Hello,

As I previously mentioned, I am working on the possibility of putting
zones from different security contexts (front-end, application,
back-end) into the same physical server, which is effectively putting
zones in more than one subnet. We also like to use a load balancer, at
least on the front-end net, and increasingly on the back-end nets as
well. In order to use a load balancer, the general idea is that you set
your default route on the "real server" to go through the load
balancer. I am able to do this fine (s10u6), even without a "home brew"
SMF service to add default routes after zones come up like I have had
to use in the past.

The problem I ran into this time was that static routes don't seem to
use the same intelligence that default routes do. For example, in the
global zone I have 4 default routers, each pointing to the default
router of a local subnet (172.16.1.254/24, 172.16.2.254/24, and
172.16.3.254/24; the 4th is not important at the moment). Inside a
local-zone with an interface on the 172.16.1.0/24 network, it only sees
the one default route that it can use (172.16.1.254). That's perfect.
The problem comes in when I start looking at the "admin" network. I
don't want to set up a load balancer service for SSH into each zone, so
I generally set a static route in to get to the admin network using a
different gateway (hard-firewall)...

route -p add -net 172.16.250.0/24 172.16.1.1

... of course if I have multiple subnets, I also have...

route -p add -net 172.16.250.0/24 172.16.2.1
route -p add -net 172.16.250.0/24 172.16.3.1

... this confuses zones in the .2 and .3 subnets, as they see all
three routes and try to use the first one, even though they cannot
reach 172.16.1.1.

I know this would be made simpler with vnic and private IP stack, but  
in my world, shared-ip is the only thing available (feasible).


Thanks in advance,
Tommy

_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
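
A small model of the behaviour described in the post, added here as an illustration; it is not part of the original message and not Solaris code. The zone names, zone host addresses and the admin host 172.16.250.5 are assumed, and the two selection rules encode what the poster reports, not the kernel's documented algorithm.

```python
import ipaddress

# Static routes from the post, in the order they were added in the global zone.
STATIC_ROUTES = [
    ("172.16.250.0/24", "172.16.1.1"),
    ("172.16.250.0/24", "172.16.2.1"),
    ("172.16.250.0/24", "172.16.3.1"),
]
# Constructed zone inventory (names and host addresses are assumptions).
ZONES = {
    "front": "172.16.1.10/24",
    "app": "172.16.2.10/24",
    "back": "172.16.3.10/24",
}

def matching(dest, routes):
    """Gateways of all routes whose network contains dest, in table order."""
    ip = ipaddress.ip_address(dest)
    return [gw for net, gw in routes if ip in ipaddress.ip_network(net)]

def first_match(dest, routes):
    """Selection the post reports for static routes: the first entry wins."""
    hits = matching(dest, routes)
    return hits[0] if hits else None

def on_link_match(dest, routes, zone_addr):
    """Selection the post reports for default routes: only a gateway on
    the zone's own subnet is eligible."""
    subnet = ipaddress.ip_interface(zone_addr).network
    for gw in matching(dest, routes):
        if ipaddress.ip_address(gw) in subnet:
            return gw
    return None

def audit(dest, routes, zones):
    """Zones where the first-match gateway differs from the reachable one,
    mapped to (gateway chosen, gateway the zone can actually reach)."""
    report = {}
    for name, addr in zones.items():
        chosen = first_match(dest, routes)
        usable = on_link_match(dest, routes, addr)
        if chosen != usable:
            report[name] = (chosen, usable)
    return report

if __name__ == "__main__":
    # 172.16.250.5 is a constructed host on the admin network.
    for zone, (chosen, usable) in audit("172.16.250.5", STATIC_ROUTES, ZONES).items():
        print(f"{zone}: picks {chosen}, can only reach {usable}")
```
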
