[OpenIndiana-discuss] Isolating networks for zones
carlopmart
carlopmart at gmail.com
Sun Oct 30 09:24:33 UTC 2011
On 10/30/2011 09:53 AM, carlopmart wrote:
> On 10/30/2011 09:27 AM, carlopmart wrote:
>> On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:
>>> On Sat, Oct 29, 2011 at 23:30, carlopmart<carlopmart at gmail.com> wrote:
>>>> I have installed oi zone under a oi_151a host to provide dns caching
>>>> services. All works ok now, except network isolation. Running snoop on
>>>> non-global zone I can see all traffic of all networks where global zone
>>>> connects. For example:
>>>
>>> How is the vnic configured? (dladm show-vnic)
>>>
>>> You might want to set the global zone up as a router which route
>>> traffic from it's external interface to an etherstub (virtual switch)
>>> which the vnic then is connected to. Then you shouldn't be able to
>>> sniff network traffic from the external network on the zone.
>>>
>>> --
>>> Venlig hilsen / Kind regards
>>> Jeppe Toustrup (aka. Tenzer)
>>>
>>
>> Thanks Jeppe. I don't have configured a etherstub. current config is:
>>
>> root at oihost:~# dladm show-vnic
>> LINK OVER SPEED MACADDRESS MACADDRTYPE VID
>> dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0
>>
>> and dladm show-phys:
>>
>> root at oihost:~# dladm show-phys
>> LINK MEDIA STATE SPEED DUPLEX DEVICE
>> e1000g0 Ethernet up 1000 full e1000g0
>> e1000g1 Ethernet up 1000 full e1000g1
>> e1000g2 Ethernet unknown 0 half e1000g2
>>
>> But one question: how can I associate certail physical interface to a
>> etherstub?? Do I need to create a bridge with only one interface??
>>
>> Thanks.
>>
>
> Oops stupid question. Ethersub is used only when no physical nics will
> be used. And I need to use physical nic. But I don't understand why a
> zone can see all traffic that cross global zone. Is it not possible to
> restrict this traffic to only that comes/go to vnic??
>
>
>
I will try to explain something more. I need to build a complete public
dmz infrastructure using oi zones (if I can). OIhost is on internal
network without Internet access. On this host I have three physical nics:
a) e1000g0 --- Internal network
b) e1000g1 --- First public DMZ
c) e1000g2 --- Second public DMZ
OI zones will deployed over e1000g1 and e1000g2 only. Between all
physical nics on OI host exists two firewalls. Oi host can not be
routeable from Internet.
Is it possible to accomplish this using zones or do I need to use a real
virtualization hypervisors like vmware ESXi??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
More information about the OpenIndiana-discuss
mailing list