On 11/28/10 14:50, Orvar Korvar wrote:
> Sorry, I didn't really get that. Could you explain a bit what you did, for a
> solaris noob? You just shut down the global NIC, and the local zone NIC still
> works? Yes?
>
> A question: I see that you use shared ip. Isn't that less safe than
> exclusive-ip because several zones share the same NIC in your case? If you
> want to separate traffic maximally, you should use exclusive-ip, yes?

"Safe" is better defined if you have some sort of threat model in mind. It's
unclear (at least to me) what that is.

With an exclusive IP instance, the non-global zone itself has more access than
with a shared IP instance, because the zone has to configure its own interface.
With shared IP instance, the zone has no ability to control the interface in
any way at all -- it can't set the address or (at least by default) send raw
data.

There are trade-offs in each approach.

> If I use exclusive IP, I must configure virtual nics with crossbow - yes?

No. If you use exclusive IP instances, you need to have separate interfaces.
One way to get there is with virtual NICs. Another is by using separate VLANs
on a single NIC. Still another is by using multiple NICs. It's not a
requirement to use virtual NICs, but it's one more thing that you _can_ do.

> I am actually trying this, but cannot get my zone to ping the world. The local
> zone exclusive-IP NIC does not work. When I get this scenario to work, I will
> post everything here, how to do it. So others can follow. But I need help
> during this research phase. Please help me answer my questions above?

Check the usual things -- such as the subnet mask configured on the interface
and the routes. With exclusive IP instances, the zone itself must set up the
routes it needs. With shared IP instances, all routing is done in the global
zone alone.

-- 
James Carlson 42.703N 71.076W <carls...@workingcode.com>

_______________________________________________
zones-discuss mailing list
email@example.com
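The "usual things" James lists can be checked mechanically from inside the exclusive-IP zone. The script below is an added example, not code from the thread or from Solaris: it parses saved `ifconfig -a` and `netstat -rn` output (Solaris text format) and flags the two misconfigurations named above, a missing or all-ones netmask on the zone's interface and the absence of a default route; the interface name vnic0 and all sample output are constructed.

```shell
# Added example (not from the thread): checks an exclusive-IP zone's own
# interface and routing table, the things the zone must set up itself.

# iface_ok IFNAME  (reads `ifconfig -a` text on stdin)
# Succeeds only if IFNAME is UP, has an IPv4 address and a real netmask.
iface_ok() {
    awk -v ifn="$1" '
        $1 == (ifn ":") { inblk = 1; up = ($0 ~ /<UP[,>]/); next }
        /^[a-z]/         { inblk = 0 }          # next interface block starts
        inblk && $1 == "inet" {
            mask = ""
            for (i = 3; i < NF; i++) if ($i == "netmask") mask = $(i + 1)
            # an all-ones mask (/32) or no mask means the zone never set one
            if (up && $2 != "0.0.0.0" && mask != "" && mask != "ffffffff") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# has_default_route  (reads `netstat -rn` text on stdin)
# Succeeds if a "default" entry with a gateway (G flag) exists.
has_default_route() {
    awk '$1 == "default" && $3 ~ /G/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# diagnose IFNAME IFCONFIG_TEXT NETSTAT_TEXT -> 0 when both checks pass
diagnose() {
    rc=0
    printf '%s\n' "$2" | iface_ok "$1" \
        || { echo "$1: not up, no address, or bad/missing netmask"; rc=1; }
    printf '%s\n' "$3" | has_default_route \
        || { echo "no default route: the zone must add one itself"; rc=1; }
    return $rc
}

# Constructed sample: vnic0 plumbed with a /24 mask and a default route present.
GOOD_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
vnic0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.50 netmask ffffff00 broadcast 192.168.1.255'
GOOD_NETSTAT='default              192.168.1.1          UG        1          0 vnic0
192.168.1.0          192.168.1.50         U         1          0 vnic0'
# Constructed failure case: /32 mask (ffffffff) and no default route.
BAD_IFCONFIG='vnic0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.50 netmask ffffffff broadcast 192.168.1.255'
BAD_NETSTAT='192.168.1.50         192.168.1.50         UH        1          0 vnic0'

# Usage inside the zone:  diagnose vnic0 "$(ifconfig -a)" "$(netstat -rn)"
```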