>>> Steffen Weiberle <steffen.weibe...@sun.com> 8/21/2009 3:01 PM >>>
On 08/19/09 17:35, Steffen Weiberle wrote:
> On 08/19/09 17:25, Robert Hartzell wrote:
>> You have given me much to think about ;). I'm going to set up a test 
>> system this weekend and see what I can screw up...
>> If I can find a reasonable solution for this I will ping the list and 
>> post a howto on my wiki.
>> again, thanks for helping out.
> You are welcome. One other thing has come up, and I might have to try 
> this myself...
> When you create more than one VNIC on top of a NIC, a virtual switch is 
> created, so that the VNICs can communicate with one another. (The 
> ethernet spec does not allow you to transmit a frame that is destined to 
> you, and if one VNIC user is sending to another, it must stay within the 
> system to not violate the spec.)
> It gets interesting since the global zone also is on that NIC, and 
> traffic between the global interface (your nic1) and the VNICs must not 
> go on the wire, for the above reason. However, I don't know that the 
> physical NIC is 'seen' as a member of the switch. (This is good for 
> security reasons as well, it seems to me, except in situations like what 
> you are setting up.)
> I will have to try it myself when I get done doing some VLAN over 
> aggregation stuff.
> Steffen
> _______________________________________________
> zones-discuss mailing list
> zones-discuss@opensolaris.org 

I took the opportunity to try some of my previous suggestions out.

I believe it is independent of Erik's reply regarding SUNWroute, as I am 
doing my work on SX-CE build 121, not OpenSolaris. I am not using a 
routing daemon, so the differences hopefully are minimal. [1]

Using the following layout:

    cable modem
       nic1 (, vnic1 (, vnic2 (,
     |                  vnic3 (
---bastion host----------
host1 host2 host3 host(n)
(all on

Global zone had a default router (/etc/defaultrouter) of
Initially, global zone has both nic1 and nic2 configured *without* the 
'router' option. More on that later.

Zone vnic1 is an exclusive IP Instance zone using vnic1 on top of nic1. 
The zone's default router is

Zone vnic1 can ping, [2], IP addresses beyond the 
firewall at It can not reach nodes on the 
subnet. A traceroute shows attempts to go via the firewall, as expected 
by the 'default' route.

In zone vnic1, issuing 'route add net' allows 
me to reach, but not other hosts on that subnet. This is 
because does not require IP forwarding, other addresses do.

Issuing, in the global zone, 'ifconfig nic1 router ; ifconfig nic2 
router' does allow zone vnic1 to reach all hosts on This 
is because the system is now configured to pass datagrams through using 
both interfaces nic1 and nic2. This does make the system a general 
router, without advertising any route. That should not be an issue since 
traffic from outside of the firewall should not be able to get into the network, unless you have a forwarding rule in the firewall. 
(This step is only necessary if the system on need to access 
the zones!)

I hope this helps with understanding how routing is working in Solaris 
in general.


includes in.route and in.rdisc, not the route(1M) command.

[2] This clarifies my question whether a VNIC on an interface can reach 
the underlying interface. The answer is 'yes, it can.'
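The reachability steps described in the mail above, worked through as an added example; this is not code from the mail, from Solaris, or from the zones-discuss project. It is a small Python model of longest-prefix route lookup plus per-interface forwarding on the global zone. All addresses and interface names are constructed stand-ins (RFC 5737 documentation ranges), since the mail's own addresses are not reproduced here; the rule that a transit packet is forwarded only when both the inbound and outbound interface have the 'router' flag is the assumption taken from the mail's "using both interfaces nic1 and nic2", and the single "internet" node routing back through the firewall stands in for NAT.

```python
"""Toy model of the routing in the mail: a zone on a VNIC (exclusive IP instance)
reaching hosts behind a global zone with two NICs.

Addresses are constructed from RFC 5737 documentation ranges; they are not the
ones in the original mail. The 'both interfaces need forwarding' rule and the
NAT-less 'internet' node are modelling assumptions, not Solaris documentation."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    ifaces: dict        # interface name -> "addr/prefix"
    routes: list        # (destination net, gateway or None if on-link, out interface)
    forwarding: set = field(default_factory=set)  # interfaces with 'ifconfig <if> router'

    def owns(self, ip):
        return any(ipaddress.ip_interface(a).ip == ip for a in self.ifaces.values())

    def lookup(self, dst):
        """Longest-prefix match over this node's routing table."""
        best = None
        for net, gw, iface in self.routes:
            n = ipaddress.ip_network(net)
            if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, gw, iface)
        return best


class Network:
    def __init__(self, nodes, links):
        self.nodes = {n.name: n for n in nodes}
        self.links = links  # link name -> [(node name, iface), ...]
        self.link_of = {m: ln for ln, members in links.items() for m in members}

    def owner(self, ip):
        return next((n for n in self.nodes.values() if n.owns(ip)), None)

    def neighbour(self, node, iface, ip):
        """The node on the same link as (node, iface) that owns ip, or None."""
        for name, nif in self.links[self.link_of[(node.name, iface)]]:
            if self.nodes[name].owns(ip):
                return self.nodes[name], nif
        return None

    def deliver(self, src, dst, max_hops=8):
        """One-way delivery: list of node names traversed, or None if dropped."""
        dst = ipaddress.ip_address(dst)
        node, in_iface, path = src, None, [src.name]
        for _ in range(max_hops):
            if node.owns(dst):          # addressed to us: accepted without forwarding
                return path
            r = node.lookup(dst)
            if r is None:
                return None
            _, gw, out_iface = r
            # Transit traffic needs the 'router' flag on both interfaces (assumption).
            if in_iface is not None and not {in_iface, out_iface} <= node.forwarding:
                return None
            nxt = self.neighbour(node, out_iface, ipaddress.ip_address(gw) if gw else dst)
            if nxt is None:
                return None
            node, in_iface = nxt
            path.append(node.name)
        return None

    def ping(self, src_ip, dst_ip):
        """Reachable in both directions, like an ICMP echo and its reply."""
        src = self.owner(ipaddress.ip_address(src_ip))
        if self.deliver(src, dst_ip) is None:
            return False
        return self.deliver(self.owner(ipaddress.ip_address(dst_ip)), src_ip) is not None


def build_network():
    firewall = Node("firewall", {"lan": "192.0.2.1/24", "wan": "203.0.113.2/24"},
                    [("192.0.2.0/24", None, "lan"), ("203.0.113.0/24", None, "wan"),
                     ("0.0.0.0/0", "203.0.113.1", "wan")], {"lan", "wan"})
    # Stand-in for everything beyond the firewall: one host routing back through it.
    internet = Node("internet", {"wan": "203.0.113.1/24"},
                    [("203.0.113.0/24", None, "wan"), ("0.0.0.0/0", "203.0.113.2", "wan")])
    bastion = Node("global", {"nic1": "192.0.2.2/24", "nic2": "198.51.100.1/24"},
                   [("192.0.2.0/24", None, "nic1"), ("198.51.100.0/24", None, "nic2"),
                    ("0.0.0.0/0", "192.0.2.1", "nic1")])
    zone = Node("zone-vnic1", {"vnic1": "192.0.2.11/24"},
                [("192.0.2.0/24", None, "vnic1"), ("0.0.0.0/0", "192.0.2.1", "vnic1")])
    host1 = Node("host1", {"e1000g0": "198.51.100.10/24"},
                 [("198.51.100.0/24", None, "e1000g0"), ("0.0.0.0/0", "198.51.100.1", "e1000g0")])
    links = {  # vnic1 rides on nic1, so the zone shares nic1's link (footnote [2])
        "outside": [("firewall", "lan"), ("global", "nic1"), ("zone-vnic1", "vnic1")],
        "inside": [("global", "nic2"), ("host1", "e1000g0")],
        "wan": [("firewall", "wan"), ("internet", "wan")],
    }
    return Network([firewall, internet, bastion, zone, host1], links)


def run_scenarios():
    net = build_network()
    zone, glob, fw = net.nodes["zone-vnic1"], net.nodes["global"], net.nodes["firewall"]
    out = {}
    # 1. zone has only its default route via the firewall
    out["beyond_firewall"] = net.ping("192.0.2.11", "203.0.113.1")
    out["inside_default_only"] = net.ping("192.0.2.11", "198.51.100.10")
    # 2. 'route add net 198.51.100.0/24 192.0.2.2' in the zone: the global zone's
    #    own nic2 address answers without forwarding, other inside hosts do not
    zone.routes.append(("198.51.100.0/24", "192.0.2.2", "vnic1"))
    out["global_nic2_no_fwd"] = net.ping("192.0.2.11", "198.51.100.1")
    out["host1_no_fwd"] = net.ping("192.0.2.11", "198.51.100.10")
    # 3. 'ifconfig nic1 router ; ifconfig nic2 router' in the global zone
    glob.forwarding.update({"nic1", "nic2"})
    out["host1_fwd"] = net.ping("192.0.2.11", "198.51.100.10")
    # 4. the global zone is now a general router, but outside traffic only reaches
    #    host1 if the firewall is told to send the inside subnet that way
    out["outside_to_host1_no_fw_rule"] = net.ping("203.0.113.1", "198.51.100.10")
    fw.routes.append(("198.51.100.0/24", "192.0.2.2", "lan"))
    out["outside_to_host1_with_fw_rule"] = net.ping("203.0.113.1", "198.51.100.10")
    return out


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:32s} {'reachable' if ok else 'unreachable'}")
```

Scenario 4 is the defender's check on the mail's last caveat: once both NICs carry the 'router' flag the box forwards anything handed to it, so the inside subnet stays private only as long as the firewall has no route or forwarding rule pointing at the global zone's outside address.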