Shared-IP and Exclusive-IP in Non-Global Solaris Zones

A few days ago I was busy configuring one of the Solaris 10 zones on a DMZ server, and sure enough I hit one of the most common IP-related issues with non-global zones.

Shared IP configuration for non-global Solaris zones

By default, non-global zones are configured as shared-IP zones. What this means is that the IP layer configuration and state (interfaces, routing table, IP Filter rules) is shared between the zone you're creating and the global zone: the zone's addresses are plumbed by the global zone as logical interfaces on its own NICs. In practice this usually means the zone and the global zone sit on the same IP subnet for each given NIC.

Shared IP mode is defined by the following statement in zone configuration:

set ip-type=shared

Here are all the commands needed to set it for a zone called s10zone in my example (shared is the default, so this only makes the choice explicit; note that in zonecfg the end command closes a resource scope such as add net, while exit leaves the session):

solaris# zonecfg -z s10zone
zonecfg:s10zone> set ip-type=shared
zonecfg:s10zone> verify
zonecfg:s10zone> commit
zonecfg:s10zone> exit
solaris#

While I've deployed quite a few zones before, it was only recently that I learned what sharing the IP layer means in practical terms: there is no IP routing inside a non-global zone. So if for some reason you want your non-global zone to reach one of the available networks through a different route, you really can't do it in shared-IP mode, because the zone can only inherit the routing table of the global zone.

You still have the option of assigning different IP addresses to different logical interfaces of a non-global zone, but unless the global zone routes for them, it won't be of much use.

Exclusive IP configuration for non-global Solaris zones

Exclusive-IP mode is selected by this statement in the zone configuration:

set ip-type=exclusive

… this mode gives the non-global zone its own instance of the IP stack and exclusive use of one of the NICs on your system (or of a VLAN-tagged interface on it, such as bge1000). That NIC must not be plumbed in the global zone and cannot be handed to any other zone; the zone configures its own addresses, routes and filters from the inside, just as a standalone host would. On Solaris 10 the NIC also needs a GLDv3 driver (bge, e1000g, nge and the like); older DLPI-only drivers such as eri, hme or qfe cannot be held by an exclusive-IP zone.

While for me the most important aspect of such exclusivity was the possibility to configure zone-specific routing, there’s obviously much more offered by this mode:

  • DHCPv4 and IPv6 stateless address autoconfiguration
  • IP Filter, including network address translation (NAT) functionality
  • IP Network Multipathing (IPMP)
  • IP routing
  • ndd for setting TCP/UDP/SCTP as well as IP/ARP-level knobs
  • IP security (IPsec) and IKE, which automates the provision of authenticated keying material for IPsec security associations

So here it is, another design lesson for you: make sure you know what kind of networking your zones will need before you create them. The ip-type is set per zone, not per interface, so moving a zone from shared to exclusive later means finding it a NIC of its own.
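Both modes come down to a few rules that zonecfg verify only enforces once you run it on the Solaris box itself. The shell script below is an added example written for this post, not the article's own code or anything shipped with Solaris: it encodes those rules as a lint over the plain text of zonecfg -z <zone> export, so a configuration can be reviewed before it touches the host. The function name lint_zonecfg, the sample helpers and the zone names, paths and 192.0.2.x addresses in the embedded exports are all constructed for the example.

```shell
#!/bin/sh
# Added example for this post, not part of the original article: a lint for
# the output of `zonecfg -z <zone> export`, checking the shared-IP versus
# exclusive-IP rules discussed above.  It never calls zonecfg, so it runs on
# any system with a POSIX shell and awk; on the Solaris host you would pipe
#   zonecfg -z s10zone export | lint_zonecfg s10zone
#
# Rules (Solaris 10 zonecfg semantics):
#   shared-ip    every net resource needs an address; the global zone plumbs
#                it as a logical interface on the named NIC and routes for it
#   exclusive-ip a net resource names only the physical NIC; an address here
#                is an error because the zone configures its own IP stack,
#                and one NIC may back only one exclusive net resource
#
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_zonecfg() {
    awk -v zone="$1" '
        BEGIN { iptype = "shared"; n = 0 }            # shared is the default
        /^set ip-type=/ { sub(/^set ip-type=/, ""); iptype = $0; next }
        /^add net$/     { innet = 1; n++; addr[n] = ""; phys[n] = ""; next }
        innet && /^set address=/  { sub(/^set address=/,  ""); addr[n] = $0; next }
        innet && /^set physical=/ { sub(/^set physical=/, ""); phys[n] = $0; next }
        innet && /^end$/          { innet = 0; next }
        END {
            rc = 0
            if (iptype != "shared" && iptype != "exclusive") {
                printf("%s: unknown ip-type \"%s\"\n", zone, iptype); rc = 1
            }
            for (i = 1; i <= n; i++) {
                if (phys[i] == "") {
                    printf("%s: net resource %d has no physical NIC\n", zone, i); rc = 1
                    continue
                }
                if (iptype == "shared" && addr[i] == "") {
                    printf("%s: shared-ip net on %s has no address; the global zone must assign one\n", zone, phys[i]); rc = 1
                }
                if (iptype == "exclusive" && addr[i] != "") {
                    printf("%s: exclusive-ip net on %s must not set address; configure it inside the zone\n", zone, phys[i]); rc = 1
                }
                if (iptype == "exclusive" && seen[phys[i]]++) {
                    printf("%s: exclusive-ip NIC %s used by more than one net resource\n", zone, phys[i]); rc = 1
                }
            }
            exit rc
        }'
}

# Constructed sample exports (hypothetical zones, TEST-NET addresses).  The
# first is a valid shared-IP zone; the second is an exclusive-IP zone with an
# address set in zonecfg and the NIC listed twice, both of which zonecfg
# verify would also reject on the host.
sample_shared() {
    cat <<'EOF'
create -b
set zonepath=/zones/s10zone
set autoboot=true
set ip-type=shared
add net
set address=192.0.2.34/24
set physical=bge0
end
EOF
}

sample_exclusive_bad() {
    cat <<'EOF'
create -b
set zonepath=/zones/dmz1
set autoboot=true
set ip-type=exclusive
add net
set physical=bge1
set address=192.0.2.35/24
end
add net
set physical=bge1
end
EOF
}

sample_shared | lint_zonecfg s10zone && echo "s10zone: ok"
sample_exclusive_bad | lint_zonecfg dmz1 || echo "dmz1: fix the configuration before zoneadm boot"
```

The lint deliberately treats a missing ip-type as shared, matching the zonecfg default, so an export that never mentions ip-type is judged by the shared-IP rules. It reads only the net resources; device resources such as the add device /dev/bge0 form are outside its scope.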

Comments

  1. It would be useful if ip-type were set per interface instead of globally per zone. Then you could use one shared network for management in addition to the exclusive interface(s).

  2. Prashanth says:

    I have one NIC in my server. I need to have an IPsec setup for the local zone and hence have to create this zone in exclusive mode. If I do so, can the global zone still be assigned an IP on this NIC?

  3. Does it mean you can serve NFS requests within a zone with exclusive IP, i.e. run an NFS server inside a zone?

    bbr

  4. Prashanth, you have to manage IP address from within the exclusive-ip zone.

  5. bbr, thanks for asking!

    Last time I checked, native NFS server functionality was global-zone only. I think exclusive-IP provides direct access to the networking stack, but not to the Solaris kernel.

    Here’s the NFS related FAQ entry for zones:

    http://opensolaris.org/os/community/zones/faq/#svc_nfs

  6. "zoneadm: zone 'zone1': WARNING: unable to hold network interface 'eri1'.: Invalid argument"
    I've got this error when I'm booting the zone (zone1).
    My box is an SF V120; I'm not plumbing eri1 in the global zone.
    What's wrong?

  7. Herve VELASCO says:

    Hello,
    I have a severe issue with a Solaris zone using exclusive IP.
    Any help would be greatly appreciated.

    I let you see my configuration:
    # zoneadm list -cv
    ———–
    ID NAME STATUS PATH BRAND IP
    0 global running / native shared
    1 server01 running /zones/server01 native excl
    2 server03 running /zones/server02 native excl
    3 server02 running /zones/server03 native excl
    4 server04 running /zones/server04 native excl

    # zonecfg -z server01 export
    ———–
    create -b
    set zonepath=/zones/server01
    set autoboot=true
    set ip-type=exclusive
    add net
    set physical=bge1
    end
    add device
    set match=/dev/bge0
    end

    # cat /zones/server01/root/etc/rcS.d/S01network.exclusive
    ———–
    #!/sbin/sh
    case "$1" in
    'start')
        # bge0: LAN ASTRIUM, address on the logical interface bge0:1
        /usr/sbin/ifconfig bge0 plumb up # LAN ASTRIUM
        /usr/sbin/ifconfig bge0:1 plumb up # LAN ASTRIUM
        /usr/sbin/ifconfig bge0:1 inet XXX.XXX.XXX.34/23

        # bge1: LAN PRIVE, logical interfaces :1 to :10 plumbed, :1 to :5 addressed
        /usr/sbin/ifconfig bge1 plumb up # LAN PRIVE
        /usr/sbin/ifconfig bge1:1 plumb up
        /usr/sbin/ifconfig bge1:2 plumb up
        /usr/sbin/ifconfig bge1:3 plumb up
        /usr/sbin/ifconfig bge1:4 plumb up
        /usr/sbin/ifconfig bge1:5 plumb up
        /usr/sbin/ifconfig bge1:6 plumb up
        /usr/sbin/ifconfig bge1:7 plumb up
        /usr/sbin/ifconfig bge1:8 plumb up
        /usr/sbin/ifconfig bge1:9 plumb up
        /usr/sbin/ifconfig bge1:10 plumb up
        /usr/sbin/ifconfig bge1:1 inet YYY.YYY.YYY.106/24
        /usr/sbin/ifconfig bge1:2 inet YYY.YYY.YYY.107/24
        /usr/sbin/ifconfig bge1:3 inet YYY.YYY.YYY.108/24
        /usr/sbin/ifconfig bge1:4 inet YYY.YYY.YYY.109/24
        /usr/sbin/ifconfig bge1:5 inet YYY.YYY.YYY.110/24
        ;;
    *)
        echo "Usage: $0 { start }"
        exit 1
        ;;
    esac
    exit 0
    —————————————-

    Each zone and the global zone share bge0 and are on the same subnet.
    Each secondary zone has exclusive control of a secondary interface for the private network.

    There isn't any problem communicating with computers on the LAN (outside the global zone), but it's impossible to communicate (TCP/UDP/ICMP) between the zones.

    traceroute doesn't find the way:
    # traceroute server01
    traceroute: Warning: Multiple interfaces found; using XXX.XXX.XXX.117 @ bge0
    traceroute to server01 (XXX.XXX.XXX.34), 30 hops max, 40 byte packets
    1 * server-master1 (XXX.XXX.XXX.117) 1068.500 ms !H *
    2 *
    3 *
    etc….

  8. Amit Patel says:

    Hi, can you use NFS in a non-global zone by configuring vfstab to connect to an NFS share? For our Oracle install we have two zones configured for NFS access to NAS.
