Private Virtual Networks in Solaris 11.2
By: Date: May 18, 2014 Categories: Solaris / Illumos Tags:

Overview

Solaris 11.2 (beta) has some powerful network virtualization features.  We use zones quite a bit at work, but on the network side with zones we have mostly used anet configurations where VNICs are auto-created, perhaps also specifying a VLAN id.  Powerful, easy, and best of all, very efficient configuration and virtualization.

But that only scratches the surface, and I thought I’d set out to do some more, and in particular with Private Virtual Networks.  PVNs allow you to have networks on your Solaris host that  are private from the network that your global zone sits on.  These can be completely private virtual networks that have no access to the outside world, or they can be allowed to access the outside world through network address translation (NAT).

The State of Documentation

The documentation I could find was either outdated (still using a mixture of ifconfig and dladm, incomplete, or had mistakes, leading to a simple test configuration that never quite worked.  The current 11.2 beta documentation (here) seems to leave out some pieces that you need.

Our Simple Test Setup

For our simple test environment, we have one global zone (actually running under VirtualBox, but that is irrelevant for this setup) with two non global zones.  The non global zones will be access the public world using NAT supplied by the global zone.

Network Configuration Information

Our LAN network is 192.168.1.0/24, and our PVN will be 10.250.250.0/24:

global zone IP  (on net0/v4): 192.168.1.10/24
global zone PVN IP : 10.250.250.1/24
zone1 PVN IP: 10.250.250.10/24
zone2 PVN IP: 10.250.250.11/24

Create an Etherstub and VNICs

VNICs need an underlying link, but we don’t want to use a real physical link.  Instead, we first create an Etherstub.  Once we do that, we want to create three VNICs — one for the global zone, and one for each non-global zone:

dladm Output Before We Start

root@sol112a:~# dladm
LINK CLASS MTU STATE OVER
net0 phys 1500 up --

Create the Etherstub and VNICs

dladm create-etherstub estub0
dladm create-vnic -l estub0 vnic0
dladm create-vnic -l estub0 vnic1
dladm create-vnic -l estub0 vnic2

 Configure the Global Zone’s VNIC

On the global zone:

ipadm create-ip vnic0
ipadm create-addr -T static -a 10.250.250.1/24 vnic0/v4

Configure IPv4 Packet Forwarding

You need to configure packet forwarding between the global zone’s public interface and the private network VNIC:

ipadm set-ifprop -p forwarding=on -m ipv4 net0
ipadm set-ifprop -p forwarding=on -m ipv4 vnic0

Setup NAT

Configure ipfilter NAT in the global zone.  The file /etc/ipf/ipnat.conf should contain the following lines:

map net0 10.250.250.0/24 -> 0/32 portmap tcp/udp auto
map net0 10.250.250.0/24 -> 0/32

Enable IPFilter


svcadm enable network/ipfilter
svcs -xv #check until the ipfilter service is running

Configure Non Global Zone Networking

Our setup assumes you already have two non-global zones already configured. For the networking piece, you might need to remove existing anet or other networks:

zonecfg:zone1> add net
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> set allowed-address=10.250.250.10/24
zonecfg:zone1:net> set defrouter=10.250.250.1
zonecfg:zone1:net> end
zonecfg:zone1> commit

Repeat this step for zone2, replacing with the appropriate values for physical, allowed-address, and defrouter.

Test the Configuration

Use zlogin from the global zone to log into one of the non-global zones, then use ssh (or anything else) to create a persistent connection to a resource on the physical LAN (i.e., something on the 192.168.1.0/24 network in this case).

From the global zone, use ipnat -l to show the active NAT session:

root@sol112a:~# ipnat -l
List of active MAP/Redirect filters:
map net0 10.250.250.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map net0 10.250.250.0/24 -> 0.0.0.0/32
 
List of active sessions:
MAP 10.250.250.10 35525 192.168.1.10 3789 [192.168.1.134 22]

Leave a Reply

Your email address will not be published. Required fields are marked *