
Enable SR-IOV on KVM


Single root I/O virtualization (SR-IOV) lets one PCIe physical function under a single root port present itself as multiple separate PCIe devices (virtual functions) to the hypervisor and its guests. To use SR-IOV with a VM-Series firewall on KVM, define a libvirt network backed by a pool of virtual function (VF) devices on a physical NIC; libvirt then assigns a VF from that pool to each guest interface that references the network, so you do not have to bind individual PCI IDs to the guest by hand.
For SR-IOV with Intel 10 Gb network interfaces (ixgbe driver), the driver version must be 4.2.5 or later to support multiple queues per NIC interface. See the Compatibility Matrix for PacketMMAP and DPDK driver support by PAN-OS version.
  1. Define a network for a pool of VFs.
    1. Create an XML file with content similar to the following example. Set the dev attribute of the pf element to the host interface name of your SR-IOV device's physical function (eth3 here). libvirt builds the pool from the VFs already enabled on that PF; it does not create VFs itself, so enable them before starting the network.
      <network> 
         <name>passthrough</name> 
         <forward mode='hostdev' managed='yes'> 
           <pf dev='eth3'/> 
         </forward> 
      </network> 
    2. Save the XML file.
    3. Execute the following commands:
      $ virsh net-define <path to network XML file> 
      $ virsh net-autostart passthrough 
      $ virsh net-start passthrough
  2. To ensure that the VM-Series firewall boots in DPDK mode, edit the guest VM XML configuration on the KVM hypervisor to add the following:
    <cpu mode='host-passthrough' check='none'/>
    host-passthrough exposes the host CPU's feature flags to the guest, which DPDK checks at startup.
    To verify that the flags are visible inside the VM, run:
    cat /proc/cpuinfo
    For PAN-OS 10.1 or later with DPDK 18.11, the flags line must include AVX, or AES and SSE.
  3. After defining and starting the network, modify the guest XML definition to add an interface that uses the network (note that the source element is self-closing):
    <interface type='network'> 
        <source network='passthrough'/> 
    </interface> 
    When the guest starts, libvirt takes a free VF from the pool and assigns it to this interface. On the host, ip link show on the PF lists its VFs and their MAC addresses.
  4. Add the multicast MAC address to the host.
    When SR-IOV is enabled, the PF filters multicast traffic, so applications that rely on multicast, such as OSPF, fail. To prevent this, manually add the multicast MAC address of each required group to the PF interface on the host:
    # ip maddress add <multicast-mac> dev <interface-name>
    For example, OSPF's AllSPFRouters group 224.0.0.5 maps to the Ethernet multicast MAC 01:00:5e:00:00:05, and AllDRouters 224.0.0.6 to 01:00:5e:00:00:06.
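The following shell script is an added example and is not part of the Palo Alto Networks documentation or the VM-Series product. It walks the four steps above on a libvirt/KVM host: it generates the network and interface XML fragments, runs the virsh commands, checks a cpuinfo flags line for the "AVX, or AES and SSE" requirement, and derives the Ethernet multicast MACs for OSPF's AllSPFRouters (224.0.0.5) and AllDRouters (224.0.0.6) groups for ip maddress. The PF name eth3, the network name passthrough, the /tmp path for the XML and the cpuinfo excerpt are assumptions or constructed samples; host-changing commands are only executed when APPLY=1 is set, otherwise they are printed.

```shell
#!/bin/sh
# Added example, not from the original page. Walks the four SR-IOV steps on
# a libvirt/KVM host. Host-changing commands (virsh, ip maddress) execute
# only when APPLY=1; otherwise they are printed, so the script is safe to run
# offline. PF_DEV=eth3 and NET_NAME=passthrough are assumed names.

PF_DEV="${PF_DEV:-eth3}"
NET_NAME="${NET_NAME:-passthrough}"

run() {
    # Execute a host-changing command only when APPLY=1; print it otherwise.
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

gen_network_xml() {
    # Step 1: libvirt network whose VF pool is drawn from PF $1, named $2.
    cat <<EOF
<network>
  <name>$2</name>
  <forward mode='hostdev' managed='yes'>
    <pf dev='$1'/>
  </forward>
</network>
EOF
}

gen_interface_xml() {
    # Step 3: guest interface that takes a VF from network $1 (self-closing source).
    cat <<EOF
<interface type='network'>
  <source network='$1'/>
</interface>
EOF
}

define_vf_network() {
    # Caveat: libvirt only pools VFs that already exist on the PF; it never
    # creates them. Warn if sysfs reports none (path is the kernel's, the
    # warning text is ours).
    n=$(cat "/sys/class/net/$PF_DEV/device/sriov_numvfs" 2>/dev/null || echo 0)
    [ "$n" -gt 0 ] 2>/dev/null || echo "warning: $PF_DEV has no VFs enabled (sriov_numvfs=$n)" >&2
    xml="/tmp/$NET_NAME-net.xml"          # assumed scratch location
    gen_network_xml "$PF_DEV" "$NET_NAME" > "$xml"
    run virsh net-define "$xml"
    run virsh net-autostart "$NET_NAME"
    run virsh net-start "$NET_NAME"
}

has_dpdk_cpu_flags() {
    # Step 2 check: read cpuinfo text on stdin and succeed if the flags line
    # lists avx, or both aes and sse (the page's requirement read as
    # "avx, or aes and sse"). Usage on the guest: has_dpdk_cpu_flags < /proc/cpuinfo
    flags=" $(grep '^flags' | head -n 1) "
    case "$flags" in *" avx "*) return 0 ;; esac
    case "$flags" in
        *" aes "*) case "$flags" in *" sse "*) return 0 ;; esac ;;
    esac
    return 1
}

ipv4_multicast_mac() (
    # Map an IPv4 multicast group to its Ethernet MAC: 01:00:5e followed by
    # the low 23 bits of the address. Runs in a subshell so the IFS change
    # does not leak. Fails for anything outside 224.0.0.0/4.
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] && [ "$1" -ge 224 ] && [ "$1" -le 239 ] || return 1
    printf '01:00:5e:%02x:%02x:%02x\n' "$(( $2 & 127 ))" "$3" "$4"
)

add_ospf_multicast() {
    # Step 4: the PF filters multicast, so OSPF hellos (AllSPFRouters
    # 224.0.0.5, AllDRouters 224.0.0.6) must be admitted on the PF itself.
    for grp in 224.0.0.5 224.0.0.6; do
        run ip maddress add "$(ipv4_multicast_mac "$grp")" dev "$PF_DEV"
    done
}

constructed_cpuinfo_sample() {
    # Constructed excerpt of a guest /proc/cpuinfo (not captured from a real
    # VM-Series instance) for exercising has_dpdk_cpu_flags.
    printf 'processor\t: 0\nmodel name\t: sample\nflags\t\t: fpu vme sse sse2 aes avx\n'
}

if [ "${1:-}" = run-all ]; then
    define_vf_network
    gen_interface_xml "$NET_NAME"      # paste into the guest XML under <devices>
    constructed_cpuinfo_sample | has_dpdk_cpu_flags && echo "cpu flags ok"
    add_ospf_multicast
fi
```

Run it as sh sriov-kvm.sh run-all to see the commands it would issue, and with APPLY=1 on the host to execute them; on the guest, has_dpdk_cpu_flags < /proc/cpuinfo gives a yes/no exit status instead of eyeballing the flags line. The multicast MACs are derived rather than typed so that other groups (for example 224.0.0.9 for RIPv2) can be added the same way.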