Solaris zones and routing behaviour

Working as a Security Consultant, I’m less involved in Solaris administration tasks. Anyway, for some customers, I still need to manage servers running Solaris 10.

One of the greatest features Solaris 10 introduced is the “zones” concept (to keep things easy, it’s the virtualization mechanism introduced by Sun). I already explained in a previous post how to deal with zones connected to multiple VLANs. Today, I faced a strange issue…

Let’s imagine a Solaris server with one zone:

  • Zone 0 (default zone) is connected on VLAN 10.10.0.x/24 via e1000g0
  • Zone 1 is connected on VLAN 10.10.20.x/24 via e1000g1
  • Default gateway of zone0 is
  • Default gateway of zone 1 is

To configure a load-balancer in triangulation mode, I added an IP ( on the loopback interface of zone 0:

zone0# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
        inet netmask ff000000
lo0:30: flags=2001000849 mtu 8232 index 1
        inet netmask ffffff00
e1000g0:1: flags=1000843 mtu 1500 index 2
        zone app2
        inet netmask ffffff00 broadcast

Zone 1 has the following routing table:

zone1# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
          U         1 230919  e1000g1:1
          U         1      0  e1000g1:1
default               UG        11255328
          UH        5 278090  lo0:6

The same IP ( was configured on the load-balancer as a VIP. Zone 1 was configured as a client for the application load-balanced via
Result? Zone 1 will never use its routing table to reach, the packet will be directly passed to zone 0!
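
As an added example (not code from the original post): a check over `ifconfig -a` output taken in the global zone that flags when a load-balancer VIP is also configured on an interface belonging to another zone on the same host, which is the situation described above. The sample output, all addresses and the VIP 192.0.2.80 are constructed, and the check assumes every zone is shared-IP.

```python
import re

# Constructed sample of `ifconfig -a` as seen from the global zone; all
# addresses and the VIP are placeholders, not values from the post.
SAMPLE = """\
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:30: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 192.0.2.80 netmask ffffff00
e1000g0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.10.0.5 netmask ffffff00 broadcast 10.10.0.255
e1000g1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
        zone zone1
        inet 10.10.20.5 netmask ffffff00 broadcast 10.10.20.255
"""

IF_RE = re.compile(r"^(\S+): flags=")
ZONE_RE = re.compile(r"^\s+zone (\S+)")
INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+)\b")

def parse_ifconfig(text):
    """Return [(interface, zone, address)]; no 'zone' line means global."""
    entries, ifname, zone = [], None, "global"
    for line in text.splitlines():
        m = IF_RE.match(line)
        if m:  # new logical interface: reset the owning zone
            ifname, zone = m.group(1), "global"
            continue
        m = ZONE_RE.match(line)
        if m:
            zone = m.group(1)
            continue
        m = INET_RE.match(line)
        if m and ifname:
            entries.append((ifname, zone, m.group(1)))
    return entries

def short_circuited(text, vip, client_zone):
    """Interfaces holding `vip` in a zone other than `client_zone`.

    Assumption: every zone is shared-IP, so an address plumbed anywhere
    on the host is local to the one IP stack that all zones use.
    """
    return [(ifn, z) for ifn, z, addr in parse_ifconfig(text)
            if addr == vip and z != client_zone]

if __name__ == "__main__":
    for ifn, z in short_circuited(SAMPLE, "192.0.2.80", "zone1"):
        print(f"VIP is local on {ifn} (zone {z}): zone1 traffic stays on-host")
```

A non-empty result means traffic from the client zone to the VIP is delivered on the host and never passes through the load-balancer or any filtering device in front of it.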
