Roshan Perera wrote:
Hi all,

Appreciate if someone can help me with VLAN tagging on zones please.

Details below. Dummy example..
Global Zone IP address      10.10.10.5 (IPMP real)
                            ce0      10.10.10.6 (IPMP test)
                            ce1      10.10.10.7 (IPMP test)


VLAN tagging to be used in zones preferably using the same nic's as above or 
separate NIC.

zone1  to use VLAN tagging with IP address 10.10.20.10/23
zone2  to use VLAN tagging with IP address 10.10.30.10/23

Reason for tagging is for security reasons.

Is the above config possible/supported. If so please advice how to configure.

Keep in mind that zones is currently designed to operate using shared networking e.g. when the different zones are connected to the same VLANs or LANs.

I think some customers have gotten setups like to above to work, but it isn't something that we claim to support AFAIK.

And one has to be careful on the security front by having firewalls between the VLANs and the rest of the network.

While a non-global zone can't do much damage to the network, the reverse is not the case. If you have potential network attackers on the VLANs, then they can send packets on the VLAN "connected" to zone1, and use the IP destination address for zone2, and the shared IP in Solaris will happily relay the packet to that zone. This is because the demultiplexing to the zone is based on the IP address, and not on the arriving network interface. I believe setting ip_strict_dst_multihoming will prevent this, but I don't think that has been verified.

In addition, you want to have firewalls that block packets with IP source routes, since otherwise one can potentially source route a packet between the different VLANs via the shared IP on the server. Common firewalls block IP source routes.

   Erik
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org

Reply via email to