On 6/11/12 11:50 AM, Jim Klimov wrote:
> 2012-06-11 18:19, Dan McDonald wrote:
>> The fundamental question is always: What problem are you really trying
>> to solve?
>
> Okay, I found another rationale besides performance and simplified
> intra-zone routing (though not as apparent as exclusive routing).
> It seems that the shared IP stack offers better protection against
> sniffing on colocated environments (i.e. zone-based hosting): it
> is not allowed to use promiscuous mode on NIC aliases used in the
> shared stack, while sniffing does work on exclusive VNICs.

This isn't a problem. When you promiscuously sniff traffic on a VNIC regardless of zone, you only get the following:

* Broadcast and multicast traffic
* Unicast traffic with your zone's MAC address

Specifically, if you create a VNIC over an underlying physical NIC, you do not see all the traffic of the underlying device. See http://src.illumos.org/source/xref/illumos-gate/usr/src/uts/common/io/mac/mac_client.c#3134. VNICs are always of type MAC_CLIENT_PROMISC_FILTERED.

Robert
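
The filtering rule described in the reply above, as an added example that is not part of the original message and is not illumos source: a simplified model of which frames a filtered promiscuous VNIC is handed. The function names, MAC addresses and frame headers are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETHERADDRL 6	/* bytes in an Ethernet address */
#define ETHER_HDRLEN 14	/* dst MAC + src MAC + EtherType */

/* Constructed addresses for two VNICs sharing one physical NIC. */
static const uint8_t zone_a_mac[ETHERADDRL] = {0x02, 0x08, 0x20, 0x00, 0x00, 0x0a};
static const uint8_t zone_b_mac[ETHERADDRL] = {0x02, 0x08, 0x20, 0x00, 0x00, 0x0b};

/* Constructed Ethernet headers as they appear on the underlying link. */
static const uint8_t sample_frames[4][ETHER_HDRLEN] = {
	/* broadcast ARP */
	{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x08, 0x20, 0, 0, 0x0b, 0x08, 0x06},
	/* IPv4 multicast */
	{0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb, 0x02, 0x08, 0x20, 0, 0, 0x0b, 0x08, 0x00},
	/* unicast to zone A's VNIC */
	{0x02, 0x08, 0x20, 0x00, 0x00, 0x0a, 0x02, 0x08, 0x20, 0, 0, 0x0c, 0x08, 0x00},
	/* unicast to zone B's VNIC */
	{0x02, 0x08, 0x20, 0x00, 0x00, 0x0b, 0x02, 0x08, 0x20, 0, 0, 0x0c, 0x08, 0x00},
};

/* Hypothetical helper: would a filtered promiscuous client whose address
 * is vnic_mac be handed this frame? */
bool filtered_promisc_sees(const uint8_t *frame, size_t len,
    const uint8_t vnic_mac[ETHERADDRL])
{
	if (frame == NULL || len < ETHER_HDRLEN)
		return (false);		/* runt: no complete Ethernet header */
	if (frame[0] & 0x01)		/* group bit: multicast and broadcast */
		return (true);
	return (memcmp(frame, vnic_mac, ETHERADDRL) == 0);	/* own unicast */
}

/* Count the frames of a capture that the VNIC's sniffer would receive. */
size_t count_visible(const uint8_t frames[][ETHER_HDRLEN], size_t n,
    const uint8_t vnic_mac[ETHERADDRL])
{
	size_t seen = 0;
	for (size_t i = 0; i < n; i++)
		if (filtered_promisc_sees(frames[i], ETHER_HDRLEN, vnic_mac))
			seen++;
	return (seen);
}

int main(void)
{
	printf("zone A sees %zu of 4 frames\n", count_visible(sample_frames, 4, zone_a_mac));
	return (0);
}
```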

