Configure OVS and DPDK on the Host
After installing the necessary components to support OVS and DPDK, you must configure the host to use OVS and DPDK.
- Log in to the KVM host CLI.
- If you are replacing or reconfiguring an existing OVS-DPDK setup, execute the following command to reset any previous configuration. Repeat the command for each interface.
    rm /usr/local/var/run/openvswitch/<interface-name>
- Configure initial huge pages for OVS.
    echo 16384 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- Mount huge pages for QEMU:
    mkdir /dev/hugepages
    mkdir /dev/hugepages/libvirt
    mkdir /dev/hugepages/libvirt/qemu
    mount -t hugetlbfs hugetlbfs /dev/hugepages/libvirt/qemu
- Use the following command to kill any currently existing OVS daemon.
    killall ovsdb-server ovs-vswitchd
- Create directories for the OVS daemon.
    mkdir -p /usr/local/etc/openvswitch
    mkdir -p /usr/local/var/run/openvswitch
- Clear old directories.
    rm -f /var/run/openvswitch/vhost-user*
    rm -f /usr/local/etc/openvswitch/conf.db
- Initialize the configuration database.
    ovsdb-tool create /usr/local/etc/openvswitch/conf.db \
        /usr/local/share/openvswitch/vswitch.ovsschema
- Create an OVS DB server.
    ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
        --remote=db:Open_vSwitch,Open_vSwitch,manager_options \
        --private-key=db:Open_vSwitch,SSL,private_key \
        --certificate=db:Open_vSwitch,SSL,certificate \
        --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
        --pidfile --detach
- Initialize OVS.
    ovs-vsctl --no-wait init
- Start the database server.
    export DB_SOCK=/usr/local/var/run/openvswitch/db.sock
- Install the igb_uio module (network device driver) for DPDK.
    cd ~/dpdk-2.2.0/x86_64-native-linuxapp-gcc/kmod
    modprobe uio
    insmod igb_uio.ko
    cd ~/dpdk-2.2.0/tools/
- Enable DPDK on interfaces using PCI-ID or interface name.
    ./dpdk_nic_bind.py --bind=igb_uio <your first data interface>
    ./dpdk_nic_bind.py --bind=igb_uio <your second data interface>
- Start the OVS daemon in DPDK mode. You can change the number of cores for ovs-vswitchd. By changing -c 0x1 to -c 0x3, you can have two cores run this daemon.
    ovs-vswitchd --dpdk -c 0x3 -n 4 -- unix:$DB_SOCK --pidfile --detach
    echo 50000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
- Create the OVS bridge and attach ports to the OVS bridge.
    ovs-vsctl add-br ovs-br0 -- set bridge ovs-br0 datapath_type=netdev
    ovs-vsctl add-port ovs-br0 dpdk0 -- set Interface dpdk0 type=dpdk
    ovs-vsctl add-br ovs-br1 -- set bridge ovs-br1 datapath_type=netdev
    ovs-vsctl add-port ovs-br1 dpdk1 -- set Interface dpdk1 type=dpdk
- Create DPDK vhost user ports for OVS.
    ovs-vsctl add-port ovs-br0 vhost-user1 -- set Interface vhost-user1 type=dpdkvhostuser
    ovs-vsctl add-port ovs-br1 vhost-user2 -- set Interface vhost-user2 type=dpdkvhostuser
- Set the number of hardware queues of the NIC used by the host.
    ovs-vsctl set Open_vSwitch . other_config:n-dpdk-rxqs=8
    ovs-vsctl set Open_vSwitch . other_config:n-dpdk-txqs=8
- Set the CPU mask used for OVS.
    ovs-vsctl set Open_vSwitch . other_config:pmd-cpu-mask=0xffff
- Set the necessary permissions for DPDK vhost user ports. In the example below, 777 is used to give read, write, and execute permissions.
    chmod 777 /usr/local/var/run/openvswitch/vhost-user1
    chmod 777 /usr/local/var/run/openvswitch/vhost-user2
    chmod 777 /dev/hugepages/libvirt/qemu
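The core-mask and permission steps above are easy to get wrong by hand, so here is a small POSIX shell helper as an added example (not part of the Palo Alto Networks documentation or of OVS): it converts a list of cores to the hex mask format used by `ovs-vswitchd -c` and `other_config:pmd-cpu-mask` and back, and lists vhost-user sockets in a directory (on a real host, /usr/local/var/run/openvswitch) that are world-writable, which is the state the chmod 777 example leaves them in, so an operator can confirm that only the intended QEMU user needs that access. The directory and file names in the demo are constructed for testing.

```shell
#!/bin/sh
# Added helper, not from the original procedure. Assumes a Linux host with
# POSIX sh and a find(1) that understands -maxdepth and symbolic -perm.

# cores_to_mask CORE...  -> hex mask, e.g. "0 1" -> 0x3
cores_to_mask() {
    mask=0
    for core in "$@"; do
        mask=$(( mask | (1 << core) ))
    done
    printf '0x%x\n' "$mask"
}

# mask_to_cores HEXMASK -> space-separated core ids, e.g. 0x3 -> "0 1"
mask_to_cores() {
    mask=$(( $1 ))
    bit=0
    out=""
    while [ "$mask" -ne 0 ]; do
        if [ $(( mask & 1 )) -eq 1 ]; then
            out="$out $bit"
        fi
        mask=$(( mask >> 1 ))
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "${out# }"
}

# world_writable_vhost DIR -> prints each vhost-user* entry directly in DIR
# whose mode grants write to "other" (as chmod 777 does); returns 1 if any
# such entry exists, 0 if all vhost-user sockets are restricted.
world_writable_vhost() {
    found=$(find "$1" -maxdepth 1 -name 'vhost-user*' -perm -o+w)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Demo on the values used in the procedure above (constructed, no OVS needed).
cores_to_mask 0 1      # 0x3, the mask that runs ovs-vswitchd on two cores
mask_to_cores 0xffff   # 0 1 2 ... 15, the cores covered by pmd-cpu-mask=0xffff
```

Run `world_writable_vhost /usr/local/var/run/openvswitch` after the chmod step to list which sockets are open to every local user.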
