On Tue, Apr 28, 2009 at 6:09 AM, Vincent Boisard <vbois...@gmail.com> wrote:
> Thanks for your help,
>
> Let me summarize this:
>
> - Shared IP has the advantage that the global zone fully administers the
> network: zones don't have to (and even CAN'T) bother with it. There may be a
> slight advantage performance wise.
> - Exclusive IP with VNIC is needed for some features and enables bandwidth
> management between the network and zones (Does it make sense to try to
> manage bandwidth between zones?)

I would add:

- Exclusive IP is needed in certain situations, but without VNICs the number
of exclusive-IP zones is severely restricted - usually 1 or 2 of them per
system. With VNICs you can have hundreds of exclusive-IP zones.

> On Mon, Apr 27, 2009 at 11:58 PM, Steffen Weiberle
> <steffen.weibe...@sun.com> wrote:
>>
>> On 04/27/09 13:40, Vincent Boisard wrote:
>>>
>>> Hi everyone,
>>>
>>> I am wondering, as Crossbow is now integrated, does it still make sense
>>> to use Shared IP Zones or is it better to use exclusive-ip zones with a vnic
>>> for each of them.
>>> With a vnic, we can benefit from the bandwidth management and all, but
>>> there may be performance issues...
>>>
>>> What do you think about it?
>>
>> Some cases need exclusive IP Instances, such as where you need to have
>> isolation, force traffic in certain ways (static routes, preventing kernel
>> from looping traffic back up [1]).
>>
>> In those cases where you have a choice to use either, the primary reason I
>> see going shared IP is that the global administrator manages the network.
>> With exclusive IP, the non-global administrator can/must manage that. Maybe
>> not a big deal, unless you give root privileges to the zones users, and they
>> can then make changes without any constraints, and that is something that
>> is not desirable in your installation.
>>
>> Steffen
>>
>>
>> [1] Two or more VNICs on the same NIC with IP addresses on the same subnet
>> will *not* have traffic leave the system. Something to keep in mind. The
>> destination MAC address must be on a different node on the network for it to
>> go out the NIC. That node could be a VNIC on a different NIC, but not on the
>> same VNIC. Underneath the VNICs is essentially a switch, to help create the
>> picture. This is partially good--traffic between zones sharing a VNIC is
>> slower than shared (not sure how much) and faster than going out on the
>> wire. Yet you still have the other benefits.
--
--JeffV
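The setup discussed in this thread (an exclusive-IP zone on a Crossbow VNIC with a bandwidth cap) together with a check of the switching behaviour in Steffen's footnote [1], as an added example that is not part of the thread or of OpenSolaris itself. It assumes the OpenSolaris dladm/zonecfg command syntax shown, uses a constructed zone inventory, and only prints the privileged commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSolaris with Crossbow
# (dladm create-vnic, the maxbw link property) and zonecfg ip-type=exclusive.
# Commands are printed, not executed, unless DRY_RUN=0, so the script also
# runs on a host without dladm/zonecfg.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# Create a VNIC on a physical NIC, cap its bandwidth, and hand it to an
# exclusive-IP zone. Usage: make_zone_vnic <zone> <nic> <vnic> <maxbw>
make_zone_vnic() {
  run dladm create-vnic -l "$2" "$3"
  run dladm set-linkprop -p maxbw="$4" "$3"
  run zonecfg -z "$1" "set ip-type=exclusive; add net; set physical=$3; end"
}

# Constructed inventory (zone vnic nic address/prefix), not a real system.
ZONES='web1 vnic0 e1000g0 192.168.1.10/24
web2 vnic1 e1000g0 192.168.1.11/24
db1 vnic2 e1000g1 192.168.1.20/24
mgmt vnic3 e1000g0 10.0.0.5/24'

# 192.168.1.10/24 -> 192.168.1.0/24, in plain awk arithmetic
subnet_of() {
  echo "$1" | awk -F'[./]' '{ ip = $1*16777216 + $2*65536 + $3*256 + $4
    blk = 2^(32-$5); net = int(ip/blk)*blk
    printf "%d.%d.%d.%d/%d\n", int(net/16777216)%256, int(net/65536)%256,
           int(net/256)%256, net%256, $5 }'
}

field() { echo "$ZONES" | awk -v z="$1" -v f="$2" '$1==z {print $f}'; }

# Footnote [1] above: VNICs on the same NIC sit behind an internal switch,
# so traffic between them on the same subnet never leaves the system;
# anything else must go out the NIC (to another NIC or to a router).
# Prints "internal" or "wire".
path_between() {
  nicA=$(field "$1" 3); nicB=$(field "$2" 3)
  [ -n "$nicA" ] && [ -n "$nicB" ] || { echo unknown; return 1; }
  if [ "$nicA" = "$nicB" ] &&
     [ "$(subnet_of "$(field "$1" 4)")" = "$(subnet_of "$(field "$2" 4)")" ]
  then echo internal; else echo wire; fi
}

make_zone_vnic web1 e1000g0 vnic0 100M
for pair in "web1 web2" "web1 db1" "web1 mgmt"; do
  echo "$pair: $(path_between $pair)"
done
```

With the constructed inventory, web1 and web2 share e1000g0 and a subnet, so their traffic stays on the internal switch, while web1 to db1 (other NIC) and web1 to mgmt (other subnet) leave through the NIC.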