Single-root input/output virtualization
(SR-IOV) relies on communication between virtual function (VF) drivers
on the VM-Series firewall, and physical function (PF) drivers on
the host (the hypervisor). The host uses PF drivers to talk to its
physical NICs, and the VM-Series firewall uses VF drivers to talk
to the PF drivers.
The following diagram is a simple visualization
of that concept.
Why use SR-IOV? SR-IOV is a packet
acceleration technology that allows a virtual machine to directly
access packets from the NIC. In contrast, when using a virtual switch,
the host processes the packets, sends the packets through a virtual
switch, and then the virtual machine receives its packets.
In the Compatibility Matrix, PacketMMAP Driver Versions lists
both the host version and the native driver version on the VM-Series
firewall. For example, i40e on the host, and on the firewall, i40e
(for PCI-passthrough) and i40evf (for SR-IOV).
Let's consider a NIC that uses the i40e PF driver. The host communicates with
the NIC via the i40e driver. The VM-Series firewall can use its
VF driver (i40evf) to directly communicate with the host's PF driver.
This gives the VM-Series firewall direct access, which improves packet
processing speed. To ensure compatibility, install a host PF driver
version that is later than the native PF driver version.
Why does the VM-Series firewall
have native PF drivers? As mentioned in Options for Attaching VM-Series
on the Network, when using PCI-passthrough, the NIC is reserved
for the VM-Series firewall, so the host (or other guests on the
host) cannot access the NIC. In a PCI-passthrough configuration,
the VM-Series firewall uses its native PF driver to communicate
directly with the host NIC.
Refer to the PacketMMAP Driver Versions list
to determine which PF driver version to install on the host. Install
a PF version that is higher than the VM-Series firewall's native PF driver version.
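
The two version rules above (a host PF driver later than the firewall's native PF driver) can be checked on the hypervisor before SR-IOV is enabled. The script below is an added example, not Palo Alto Networks code: the function names are hypothetical, and the version numbers and the `ethtool -i` sample are constructed placeholders, so take the real native version from the PacketMMAP Driver Versions list.

```shell
#!/bin/sh
# Added example: confirm the host PF driver is later than the VM-Series
# firewall's native PF driver. Function names are hypothetical.

# Print "<driver> <version>" parsed from `ethtool -i <iface>` output on stdin.
pf_driver_info() {
    awk -F': ' '
        $1 == "driver"  { d = $2 }
        $1 == "version" { v = $2 }
        END { if (d != "" && v != "") print d, v; else exit 1 }'
}

# Succeed only if version $1 is strictly later than $2 (sort -V ordering).
version_gt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# check_pf_driver <expected_pf_driver> <native_pf_version>; ethtool output on stdin.
# Returns 0 = compatible, 1 = wrong driver or version too old, 2 = unparsable input.
check_pf_driver() {
    local expected="$1" native="$2" info driver version
    info="$(pf_driver_info)" || { echo "UNKNOWN: no driver/version in input"; return 2; }
    driver="${info%% *}"
    version="${info#* }"
    if [ "$driver" != "$expected" ]; then
        echo "MISMATCH: host uses $driver, expected $expected"
        return 1
    fi
    if version_gt "$version" "$native"; then
        echo "OK: host $driver $version is later than native PF driver $native"
        return 0
    fi
    echo "TOO_OLD: host $driver $version is not later than native PF driver $native"
    return 1
}

# Constructed sample of `ethtool -i` output; the version is a placeholder.
SAMPLE_ETHTOOL='driver: i40e
version: 2.10.19
bus-info: 0000:3b:00.0
supports-statistics: yes'

# On a real host: ethtool -i <pf-interface> | check_pf_driver i40e <native-version>
printf '%s\n' "$SAMPLE_ETHTOOL" | check_pf_driver i40e 2.8.20
```

Some in-tree kernel drivers report the kernel release in the `version` field instead of a driver version; in that case the comparison is not meaningful and the driver version has to be confirmed another way.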
PAN-OS has two packet
processing modes—DPDK (default) and MMAP—and each mode has a corresponding
native driver on the VM-Series firewall. For example, if the firewall
is in DPDK mode, the firewall uses the DPDK i40evf driver version
to communicate with the host's i40e driver (when using SR-IOV).
Alternatively, when the firewall is in Packet MMAP mode, it will use a different
i40evf driver version to communicate with the host's i40e driver.
You can enable DPDK on the host (the hypervisor),
or on the guest (the VM-Series firewall). Enabling both yields the
Compiling OVS with DPDK is part of
enabling DPDK on the host.