On 08/19/09 15:43, Robert Hartzell wrote:
Steffen Weiberle wrote:
That helps. So you are trying to do the following?:
cable modem
     |
     |
firewall (10.0.0.1)
     |
     |
nic1 (10.0.0.2), vnic1 (10.0.0.3), vnic2 (10.0.0.4), vnic3 (10.0.0.5)
---bastion host----------
nic2 (192.168.0.100)
     |
     |
switch
     |
     |
host1    host2    host3    host(n)
(all on 192.168.0.0/24)
where dns, mail, and webserver would be using vnic[123]?
yes, exactly what I was thinking. My research indicates that moving each
service into its own zone could enhance overall system security.
If so, I take it their default router is 10.0.0.1.
correct
Getting to/from them from 192.168.0.0/24 may be tricky, as they are
really only outbound facing, and I doubt your firewall knows to send
things back to 10.0.0.2 if the destination is 192.168.0.0.
I'm not sure if I understand what you mean by this...
I am not sure who is the consumer of your dns, mail, and web services.
If only from the internet, or from the global zone, the above
configuration should work.
If you want your 'clients' (host1, host2, etc.) to also access those
services, I don't think the configuration will work, due to general
routing (or lack of it).
Because each zone only knows about its own subnet, it may not be able to
find the other subnet???
Because the zones only have one default router, the firewall, and it
knows only of routing/forwarding to the Internet. As I think about this,
a static route to 192.168.0.0/24 in exclusive IP Instance zones (not
supported in shared IP Instances) may allow that.
zone-dns# route add 192.168.0.0 10.0.0.2 1
I gotta think about this if this is what you are really doing--not
sure that using zones vs. discrete systems on the 10.0.0.0 subnet
would really behave differently (the nice thing about exclusive IP
instances is that it really is very close to separate hardware at that
level).
I would rather not have to add separate systems but instead spend the
money on a duplicate system and another Internet feed. I could then set
up some kind of failover or load balancing system.
I was using that as a relative routing design only. I don't think
separate systems will make a difference here, if they are single-homed
as the zones are.
Steffen
Shared IP Instances might introduce other routing issues, but they may
not apply here.
Steffen
Your comments are much appreciated
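The routing argument in the thread, modelled as an added example (this is not code from the mail; the topology, route tables and helper names are constructed from the diagram above). It shows why a zone whose only route is the default via the firewall 10.0.0.1 cannot answer a 192.168.0.0/24 client, and how the static route via 10.0.0.2 that Steffen floats changes the next hop. It assumes the bastion's global zone forwards between nic1 and nic2, and that the zone is exclusive-IP so it can hold its own route.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology: zone-dns lives on 10.0.0.0/24
# behind the firewall 10.0.0.1; the bastion's global zone owns nic1 (10.0.0.2)
# and nic2 (192.168.0.100), with the clients on 192.168.0.0/24 behind nic2.
ZONE_DNS_ROUTES = [
    ("10.0.0.0/24", None),        # directly connected, no gateway
    ("0.0.0.0/0", "10.0.0.1"),    # the zone's only default router: the firewall
]

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs.
    Returns the gateway, None when dst is directly connected, and raises
    LookupError when nothing (not even a default) covers dst."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def with_static_route(routes):
    """The route from the thread, 'route add 192.168.0.0 10.0.0.2 1', which an
    exclusive-IP zone can hold (a shared-IP zone cannot): point the client
    subnet at the global zone's nic1 instead of the firewall."""
    return routes + [("192.168.0.0/24", "10.0.0.2")]

def reply_path(routes, client):
    """Where zone-dns hands off its reply to a client address."""
    gw = next_hop(routes, client)
    if gw == "10.0.0.1":
        # The firewall only forwards toward the Internet; a reply for an
        # internal client sent here never reaches 192.168.0.0/24.
        return "firewall"
    if gw == "10.0.0.2":
        return "bastion global zone (nic1) -> nic2 -> switch"
    return "direct"

if __name__ == "__main__":
    print(reply_path(ZONE_DNS_ROUTES, "192.168.0.50"))                     # firewall
    print(reply_path(with_static_route(ZONE_DNS_ROUTES), "192.168.0.50"))  # via bastion
    print(reply_path(ZONE_DNS_ROUTES, "198.51.100.10"))                    # Internet: firewall
```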
zones-discuss mailing list