Wednesday, January 28, 2015

Solaris: VNIC's and vlan tagging


Introduction
I know you can do vlan tagging without using a vnic, my personal preferences goes to vnics for a few reason. Mostly because they have there own mac address. And to simplify my interface manangement.
Bellow you'll find some quick and dirty examples.

 Creating a vnic
#dladm create-vnic -l aggr0 host0
#ipadm create-if host0

The above example will create a vnic named host0 on a link aggregation called aggr0, ofcourse you can create vnics on normal interfaces or even on etherstubs.
You can drop the ipadm command if you are planning on using the vnic in a zone or for kvm.


 Creating a vnic with a vlan tag
#dladm create-vnic -l trunk0 -v 300 vm0
#ipadm create-if vm0

Same as above but this time we are using a trunk0 in my case this is an aggr that contains tagged traffic for VLAN 100,200 and 300. By adding the -v option followed by the vlan-tag all the traffic will be tagged before it is send along to the trunk.

 Managing a vnic
Some quick references to show all vnics and how to remove them.

 Showing the configure vnics:

#dladm show-vnic

Removing a vnic:

#dladm delete-vnic vm0

Configure additional MACs:
 you need to add all macs of zones if you are running smartos in qemu for example
#dladm set-linkprop -p secondary-macs=42:8e:a5:23:0e:5b vm0

Link Protection
Quick Reference

 Check the current configuration:

#dladm show-linkprop -p protection,allowed-ips vnic0

Disable link protection:

#dladm reset-linkprop -p protection vnic0

Enable anti MAC-spoofing:

#dladm set-linkprop -p protection=mac-nospoof vnic0

Enable anti IP-spoofing:

#dladm set-linkprop -p protection=ip-nospoof vnic0
#dladm set-linkprop -p allowed-ips=172.16.30.75,172.16.20.75 vnic0

Enable anti Client ID/DUID-spoofing:

#dladm set-linkprop -p protection=dhcp-nospoof vnic0

Properties
  • ip-nospoof: limit outgoing traffic from source IP's learned through DHCP or the allowed-ips property.
  • mac-nospoof: prevents zone admin from changing the mac address.
  • dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP. Limited to the vnic's mac, other list can be specified using allowed-dhcp-cids.
  • restricted: only allows IPv4, IPv6 and ARP protocols.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)