Jim Walker wrote:
> The problem I'm seeing is other systems on the 10.10.46.0 network
> are using 10.10.46.128 as their router.
>
> Is there a way to limit routing to just the internal virtual network?

Can you provide more details on what the problem is?

Is the problem that systems on 10.10.46.0/24 are acquiring routes pointing to .128 as a router (default or otherwise)? If so, then that implies that you want to disable routing advertisements on that interface, or perhaps all advertising. How do you have your routing protocols configured?

Is the problem that there are systems on the 10.10.46.0/24 network that have (maliciously?) set .128 as a next hop gateway for routes, and you don't want them to be _able_ to use this system that way? If so, then I think you're probably looking at configuring IP Filter to exclude the "unwanted" traffic.

Is the problem that you have packets forwarding through 10.10.46.0/24 on this system, and that's just fine, but you don't want _certain_ remote destinations to be reachable through there? If so, then that might be a configuration issue on those other systems, or a routing protocol configuration problem, or perhaps yet another usage case for IP Filter.

Please clarify and provide specific examples of the issues you see.

> If I use this command "# ifconfig nge0 -router" to disable the
> physical network the virtual router is also disabled.

The "-router" option turns off IFF_ROUTER, which disables all IP forwarding on that interface. It's the modern equivalent of the old "ndd -set /dev/ip nge0:ip_forwarding 0" mechanism.

--
James Carlson 42.703N 71.076W <carlsonj at workingcode.com>

I have a network using crossbow like this:

-bash-4.0$ dladm show-link
LINK         CLASS      MTU    STATE    BRIDGE   OVER
nge0         phys       1500   up       --       --
nge1         phys       1500   down     --       --
vtfswitch0   etherstub  1500   unknown  --       --
vtfrouter2   vnic       1500   up       --       vtfswitch0
vtfvnic3     vnic       1500   up       --       vtfswitch0

vtfvnic3 (192.168.0.3) is used by a VirtualBox instance, and vtfrouter2 (192.168.0.2) is used as the router back to the host physical network.

Here's more on the nics:

-bash-4.0$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
nge0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 10.10.46.128 netmask ffffff00 broadcast 10.10.46.255
nge1: flags=1000802<BROADCAST,MULTICAST,IPv4> mtu 1500 index 3
        inet 0.0.0.0 netmask 0
vtfrouter2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 7
        inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
nge0: flags=2000841<UP,RUNNING,MULTICAST,IPv6> mtu 1500 index 2
        inet6 fe80::214:4fff:fe9a:9b82/10
nge0:1: flags=2080841<UP,RUNNING,MULTICAST,ADDRCONF,IPv6> mtu 1500 index 2
        inet6 2002:a0a:2ea5:1:214:4fff:fe9a:9b82/64

The problem I'm seeing is other systems on the 10.10.46.0 network are using 10.10.46.128 as their router.

Is there a way to limit routing to just the internal virtual network?

If I use this command "# ifconfig nge0 -router" to disable the physical network the virtual router is also disabled.

Cheers,
Jim

James Carlson wrote:
> Jim Walker wrote:
>> The problem I'm seeing is other systems on the 10.10.46.0 network
>> are using 10.10.46.128 as their router.
>>
>> Is there a way to limit routing to just the internal virtual network?
>
> Can you provide more details on what the problem is?
>
> Is the problem that systems on 10.10.46.0/24 are acquiring routes
> pointing to .128 as a router (default or otherwise)? If so, then that
> implies that you want to disable routing advertisements on that
> interface, or perhaps all advertising. How do you have your routing
> protocols configured?

Systems using dhcp on the 10.10.46.0 subnet are picking up .128 as a router.

-bash-4.0$ routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
               IPv4 routing   enabled              enabled
               IPv6 routing   disabled             disabled
            IPv4 forwarding   enabled              enabled
            IPv6 forwarding   disabled             disabled

           Routing services   "route:default ripng:default"

Routing daemons:

                      STATE   FMRI
                   disabled   svc:/network/routing/ripng:default
                   disabled   svc:/network/routing/legacy-routing:ipv4
                   disabled   svc:/network/routing/legacy-routing:ipv6
                     online   svc:/network/routing/ndp:default
                   disabled   svc:/network/routing/rdisc:default
                     online   svc:/network/routing/route:default
-bash-4.0$

> Is the problem that there are systems on the 10.10.46.0/24 network that
> have (maliciously?) set .128 as a next hop gateway for routes, and you
> don't want them to be _able_ to use this system that way? If so, then I
> think you're probably looking at configuring IP Filter to exclude the
> "unwanted" traffic.

It is happening automatically. But, we could use this if other methods don't work.

> Is the problem that you have packets forwarding through 10.10.46.0/24 on
> this system, and that's just fine, but you don't want _certain_ remote
> destinations to be reachable through there? If so, then that might be a
> configuration issue on those other systems, or a routing protocol
> configuration problem, or perhaps yet another usage case for IP Filter.
>
> Please clarify and provide specific examples of the issues you see.

That's not the problem.

>> If I use this command "# ifconfig nge0 -router" to disable the
>> physical network the virtual router is also disabled.
>
> The "-router" option turns off IFF_ROUTER, which disables all IP
> forwarding on that interface. It's the modern equivalent of the old
> "ndd -set /dev/ip nge0:ip_forwarding 0" mechanism.

We need something a bit more specific.

Cheers,
Jim
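
The packet-filter option raised in this thread, modelled in Python as an added example (not code from either poster, and not ipf.conf syntax): a first-match policy for packets arriving on nge0 that keeps forwarding toward the 192.168.0.0/24 etherstub network and drops other transit traffic. The rule list, the `decide` helper and the sample packets are assumptions constructed from the addresses shown in the thread.

```python
import ipaddress

# Assumed policy for IPv4 packets ARRIVING on nge0; first match wins.
# Addresses come from the thread; the rule format is this example's own.
RULES = [
    ("pass",  "10.10.46.128/32"),     # traffic addressed to the host itself
    ("pass",  "10.10.46.255/32"),     # subnet broadcast
    ("pass",  "255.255.255.255/32"),  # limited broadcast (e.g. DHCP)
    ("pass",  "224.0.0.0/4"),         # multicast
    ("pass",  "192.168.0.0/24"),      # transit toward the VMs behind vtfrouter2
    ("block", "0.0.0.0/0"),           # everything else: unwanted transit
]

def decide(dst, rules=RULES):
    """Return 'pass' or 'block' for a packet received on nge0 with this destination."""
    d = ipaddress.ip_address(dst)
    for action, net in rules:
        if d in ipaddress.ip_network(net):
            return action
    return "block"  # default deny if no rule matched

# Constructed sample packets: (description, source, destination).
SAMPLES = [
    ("LAN host talking to the Solaris host",      "10.10.46.20",  "10.10.46.128"),
    ("LAN host reaching the VirtualBox guest",    "10.10.46.20",  "192.168.0.3"),
    ("reply from outside to the guest (no NAT)",  "198.51.100.7", "192.168.0.3"),
    ("DHCP client broadcast",                     "0.0.0.0",      "255.255.255.255"),
    ("LAN host using .128 as its default router", "10.10.46.20",  "198.51.100.7"),
]

def audit(samples=SAMPLES):
    """Apply the policy to each sample and return (description, decision) pairs."""
    return [(desc, decide(dst)) for desc, _src, dst in samples]

if __name__ == "__main__":
    for desc, verdict in audit():
        print(f"{verdict:5}  {desc}")
```

Only the last sample is blocked, which is the case where a DHCP client on 10.10.46.0/24 sends off-subnet traffic through .128; IFF_ROUTER stays set on both nge0 and vtfrouter2, so routing for the virtual network keeps working.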