[OpenIndiana-discuss] Isolating networks for zones

carlopmart carlopmart at gmail.com
Sun Oct 30 08:53:54 UTC 2011


On 10/30/2011 09:27 AM, carlopmart wrote:
> On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:
>> On Sat, Oct 29, 2011 at 23:30, carlopmart<carlopmart at gmail.com> wrote:
>>> I have installed an oi zone under an oi_151a host to provide dns caching
>>> services. All works ok now, except network isolation. Running snoop on the
>>> non-global zone I can see all traffic of all networks where the global zone
>>> connects. For example:
>>
>> How is the vnic configured? (dladm show-vnic)
>>
>> You might want to set the global zone up as a router which routes
>> traffic from its external interface to an etherstub (virtual switch)
>> which the vnic then is connected to. Then you shouldn't be able to
>> sniff network traffic from the external network on the zone.
>>
>> --
>> Venlig hilsen / Kind regards
>> Jeppe Toustrup (aka. Tenzer)
>>
>
> Thanks Jeppe. I haven't configured an etherstub. Current config is:
>
> root at oihost:~# dladm show-vnic
> LINK      OVER      SPEED  MACADDRESS         MACADDRTYPE  VID
> dmzlan0   e1000g1   1000   2:8:20:dc:48:d9    random       0
>
> and dladm show-phys:
>
> root at oihost:~# dladm show-phys
> LINK      MEDIA      STATE     SPEED  DUPLEX  DEVICE
> e1000g0   Ethernet   up        1000   full    e1000g0
> e1000g1   Ethernet   up        1000   full    e1000g1
> e1000g2   Ethernet   unknown   0      half    e1000g2
>
> But one question: how can I associate a certain physical interface to an
> etherstub?? Do I need to create a bridge with only one interface??
>
> Thanks.
>

Oops, stupid question. Etherstub is used only when no physical nics will
be used. And I need to use a physical nic. But I don't understand why a
zone can see all traffic that crosses the global zone. Is it not possible to
restrict this traffic to only that which comes/goes to the vnic??



-- 
CL Martinez
carlopmart {at} gmail {d0t} com
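The topology Jeppe suggests, written out as an added example (not from the thread or from the OpenIndiana project): the physical NIC e1000g1 stays in the global zone, which routes into an etherstub; the zone gets a VNIC on the etherstub only, so a promiscuous snoop inside it sees that private segment rather than the physical link. Names (etherstub dmzstub0, VNICs gz_dmz0 and dmz_zone0, zone dnscache, subnet 192.168.200.0/24) are assumptions; the script echoes the commands unless DRY_RUN=0 so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example: global zone as router between e1000g1 and a private etherstub.
# Assumed names; the existing dmzlan0 over e1000g1 is left alone (it would be
# removed from the zone and deleted with "dladm delete-vnic" once this works).
DRY_RUN="${DRY_RUN:-1}"

# With DRY_RUN=1 (default) each command is only printed; otherwise it is executed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# isolate_zone ZONE STUB GZ_VNIC ZONE_VNIC GZ_ADDR/PREFIX ZONE_ADDR
isolate_zone() {
    zone=$1 stub=$2 gz_vnic=$3 zone_vnic=$4 gz_addr=$5 zone_addr=$6

    # 1. A virtual switch with no physical NIC behind it: frames on the real
    #    e1000g1 are never copied onto it, so snoop in the zone sees only this
    #    segment plus what the global zone deliberately routes into it.
    run dladm create-etherstub "$stub"

    # 2. One VNIC for the global zone's router leg, one for the zone.
    run dladm create-vnic -l "$stub" "$gz_vnic"
    run dladm create-vnic -l "$stub" "$zone_vnic"

    # 3. Link protection on the zone's VNIC: no MAC spoofing, no IP other than
    #    the one assigned, so the zone cannot impersonate the router leg.
    run dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof "$zone_vnic"
    run dladm set-linkprop -p allowed-ips="$zone_addr" "$zone_vnic"

    # 4. Address the global zone's leg and enable forwarding between it and
    #    e1000g1 (routes/NAT towards the outside are configured separately).
    run ipadm create-if "$gz_vnic"
    run ipadm create-addr -T static -a "$gz_addr" "$gz_vnic/v4"
    run routeadm -u -e ipv4-forwarding

    # 5. Hand only the etherstub VNIC to the zone as an exclusive-IP datalink.
    run zonecfg -z "$zone" \
        "set ip-type=exclusive; add net; set physical=$zone_vnic; end; verify; commit"
}

isolate_zone dnscache dmzstub0 gz_dmz0 dmz_zone0 192.168.200.1/24 192.168.200.53
```

If the zone must answer DNS for clients outside the private subnet, the global zone also needs a route or an ipnat rule for 192.168.200.0/24; that part is host specific and not covered here.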