On 10/31/15 9:13 , 龙白滔 wrote:

> Hi,
>
> We have a requirement that all VMs (can be either a SmartOS zone, or an
> LX-branded zone, or a KVM zone) on a physical machine belong to the same VLAN
> and that they are not allowed to sniff one another. I read in the Crossbow
> paper that "The hypervisor runs the physical NIC in promiscuous mode". Can I
> disable promiscuous mode for the VNICs created for each VM on the machine?
Hi,

There's nothing that you need to change; the system works a bit differently than you understand it and actually already does what you want.

The best way to think of a VNIC is that it's always plugged into its own isolated switch port. If you run something like snoop/tcpdump on a VNIC, it will never see traffic for any other device on the system; it will only see that which a switch would send it -- unicast traffic destined for its MAC address and broadcast/multicast traffic.

The underlying operating system may put the physical device in promiscuous mode if we run out of hardware resources to do MAC address filtering; however, no VNIC can see any of that traffic due to the filtering that I mentioned above. If it didn't work this way it wouldn't be a very useful system!

Robert
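A small model of the two-stage filtering Robert describes, added here as an illustration (it is not code from the thread or from illumos/Crossbow): the physical NIC either filters in hardware or, when it runs out of filter slots, goes promiscuous, and the software classifier then hands each VNIC only unicast to its own MAC plus broadcast/multicast. VNIC names, MACs and the hardware slot count are constructed values.

```python
# Model of Crossbow-style VNIC classification (constructed example, not the real code).
BROADCAST = bytes.fromhex("ffffffffffff")

def is_group(mac: bytes) -> bool:
    """I/G bit: least significant bit of the first octet marks multicast/broadcast."""
    return bool(mac[0] & 0x01)

def phys_nic_accepts(dst: bytes, vnic_macs: list[bytes], hw_slots: int) -> tuple[bool, bool]:
    """Return (frame accepted by the physical NIC, NIC is in promiscuous mode)."""
    if len(vnic_macs) <= hw_slots:
        # Enough hardware unicast filters for every VNIC: filter in hardware.
        return (dst in vnic_macs or is_group(dst), False)
    # Out of hardware filter slots: the NIC is put in promiscuous mode and takes everything.
    return (True, True)

def classify(frame: bytes, vnics: dict[str, bytes], hw_slots: int) -> list[str]:
    """Names of the VNICs that would receive `frame` (a raw Ethernet frame)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst = frame[:6]
    accepted, _promisc = phys_nic_accepts(dst, list(vnics.values()), hw_slots)
    if not accepted:
        return []
    # Per-VNIC filtering does not depend on promiscuous mode on the physical NIC:
    # a VNIC only gets unicast to its own MAC and group (broadcast/multicast) traffic.
    return sorted(name for name, mac in vnics.items() if dst == mac or is_group(dst))

def frame(dst: bytes, src: bytes, ethertype: int = 0x0800, payload: bytes = b"x") -> bytes:
    """Build a minimal Ethernet frame: dst(6) + src(6) + ethertype(2) + payload."""
    return dst + src + ethertype.to_bytes(2, "big") + payload

# Constructed sample: two zones on one physical NIC plus an unrelated host on the same VLAN.
ZONE_A = bytes.fromhex("020000000001")
ZONE_B = bytes.fromhex("020000000002")
OTHER_HOST = bytes.fromhex("020000000099")
VNICS = {"net0_zoneA": ZONE_A, "net0_zoneB": ZONE_B}

def same_view_with_and_without_promisc() -> bool:
    """Each VNIC sees exactly the same frames whether the NIC filters in hardware or is promiscuous."""
    frames = [frame(ZONE_A, ZONE_B), frame(ZONE_B, ZONE_A),
              frame(OTHER_HOST, ZONE_A), frame(BROADCAST, OTHER_HOST)]
    hw_filtered = [classify(f, VNICS, hw_slots=8) for f in frames]   # hardware filtering
    promiscuous = [classify(f, VNICS, hw_slots=1) for f in frames]   # forced promiscuous
    return hw_filtered == promiscuous

if __name__ == "__main__":
    print("zone A unicast ->", classify(frame(ZONE_A, ZONE_B), VNICS, 1))
    print("identical view with/without promiscuous mode:", same_view_with_and_without_promisc())
```

A frame for OTHER_HOST is accepted by the promiscuous physical NIC but delivered to no VNIC, which is the case the original question was worried about.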
