External Network Connectivity w/Oracle VM Server for SPARC & Solaris 11

Hello all, thanks for reading my question:

So I've been a Unix/Linux SysAdmin for a couple years, and I'm a bit over my head running solo, trying to set up LDoms using Oracle VM Server 3.1 for SPARC. I've been very careful, and things have gone well up until the point I try to access the new virtual machines from the regular network.

I found the section in the Oracle VM Server 3.1 for SPARC Administration Manual that talks about enabling external connectivity; however, it's very vague and provides no examples. (It won't let me post a link to it from here yet - sorry.) I did my best to follow the instructions, but I'm having zero luck getting from the virtual machine to the rest of my network and vice versa.

Can anyone help with where I can find an example of getting this to work? I feel like I've looked everywhere. Everything I've tried isn't working. Here's what I have so far:

1) I have the physical machine (primary domain) connected just fine to my network, no issues connecting, etc. The primary physical NIC is set up on net0. It has an IP address.

2) I created an etherstub (stub0) exactly as mentioned in step 1 of the manual.

3) I created a virtual switch (primary-stub-vsw0) on the etherstub (exactly as depicted in step 2).

4) I created a virtual NIC (vnic0) on the etherstub (exactly like step 3).

5) I configured vnic0 and gave it a private IP address not in use anywhere on my network (similar to step 4, but I used 192.168.3.2 for the IP)

ipadm shows the following:

NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/v4        static     ok           --         10.12.20.86/24
net1              ip         down         --         --
net2              ip         down         --         --
net3              ip         down         --         --
vnic0             ip         ok           --         --
   vnic0/v4       static     ok           --         192.168.3.2/24

dladm shows the following:

net1                phys      1500   up       --
net2                phys      1500   up       --
net3                phys      1500   up       --
net0                phys      1500   up       --
net5                phys      1500   up       --
stub0               etherstub 1500   unknown  --
vnic0               vnic      1500   up       stub0
ldoms-vsw1.vport0   vnic      1500   up       stub0

and the network sections of ldm list-bindings show:

NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-cv-  SP      2     8G       0.7%  31d 2h 22m
...
VSW
    NAME             MAC               NET-DEV   ID   DEVICE     LINKPROP   DEFAULT-VLAN-ID PVID VID                  MTU   MODE   INTER-VNET-LINK
    primary-stub-vsw0 00:14:4f:fb:c9:5b stub0     1    switch@1              1               1                         1500         on
        PEER                        MAC               PVID VID                  MTU   MAXBW      LINKPROP   INTERVNETLINK
        vnet0@test1                 00:14:4f:fa:c6:d1 1                         1500

------------------------------------------------------------------------------
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
test1            active     -n----  5000    8     8G       0.1%  7d 21h 10m
...
NETWORK
    NAME             SERVICE                     ID   DEVICE     MAC               MODE   PVID VID                  MTU   MAXBW      LINKPROP
    vnet0            primary-stub-vsw0@primary   1    network@1  00:14:4f:fa:c6:d1        1                         1500
        PEER                        MAC               MODE   PVID VID                  MTU   MAXBW      LINKPROP
        primary-stub-vsw0@primary   00:14:4f:fb:c9:5b        1                         1500

6) I turned on packet forwarding globally. Results of ipadm show-prop -p forwarding ip:

PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
ipv4  forwarding            rw   on           on           off          on,off
ipv6  forwarding            rw   off          --           off          on,off

7) I set up some NAT rules to forward all packets from the vnic0 to net0. Content of /etc/ipf/ipnat.conf:

map vnic0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
map vnic0 192.168.3.0/24 -> 0/32

...and output of ipnat -l:

List of active MAP/Redirect filters:
map net0 192.168.3.0/24 -> 0.0.0.0/32 portmap tcp/udp auto
map net0 192.168.3.0/24 -> 0.0.0.0/32

List of active sessions:

8) On my LDom (test1), I set up the NIC and gave it an IP address in the schema of our network. Output of ipadm on the LDom is as follows:

NAME              CLASS/TYPE STATE        UNDER      ADDR
lo0               loopback   ok           --         --
   lo0/v4         static     ok           --         127.0.0.1/8
   lo0/v6         static     ok           --         ::1/128
net0              ip         ok           --         --
   net0/v4        static     ok           --         10.10.20.178/24

dladm shows:

LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --

9) I set up a default route on the LDom with route -p add default 10.12.20.1
netstat -nr shows:

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.10.20.1           UG        2       3122
10.10.20.0           10.10.20.178         U         3         11 net0
127.0.0.1            127.0.0.1            UH        2         83 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2       0 lo0

...but despite all this, I can't go anywhere or do anything. I can't ping the primary domain from the LDOM, I can't ping the LDOM from the primary domain, etc.

Does anyone have any insight? I would greatly appreciate the assist. Been stuck at this spot for over a week now.

Thanks in advance!

-Lyxix
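The procedure in the post above, written out as an added example; these are not the poster's own commands and not text from the Oracle manual. It assumes the names the post uses (stub0, vnic0, primary-stub-vsw0, net0 as the external interface, guest domain test1) and a constructed guest address of 192.168.3.10/24. Two points follow from the post's own output: the vnet is attached to stub0, so the only host it can reach directly is vnic0 at 192.168.3.2, which is why the guest's address and default route are kept inside 192.168.3.0/24 here; and the NAT map rules name the interface packets leave through (net0, as the post's ipnat -l listing shows), not the interface they arrive on. The same_subnet and check_guest_plan functions are plain POSIX arithmetic, so they run anywhere; they reject a plan that puts the guest on 10.10.20.0/24 with gateway 10.10.20.1 behind a vnic on 192.168.3.2/24. The ldm, dladm, ipadm and svcadm calls only run when APPLY is set, so the script can be executed for review on any machine.

```shell
#!/bin/sh
# Added example (not the forum post's commands): etherstub + vsw + vnic + NAT
# for an Oracle VM Server for SPARC guest on a Solaris 11 primary domain.
# Assumed names: stub0, vnic0, primary-stub-vsw0, net0 (external), guest "test1".
# Constructed addresses: 192.168.3.2/24 for vnic0, 192.168.3.10/24 for the guest.

EXT_IF=net0
STUB=stub0
VNIC=vnic0
VSW=primary-stub-vsw0
GUEST=test1
PRIV_NET=192.168.3.0/24
VNIC_ADDR=192.168.3.2/24
GUEST_ADDR=192.168.3.10/24   # must sit inside PRIV_NET
GUEST_GW=192.168.3.2         # the vnic0 address: the only host the vnet can reach

# Dotted quad -> 32-bit integer (subshell body so the IFS change does not leak).
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# same_subnet CIDR ADDR: succeeds when ADDR lies inside the subnet given by CIDR.
same_subnet() {
    ss_prefix=${1#*/}
    ss_mask=$(( (4294967295 << (32 - ss_prefix)) & 4294967295 ))
    [ $(( $(ip_to_int "${1%/*}") & ss_mask )) -eq $(( $(ip_to_int "$2") & ss_mask )) ]
}

# check_guest_plan PRIV_NET VNIC_ADDR GUEST_ADDR GUEST_GW
# Preflight: the guest address and its gateway must both be inside the private
# subnet served by the vnic, and the gateway must be the vnic's own address.
check_guest_plan() {
    same_subnet "$1" "${3%/*}" || { echo "guest address $3 is outside $1" >&2; return 1; }
    same_subnet "$1" "$4"      || { echo "gateway $4 is outside $1" >&2; return 1; }
    [ "$4" = "${2%/*}" ]       || { echo "gateway should be the vnic address ${2%/*}" >&2; return 1; }
}

configure_primary() {
    # Steps 1-3 of the post: etherstub, virtual switch on it, vnic on it.
    dladm create-etherstub "$STUB"
    ldm add-vsw net-dev="$STUB" "$VSW" primary
    dladm create-vnic -l "$STUB" "$VNIC"
    # Step 5: address the vnic; this address is the guests' default gateway.
    ipadm create-ip "$VNIC"
    ipadm create-addr -T static -a "$VNIC_ADDR" "$VNIC/v4"
    # Step 6: let the primary domain route between vnic0 and net0.
    ipadm set-prop -p forwarding=on ipv4
    # Step 7: NAT the private subnet out through the external interface.
    cat > /etc/ipf/ipnat.conf <<EOF
map $EXT_IF $PRIV_NET -> 0/32 portmap tcp/udp auto
map $EXT_IF $PRIV_NET -> 0/32
EOF
    svcadm enable network/ipfilter
    # Give the guest a vnet on the switch (guest unbound, or via dynamic reconfig).
    ldm add-vnet vnet0 "$VSW" "$GUEST"
}

configure_guest() {
    # Steps 8-9, run inside the guest domain where the vnet appears as net0.
    ipadm create-ip net0
    ipadm create-addr -T static -a "$GUEST_ADDR" net0/v4
    route -p add default "$GUEST_GW"
}

# The preflight always runs; the Solaris commands only run with APPLY=primary or APPLY=guest.
check_guest_plan "$PRIV_NET" "$VNIC_ADDR" "$GUEST_ADDR" "$GUEST_GW" || exit 1
case ${APPLY:-} in
    primary) configure_primary ;;
    guest)   configure_guest ;;
esac
```

Run it once with APPLY=primary on the primary domain and once with APPLY=guest inside test1; without APPLY it only performs the address check, which is the part worth running before touching a live system.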

Wow!! Firstly, thanks for providing comprehensive information; it's usually what's missing from complex issues on the forums. So 10 out of 10 for that.

The first thing that comes to mind is that Solaris 11 is a world away from Solaris 10 (and earlier) with regard to network setup. So are you sure that the documentation that you've been following is for Solaris 11?

I'll take time to study the information you've posted.

Meantime some reading:

http://www.alekz.net/archives/449

Post back any progress (or lack of).

hicksd8,

Thanks for the reply. The documentation from Oracle is very specific as to what steps apply to Sol11, and which apply to Sol10. I have definitely been following the Sol11 steps. My steps include the use of ipadm and dladm, which are exclusive to Sol11. Thanks for the suggestion, though. I hope you get a chance to study my issue and can provide some insight. I'm definitely stuck - no idea what else to try.

Thanks!

-Lyxix

I've had a good look through your post but I admit that I am confused.

Your primary domain (physical machine) works fine you say.

How many VMs have you created?

Have you designed your virtual network interfaces to these VM's?

Can you please explain what the 3 subnets 10.12.20, 10.10.20 and 192.168.3 are?

There's only 1 VM right now, I simply named it "test". I have to get the test working before I start virtualizing my old systems.

Steps 8 and 9 refer to the setting up of the virtual network on the "test" LDom.

10.12.20 and 10.10.20 are both subnets on our internal network. 192.168.3 is a subnet I used for the Virtual NIC on the primary domain because the manual said to use a private subnet that is not in use anywhere else on the network. That is not in use anywhere else on the network. I just picked the first IP (didn't want to use .1 because that would theoretically be for a router I imagine - my networking skills are limited).

Does that answer your questions? My guess is I don't understand something with the subnets or IP's or whatnot and that's the problem, but I have no idea what. If I didn't put it in my steps, I probably didn't do it.

Thanks again!

-Lyxix

Haven't made any progress, unfortunately. Does anybody have any ideas that can help out? I'm not sure why this is so difficult, but I'm not having any luck.

Thanks!

Really sorry to hear that you're not making any progress.

A link to a Hands On Lab video which, if you have a spare machine, I suggest that you copy in its entirety.
Hands on Lab - Oracle Solaris 11 Networking and Virtualization - YouTube

Lyxix, not sure if this is still an issue. I am trying to accomplish a similar thing, namely, to create a private virtual network of ldoms on a Solaris 11 host, but with IP forwarding and NAT so they can reach the external network.

At the end of your step 7, try enabling the ipfilter service like this:

svcadm enable network/ipfilter


I am still having this issue - still stuck without network accessibility for my LDOMs.

I did verify that ipfilter was on:

root@scphys4:~# svcs | grep ipfilter
online         Nov_22   svc:/network/ipfilter:default

Thanks for the suggestion, though!

First, my setup from the bottom up:

dladm show-phys

LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net1              Ethernet             down       0      unknown   igb1
net12             Ethernet             down       0      unknown   nxge3
Xgb2              Ethernet             up         10000  full      ixgbe2
Xgb3              Ethernet             down       0      unknown   ixgbe3
net10             Ethernet             down       0      unknown   nxge1
net11             Ethernet             down       0      unknown   nxge2
net0              Ethernet             down       0      unknown   igb0
Xgb1              Ethernet             down       0      unknown   ixgbe1
net9              Ethernet             down       0      unknown   nxge0
Xgb0              Ethernet             up         10000  full      ixgbe0
net13             Ethernet             down       0      unknown   nxge7
net15             Ethernet             down       0      unknown   nxge5
net17             Ethernet             down       0      unknown   nxge6
net14             Ethernet             down       0      unknown   nxge4
net3              Ethernet             down       0      unknown   igb5
net2              Ethernet             down       0      unknown   igb4
vsw0              Ethernet             up         10000  full      vsw0
vsw1              Ethernet             up         10000  full      vsw1
net8              Ethernet             up         10     full      usbecm2

ldm list -o network primary

 
NAME
primary
MAC
    00:10:e0:XX:XX:XX
VSW
    NAME             MAC               NET-DEV   ID   DEVICE     LINKPROP   DEFAULT-VLAN-ID PVID VID                  MTU   MODE   INTER-VNET-LINK
    vsw0             00:14:4f:XX:XX:XX Xgb2      0    switch@0              1               2    222,102,103,12       1500         on
    vsw1             00:14:4f:XX:XX:XX Xgb0      1    switch@1              1               102  222,2,103            1500         on
ldm list -o network adml3

 
NAME
adml3
MAC
    00:14:4f:XX:XX:XX
NETWORK
    NAME             SERVICE                     ID   DEVICE     MAC               MODE   PVID VID                  MTU   MAXBW      LINKPROP
    adml3_151        vsw0@primary                0    network@0  00:14:4f:XX:XX:XX        12   2,222,102,103        1500
    adml3_10         vsw1@primary                1    network@1  00:14:4f:XX:XX:XX       102  222,103,2            1500

So: two 10GbE physical NICs (Xgb0 and Xgb2), one DHCP, one not. Two virtual switches, one for each NIC, then two vnets in the LDOM, one for each virtual switch.

No routing, no IPF; in fact the route service is turned off.

If I really wanted to get fancy I would do an aggregate and assign it to the vsw for failover. Also I have VLANs set. Sometimes it's just nice to see a working config to compare to. Let the questions begin.... :)
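The commands that produce a layout like the one shown in this post, as an added example; they are not the poster's own commands. The switch names, physical ports, guest name and VLAN IDs are taken from the ldm output above and are assumptions here. This is the other way to give a guest external connectivity: the virtual switch sits directly on the physical port and the vnets are VLAN-tagged, so no forwarding or NAT is needed on the primary domain. The vnet_fits_vsw check is plain POSIX sh and verifies, before any ldm call, that every VLAN a vnet uses (its pvid and each vid) is one its switch carries (the switch's pvid or one of its vid values), which is the relationship the output above satisfies; the ldm calls only run when APPLY=yes.

```shell
#!/bin/sh
# Added example (not the poster's commands): virtual switches directly on the
# physical 10GbE ports with VLAN tagging, and tagged vnets in guest "adml3".
# Port names, VLAN IDs and domain names follow the ldm output above (assumed).

# vlan_set PVID "VID1,VID2,..." -> space-separated list of every VLAN in use
vlan_set() {
    echo "$1 $2" | tr ',' ' '
}

# vnet_fits_vsw VSW_PVID VSW_VIDS VNET_PVID VNET_VIDS
# Succeeds when every VLAN the vnet uses is carried by its switch.
vnet_fits_vsw() {
    sw=" $(vlan_set "$1" "$2") "
    for v in $(vlan_set "$3" "$4"); do
        case $sw in
            *" $v "*) ;;
            *) echo "VLAN $v is not carried by the switch" >&2; return 1 ;;
        esac
    done
    return 0
}

configure() {
    # One virtual switch per physical port; pvid is the untagged VLAN on that port.
    ldm add-vsw net-dev=Xgb2 pvid=2   vid=222,102,103,12 vsw0 primary
    ldm add-vsw net-dev=Xgb0 pvid=102 vid=222,2,103      vsw1 primary
    # Refuse to add a vnet that asks for a VLAN its switch does not carry.
    vnet_fits_vsw 2   222,102,103,12 12  2,222,102,103 || return 1
    vnet_fits_vsw 102 222,2,103      102 222,103,2     || return 1
    # Two vnets in the guest, one per switch.
    ldm add-vnet pvid=12  vid=2,222,102,103 adml3_151 vsw0 adml3
    ldm add-vnet pvid=102 vid=222,103,2     adml3_10  vsw1 adml3
    # Inside the guest each vnet shows up as a netN link; a tagged VLAN is used by
    # creating a VLAN link over it, e.g.: dladm create-vlan -l net0 -v 222 net0v222
}

case ${APPLY:-} in
    yes) configure ;;
esac
```

Compared with the etherstub-plus-NAT layout earlier in the thread, guests here get addresses from the real subnets behind each VLAN, so the primary domain never has to route or translate their traffic.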