L2 Cache

Behold the power of |!

User Tools

Site Tools


Sidebar

snipets:solaris:net-vnic

VNIC's and vlanning

Introduction

I know you can do vlanning without using a vnic, my personal preferences goes to vnics for a few reason. Mostly because they have there own mac address. And to simplify my interface manangement.

Bellow you'll find some quick and dirty examples.

Creating a vnic

dladm create-vnic -l aggr0 host0
ipadm create-if host0

The above example will create a vnic named host0 on a link aggregation called aggr0, ofcourse you can create vnics on normal interfaces or even on etherstubs.

You can drop the ipadm command if you are planning on using the vnic in a zone or for kvm.

Creating a vnic with a vlan tag

dladm create-vnic -l trunk0 -v 300 vm0
ipadm create-if vm0

Same as above but this time we are using a trunk0 in my case this is an aggr that contains tagged traffic for VLAN 100,200 and 300. By adding the -v option followed by the vlan-tag all the traffic will be tagged before it is send along to the trunk.

Managing a vnic

Some quick references to show all vnics and how to remove them.

Showing the configure vnics:

dladm show-vnic

Removing a vnic:

dladm delete-vnic vm0

Configure additional MACs:
:!: you need to add all macs of zones if you are running smartos in qemu for example

dladm set-linkprop -p secondary-macs=42:8e:a5:23:0e:5b vm0

Link Protection

Quick Reference

Check the current configuration:

dladm show-linkprop -p protection,allowed-ips vnic0

Disable link protection:

dladm reset-linkprop -p protection vnic0

Enable anti MAC-spoofing:

dladm set-linkprop -p protection=mac-nospoof vnic0

Enable anti IP-spoofing:

dladm set-linkprop -p protection=ip-nospoof vnic0
dladm set-linkprop -p allowed-ips=172.16.30.75,172.16.20.75 vnic0

Enable anti Client ID/DUID-spoofing:

dladm set-linkprop -p protection=dhcp-nospoof vnic0

Properties

  • ip-nospoof: limit outgoing traffic from source IP’s learned through DHCP or the allowed-ips property.
  • mac-nospoof: prevents zone admin from changing the mac address.
  • dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP. Limited to the vnic's mac, other list can be specified using allowed-dhcp-cids.
  • restricted: only allows IPv4, IPv6 and ARP protocols.
snipets/solaris/net-vnic.txt · Last modified: 2014/12/25 22:03 by sjorge