Enable IPVLAN
CN-Series
Where Can I Use This?
  • CN-Series deployment
What Do I Need?
  • CN-Series 10.1.x or above Container Images
  • Panorama running PAN-OS 10.1.x or above version
  • Helm 3.6 or above version client for CN-Series deployment with Helm
IPVLAN is a Linux virtual network device driver that lets containers share a host (parent) network interface. In L2 mode, IPVLAN exposes a single MAC address to the external network regardless of how many IPVLAN child devices are created on the parent interface: every child interface uses the parent's MAC address and is distinguished only by its IP address. This avoids putting the parent NIC into promiscuous mode and sidesteps MAC-address limits on the NIC or the upstream switch. Because the switch sees one MAC with many IPs, any policy that must tell the containers apart (including the CN-Series firewall's own rules) has to key on IP addresses rather than on MAC addresses.
You can use IPVLAN with the CN-Series firewall with the following limitations:
  • Requires PAN-OS 10.1.2 and later
  • IPv4 only
  • L2 mode only
  • One IP address per interface
  • IPVLAN child interfaces on the same host that share the same parent interface cannot communicate with each other
  • If you are using Multus, deploy pan-cni-multus.yaml instead of pan-cni.yaml. Additionally, you must deploy pan-cni-net-attach-def.yaml in every namespace where Multus application pods are deployed.
To enable IPVLAN, annotate your application pod YAML files; no changes are required to any CN-Series YAML files. The following is an example NetworkAttachmentDefinition for IPVLAN. Note that the mode is set to "l2"; the CN-Series firewall supports L2 mode only, so set the mode explicitly rather than relying on the plugin default.
cat ipvlan-nw-10.yaml
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: ipvlan-conf-10
spec:
  config: '{
      "cniVersion": "0.3.0",
      "name": "ipvlan-conf-10",
      "type": "ipvlan",
      "master": "eth1",
      "mode": "l2",
      "ipam": {
        "type": "static",
        "addresses": [
          {
            "address": "10.154.102.89/24"
          }
        ]
      }
    }'
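The following script is an added example and is not code from the CN-Series documentation or from Palo Alto Networks. It parses the CNI config embedded in a NetworkAttachmentDefinition like the one above, checks it against the limitations listed earlier (IPv4 only, L2 mode only, one IP address per interface), and renders an application Pod manifest carrying the Multus network-selection annotation that attaches the pod to ipvlan-conf-10, which is the pod-side annotation step described above. Assumptions: the k8s.v1.cni.cncf.io/networks annotation is the standard Multus annotation; the paloaltonetworks.com/firewall: pan-fw annotation is the CN-Series pod opt-in annotation as used in the CN-Series deployment guides and is not stated on this page, so verify it against your deployment guide; the pod name and image are placeholders; only the Python standard library is used.

```python
"""Preflight check for CN-Series IPVLAN attachments (added example, not PAN code).

Validates the CNI config of a NetworkAttachmentDefinition against the CN-Series
IPVLAN limitations (IPv4 only, L2 mode only, one address per interface) and
builds a Pod manifest with the Multus annotation that selects that network.
"""
import ipaddress
import json

# Constructed sample: the spec.config string from the NetworkAttachmentDefinition
# on this page (ipvlan-conf-10), exactly as Multus hands it to the ipvlan plugin.
NAD_CONFIG = """{
  "cniVersion": "0.3.0",
  "name": "ipvlan-conf-10",
  "type": "ipvlan",
  "master": "eth1",
  "mode": "l2",
  "ipam": {"type": "static", "addresses": [{"address": "10.154.102.89/24"}]}
}"""


def check_ipvlan_config(config_json: str) -> list:
    """Return the list of CN-Series IPVLAN limitation violations; empty if clean."""
    cfg = json.loads(config_json)
    problems = []
    if cfg.get("type") != "ipvlan":
        problems.append(f"type must be ipvlan, got {cfg.get('type')!r}")
    # CN-Series supports L2 mode only; require it to be set explicitly.
    if cfg.get("mode") != "l2":
        problems.append(f"mode must be l2, got {cfg.get('mode')!r}")
    if not cfg.get("master"):
        problems.append("master (parent interface on the node) is required")
    addresses = cfg.get("ipam", {}).get("addresses", [])
    # One IP address per interface.
    if len(addresses) != 1:
        problems.append(f"expected exactly one address per interface, got {len(addresses)}")
    for entry in addresses:
        try:
            iface = ipaddress.ip_interface(entry.get("address", ""))
        except ValueError:
            problems.append(f"unparseable address {entry.get('address')!r}")
            continue
        # IPv4 only.
        if iface.version != 4:
            problems.append(f"IPv6 address {iface} not supported; IPv4 only")
    return problems


def pod_manifest(name: str, image: str, nad_name: str, namespace: str = "default") -> dict:
    """Build an application Pod manifest attached to the IPVLAN network via Multus.

    k8s.v1.cni.cncf.io/networks is the Multus network-selection annotation and
    must name a NetworkAttachmentDefinition in the pod's namespace (or use the
    namespace/name form). paloaltonetworks.com/firewall: pan-fw is assumed here
    to be the CN-Series pod opt-in annotation; it is not stated on this page.
    """
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {
                "k8s.v1.cni.cncf.io/networks": nad_name,
                "paloaltonetworks.com/firewall": "pan-fw",
            },
        },
        "spec": {"containers": [{"name": name, "image": image}]},
    }


if __name__ == "__main__":
    for problem in check_ipvlan_config(NAD_CONFIG):
        print("VIOLATION:", problem)
    # Placeholder pod name and image; kubectl accepts JSON manifests as-is.
    print(json.dumps(pod_manifest("app-ipvlan", "nginx:1.25", "ipvlan-conf-10"), indent=2))
```

To check a NetworkAttachmentDefinition that is already in the cluster, pull its config with `kubectl get net-attach-def ipvlan-conf-10 -o jsonpath='{.spec.config}'` and pass that string to check_ipvlan_config; the printed Pod manifest can be applied with `kubectl apply -f -`. If the NetworkAttachmentDefinition lives in a different namespace from the pod, pass `namespace/ipvlan-conf-10` as nad_name.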