Using IP Instances with VLANs or How to Make a Few NICs Look Like Many
Solaris 10 8/07 includes a new feature for zone networking. IP Instances is the facility to give a non-global zone its own complete control over the IP stack, which previously was shared with and controlled by the global zone.
A zone that has an exclusive IP Instance can set interface parameters using ifconfig(1M), put an interface into promiscuous mode to run snoop(1M), be a DHCP client or server, set ndd(1M) variables, have its own IPsec policies, etc.
One requirement for an exclusive IP Instance is that it must have exclusive access to a link name. This is any NIC, VLAN-tagged NIC component, or aggregation at this time. When they become available, virtual NICs will make this much simpler, as a single NIC can be presented to the zones using a number of VNICs, effectively multiplexing access to that NIC. A link name is an entry that can be found in /dev, such as /dev/bge0, /dev/bge321001 (VLAN tag 321 on bge1), aggr2, and so on.
To see what link names are available on a system, use dladm(1M) with the show-link option. For example:
global# dladm show-link
bge0 type: non-vlan mtu: 1500 device: bge0
bge1 type: non-vlan mtu: 1500 device: bge1
bge2 type: non-vlan mtu: 1500 device: bge2
bge3 type: non-vlan mtu: 1500 device: bge3
As folks have started to use IP Instances to isolate their zones, they have noticed that they don't have sufficient link names (I'll use just "link" in the rest of this) to assign to the zones that they have configured, or wish to configure, as exclusive. So, how does a global zone administrator configure a large number of zones as exclusive?
Let's consider the following situation, where there are three tiers of a web service, where each tier is on a different network.
If each server has only one NIC, the total number of switch ports required is at least eight (8). If each server has a management port, that is another eight ports, even if they are on a different, management network. Add to that at least three switch ports going to the router.
Consolidating the servers onto a single Solaris 10 instance using exclusive IP Instances requires at least eight NICs for the services (one per service), and at least one for the global zone and management. (We'll ignore service processor requirements, since they are separate anyway, and access could be either via a serial interface or a network.)
One option to consider is using VLANs and VLAN tagging. When using VLAN tagging, additional information is put onto the ethernet frame by the sender, which allows the receiver to associate that frame with a specific VLAN. The specification allows up to 4094 VLAN tags, from 1 to 4094. For more information on administering VLANs in Solaris 10, see Administering Virtual Local Area Networks in the Solaris 10 System Administrator Collection.
VLANs are a method to collapse multiple ethernet broadcast domains (whether hubs or switches) into a single network unit (usually a switch). Typically, a single IP subnet, such as 192.168.54.0/24, is on a broadcast domain. Within such a switch frame, you can have a large number of virtual switches, consolidating network infrastructure and still isolating broadcast domains. Often, the use of VLANs is completely hidden from the systems tied to the switch, as a port on the switch is configured for only one VLAN. With VLAN tagging, a single port can allow a system to connect to multiple VLANs, and therefore multiple networks. Both the switch and the system must be configured for VLAN tagging for this to work properly. VLAN tagging has been used for years, and is robust and reliable.
Any one network interface can have multiple VLANs configured for it, but a single VLAN ID can only exist once on each interface. Thus it is possible to put multiple networks or broadcast domains on a single interface. It is not possible to put more than one VLAN of any broadcast domain on a single interface. For example, you can put VLANs 111, 112, and 113 on interface bge1, but you can not put VLAN 111 on bge1 more than once. You can, however, put VLAN 111 on interfaces bge1 and bge2.
Using the case shown above, if the three web servers are on the same network, say 10.1.111.0/24, you would want to have three interfaces that are all connected to a VLAN capable switch, and configure each interface with a VLAN tag that is the same as the VLAN ID on the switch.
For example, if the VLAN tag is 111 and the interfaces are bge1 through bge3, the link names you would assign to the three web servers would be bge111001, bge111002, and bge111003.
Introducing zones into the setup, the web servers can be run in three separate zones, and with exclusive IP Instances, they can be totally separate and each assigned a VLAN-tagged interface. Web Server 1 could have bge111001, Web Server 2 could have bge111002, and Web Server 3 could have bge111003.
global# zonecfg -z web1 info net
net:
	address not specified
	physical: bge111001
global# zonecfg -z web2 info net
net:
	address not specified
	physical: bge111002
global# zonecfg -z web3 info net
net:
	address not specified
	physical: bge111003
Within the zones, you could configure IP addresses 10.1.111.1/24 through 10.1.111.3/24.
Similarly, for the authentication tier, using VLAN ID 112, you could assign the zones auth1 through auth3 to bge112001, bge112002, and bge112003, respectively. And for application servers app1 and app2 on VLAN ID 113, bge113001 and bge113002. This can be repeated until some limit is reached, whether it is network bandwidth, system resource limits, or the maximum number of concurrent VLANs on either the switch or Solaris.
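The link-name arithmetic behind bge111001, bge112003 and so on, and the rule that a given VLAN ID can appear only once per interface (so each VLAN-tagged link can be exclusive to only one zone), are easy to get wrong when planning a dozen zones by hand. The following POSIX shell script is an added example (not code from the original article or from Sun) that computes Solaris 10 VLAN link names from a driver, instance and VLAN ID, parses them back, checks a zone-to-link plan for double assignments, and prints the zonecfg(1M) command that would be run for each zone. The plan lines and zone names are constructed input; the script only prints the zonecfg commands for review and never executes them.

```shell
#!/bin/sh
# Added example, not from the original article: plan VLAN-tagged links for
# exclusive-IP zones on Solaris 10 8/07.
#
# Solaris 10 names a VLAN-tagged link <driver><VLAN*1000 + instance>:
# VLAN 111 on bge1 is bge111001, VLAN 113 on bge2 is bge113002.

# vlan_link DRIVER INSTANCE VID -> prints the link name, e.g. bge111001
vlan_link() {
    printf '%s%d\n' "$1" $(( $3 * 1000 + $2 ))
}

# link_parts LINK -> prints "DRIVER VID INSTANCE" (VID 0 means untagged)
link_parts() {
    lp_num=${1##*[!0-9]}        # trailing digits of the link name
    lp_drv=${1%"$lp_num"}       # driver prefix in front of them
    printf '%s %d %d\n' "$lp_drv" $(( lp_num / 1000 )) $(( lp_num % 1000 ))
}

# plan_links reads "ZONE DRIVER INSTANCE VID" lines on stdin and prints
# "ZONE LINK" for each one.  Because the link name encodes (driver, VID,
# instance), assigning the same link twice is the same mistake as putting
# one VLAN ID on one interface twice; such lines are reported on stderr,
# skipped, and make the function return 1.
plan_links() {
    pl_seen=" "
    pl_rc=0
    while read -r pl_zone pl_drv pl_inst pl_vid; do
        [ -n "$pl_zone" ] || continue
        pl_link=$(vlan_link "$pl_drv" "$pl_inst" "$pl_vid")
        case "$pl_seen" in
            *" $pl_link "*)
                echo "conflict: $pl_zone wants $pl_link, but VLAN $pl_vid on $pl_drv$pl_inst is already assigned" >&2
                pl_rc=1
                continue ;;
        esac
        pl_seen="$pl_seen$pl_link "
        echo "$pl_zone $pl_link"
    done
    return $pl_rc
}

# zonecfg_cmd ZONE LINK -> prints (does not run) the zonecfg(1M) command
# that makes ZONE an exclusive-IP zone on LINK.  Exclusive-IP net resources
# carry no address; the zone configures its own IP later.
zonecfg_cmd() {
    printf "zonecfg -z %s 'set ip-type=exclusive; add net; set physical=%s; end'\n" "$1" "$2"
}

# Demo on the article's three tiers (constructed plan, bge0 left for the
# global zone): three web zones on VLAN 111, three auth zones on VLAN 112,
# two app zones on VLAN 113, one NIC instance per zone within a VLAN.
printf '%s\n' \
    'web1 bge 1 111' 'web2 bge 2 111' 'web3 bge 3 111' \
    'auth1 bge 1 112' 'auth2 bge 2 112' 'auth3 bge 3 112' \
    'app1 bge 1 113' 'app2 bge 2 113' \
| plan_links | while read -r zone link; do zonecfg_cmd "$zone" "$link"; done
```

A fourth web zone added to the plan as "web4 bge 1 111" is rejected, which is exactly the limit the article describes: on the same subnet, one exclusive zone per VLAN-capable NIC.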
This configuration could look like the following diagram.
Web Server 1, Auth Server 1, and Application Server 1 share the use of NIC1, yet are all on different VLANs (111, 112, and 113, respectively). The same for instances 2 and 3, except that there is no third application server. All traffic between the three web servers will stay within the switch, as will traffic between the authentication servers. Traffic between the tiers is passed between the IP networks by the router. NICg is showing that the global zone also has a network interface.
Using this technique, the maximum number of zones with exclusive IP Instances you could deploy on a single system that are on the same subnet is limited to the number of interfaces that are capable of doing VLAN tagging. In the above example, with three bge interfaces on the system, the maximum number of exclusive zones on a single subnet would be three. (I have intentionally reserved bge0 for the global zone, but it would be possible to use it as well, making sure the global zone uses a different VLAN ID altogether, such as 1 or 2.)
Dear Sir ,
Your article was very good in helping me configure VLANs on Solaris 10 u4 (08/07).
I am configuring on an SF240 and the global zone uses bge0 (IP 172.16.2.190).
Also I configured 2 x big zones / full zones and assigned each zone an exclusive IP and 2 VLANs (VLAN 111 and 222) on the bge0 interface.
bash-3.00# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
2 splunk running /data/splunk native shared
8 zone1 running /zones/zone1 native excl
9 zone2 running /zones/zone2 native excl
bash-3.00# dladm show-link
bge0 type: non-vlan mtu: 1500 device: bge0
bge111000 type: vlan 111 mtu: 1500 device: bge0
bge222000 type: vlan 222 mtu: 1500 device: bge0
bge1 type: non-vlan mtu: 1500 device: bge1
bge2 type: non-vlan mtu: 1500 device: bge2
bge3 type: non-vlan mtu: 1500 device: bge3
I set the IP of bge111000 to 172.16.2.191
and bge222000 to 172.16.2.192
My questions:
1. I cannot ping IP 172.16.2.191 or 172.16.2.192 from the global zone or the outside network.
2. How do I configure VLAN 111 and VLAN 222 so that zone1 and zone2 can communicate with the outside network?
Regards
Hadi
Posted by nyohadi on November 16, 2007 at 03:46 AM EST #
Hi Hadi,
Each VLAN is like a separate switch. VLAN 111 is on one switch, VLAN 222 is on a second switch, and the non-VLAN (bge0) is on a third switch. These switches just happen to be contained in a single piece of hardware and are completely configurable via software.
Therefore, unless you connect the different switches together, systems on any one switch can not communicate with those on any of the other switches. I don't know if there are switches out there that allow you to bridge between VLANs, essentially cascading switches and putting multiple VLANs on the same broadcast domain.
You have several choices. For all zones on network 172.16.2.0/24, use a single VLAN, for example 111, and all four interfaces (bge111000, bge111001, bge111002, and bge111003). Or put them on different subnets, and use a router between them (which is the example I used in the article). Or physically wire the VLANs together; but that is not desirable.
You can not easily use VLANs to make the system look like it has more interfaces on a single switch and broadcast domain.
Hope this helps.
Steffen
Posted by steffen on November 16, 2007 at 08:50 AM EST #
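Steffen's answer comes down to one rule: every VLAN ID (and the untagged link) is its own broadcast domain, so addresses that share a subnet but sit on different VLANs cannot reach each other without a router or a bridge. The following POSIX shell script is an added example, not part of the original post or comments, that applies that rule to a planned layout: it reads "ZONE LINK ADDRESS/PREFIX" lines, works out the IP network and the broadcast domain (derived from the link name) for each, and flags any network that is split across more than one domain. The sample lines reproduce Hadi's layout and the article's three web zones; they are constructed input, not captured from a system.

```shell
#!/bin/sh
# Added example, not from the original article: detect one IP subnet
# spread over several VLANs (separate broadcast domains) before deploying.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    ii_ifs=$IFS; IFS=.; set -- $1; IFS=$ii_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip INT -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# net_of A.B.C.D/LEN -> network address in the same notation, e.g. 172.16.2.0/24
net_of() {
    no_ip=$(ip_to_int "${1%/*}")
    no_len=${1#*/}
    no_mask=$(( (4294967295 << (32 - no_len)) & 4294967295 ))
    echo "$(int_to_ip $(( no_ip & no_mask )))/$no_len"
}

# domain_of LINK -> "vlanNNN" for a VLAN-tagged link name, "untagged" otherwise.
# Solaris 10 encodes the VLAN ID as <driver><VID*1000 + instance>, so the
# trailing number is 1000 or more exactly when the link is tagged.
domain_of() {
    do_num=${1##*[!0-9]}
    if [ "${do_num:-0}" -ge 1000 ]; then echo "vlan$(( do_num / 1000 ))"; else echo untagged; fi
}

# check_reach reads "ZONE LINK ADDRESS/PREFIX" lines on stdin.  Each network
# that appears in more than one broadcast domain is reported as isolated
# and the function returns 1; a layout with nothing to report returns 0.
check_reach() {
    cr_rows=""
    while read -r cr_zone cr_link cr_addr; do
        [ -n "$cr_zone" ] || continue
        cr_rows="$cr_rows$(net_of "$cr_addr") $(domain_of "$cr_link") $cr_zone
"
    done
    printf '%s' "$cr_rows" | sort | awk '
        function report() {
            print "isolated: " last " is split across " n " broadcast domains: " who
            bad = 1
        }
        {
            if ($1 != last) { if (n > 1) report(); last = $1; n = 0; doms = ""; who = "" }
            if (doms !~ ("(^|,)" $2 "(,|$)")) { doms = doms (doms ? "," : "") $2; n++ }
            who = who (who ? "," : "") $3 "(" $2 ")"
        }
        END { if (n > 1) report(); exit bad }'
}

# Demo: Hadi's layout (constructed from the comment above) puts three links
# of 172.16.2.0/24 on three different domains, so nothing can ping anything.
printf '%s\n' \
    'global bge0 172.16.2.190/24' \
    'zone1 bge111000 172.16.2.191/24' \
    'zone2 bge222000 172.16.2.192/24' \
| check_reach || echo "(fix: one VLAN for the whole subnet, or one subnet per VLAN plus a router)"
```

Running the same check on the article's layout (web1 through web3 on bge111001 through bge111003 with 10.1.111.1/24 through 10.1.111.3/24) reports nothing, because the whole subnet lives on VLAN 111.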
Hi,
For french-speaking visitors, I wrote an article on our french wiki about configuring VLAN in Solaris :
http://solaris-fr.org/home/docs/base/reseau/vlan
Posted by Nicolas Dorfsman on December 06, 2007 at 05:17 AM EST #
Can you configure IPMP with this setup? I am guessing IPMP will be set up on the non-VLAN interface...?
Posted by 142.205.240.4 on March 12, 2008 at 04:05 PM EDT #
If you give a zone a dedicated NIC with its own TCP stack and you harden your systems with SUNWJASS
PLEASE TAKE NOTE:
The nddconfig that SUNWJASS sets up to harden the TCP driver WILL NOT run inside a zone by default!!!!! You will have to modify the script. Search for "global" inside nddconfig and remove the exit statement inside the "if" condition statement.
I have opened a case for this problem but Sun is not taking it very seriously.
Posted by Mike DeMarco on September 18, 2008 at 07:03 AM EDT #
The problem with nddconfig and SST (JASS) sounds like this bug:
6727931 SST needs updates to handle exclusive-IP non-global zones
If it is, it has been fixed with 122608-07.
In general it is good practice to run SST (JASS) with the latest patch revision.
- Dan
Posted by Dan Anderson on September 18, 2008 at 12:23 PM EDT #
Hi,
Could someone confirm whether the physical interface allocated to the zone, e.g. bge111001 could be replaced by a sub interface, bge111001:1?
This way a second zone could use bge111001:2 and they would be sharing the same VLAN on the same NIC, and this would scale independently of the number of interfaces?
chrz,
Rob
Posted by Rob Bettinson on January 08, 2010 at 05:30 AM EST #
Hi Rob,
I think you are mixing up data links and IP. bge111001 is a data link, which gets plumbed and otherwise configured via IP. The (logical) :x is an IP means to allow multiple IP addresses on a data link.
A data link is either shared (with the global zone) or exclusive to a zone. Then in that IP Instance you can create multiple logical interfaces, where the first one, :0, has the logical interface number suppressed.
In a roundabout way, no, you cannot use IP logical interfaces to share a data link across exclusive IP Instance zones.
You can create multiple logical interfaces within an exclusive IP Instance zone. That does not address the desire to have more zones with exclusive IP Instances however.
Steffen
steffen . weiberle @ sun . com
Posted by 192.18.128.5 on January 08, 2010 at 02:16 PM EST #