[OpenIndiana-discuss] Isolating networks for zones

carlopmart carlopmart at gmail.com
Sun Oct 30 09:24:33 UTC 2011 

On 10/30/2011 09:53 AM, carlopmart wrote:
> On 10/30/2011 09:27 AM, carlopmart wrote:
>> On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:
>>> On Sat, Oct 29, 2011 at 23:30, carlopmart<carlopmart at gmail.com> wrote:
>>>> I have installed oi zone under a oi_151a host to provide dns caching
>>>> services. All works ok now, except network isolation. Running snoop on
>>>> non-global zone I can see all traffic of all networks where global zone
>>>> connects. For example:
>>>
>>> How is the vnic configured? (dladm show-vnic)
>>>
>>> You might want to set the global zone up as a router which route
>>> traffic from it's external interface to an etherstub (virtual switch)
>>> which the vnic then is connected to. Then you shouldn't be able to
>>> sniff network traffic from the external network on the zone.
>>>
>>> --
>>> Venlig hilsen / Kind regards
>>> Jeppe Toustrup (aka. Tenzer)
>>>
>>
>> Thanks Jeppe. I don't have configured a etherstub. current config is:
>>
>> root at oihost:~# dladm show-vnic
>> LINK OVER SPEED MACADDRESS MACADDRTYPE VID
>> dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0
>>
>> and dladm show-phys:
>>
>> root at oihost:~# dladm show-phys
>> LINK MEDIA STATE SPEED DUPLEX DEVICE
>> e1000g0 Ethernet up 1000 full e1000g0
>> e1000g1 Ethernet up 1000 full e1000g1
>> e1000g2 Ethernet unknown 0 half e1000g2
>>
>> But one question: how can I associate certail physical interface to a
>> etherstub?? Do I need to create a bridge with only one interface??
>>
>> Thanks.
>>
>
> Oops stupid question. Ethersub is used only when no physical nics will
> be used. And I need to use physical nic. But I don't understand why a
> zone can see all traffic that cross global zone. Is it not possible to
> restrict this traffic to only that comes/go to vnic??
>
>
>

I will try to explain something more. I need to build a complete public 
dmz infrastructure using oi zones (if I can). OIhost is on internal 
network without Internet access. On this host I have three physical nics:

a) e1000g0 --- Internal network
b) e1000g1 --- First public DMZ
c) e1000g2 --- Second public DMZ

OI zones will deployed over e1000g1 and e1000g2 only. Between all 
physical nics on OI host exists two firewalls. Oi host can not be 
routeable from Internet.

Is it possible to accomplish this using zones or do I need to use a real 
virtualization hypervisors like vmware ESXi??

Thanks.



-- 
CL Martinez
carlopmart {at} gmail {d0t} com

More information about the OpenIndiana-discuss mailing list