Go to main content

Securing the Network in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

How to View Link Protection Configuration and Statistics

Before You Begin

You must become an administrator who is assigned the Network Link Security rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. View the link protection property values.
    # dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids link

    The following example shows the values for the protection, allowed-ips, and allowed-dhcp-cids properties for the vnic0 link:

    # dladm show-linkprop -p protection,allowed-ips,allowed-dhcp-cids vnic0
    LINK    PROPERTY            PERM  VALUE         EFFECTIVE   DEFAULT POSSIBLE
    vnic0   protection          rw    mac-nospoof   mac-nospoof   --    mac-nospoof,
                                      restricted    restricted          restricted,
                                      ip-nospoof    ip-nospoof          ip-nospoof,
                                      dhcp-nospoof  dhcp-nospoof        dhcp-nospoof
    vnic0   allowed-ips         rw    192.0.2.11,   192.0.2.11,   --      --
                                      192.0.2.12    192.0.2.12
    vnic0   allowed-dhcp-cids   rw    hello         hello         --      --

    Note - The allowed-ips property is used only if ip-nospoof is enabled, as listed under EFFECTIVE. The allowed-dhcp-cids property is used only if dhcp-nospoof is enabled.
  2. View the link protection statistics.

    The output of the dlstat command is committed, so this command is suitable for scripts.

    # dlstat -A
    ...
     vnic0
      mac_misc_stat
                   multircv                       0
                  brdcstrcv                       0
                   multixmt                       0
                  brdcstxmt                       0
              multircvbytes                       0
               bcstrcvbytes                       0
              multixmtbytes                       0
               bcstxmtbytes                       0
                   txerrors                       0
                 macspoofed                       0  <----------
                  ipspoofed                       0  <----------
                dhcpspoofed                       0  <----------
                 restricted                       0  <----------
                   ipackets                       3
                     rbytes                     182
    ...

    The output indicates that no spoofed or restricted packets have attempted to pass through.

    You might use the kstat command, but its output is not committed. For example, the following command finds the dhcpspoofed statistics:

    # kstat vnic0:0:link:dhcpspoofed
    module: vnic0                           instance: 0
    name:   link                            class:    vnic
            dhcpspoofed                     0 

    For more information, see the dlstat(1M) and kstat(1M) man pages.