Oracle® SuperCluster M8 and SuperCluster M7 Security Guide

Updated: June 2020
 
 

Enable Data Link (Spoofing) Protection on Global Zones

Oracle Solaris data link protection prevents the potential damage that can be caused by malicious guest VMs to the network.

Enabling the snoop proofing configuration improves network performance by isolating the virtual environment's network traffic from the wider traffic that the host system sends or receives. The feature offers protection from these basic threats:

  • IP and MAC spoofing

  • L2 frame spoofing such as Bridge Protocol Data Unit (BPDU) attacks


Note -  For more information about Oracle Solaris zones, refer to the Oracle Solaris zones documentation in the Oracle Solaris 11.4 Information Library at https://docs.oracle.com/cd/E37838_01/index.html and the Oracle Solaris 11.3 Information Library at http://docs.oracle.com/cd/E53394_01.
  1. Log in to one of the compute servers and access the host console as superuser.

    See Log into a Compute Server.

  2. Set link protection.
    # dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof,dhcp-nospoof netx
    

    Where netx corresponds to each physical link connected to the 10Gb client network.

  3. Confirm the configuration.
    # dladm show-linkprop -p protection netx
    LINK  PROPERTY    PERM  VALUE         EFFECTIVE     DEFAULT  POSSIBLE
    net0  protection  rw    mac-nospoof   mac-nospoof   --       mac-nospoof,
                            restricted    restricted    --       restricted,
                            ip-nospoof    ip-nospoof    --       ip-nospoof,
                            dhcp-nospoof  dhcp-nospoof  --       dhcp-nospoof
    

    Where netx corresponds to each physical link connected to the 10Gb client network.

  4. Set allowed IPs on the link.
    # dladm set-linkprop -p allowed-ips=10.0.0.1,10.0.0.2 netx
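The following is an added example, not part of the Oracle guide: a shell check that extends the confirmation in step 3 to many links at once by flagging any link whose protection value lacks one of the four modes set in step 2. The function names and sample lines are constructed, and the input is assumed to be colon-separated `link:property:effective` rows such as those produced by `dladm show-linkprop -c -o link,property,effective -p protection`.

```shell
#!/bin/sh
# Added example: audit link protection against the modes set in step 2.
REQUIRED="mac-nospoof restricted ip-nospoof dhcp-nospoof"

# missing_modes VALUE
# Prints the required modes absent from a comma-separated protection
# value; prints nothing when all four are present.
missing_modes() {
    missing=""
    for mode in $REQUIRED; do
        case ",$1," in
            *",$mode,"*) ;;
            *) missing="${missing:+$missing,}$mode" ;;
        esac
    done
    printf '%s' "$missing"
}

# audit_links
# Reads "link:property:value" rows on stdin (assumed format), prints one
# OK/FAIL line per protection row, and returns 1 if any link failed.
audit_links() {
    rc=0
    while IFS=: read -r link prop value; do
        [ "$prop" = "protection" ] || continue
        miss=$(missing_modes "$value")
        if [ -n "$miss" ]; then
            echo "FAIL $link missing=$miss"
            rc=1
        else
            echo "OK   $link"
        fi
    done
    return $rc
}

# Constructed sample rows; net1 and net2 are deliberately incomplete.
sample_links() {
cat <<'EOF'
net0:protection:mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
net1:protection:mac-nospoof,restricted
net2:protection:
EOF
}

# On a live global zone, pipe the dladm output into audit_links instead.
sample_links | audit_links || echo "one or more links lack required protection"
```

A non-zero return from `audit_links` makes the check usable as a gate in a configuration-compliance job.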