JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Network Interfaces and Network Virtualization     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information


1.  Overview of the Networking Stack

Network Configuration in This Oracle Solaris Release

The Network Stack in Oracle Solaris

Network Devices and Datalink Names

Administration of Other Link Types

Part I Network Auto-Magic

2.  Introduction to NWAM

3.  NWAM Configuration and Administration (Overview)

4.  NWAM Profile Configuration (Tasks)

5.  NWAM Profile Administration (Tasks)

6.  About the NWAM Graphical User Interface

Part II Datalink and Interface Configuration

7.  Using Datalink and Interface Configuration Commands on Profiles

8.  Datalink Configuration and Administration

9.  Configuring an IP Interface

10.  Configuring Wireless Interface Communications on Oracle Solaris

11.  Administering Bridges

12.  Administering Link Aggregations

13.  Administering VLANs

14.  Introducing IPMP

15.  Administering IPMP

16.  Exchanging Network Connectivity Information With LLDP

Part III Network Virtualization and Resource Management

17.  Introducing Network Virtualization and Resource Control (Overview)

18.  Planning for Network Virtualization and Resource Control

19.  Configuring Virtual Networks (Tasks)

20.  Using Link Protection in Virtualized Environments

Overview of Link Protection

Link Protection Types

Configuring Link Protection (Task Map)

How to Enable the Link Protection Mechanism

How to Disable Link Protection

How to Specify IP Addresses for Protection Against IP Spoofing

How to View the Link Protection Configuration

21.  Managing Network Resources

22.  Monitoring Network Traffic and Resource Usage



Overview of Link Protection

With the increasing adoption of virtualization in system configurations, guest virtual machines (VMs) can be given exclusive access to a physical or virtual link by the host administrator. This configuration improves network performance by allowing the virtual environment's network traffic to be isolated from the wider traffic that is received or sent by the host system. At the same time, this configuration can expose the system and the entire network to the risk of harmful packets that a guest environment might generate.

Link protection aims to prevent the damage that can be caused by potentially malicious guest VMs to the network. The feature offers protection from the following basic threats:

Note - Link protection should not replace the deployment of a firewall, particularly for configurations with more complex filtering requirements.

Link Protection Types

The link protection mechanism is disabled by default. To enable link protection, specify one or more of the following protection types as values of the protection link property:


Enables protection against MAC spoofing. An outbound packet's source MAC address must match the datalink's configured MAC address. Otherwise, the packet is dropped. If the link belongs to a zone, enabling mac-nospoof prevents the zone's owner from modifying that link's MAC address.


Enables protection against IP spoofing. Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property. Otherwise, the packet is dropped.

The allowed-ips link property works with the ip-nospoof protection type. By default, the list specified by this property is empty. If the property is empty or unconfigured, the following IP addresses are implicitly included in the property. These IP addresses are matched with the IP address of the outgoing packets to determine if the packets are allowed to pass or are dropped.

  • DHCP-configured IPv4 or IPv6 addresses that are dynamically learned

  • Link local IPv6 addresses that conform to RFC 2464 and which are derived from the link's MAC address

The following list indicates a protocol and the corresponding outbound packet's associated address field that must match an address in the allowed-ips property. If this property is empty, then the packet's address must match a DHCP-configured IP address.

  • IP (IPv4 or IPv6) – The packet's source address

  • ARP – The packet's sender protocol address.


Restricts outgoing packets to only those packets of the IPv4, IPv6, and ARP protocol types. Other packets that are not of the listed types are dropped. Using this protection type prevents the link from generating potentially harmful L2 control frames.

Note - Packets that are dropped because of link protection are tracked by the following kernel statistics: mac_spoofed, ip_spoofed, and restricted. These statistics correspond to the three protection types. Use the kstat command to retrieve these per-link statistics. For more details about retrieving these statistics, see the kstat(1M) man page.