Table of Contents


Where Can I Use This?
What Do I Need?
  • CN-Series Firewall
  • CN-Series 10.1.x or above Container Images
  • Panorama
    running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client
    for CN-Series deployment with Helm
IPVLAN is a driver for a virtual networking device that can be used in a containerized environment to access the host network. In L2 mode, IPVLAN exposes a single MAC address to the external network regardless of the number of IPVLAN devices created inside the host network. All logical IP interfaces use the same MAC address. This allows you to avoid using promiscuous mode on the parent NIC and prevents potential MAC limitations on the NIC or switch.
You can now use IPVLAN with the CN-Series firewall with the following limitations.
  • Requires PAN-OS 10.1.2 and later
  • IPv4 only
  • L2 mode only
  • One IP address per interface
  • If you are using Multus, deploy
    instead of
    . Additionally, you must deploy pan-cni-net-attach-def.yaml in every namespace where Multus application pods are deployed.
IPVLAN child interface communication in the same host (sharing the same parent interface) does not work.
You must annotate your application pod yaml files to enable IPVLAN; no changes are required to any CN-Series yaml files enable IPVLAN. The following is an example of a network attachment definition for IPVLAN. Note that the mode is set to
. The CN-Series firewall support L2 mode only.
cat ipvlan-nw-10.yaml apiVersion: "k8s.cni.cncf.io/v1" kind: NetworkAttachmentDefinition metadata: name: ipvlan-conf-10 spec: config: '{ "cniVersion": "0.3.0", "name": "ipvlan-conf-10", "type": "ipvlan", "master": "eth1", "mode": "l2", "ipam": { "type": "static", "addresses": [ { "address": "" } ] } }'

Recommended For You