916641 wrote: Please be aware I could say something stupid in my explanations.
I am rather new to Solaris.
I installed a zone with default settings (ip-type exclusive). From this zone I can ping the global zone
and reverse. But I can't connect or ping anything outside the machine.
Is this the intention of zones in Solaris 11, or did I forget some (security) setting?
This all really depends on how your networking is set up.
In a native Solaris 10 zone, then, with an exclusive IP address one would have a dedicated real interface connecting to the outside world.
In a solaris 11 machine there are more options available ...
.... and you may (not may not) need to be using dladm ; ipadm ;
I assume you may then need to use routeadm to sort out routing; or perhaps you do not have a default route set up. (I have a tendency to blunder around like a bull in a china shop with notworking.)
Hope this post contains a couple of pointers and not too many wrong directions ... however with no other replies I thought I'd blunder in.
I think I found part of the problem.
When a snoop is sniffing on net0: in the global zone then the sub-zone can
communicate with the outside world.
The snoop puts the interface in promiscuous mode and then it accepts/passes
the packets for the sub-zone.
So probably some extra settings (bridging?) are necessary when using
I think I first have to read more manuals ....
But if someone has a quick hint I would like to hear.
Check that the interfaces are configured, UP and running.
output should be something like this
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
igb0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet xx.xx.xx.xx netmask ffffff00 broadcast 10.1.5.255
then, check the routing table by
netstat -nr, the output should look like,
Routing Table: IPv4
Destination          Gateway              Flags Ref   Use        Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              nn.nn.nn.nn          UG        1   11191904
nn.nn.nn.0           nn.nn.nn.nn          U         1       8590 igb0
nn.0.0.0             nn.nn.nn.nn          U         1          0 igb0
nn.0.0.1             nn.0.0.1             UH       13   82102433 lo0
If the route table is not showing a default route, then run the following command sequence to add one:
route add default your.route.ip.address
In /etc/defaultrouter make an entry of your.route.ip.address.
Make sure that switch ports are activated at network level and network cables are plugged in.
In my first post I should have told the Solaris machine is running in ESXi (4.1).
Probably ESX will set the mac address on the virtual interface and will not accept traffic
arriving on the interface with another dest mac address.
When I run snoop in the global zone this will put the virtual interface in promiscuous mode,
this will signal ESX to pass all ethernet traffic coming from the outside world to this
Packets coming from the Solaris sub-zone do get out of the net0 interface.
This is because I enabled mac-address spoofing at esx level.
The solution is to put the global zone interface in bridging mode:
dladm create-bridge esxbridge -l net0
Then packets coming from the outside with the dest mac address of the
sub-zone will be passed.
We use a number of Solaris 10 machines inside ESX without problems, but in this case a shared ip
stack is used where probably 1 mac address is shared among multiple ip addresses.
Edited by: 916641 on 27-Feb-2012 12:52
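The MAC mismatch described in the last post can be checked before reaching for snoop. The following is an added example, not part of the original thread: it lists every zone VNIC whose MAC address differs from that of the link it sits on, which are the addresses a hypervisor port that only accepts its own assigned MAC will not deliver frames for. The function name `foreign_macs`, the sample link names and MAC addresses are constructed, and the colon-separated input with backslash-escaped colons is an assumption about the parsable output of `dladm show-phys -m -p -o link,address` and `dladm show-vnic -p -o link,over,macaddress`.

```shell
#!/bin/sh
# Added example. Input format is an assumption: colon-separated fields,
# with the colons inside a MAC address escaped as "\:".

# Constructed sample, "link:address" for the NIC that ESX presents.
PHYS_SAMPLE='net0:0\:50\:56\:aa\:bb\:1'

# Constructed sample, "vnic:over:macaddress" for two exclusive-IP zones.
VNIC_SAMPLE='zone1/net0:net0:2\:8\:20\:11\:22\:33
web/net0:net0:2\:8\:20\:44\:55\:66'

# foreign_macs PHYS VNICS
# Prints "vnic mac lower-link" for every VNIC whose MAC is not the MAC of
# the link it is created over. Prints nothing when all MACs match.
foreign_macs() {
    {
        # Replace escaped colons with "-" so ":" only separates fields,
        # and tag each record with its source (P = physical, V = VNIC).
        printf '%s\n' "$1" | sed -e 's/\\:/-/g' -e 's/^/P:/'
        printf '%s\n' "$2" | sed -e 's/\\:/-/g' -e 's/^/V:/'
    } | awk -F: '
        $1 == "P" { lower[$2] = $3; next }
        $1 == "V" && ($3 in lower) && $4 != lower[$3] {
            mac = $4
            gsub(/-/, ":", mac)      # restore the usual MAC notation
            print $2, mac, $3
        }'
}

# Run against the constructed samples when executed directly.
foreign_macs "$PHYS_SAMPLE" "$VNIC_SAMPLE"
```

Each line printed is a MAC address that must either be allowed on the virtual switch port or be reached through promiscuous mode or a bridge, as found in the thread.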