For better isolation, you can assign a PVLAN to a zone in either of two ways:
Create a PVLAN in the global zone and then assign it to a non-global zone.
Configure a PVLAN during zone configuration.
The two examples that follow the procedure show both methods.
Before You Begin
Ensure that your role has the appropriate rights profile to perform this procedure. See Using Rights Profiles to Perform Network Configuration.
$ dladm create-vlan -l link -v VLAN-ID[,PVLAN-SVID[,PVLAN-type]] [VLAN-link]
$ dladm show-vlan
global$ zonecfg -z zone-name
zonecfg:zone-name> add net
zonecfg:zone-name:net> set physical=VLAN-link
zonecfg:zone-name:net> end
zonecfg:zone-name> verify
zonecfg:zone-name> commit
zonecfg:zone-name> exit
global$ zoneadm -z zone-name reboot
In this example, the zone already exists, and the PVLAN is created and assigned to it afterward.
$ dladm create-vlan -l net0 -v 110,120,community vlan110
$ dladm show-vlan
LINK            VID   SVID   PVLAN-TYPE   FLAGS   OVER
vlan110         110   120    community    -----   net0
global$ zonecfg -z zone2
zonecfg:zone2> add net
zonecfg:zone2:net> set physical=vlan110
zonecfg:zone2:net> end
zonecfg:zone2> verify
zonecfg:zone2> commit
zonecfg:zone2> exit
global$ zoneadm -z zone2 reboot
$ dladm show-vlan
LINK            VID   SVID   PVLAN-TYPE   FLAGS   OVER
vlan110         110   120    community    -----   net0
zone2/vlan110   110   120    community    -----   net0
The PVLAN that is created is assigned to the zone.
Example 26 Creating a PVLAN While You Configure a Zone
In this example, the PVLAN is assigned as part of the configuration of a zone.
global$ zonecfg -z zone2
zonecfg:zone2> add anet
zonecfg:zone2:anet> set vlan-id=100,200,community
zonecfg:zone2:anet> end
zonecfg:zone2> verify
zonecfg:zone2> commit
zonecfg:zone2> exit
global$ zoneadm -z zone2 reboot
The PVLAN is assigned as the underlying link for the zone's anet.
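Because the isolation depends on the zone's link carrying the intended VLAN ID, secondary VLAN ID, and PVLAN type, it is worth checking the `dladm show-vlan` output after the zone reboots. The following shell function is an added example, not part of the original documentation: the name `check_pvlan` and the embedded sample output (constructed from the first example above) are assumptions. On a live system, pipe `dladm show-vlan` into `check_pvlan` instead of the sample.

```shell
#!/bin/sh
# Added example: confirm that a zone link has the intended PVLAN attributes.
#
# Usage: dladm show-vlan | check_pvlan LINK VID SVID PVLAN-TYPE
# Exit status: 0 = link present and all attributes match
#              1 = link present but an attribute differs
#              2 = link not present in the output
check_pvlan() {
    awk -v link="$1" -v vid="$2" -v svid="$3" -v type="$4" '
        NR == 1 {
            # Locate columns by header name rather than by position.
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        $(col["LINK"]) == link {
            found = 1
            if ($(col["VID"]) == vid &&
                $(col["SVID"]) == svid &&
                $(col["PVLAN-TYPE"]) == type)
                ok = 1
        }
        END {
            if (!found) exit 2
            exit (ok ? 0 : 1)
        }
    '
}

# Constructed sample input, modeled on the show-vlan output in the first example.
sample_show_vlan() {
    cat <<'EOF'
LINK            VID   SVID   PVLAN-TYPE   FLAGS   OVER
vlan110         110   120    community    -----   net0
zone2/vlan110   110   120    community    -----   net0
EOF
}

# Check that zone2 received the PVLAN created with -v 110,120,community.
sample_show_vlan | check_pvlan zone2/vlan110 110 120 community
case $? in
    0) echo "zone2/vlan110: PVLAN attributes match" ;;
    1) echo "zone2/vlan110: PVLAN attributes differ from the intended values" ;;
    *) echo "zone2/vlan110: link not found" ;;
esac
```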