Send and receive VLAN untagged traffic on SR-IOV interfaces
on the VM-Series firewall on KVM.
The VM-Series firewalls on KVM can operate
in VLAN access mode to support use cases where it is deployed as
a virtual network function (VNF) that offers security-as-a-service
in a multi-tenant cloud/data center environment. In VLAN access mode,
each VNF has dedicated virtual network interfaces (VNIs) for each
network and it sends and receives packets to/from SR-IOV virtual
functions (VFs) without VLAN tags; you must enable this capability
on the physical and virtual functions on the host hypervisor. When
you, then enable VLAN access mode on the VM-Series firewall, the
firewall can send and receive traffic without VLAN tags across all
its dataplane interfaces. Additionally, if you configure QoS policies,
the firewall can enforce QoS on the access interface and provide differentiated
treatment of traffic in a multi-tenant deployment.
default, the VM-Series firewall on KVM operates in VLAN trunk mode.
On PAN-OS 9.0.4 or later with VM-Series plugin 1.0.5 or later, you
can enable VLAN access mode.
On the host system, set up the physical and virtual
function to operate in VLAN access mode.
ip link set [inf_name] vf [vf_num] vlan [vlan_id]
best performance on the VM-Series firewall, make sure to: