From the global zone enable link protection on vnic0:
We can set different modes: ip-nospoof, dhcp-nospoof, mac-nospoof and restricted.
ip-nospoof: Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property.
mac-nospoof: prevents the root user from changing the zone mac address. An outbound packet's source MAC address must match the datalink's configured MAC address.
dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP.
restricted: only allows IPv4, IPv6 and ARP protocols. Using this protection type prevents the link from generating potentially harmful L2 control frames.
# dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof vnic0
Specify the 10.0.0.1 IP address as values for the allowed-ips property for the vnic0 link:
# dladm set-linkprop -p allowed-ips=10.0.0.1 vnic0
Verify the link protection property values:
# dladm show-linkprop -p protection,allowed-ips vnic0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw mac-nospoof, -- mac-nospoof,
vnic0 allowed-ips rw 10.0.0.1 -- --
We can see that 10.0.0.1 is set as allowed ip address.