Using Solaris and SPARC Networking and Virtualization

Crossbow is delivered--Traveling VNICs and more

With Solaris Express Community Edition build 105, the initial implementation of Network Virtualization and Resource Control, known as Project Crossbow, is delivered into the main networking code base and available in the distributed images. No need to install additional software! The multi-year effort has reached a major milestone.

The feature I have been waiting for the most is the virtual NICs (VNICs). This allows me to create multiple data links using a single physical network interface, such as on my laptop. Each data link can be assigned to a different zone, and with exclusive IP Instance zones, each zone can have separate IP management and characteristics. The most useful one for me is to have one zone working on the native local network, and another zone with IPsec enabled, for a VPN connection.

Previously, I have demonstrated how to do this with two NICs and with one NIC and VNICs. I also have an example of how to achieve this with VLANs.

Now that Crossbow is integrated, things are much simpler!

Some Specifics

The first thing I did was create a VNIC. Note that the dladm(1M) commands have changed slightly, both in general and for VNICs. To see what physical NICs are available, use show-phys (the subcommand used to be show-dev). On my laptop it looks like this.
global# dladm show-phys
ath0 WiFi down 0 unknown ath0
bge0 Ethernet up 1000 full bge0

Data links are the entities that can be assigned to a zone, so let's see those.
global# dladm show-link
ath0 phys 1500 down --
bge0 phys 1500 up --

Now I create a VNIC.
global# dladm create-vnic -l bge0 vpn0
global# dladm show-link
ath0 phys 1500 down --
bge0 phys 1500 up --
vpn0 vnic 1500 up bge0

I used the basic create-vnic format, where I only specified the -l option naming the device over which to create the VNIC. I let Solaris determine the MAC address, and I did not assign any other properties to the VNIC. The name for a data link must start with letters and end with a number. Thus I chose vpn0 to make it clear to me what I want to use it for. I could have called it vpn123456789, showing that the number part can be quite large.

I now create a zone, and I chose the following configuration.

global# zonecfg -z vpn info
zonename: vpn
zonepath: /zones/vpn
brand: native
autoboot: false
ip-type: exclusive
inherit-pkg-dir:
	dir: /lib
inherit-pkg-dir:
	dir: /platform
inherit-pkg-dir:
	dir: /sbin
inherit-pkg-dir:
	dir: /usr
net:
	address not specified
	physical: vpn0
	defrouter not specified

The key items are the ip-type and physical lines. The zone is an exclusive IP Instance zone, and I only assigned the vpn0 data link to it. The zone is a sparse zone, and inheriting an extra directory for IPsec to work is no longer required (I was curious whether this had been fixed).

After installing (I made a clone of an existing zone) and before booting the zone, I copied into the zone a customized sysidcfg file.

global# cat /zones/vpn/root/etc/sysidcfg
network_interface=PRIMARY {dhcp

Upon booting, the zone gets an IP address via DHCP. This will be useful for being on a variety of networks. When using wireless, I won't have to change the zone's configuration. I will, however, have to recreate vpn0 on top of ath0.
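As an added example (not code from the original post), here is a small POSIX shell script for the "recreate vpn0 on top of ath0" step described above. It reads dladm show-link output, checks that the VNIC exists and that the target is a physical link that is up, and prints the halt, delete-vnic, create-vnic and boot sequence; it only executes those commands when APPLY=1 is set, so the plan can be reviewed before anything changes. The zone name vpn, the five-column layout of the show-link output, and the assumption that the zone must be halted before its data link can be deleted are all taken from (or assumed on the basis of) the output shown on this page.

```shell
#!/bin/sh
# Added example: rebuild a VNIC on whichever physical link is currently up
# (e.g. move vpn0 from bge0 to ath0 when switching from wired to wireless).
# Nothing is executed unless APPLY=1; by default the plan is only printed.

# Read `dladm show-link` output on stdin and print the name of the first
# physical link whose STATE column is "up". Column layout assumed to be:
#   LINK CLASS MTU STATE OVER
up_phys() {
    awk '$2 == "phys" && $4 == "up" { print $1; exit }'
}

# Read `dladm show-link` output on stdin and print the link that VNIC $1
# is built over; prints nothing if no such VNIC exists.
vnic_over() {
    awk -v v="$1" '$1 == v && $2 == "vnic" { print $5; exit }'
}

# plan_move VNIC ZONE TARGET SHOWLINK_OUTPUT
# Print (and with APPLY=1, run) the commands that move VNIC $1, used by
# exclusive-IP zone $2, onto physical link $3. $4 is the text of
# `dladm show-link`, passed in so the checks can be tested offline.
plan_move() {
    vnic=$1; zone=$2; target=$3; links=$4

    cur=$(printf '%s\n' "$links" | vnic_over "$vnic")
    if [ -z "$cur" ]; then
        echo "error: $vnic is not an existing VNIC" >&2
        return 1
    fi
    if [ "$cur" = "$target" ]; then
        echo "$vnic already sits on $target; nothing to do"
        return 0
    fi
    # Refuse to build the VNIC over anything but an up physical link.
    if ! printf '%s\n' "$links" | awk -v t="$target" \
            '$1 == t && $2 == "phys" && $4 == "up" { found = 1 }
             END { exit found ? 0 : 1 }'; then
        echo "error: $target is not an up physical link" >&2
        return 1
    fi
    # Assumption: a running exclusive-IP zone holds its data link, so the
    # zone is halted before the VNIC is deleted and booted again afterwards.
    for cmd in "zoneadm -z $zone halt" \
               "dladm delete-vnic $vnic" \
               "dladm create-vnic -l $target $vnic" \
               "zoneadm -z $zone boot"; do
        echo "$cmd"
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || return 1
        fi
    done
    return 0
}
```

Typical use on the laptop from the post would be `plan_move vpn0 vpn ath0 "$(dladm show-link)"` to see the plan, then the same call with `APPLY=1` in front to carry it out; `up_phys` can supply the third argument automatically when only one physical link is up.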

Now I can happily be on a public network and the corporate network at the same time. This example has me running the VPN inside the non-global zone. However, depending on my needs at the moment, I could have the global zone be VPNed in, and the non-global zone be on the public network. It is just a matter of where I run the VPN software.

global# ifconfig -a4
lo0: flags=2001000849 mtu 8232 index 1
inet netmask ff000000
ath0: flags=201000802 mtu 1500 index 2
inet netmask 0
ether 0:b:6b:80:bc:59
bge0: flags=201004843 mtu 1500 index 3
inet netmask ffffff00 broadcast
ether 0:c0:9f:5b:43:33

vpn# ifconfig -a4
lo0: flags=2001000849 mtu 8232 index 1
inet netmask ff000000
vpn0: flags=201004843 mtu 1500 index 2
inet netmask ffffff00 broadcast
ether 2:8:20:86:53:e3
ip.tun0: flags=10010008d1 mtu 1366 index 3
inet tunnel src tunnel dst
tunnel security settings --> use 'ipsecconf -ln -i ip.tun0'
tunnel hop limit 60
inet --> netmask ffffffff

This demonstrates one of the features of Crossbow. I will now be able to do a lot more with zones, while taking advantage of IP Instances, without needing multiple NICs. This is great for customer demos. I have not covered items such as the virtual switch that is created, or the ability to snoop traffic between zones now, or all the resource monitoring and controls that Crossbow offers. More on that elsewhere and in the future.

P.S. Crossbow affects and works with a lot of the generic LAN driver (GLD) framework, delivers a new MAC interface, utilizes improvements in dladm and in data link naming (vanity naming from Project Clearview), and lots more, and thus amounts to a lot of code changes. There is a high level of interest in getting the VNIC features into Solaris 10. If you have a strong need for that, please add a Service Record using your support channel to Change Request 6790102.
