________________
zones-discuss mailing list
[email protected]
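To make the demultiplexing behaviour Erik describes concrete, the following is an added model written for this page; it is not code from the thread, from Solaris, or from the zones project. It models the shared IP stack handing an inbound packet to a zone by destination address alone, and the effect of the two mitigations named in the reply: a strict destination-multihoming check (modelled as a boolean standing in for `ip_strict_dst_multihoming=1`) and a filter dropping source-routed packets (standing in for the firewall rule). Addresses are the dummy values from the original post; the VLAN interface names `ce20000`/`ce30000` are an assumption following Solaris's VID*1000+instance naming for tagged interfaces, and the whole thing is a simplification of the real IP stack (no forwarding path, no ARP).

```python
"""Toy model of Solaris shared-IP zone demultiplexing (constructed example).

Models the behaviour described in the thread: the shared IP stack hands an
incoming packet to a zone based on the destination IP address alone, unless
strict destination multihoming is on, in which case the destination address
must be plumbed on the interface the packet arrived on.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Packet:
    ingress_if: str               # interface the packet arrived on
    src: str
    dst: str
    source_routed: bool = False   # carries an IP source-route option


@dataclass
class SharedIPStack:
    if_addrs: Dict[str, Set[str]]          # interface -> addresses plumbed on it
    zone_of: Dict[str, str]                # address -> zone that owns it
    strict_dst_multihoming: bool = False   # stands in for ip_strict_dst_multihoming=1
    drop_source_routed: bool = False       # stands in for an upstream firewall rule

    def deliver(self, pkt: Packet) -> Optional[str]:
        """Return the zone that receives pkt, or None if it is dropped."""
        if self.drop_source_routed and pkt.source_routed:
            return None
        zone = self.zone_of.get(pkt.dst)
        if zone is None:
            return None          # not a local address; outside this model
        if self.strict_dst_multihoming and pkt.dst not in self.if_addrs.get(pkt.ingress_if, set()):
            return None          # arrived on an interface that does not own dst
        return zone


def build_stack(strict: bool = False, drop_sr: bool = False) -> SharedIPStack:
    # Addresses from the thread's dummy example. VLAN interface names are an
    # assumption following Solaris's VID*1000+instance convention
    # (VLAN 20 on ce0 -> ce20000, VLAN 30 on ce0 -> ce30000).
    return SharedIPStack(
        if_addrs={
            "ce0": {"10.10.10.6"},
            "ce1": {"10.10.10.7"},
            "ce20000": {"10.10.20.10"},
            "ce30000": {"10.10.30.10"},
        },
        zone_of={"10.10.20.10": "zone1", "10.10.30.10": "zone2"},
        strict_dst_multihoming=strict,
        drop_source_routed=drop_sr,
    )


def crossover_delivery(strict: bool) -> Optional[str]:
    """A packet arriving on zone1's VLAN but addressed to zone2's IP."""
    pkt = Packet(ingress_if="ce20000", src="10.10.20.99", dst="10.10.30.10")
    return build_stack(strict=strict).deliver(pkt)


def legitimate_delivery(strict: bool) -> Optional[str]:
    """A packet arriving on zone2's own VLAN addressed to zone2."""
    pkt = Packet(ingress_if="ce30000", src="10.10.30.99", dst="10.10.30.10")
    return build_stack(strict=strict).deliver(pkt)


def source_routed_delivery(drop_sr: bool) -> Optional[str]:
    """A source-routed packet to zone1 on its own VLAN; the strict check
    does not object to it, only the filter does."""
    pkt = Packet(ingress_if="ce20000", src="10.10.20.99", dst="10.10.20.10",
                 source_routed=True)
    return build_stack(strict=True, drop_sr=drop_sr).deliver(pkt)


if __name__ == "__main__":
    print("crossover, default:", crossover_delivery(False))          # zone2
    print("crossover, strict:", crossover_delivery(True))            # None
    print("legitimate, strict:", legitimate_delivery(True))          # zone2
    print("source-routed, filtered:", source_routed_delivery(True))  # None
```

The first scenario is the one the reply warns about: with the default setting, a packet entering on zone1's VLAN is delivered to zone2 purely because the destination address matches. With the strict check the same packet is dropped while zone2's own traffic still arrives. On Solaris 10 the real tunable is set at runtime with `ndd -set /dev/ip ip_strict_dst_multihoming 1`; ndd settings do not persist across reboot, so such a setting belongs in a startup script, and as Erik notes its effect on zone demultiplexing was not verified in the thread.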