On 10/30/2011 09:53 AM, carlopmart wrote:
> On 10/30/2011 09:27 AM, carlopmart wrote:
>> On 10/30/2011 02:27 AM, Jeppe Toustrup wrote:
>>> On Sat, Oct 29, 2011 at 23:30, carlopmart <carlopm...@gmail.com> wrote:
>>>> I have installed an oi zone under an oi_151a host to provide DNS caching
>>>> services. All works OK now, except network isolation. Running snoop on the
>>>> non-global zone I can see all traffic of all networks where the global zone
>>>> connects. For example:
>>>
>>> How is the vnic configured? (dladm show-vnic)
>>>
>>> You might want to set the global zone up as a router which routes
>>> traffic from its external interface to an etherstub (virtual switch)
>>> which the vnic then is connected to. Then you shouldn't be able to
>>> sniff network traffic from the external network on the zone.
>>>
>>> --
>>> Venlig hilsen / Kind regards
>>> Jeppe Toustrup (aka. Tenzer)
>>
>> Thanks Jeppe. I haven't configured an etherstub. Current config is:
>>
>> root@oihost:~# dladm show-vnic
>> LINK      OVER      SPEED  MACADDRESS       MACADDRTYPE  VID
>> dmzlan0   e1000g1   1000   2:8:20:dc:48:d9  random       0
>>
>> and dladm show-phys:
>>
>> root@oihost:~# dladm show-phys
>> LINK      MEDIA      STATE    SPEED  DUPLEX  DEVICE
>> e1000g0   Ethernet   up       1000   full    e1000g0
>> e1000g1   Ethernet   up       1000   full    e1000g1
>> e1000g2   Ethernet   unknown  0      half    e1000g2
>>
>> But one question: how can I associate a certain physical interface to an
>> etherstub?? Do I need to create a bridge with only one interface??
>>
>> Thanks.
>
> Oops, stupid question. Etherstub is used only when no physical nics will
> be used. And I need to use a physical nic. But I don't understand why a
> zone can see all traffic that crosses the global zone. Is it not possible to
> restrict this traffic to only that which comes/goes to the vnic??
I will try to explain something more. I need to build a complete public
DMZ infrastructure using oi zones (if I can). OIhost is on the internal
network without Internet access. On this host I have three physical nics:

a) e1000g0 --- Internal network
b) e1000g1 --- First public DMZ
c) e1000g2 --- Second public DMZ

OI zones will be deployed over e1000g1 and e1000g2 only. Between all
physical nics on the OI host there are two firewalls. The OI host cannot be
routable from the Internet.

Is it possible to accomplish this using zones or do I need to use a real
virtualization hypervisor like VMware ESXi??

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
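An added example, not part of the thread and not the poster's or Jeppe's own script: it first audits `dladm show-vnic` / `dladm show-phys` output for VNICs that sit directly on a physical NIC (the situation in the poster's config, where dmzlan0 rides on e1000g1 and so shares the wire with the global zone), then emits the dladm/ipadm/zonecfg-level steps for the layout Jeppe suggests: an etherstub carrying the zone's VNIC, with the global zone routing between the stub and the external NIC. The sample input is constructed from the poster's dladm output; the etherstub name `stub0`, the gateway VNIC `dmzgw0`, the zone name `dnscache` and the 192.0.2.0/24 addresses are assumptions, and the zone is assumed to be exclusive-IP (which is what assigning it a VNIC implies).

```shell
#!/bin/sh
# Added example (not from the thread). Audit which VNICs are created over a
# physical datalink, then print the steps for Jeppe's etherstub + router
# layout. Assumptions: stub0, dmzgw0, zone "dnscache", 192.0.2.1/24.
# e1000g1 and dmzlan0 come from the poster's dladm output.
# With DRY_RUN=1 (the default) nothing is executed, only printed.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample input, copied from the poster's `dladm show-vnic` and
# `dladm show-phys` output, so the audit can be exercised off the host.
# On the real host use "$(dladm show-vnic)" and "$(dladm show-phys)" instead.
SAMPLE_VNIC='LINK OVER SPEED MACADDRESS MACADDRTYPE VID
dmzlan0 e1000g1 1000 2:8:20:dc:48:d9 random 0'
SAMPLE_PHYS='LINK MEDIA STATE SPEED DUPLEX DEVICE
e1000g0 Ethernet up 1000 full e1000g0
e1000g1 Ethernet up 1000 full e1000g1
e1000g2 Ethernet unknown 0 half e1000g2'

# vnics_on_physical SHOW_VNIC_OUTPUT SHOW_PHYS_OUTPUT
# Prints "<vnic> <physical link>" for every VNIC whose OVER column names a
# physical datalink, i.e. every VNIC that shares the wire with the global
# zone instead of hanging off an etherstub. Prints nothing when none do.
vnics_on_physical() {
  printf '%s\n%s\n' "$2" "$1" | awk '
    $1 == "LINK" { section++; next }      # header: 1st block = show-phys, 2nd = show-vnic
    section == 1 { phys[$1] = 1; next }   # remember the physical link names
    section == 2 && ($2 in phys) { print $1, $2 }'
}

# plan_etherstub_topology STUB GZ_VNIC ZONE_VNIC ZONE GZ_ADDR
# Emits one command per line. The zone keeps its VNIC name, so its zonecfg
# net resource (physical=ZONE_VNIC) needs no change; only the link the VNIC
# is created over moves from the physical NIC to the etherstub. The physical
# NIC keeps its address in the global zone and becomes the routed uplink.
plan_etherstub_topology() {
  cat <<EOF
zoneadm -z $4 halt
dladm delete-vnic $3
dladm create-etherstub $1
dladm create-vnic -l $1 $2
dladm create-vnic -l $1 $3
ipadm create-if $2
ipadm create-addr -T static -a $5 $2/v4
routeadm -u -e ipv4-forwarding
zoneadm -z $4 boot
EOF
}

# apply_plan STUB GZ_VNIC ZONE_VNIC ZONE GZ_ADDR
# Runs the plan step by step, or with DRY_RUN=1 only shows it.
apply_plan() {
  plan_etherstub_topology "$@" | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then
      printf 'would run: %s\n' "$cmd"
    else
      eval "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
    fi
  done
}

printf 'VNICs that share a physical NIC with the global zone:\n'
vnics_on_physical "$SAMPLE_VNIC" "$SAMPLE_PHYS"
printf '\nSteps to move dmzlan0 onto an etherstub routed through the global zone:\n'
apply_plan stub0 dmzgw0 dmzlan0 dnscache 192.0.2.1/24
```

After the move, the zone's own address belongs to the 192.0.2.0/24 stub segment with 192.0.2.1 (dmzgw0) as its default gateway, and snoop inside the zone only sees frames on that stub, not the e1000g1 wire; what actually reaches the zone is then decided by the global zone's routing table and its IP filter rules rather than by the shared link. Later illumos releases also grew a `promisc-filtered` VNIC link property that narrows what a promiscuous client such as snoop sees on a VNIC; the thread does not say whether the poster's oi_151a host has it, so check `dladm show-linkprop -p promisc-filtered dmzlan0` before relying on it instead of the etherstub layout.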
_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss