L2 Cache

Behold the power of |!

User Tools

Site Tools


Sidebar

snipets:solaris:net-vnic

This is an old revision of the document!


VNIC's and vlanning

Introduction

I know you can do vlanning without using a vnic, my personal preferences goes to vnics for a few reason. Mostly because they have there own mac address. And to simplify my interface manangement.

Bellow you'll find some quick and dirty examples.

Creating a vnic

dladm create-vnic -l aggr0 host0
ipadm create-if host0

The above example will create a vnic named host0 on a link aggregation called aggr0, ofcourse you can create vnics on normal interfaces or even on etherstubs.

You can drop the ipadm command if you are planning on using the vnic in a zone or for kvm.

Creating a vnic with a vlan tag

dladm create-vnic -l trunk0 -v 300 vm0
ipadm create-if vm0

Same as above but this time we are using a trunk0 in my case this is an aggr that contains tagged traffic for VLAN 100,200 and 300. By adding the -v option followed by the vlan-tag all the traffic will be tagged before it is send along to the trunk.

Introduction

Link Protection offers a few methodes to protect your vnic from things like IP Spoofing, MAC Spoofing,…

Bellow you will find some examples, those are mostly based on my blog post.

Quick Reference

Check the current configuration:

dladm show-linkprop -p protection,allowed-ips vnic0

Disable link protection:

dladm reset-linkprop -p protection vnic0

Enable anti MAC-spoofing:

dladm set-linkprop -p protection=mac-nospoof vnic0

Enable anti IP-spoofing:

dladm set-linkprop -p protection=ip-nospoof vnic0
dladm set-linkprop -p allowed-ips=172.16.30.75,172.16.20.75 vnic0

Enable anti Client ID/DUID-spoofing:

dladm set-linkprop -p protection=dhcp-nospoof vnic0

Properties

  • ip-nospoof: limit outgoing traffic from source IP’s learned through DHCP or the allowed-ips property.
  • mac-nospoof: prevents zone admin from changing the mac address.
  • dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP. Limited to the vnic's mac, other list can be specified using allowed-dhcp-cids.
  • restricted: only allows IPv4, IPv6 and ARP protocols.

Examples

Restrict traffic to IPv4,IPv6 and ARP:

dladm set-linkprop -p protection=restricted vnic0

Combining, limit traffic to IPv4,IPv6 and ARP, also prefent mac-spoofing:

dladm set-linkprop -p protection=mac-nospoof,restricted vnic0

Etherstubs

TODO Include Page

snipets/solaris/net-vnic.1348136693.txt.gz · Last modified: 2014/10/09 22:02 (external edit)