31 July 2013 21:11

 

I already wrote a similar article about Solaris 11 and Zones (link). Today I will describe how to configure several guest LDoms, with an emphasis on network configuration (several VLANs).

 

 

In this example, there are three LDoms running on dedicated systems that are exposed to the external networks.

  • The control LDom runs in 4 VLANs (front, admin, backup, interconnect) - OS Solaris 11.1
  • Guest LDom 1 runs in 4 VLANs (front, admin, backup, interconnect) - OS Solaris 10u11
  • Guest LDom 2 runs in 3 VLANs (front, admin, backup) - OS Solaris 10u10

 

VLAN information:

  • Vlan id 1 : address 192.168.1.0/24 - front
  • Vlan id 2 : address 192.168.2.0/24 - admin
  • Vlan id 3 : address 192.168.3.0/24 - backup
  • Vlan id 4 : address 192.168.4.0/24 - interconnect


Addresses for the control LDom

  • Vlan id 1 : 192.168.1.10 - defaultrouter 192.168.1.1
  • Vlan id 2 : 192.168.2.10
  • Vlan id 3 : 192.168.3.10
  • Vlan id 4 : 192.168.4.10

 

Let's go... Just wait... The switch side must already be configured (please contact the network team!)

 

 

Step 1: Create the link aggregation and the VLAN configuration on the control LDom

 

My system (SPARC T4-2) has two 10G NICs. There is no network configuration yet (I connect through the ILOM).

 

# dladm show-phys
LINK       MEDIA         STATE      SPEED  DUPLEX    DEVICE
[...]
net8       Ethernet      unknown    0      unknown   ixgbe1
net9       Ethernet      unknown    0      unknown   ixgbe0
[...] 

 

I create a basic link aggregation (I use LACP) over the two NICs.

 

# dladm create-aggr -P L2,L3 -L active -l net8 -l net9 aggr0

 

I quickly check the status of the aggregation.

 

# dladm show-link
LINK       CLASS     MTU    STATE    OVER
[...]
net8       phys      1500   up       --
net9       phys      1500   up       --
[...]
aggr0      aggr      1500   up       net8 net9

 

# dladm show-aggr -x
LINK   PORT  SPEED    DUPLEX  STATE  ADDRESS            PORTSTATE
aggr0    --  10000Mb  full    up     90:xx:xx:xx:xx:x8  --
       net8  10000Mb  full    up     90:xx:xx:xx:xx:x8  attached
       net9  10000Mb  full    up     90:xx:xx:xx:xx:x9  attached

 

Next, I create one VLAN link for each VLAN id.

 

# dladm create-vlan -l aggr0 -v 1 front0
# dladm create-vlan -l aggr0 -v 2 admin0
# dladm create-vlan -l aggr0 -v 3 backup0
# dladm create-vlan -l aggr0 -v 4 interco0 

 

# dladm show-vlan
LINK          VID   OVER      FLAGS
front0        1     aggr0     -----
admin0        2     aggr0     -----
backup0       3     aggr0     -----
interco0      4     aggr0     -----

 

# ipadm create-ip front0
# ipadm create-addr -T static -a local=192.168.1.10/24 front0/v4
# ipadm create-ip admin0
# ipadm create-addr -T static -a local=192.168.2.10/24 admin0/v4
# ipadm create-ip backup0
# ipadm create-addr -T static -a local=192.168.3.10/24 backup0/v4
# ipadm create-ip interco0
# ipadm create-addr -T static -a local=192.168.4.10/24 interco0/v4 

 

# ipadm
NAME           CLASS/TYPE STATE  UNDER  ADDR
admin0         ip         ok     --     --
   admin0/v4   static     ok     --     192.168.2.10/24
backup0        ip         ok     --     --
   backup0/v4  static     ok     --     192.168.3.10/24
front0         ip         ok     --     --
   front0/v4   static     ok     --     192.168.1.10/24
interco0       ip         ok     --     --
   interco0/v4 static     ok     --     192.168.4.10/24
lo0            loopback   ok     --     --
   lo0/v4      static     ok     --     127.0.0.1/8
   lo0/v6      static     ok     --     ::1/128
[...]

 

Don't forget the default route.

 

# route add -p default 192.168.1.1 -ifp front0

 

 

Step 2: Create the virtual switch and a vnet for each guest LDom

 

I create one virtual switch for all VLANs.

 

# ldm add-vswitch net-dev=aggr0 vid=1,2,3 primary-vsw0 primary

 

For guest LDom 1, I create four vnets (see the definition above). Each vnet gets its port VLAN id (pvid) and a device id that is unique within the domain, and all of them attach to the virtual switch created above (primary-vsw0).

 

# ldm add-vnet pvid=1 id=0 vnet0 primary-vsw0 ldom1
# ldm add-vnet pvid=2 id=1 vnet1 primary-vsw0 ldom1
# ldm add-vnet pvid=3 id=2 vnet2 primary-vsw0 ldom1
# ldm add-vnet pvid=4 id=3 vnet3 primary-vsw0 ldom1

 

For guest LDom 2, I create three vnets (see the definition above).

# ldm add-vnet pvid=1 id=0 vnet0 primary-vsw0 ldom2
# ldm add-vnet pvid=2 id=1 vnet1 primary-vsw0 ldom2
# ldm add-vnet pvid=3 id=2 vnet2 primary-vsw0 ldom2
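Before typing the ldm commands of Step 2, it is worth checking the plan once: every pvid must be one of the VLANs defined above, and the device ids must be unique within each domain. The following script is an added example, not code from the post; the VLAN table, domain names and vnet names are taken from the post, and the plan structure (dicts and lists) is my own assumption.

```python
# Added example (not the post's own code): validate the vswitch/vnet plan before
# running ldm, then emit the commands. Names follow the post; the plan structure
# and the checks themselves are assumptions for illustration.

VLANS = {1: "front", 2: "admin", 3: "backup", 4: "interconnect"}   # the post's VLAN table
VSWITCH = {"name": "primary-vsw0", "net_dev": "aggr0"}

# guest domain -> list of (vnet name, port VLAN id), as laid out in the post
GUESTS = {
    "ldom1": [("vnet0", 1), ("vnet1", 2), ("vnet2", 3), ("vnet3", 4)],
    "ldom2": [("vnet0", 1), ("vnet1", 2), ("vnet2", 3)],
}

def check_plan(guests, vlans=VLANS):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for dom, vnets in guests.items():
        names = [name for name, _ in vnets]
        if len(set(names)) != len(names):
            problems.append("%s: duplicate vnet names %s" % (dom, names))
        for name, pvid in vnets:
            if pvid not in vlans:
                problems.append("%s/%s: pvid %d is not a defined VLAN" % (dom, name, pvid))
    return problems

def ldm_commands(guests, vsw=VSWITCH, vlans=VLANS):
    """Emit the ldm commands; every vnet gets a device id that is unique within its domain."""
    vids = ",".join(str(v) for v in sorted(vlans))
    cmds = ["ldm add-vswitch net-dev=%s vid=%s %s primary" % (vsw["net_dev"], vids, vsw["name"])]
    for dom, vnets in guests.items():
        for dev_id, (name, pvid) in enumerate(vnets):
            cmds.append("ldm add-vnet pvid=%d id=%d %s %s %s" % (pvid, dev_id, name, vsw["name"], dom))
    return cmds

if __name__ == "__main__":
    for problem in check_plan(GUESTS):
        print("PROBLEM:", problem)
    if not check_plan(GUESTS):
        print("\n".join(ldm_commands(GUESTS)))
```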

 

 

Conclusion: We hope this step-by-step guide will give you some ideas for future consolidation with Oracle VM for SPARC. With the Oracle Solaris 11 capabilities (aka Crossbow), you can easily set up fairly complex environments, at least as far as the network configuration is concerned.

 

 

Published by gloumps - in network
30 March 2013 22:20

 

Everyone knows that one of the major problems when consolidating Solaris 10 is the network. If each Solaris zone uses a different network (VLAN), the configuration of the global zone becomes a real headache.

 

In Solaris 11, Crossbow effectively addresses this problem. This article explains how to create several Solaris zones, with an emphasis on network configuration (several VLANs).

 

In this example, there are three Solaris zones running on dedicated systems that are exposed to the external networks. Each zone runs in a different VLAN.

  • The global zone runs in VLAN id 1 (Address: 192.168.1.10/24 - Router: 192.168.1.1)
  • The Solaris zone zone1 runs in VLAN id 1 (Address: 192.168.1.11/24 - Router: 192.168.1.1)
  • The Solaris zone zone2 runs in VLAN id 2 (Address: 192.168.2.10/24 - Router: 192.168.2.1)
  • The Solaris zone zone3 runs in VLAN id 3 (Address: 192.168.3.10/24 - Router: 192.168.3.1)
  • Each NIC port used by the aggregation is configured for the different VLANs (VLAN ids 1, 2 and 3)

Let's go... Just wait... The switch side must already be configured (please contact the network team!)

 

 

Step 1: Create link aggregation

 

My system (SPARC M5000) has four NICs. There is no network configuration yet (I connect through the XSCF).

 

# dladm show-phys
LINK       MEDIA         STATE      SPEED  DUPLEX    DEVICE
net1       Ethernet      unknown    0      unknown   bge1
net0       Ethernet      unknown    0      unknown   bge0
net3       Ethernet      unknown    0      unknown   bge3
net2       Ethernet      unknown    0      unknown   bge2

 

I create a basic link aggregation (I don't use LACP) over the four NICs.

 

# dladm create-aggr -P L2,L3 -l net0 -l net1 -l net2 -l net3 default0

 

I quickly check the status of the aggregation.

 

# dladm show-link
LINK          CLASS     MTU    STATE    OVER
net1          phys      1500   up       --
net0          phys      1500   up       --
net3          phys      1500   up       --
net2          phys      1500   up       --
default0      aggr      1500   up       net0 net1 net2 net3

 

Next, I configure an address on this aggregation.

 

# ipadm create-ip default0
# ipadm create-addr -T static -a local=192.168.1.10/24 default0/v4

 

Don't forget the default route.

 

# route add -p default 192.168.1.1 -ifp default0

 

 

Step 2: Create a Solaris zone for cloning

 

It is much faster to clone a Solaris zone than to create one from scratch, because building an image from packages takes longer than, in essence, copying an existing zone. In this example I use the cloning technique: I first create one Solaris zone and then clone it three times.

 

# zfs create -o mountpoint=/zones -o dedup=on rpool/zones
# zfs create -o mountpoint=/zones/zclone rpool/zones/zclone
# chmod 700 /zones/zclone

 

# zonecfg -z zclone
Use 'create' to begin configuring a new zone.
zonecfg:zclone> create
create: Using system default template 'SYSdefault'
zonecfg:zclone> set zonepath=/zones/zclone
zonecfg:zclone> set ip-type=exclusive
zonecfg:zclone> exit

 

# zoneadm -z zclone install
Progress being logged to /var/log/zones/zoneadm.20130329T161207Z.zclone.install
       Image: Preparing at /zones/zclone/root. 
[...] 
  Next Steps: Boot the zone, then log into the zone console (zlogin -C)
              to complete the configuration process.
Log saved in non-global zone as /zones/zclone/root/var/log/zones/zoneadm.20130329T161207Z.zclone.install

 

# zoneadm -z zclone boot ; zlogin -C zclone
[Connected to zone 'zclone' console]
Loading smf(5) service descriptions: 115/115

 

When the system configuration screen of this zone appears on the console, I halt the zone.

 

# zoneadm -z zclone halt

 

 

Step 3: Create the Solaris zone zone1

 

Remember, the Solaris zone zone1 uses the same VLAN as the global zone. First, I create a VNIC over the datalink (default0).

 

# dladm create-vnic -v 1 -l default0 vnic1

 

Next, I create zone1 from the zclone zone (don't forget to create a system configuration profile first, the new sysidcfg).

 

# zonecfg -z zone1 "create -t zclone"
# zonecfg -z zone1
zonecfg:zone1> set zonepath=/zones/zone1
zonecfg:zone1> select anet linkname=net0
zonecfg:zone1:anet> set linkname=vnic1
zonecfg:zone1:anet> set lower-link=default0
zonecfg:zone1:anet> end
zonecfg:zone1> commit
zonecfg:zone1> exit

 

# zoneadm -z zone1 clone -c /tmp/sc_profile1.xml zclone
The following ZFS file system(s) have been created:
    rpool/zones/zone1
Progress being logged to /var/log/zones/zoneadm.20130329T172124Z.zone1.clone
Log saved in non-global zone as /zones/zone1/root/var/log/zones/zoneadm.20130329T172124Z.zone1.clone

 

 

Step 4: Create the Solaris zone zone2

 

The Solaris zone zone2 uses VLAN id 2. First, I create a VNIC over the datalink (default0).

 

# dladm create-vnic -v 2 -l default0 vnic2

 

Next, I create zone2 from the zclone zone (don't forget to create a system configuration profile first, the new sysidcfg). Beware, I use the following anet parameter to configure the VLAN id: vlan-id.

 

# zonecfg -z zone2 "create -t zclone"
# zonecfg -z zone2
zonecfg:zone2> set zonepath=/zones/zone2
zonecfg:zone2> select anet linkname=net0
zonecfg:zone2:anet> set linkname=vnic2
zonecfg:zone2:anet> set lower-link=default0
zonecfg:zone2:anet> set vlan-id=2
zonecfg:zone2:anet> end
zonecfg:zone2> commit
zonecfg:zone2> exit

 

# zoneadm -z zone2 clone -c /tmp/sc_profile2.xml zclone
The following ZFS file system(s) have been created:
    rpool/zones/zone2
Progress being logged to /var/log/zones/zoneadm.20130329T174913Z.zone2.clone
Log saved in non-global zone as /zones/zone2/root/var/log/zones/zoneadm.20130329T174913Z.zone2.clone

 

 

Step 5: Create the Solaris zone zone3

 

It's the same configuration as zone2; the only change is the VLAN id. This zone uses VLAN id 3.

 

# dladm create-vnic -v 3 -l default0 vnic3

 

# zonecfg -z zone3 "create -t zclone"
# zonecfg -z zone3
zonecfg:zone3> set zonepath=/zones/zone3
zonecfg:zone3> select anet linkname=net0
zonecfg:zone3:anet> set linkname=vnic3
zonecfg:zone3:anet> set lower-link=default0
zonecfg:zone3:anet> set vlan-id=3
zonecfg:zone3:anet> end
zonecfg:zone3> commit
zonecfg:zone3> exit

 

# zoneadm -z zone3 clone -c /tmp/sc_profile3.xml zclone
The following ZFS file system(s) have been created:
    rpool/zones/zone3
Progress being logged to /var/log/zones/zoneadm.20130329T175707Z.zone3.clone
Log saved in non-global zone as /zones/zone3/root/var/log/zones/zoneadm.20130329T175707Z.zone3.clone
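Steps 3 to 5 differ only in the VLAN id and in whether vlan-id is set on the anet resource (it is not for zone1, which shares the untagged VLAN of the global zone). The script below is an added example, not the post's own code: it checks the zone table (router inside the zone's subnet, no duplicate address) and produces the zonecfg commands for each zone as a command file usable with zonecfg -f. The zone table and the GLOBAL_VLAN constant are my own assumptions built from the post's values.

```python
import ipaddress

# Constructed plan matching the post's layout (not the post's own configuration file)
GLOBAL_VLAN = 1
ZONES = [
    {"name": "zone1", "vlan": 1, "addr": "192.168.1.11/24", "router": "192.168.1.1"},
    {"name": "zone2", "vlan": 2, "addr": "192.168.2.10/24", "router": "192.168.2.1"},
    {"name": "zone3", "vlan": 3, "addr": "192.168.3.10/24", "router": "192.168.3.1"},
]

def check_zones(zones):
    """Return problems: router outside the zone's subnet, or an address used twice."""
    problems, seen_addr = [], set()
    for zone in zones:
        net = ipaddress.ip_interface(zone["addr"]).network
        if ipaddress.ip_address(zone["router"]) not in net:
            problems.append("%s: router %s not in %s" % (zone["name"], zone["router"], net))
        if zone["addr"] in seen_addr:
            problems.append("%s: duplicate address %s" % (zone["name"], zone["addr"]))
        seen_addr.add(zone["addr"])
    return problems

def zonecfg_script(zone, lower_link="default0", template="zclone"):
    """zonecfg commands for one zone cloned from the template (assumed vnic name vnic<vlan>).
    vlan-id is only set when the zone is not on the global zone's untagged VLAN, as in the post."""
    vnic = "vnic%d" % zone["vlan"]
    lines = ["create -t %s" % template,
             "set zonepath=/zones/%s" % zone["name"],
             "select anet linkname=net0",
             "set linkname=%s" % vnic,
             "set lower-link=%s" % lower_link]
    if zone["vlan"] != GLOBAL_VLAN:
        lines.append("set vlan-id=%d" % zone["vlan"])
    lines += ["end", "commit", "exit"]
    return lines

if __name__ == "__main__":
    for problem in check_zones(ZONES):
        print("PROBLEM:", problem)
    for zone in ZONES:
        print("# zonecfg -z %s -f %s.cfg" % (zone["name"], zone["name"]))
        print("\n".join(zonecfg_script(zone)))
```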

 

 

Step 6: Start all Solaris zones

 

My configuration is finished. I just start all the zones.

 

# zoneadm list -cv
  ID NAME      STATUS     PATH               BRAND    IP   
   0 global    running    /                  solaris  shared
   - zclone    installed  /zones/zclone      solaris  excl 
   - zone1     installed  /zones/zone1       solaris  excl 
   - zone2     installed  /zones/zone2       solaris  excl 
   - zone3     installed  /zones/zone3       solaris  excl 

 

# zoneadm -z zone1 boot ; zoneadm -z zone2 boot ; zoneadm -z zone3 boot

 

 

Conclusion: We hope this step-by-step guide will give you some ideas for future consolidation. With the Oracle Solaris 11 capabilities, you can easily set up fairly complex environments.

 

 

Published by gloumps - in network
16 April 2010 19:15

 

Let's see what the CDP protocol (Cisco Discovery Protocol) gives us when we capture one of its packets from a server. Follow the white rabbit...

 

Cisco equipment uses a network discovery protocol named CDP. I won't go into the details of this protocol, but it is thanks to it that we can retrieve the following information:

 

# snoop -d bnx0 -o /tmp/snoop -s 400 -c 1 ether dst 1:0:c:cc:cc:cc and ether[20:2]=0x2000
Using device /dev/bnx0 (promiscuous mode)
1 1 packets captured

# strings /tmp/snoop
snoop
KEj
**a:
"myswitch.domain.com
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH2, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Sat 29-Mar-08 13:28 by prod_rel_team
cisco WS-C6509-E
GigabitEthernet4/27

 

This notably gives you the name of the switch and the port the server is connected to. It also works with the tcpdump command (just add the verbose option).
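The snoop filter above selects CDP by its multicast destination and by the SNAP protocol id 0x2000 found at byte offset 20 (after the 14-byte Ethernet header, the 3-byte LLC header and the 3-byte OUI). The parser below is an added example, not code from the post: it applies the same test, walks the CDP TLVs (device id, port id, software version, platform) and verifies the checksum. The sample frame is constructed from the strings shown above, not a real capture, and the TLV type numbers are the standard CDP ones.

```python
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")
SNAP_CDP = b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"   # LLC/SNAP header: Cisco OUI 00:00:0c, PID 0x2000
TLV_NAMES = {0x0001: "device_id", 0x0003: "port_id", 0x0005: "software_version", 0x0006: "platform"}

def cdp_checksum(data):
    """Ones' complement checksum over the CDP payload (RFC 1071 zero padding is assumed for an
    odd length; Cisco devices are known to handle the odd trailing byte differently)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_cdp(frame):
    """Return header fields and TLVs of a CDP frame, or None if the frame is not CDP."""
    # Same test as the post's snoop filter: dst 01:00:0c:cc:cc:cc and SNAP PID 0x2000 at offset 20
    if len(frame) < 26 or frame[0:6] != CDP_MULTICAST or frame[20:22] != b"\x20\x00":
        return None
    payload = frame[22:]
    version, ttl, _ = struct.unpack("!BBH", payload[:4])
    info = {"version": version, "ttl": ttl, "checksum_ok": cdp_checksum(payload) == 0, "tlvs": {}}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[off:off + 4])
        if length < 4 or off + length > len(payload):
            break  # malformed TLV: stop instead of looping forever
        value = payload[off + 4:off + length]
        info["tlvs"][TLV_NAMES.get(tlv_type, "0x%04x" % tlv_type)] = value.decode("ascii", "replace")
        off += length
    return info

def build_sample_frame():
    """Constructed CDP frame mirroring the strings the post extracted (not a real capture)."""
    tlvs = b"".join(struct.pack("!HH", t, 4 + len(v)) + v for t, v in [
        (0x0001, b"myswitch.domain.com"), (0x0005, b"Cisco IOS Software, Version 12.2(33)SXH2"),
        (0x0006, b"cisco WS-C6509-E"), (0x0003, b"GigabitEthernet4/27")])
    body = struct.pack("!BBH", 2, 180, 0) + tlvs              # version 2, TTL 180 s, checksum placeholder
    body = body[:2] + struct.pack("!H", cdp_checksum(body)) + body[4:]
    # 802.3 length field covers the LLC/SNAP header (8 bytes) plus the CDP payload
    return CDP_MULTICAST + bytes.fromhex("001122334455") + struct.pack("!H", 8 + len(body)) + SNAP_CDP + body
```

Since CDP is unauthenticated, a parsed device id or port id is only as trustworthy as the segment it was captured on; the checksum detects corruption, not tampering.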

Published by gloumps - in network
17 March 2008 21:58

 

Without going into the details of firewall configuration in Solaris 10, this article lets you configure ipfilter when an IPMP configuration is already present. The details are below:

 

IPMP configuration

 

Take a Solaris server of type V40z with two bge interfaces.

 

# cat /etc/hostname.bge0
host01 deprecated -failover netmask + broadcast + group ipmp1
addif host netmask + broadcast + up

# cat /etc/hostname.bge1
host02 deprecated -failover netmask + broadcast + group ipmp1

# cat /etc/inet/hosts
...
192.168.1.10   host host.domain.com   loghost
192.168.1.11   host01 host01.domain.com
192.168.1.12   host02 host02.domain.com

 

ipfilter configuration

 

Solaris 10 update 2 case

 

To configure ipfilter together with IPMP, you must use the pfil driver.

 

# cat /etc/ipf/pfil.ap
...
#e1000g   -1    0    pfil
bge       -1    0    pfil
...

 

Changing the /etc/ipf/pfil.ap file requires stopping and restarting the module (or, more simply, the server). Don't forget to enable the SMF service.

 

# svcadm enable svc:/network/pfil:default
# svcs svc:/network/pfil:default
STATE          STIME    FMRI
online         Oct_03   svc:/network/pfil:default

 

You must create a group (named ipmp1 here, the same as the IPMP group name) and assign both network cards to it. The qif_ipmp_set parameter is write-only, so it is set with ndd -set.

 

# ndd -set /dev/pfil qif_ipmp_set ipmp1=bge0,bge1

 

The check is done this way:


# ndd -get /dev/pfil qif_ipmp_status
ifname members
ipmp1 bge0,bge1

# ndd -get /dev/pfil qif_status
ifname ill q OTHERQ ipmp num sap hl nr nw bad copy copyfail drop notip nodata notdata
ipmp1 0 0 0 0 0 800 0 0 0 0 0 0 0 0 0 0
QIF3 0 ffffffff882e7050 ffffffff882e7148 0 3 806 0 1633203 106184 0 0 0 0 0 0 0
bge1 ffffffff88121540 ffffffff8824d568 ffffffff8824d660 ffffffff9e14c580 2 800 14 9627709772 18921021835 0 3638 0 3638 0 0 0
QIF1 0 ffffffff8824f7f0 ffffffff8824f8e8 0 1 806 0 0 17 0 0 0 0 0 0 0
bge0 ffffffff880ad1c0 ffffffff8814d7e8 ffffffff8814d8e0 ffffffff9e14c580 0 800 14 0 0 0 0 0 0 0 0 0

 

To display all the options of the pfil driver:

 

# ndd -get /dev/pfil ?

?                        (read only)
pfildebug                (read and write)
pfil_delayed_copy        (read and write)
pfil_interface           (read only)
qif_status               (read only)
sill_status              (read only)
qif_ipmp_status          (read only)
qif_ipmp_set             (write only)
qif_verbose              (read and write)
pfil_inet4               (read only)
pfil_inet6               (read only)
pfil_sync                (read only)

 

Solaris 10 update 3 case


The pfil driver no longer exists from Solaris 10 update 3 onwards. You must use the ipmp_hook_emulation option of the ip driver instead.

 

# ndd -get /dev/ip ipmp_hook_emulation
0
# ndd -set /dev/ip ipmp_hook_emulation 1
# ndd -get /dev/ip ipmp_hook_emulation
1

 

Validation in ipfilter

The firewall rules must reference the IPMP group name (note that for Solaris 10 update 2 it is the pfil group name that must be given). The ipmon daemon must be running to see the logs.

 

# tail -f /var/adm/ipfilter.log

12/03/2008 08:48:27.432715 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
12/03/2008 08:48:29.444544 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
12/03/2008 08:48:33.468254 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
12/03/2008 08:48:41.515359 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
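The ipmon lines above carry everything needed to confirm that the rules really match on the group name: the interface field (ipmp1), the rule (@group:number), the action (b for block, p for pass), the 5-tuple and the direction. The parser below is an added example, not the post's own tooling: it turns such lines into records, counts blocked flows per rule, and reports packets logged on an interface other than the IPMP group. The sample lines are constructed in the same format as the post's log (the bge0 pass line is added to exercise those cases).

```python
import re
from collections import Counter

# Constructed sample in the ipmon format the post shows (not the post's own log);
# the bge0 "p" line is added to exercise the pass action and the interface check.
SAMPLE_LOG = """\
12/03/2008 08:48:27.432715 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
12/03/2008 08:48:29.444544 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
12/03/2008 08:48:33.468254 bge0 @0:12 p 192.168.1.100,51234 -> 192.168.1.10,22 PR tcp len 20 60 -S IN
12/03/2008 08:48:41.515359 ipmp1 @0:117 b 192.168.1.10,3200 -> 192.168.1.100,4976 PR tcp len 20 40 -R OUT
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[A-Za-z]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\w+) "
    r"len (?P<hlen>\d+) (?P<len>\d+)(?: (?P<flags>-\S+))? (?P<dir>IN|OUT)$")

def parse_ipmon(text):
    """Parse ipmon lines into dicts; lines that do not match the pattern are returned separately."""
    records, unparsed = [], []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            if line.strip():
                unparsed.append(line)
            continue
        rec = match.groupdict()
        for key in ("sport", "dport", "hlen", "len"):
            rec[key] = int(rec[key])
        rec["rule"] = "%s:%s" % (rec["group"], rec["rule"])   # e.g. "0:117", as printed after the @
        records.append(rec)
    return records, unparsed

def blocked_flows(records, ipmp_group="ipmp1"):
    """Count blocked packets per (rule, src, dst, dport, proto) and list the interface names that
    are not the IPMP group, since the rules are written against the group name."""
    counts, other_ifs = Counter(), []
    for rec in records:
        if rec["ifname"] != ipmp_group:
            other_ifs.append(rec["ifname"])
        if rec["action"] == "b":
            counts[(rec["rule"], rec["src"], rec["dst"], rec["dport"], rec["proto"])] += 1
    return counts, other_ifs
```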


Published by gloumps - in network