On 11/28/10 14:50, Orvar Korvar wrote:
> Sorry, I didn't really get that. Could you explain a bit what you did, for a
> solaris noob? You just shut down the global NIC, and the local zone NIC still
> works? Yes?
> A question: I see that you use shared ip. Isn't that less safe than
> exclusive-ip because several zones share the same NIC in your case? If you
> want to separate traffic maximally, you should use exclusive-ip, yes?
"Safe" is better defined if you have some sort of threat model in mind.
It's unclear (at least to me) what that is.
With an exclusive IP instance, the non-global zone itself has more
access than with a shared IP instance, because the zone has to configure
its own interface. With shared IP instance, the zone has no ability to
control the interface in any way at all -- it can't set the address or
(at least by default) send raw data.
There are trade-offs in each approach.
> If I use exclusive IP, I must configure virtual nics with crossbow - yes?
No. If you use exclusive IP instances, you need to have separate
interfaces. One way to get there is with virtual NICs. Another is by
using separate VLANs on a single NIC. Still another is by using
multiple NICs. It's not a requirement to use virtual NICs, but it's one
more thing that you _can_ do.
> I am actually trying this, but cannot get my zone to ping the world. The local
> zone exclusive-IP NIC does not work. When I get this scenario to work, I will
> post everything here, how to do it. So others can follow. But I need help
> during this research phase. Please help me answer my questions above?
Check the usual things -- such as the subnet mask configured on the
interface and the routes. With exclusive IP instances, the zone itself
must set up the routes it needs. With shared IP instances, all routing
is done in the global zone alone.
James Carlson 42.703N 71.076W <carls...@workingcode.com>
zones-discuss mailing list