As I previously mentioned, I am working on the possibility of putting zones from different security contexts (front-end, application, back-end) into the same physical server, which is effectively putting zones in more than one subnet. We also like to use a load balancer, at least on the front-end net, and increasingly on the back-end nets as well. In order to use a load balancer, the general idea is that you set your default route on the "real server" to go through the load balancer. I am able to do this fine (s10u6), even without a "home brew" SMF service to add default routes after zones come up, like I have had to use in the past.

The problem I ran into this time was that static routes don't seem to use the same intelligence that default routes do. For example, in the global zone I have 4 default routers, each pointing to the default router of a local subnet (172.16.1.254/24, 172.16.2.254/24, and 172.16.3.254/24; the 4th is not important at the moment). Inside a local zone with an interface on the 172.16.1.0/24 network, it only sees the one default route that it can use (172.16.1.254). That's perfect. The problem comes in when I start looking at the "admin" network. I don't want to set up a load balancer service for SSH into each zone, so I generally set a static route in to get to the admin network using a different gateway (hard firewall)...

route -p add -net 172.16.250.0/24 172.16.1.1

... of course if I have multiple subnets, I also have...

route -p add -net 172.16.250.0/24 172.16.2.1
route -p add -net 172.16.250.0/24 172.16.3.1

.... this confuses zones in the .2 and .3 subnets, as they see all three routes and try to use the first one, even though they cannot

I know this would be made simpler with vnic and private IP stack, but in my world, shared-ip is the only thing available (feasible).
Thanks in advance,
zones-discuss mailing list
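As an added illustration, not part of the post above and not Solaris code, the following Python models the two route-selection behaviours the poster describes: a lookup that keeps only routes whose gateway is on-link for one of the zone's interfaces (what the post observes for default routes), beside a plain first-match lookup over the whole shared table (what the post observes for the static admin routes). The routing table uses the addresses from the post; the lookup logic is a simplified, constructed model, not the actual shared-IP routing implementation.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Routing table as described in the post: three default routers plus the
# three static routes to the admin network, in the order they were added.
# Each entry is (destination network, gateway).
GLOBAL_ROUTES = [
    ("0.0.0.0/0", "172.16.1.254"),
    ("0.0.0.0/0", "172.16.2.254"),
    ("0.0.0.0/0", "172.16.3.254"),
    ("172.16.250.0/24", "172.16.1.1"),
    ("172.16.250.0/24", "172.16.2.1"),
    ("172.16.250.0/24", "172.16.3.1"),
]


def gateway_is_onlink(gateway, zone_addrs):
    """True if the gateway lies in the subnet of one of the zone's interfaces.

    zone_addrs are interface addresses in CIDR form, e.g. "172.16.2.10/24".
    """
    gw = ip_address(gateway)
    return any(gw in ip_interface(addr).network for addr in zone_addrs)


def usable_routes(zone_addrs, routes=GLOBAL_ROUTES):
    """Filter the shared table down to routes the zone can actually use.

    This is the 'intelligence' the post sees applied to default routes:
    a zone only gets the default route whose gateway is on its own subnet.
    """
    return [(dst, gw) for dst, gw in routes if gateway_is_onlink(gw, zone_addrs)]


def first_match(dest, routes):
    """Longest-prefix match; among equal-length prefixes the first entry wins.

    Models the 'they try to use the first one' behaviour from the post.
    Returns the gateway as a string, or None if nothing matches.
    """
    target = ip_address(dest)
    candidates = [(ip_network(dst), gw) for dst, gw in routes
                  if target in ip_network(dst)]
    if not candidates:
        return None
    best_len = max(net.prefixlen for net, _ in candidates)
    for net, gw in candidates:
        if net.prefixlen == best_len:
            return gw


def pick_gateway(dest, zone_addrs, filter_by_onlink, routes=GLOBAL_ROUTES):
    """Gateway a zone would use for dest, with or without the on-link filter."""
    table = usable_routes(zone_addrs, routes) if filter_by_onlink else routes
    return first_match(dest, table)


if __name__ == "__main__":
    # A zone on the .2 subnet, as in the post; 172.16.250.5 is a constructed
    # admin-network host and 8.8.8.8 an arbitrary off-site address.
    zone2 = ["172.16.2.10/24"]
    for dest in ("172.16.250.5", "8.8.8.8"):
        print(dest,
              "first-match:", pick_gateway(dest, zone2, False),
              "on-link filtered:", pick_gateway(dest, zone2, True))
```

Run stand-alone, the script shows the .2 zone picking 172.16.1.1 for the admin network under plain first-match (a gateway it cannot reach), and 172.16.2.1 once the table is filtered to on-link gateways, while the default route is filtered correctly either way the post describes.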