Enable SR-IOV on KVM

Single root I/O virtualization (SR-IOV) allows a single PCIe physical device under a single root port to appear to be multiple separate physical devices to the hypervisor or guest. To enable SR-IOV on a KVM guest, define a pool of virtual function (VF) devices associated with a physical NIC and automatically assign VF devices from the pool to PCI IDs.
For SR-IOV with Intel 10GB network interfaces (ixgbe driver), the driver version must be 4.2.5 or later to support multiple queues for each NIC interface. See the Compatibility Matrix for SR-IOV and DPDK driver support by PAN-OS version.
  1. Define a network for a pool of VFs.
    1. Generate an XML file with text similar to the following example. Change the value of pf dev to the ethdev corresponding to you SR-IOV device’s physical function.
      <network> <name>passthrough</name> <forward mode='hostdev' managed='yes'> <pf dev='eth3'/> </forward> </network>
    2. Save the XML file.
    3. Execute the following commands:
      $
      virsh net-define
      <path to network XML file>
      $ virsh net-autostart passthrough $ virsh net-start passthrough
  2. After the defining and starting the network, modify the guest XML definition to specify the network.
    <interface type='network'> <source network='passthrough'> </interface>
    When the guest starts, a VF is automatically assigned to the guest.
  3. Add the multicast MAC address to the host.
    When SR-IOV is enabled, multicast traffic is filtered by the PF. This filtering causes applications that rely on multicast, such as OSPF, to fail. To prevent this filtering, you must manually add the multicast MAC address to the host using the following command:
    #ip maddress add <multicast-mac> dev <interface-name>

Recommended For You