L2 (layer 2) and L3 (layer 3) refers respectively to MAC and IP addresses.
This is all similar to non-global zones (NGZ) L2 & L3 protection.
By default we have no protection setting for the global zone (GZ).
Note that ip-nospoof also requires setting the allowed-ips property.
$ dladm show-linkprop -p allowed-ips,protection net0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
net0 allowed-ips rw -- -- --
net0 protection rw -- -- mac-nospoof,
restricted,
ip-nospoof,
dhcp-nospoof
In general both should be set to improve security.
# dladm set-linkprop -p allowed-ips=192.168.0.100 net0
# dladm set-linkprop -p protection=mac-nospoof,ip-nospoof net0
$ dladm show-linkprop -p allowed-ips,protection net0
LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
net0 allowed-ips rw 192.168.0.100 -- --
net0 protection rw mac-nospoof, -- mac-nospoof,
ip-nospoof restricted,
ip-nospoof,
dhcp-nospoof