>
    Strata Copilot
    Enable VLAN Access Mode with SR-IOV and Multi-Queue Support
    Focus
    Download PDF
    Focus
    1. Home
    2. VM-Series
    3. VM-Series Firewall on KVM
    4. Enable VLAN Access Mode with SR-IOV and Multi-Queue Support
    Download PDF
    VM-Series

    Enable VLAN Access Mode with SR-IOV and Multi-Queue Support

    Table of Contents

    Enable VLAN Access Mode with SR-IOV and Multi-Queue Support

    Send and receive VLAN untagged traffic on SR-IOV interfaces on the VM-Series firewall on KVM.
    Where Can I Use This?What Do I Need?
    • KVM
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    The VM-Series firewalls on KVM can operate in VLAN access mode to support use cases where it is deployed as a virtual network function (VNF) that offers security as a service in a multitenant cloud or data center environment. In VLAN access mode, each VNF has dedicated virtual network interfaces (VNIs) for each network and it sends and receives packets to/from SR-IOV virtual functions (VFs) without VLAN tags; you must enable this capability on the physical and virtual functions on the host hypervisor. When you, then enable VLAN access mode on the VM-Series firewall, the firewall can send and receive traffic without VLAN tags across all its dataplane interfaces. Additionally, if you configure QoS policies, the firewall can enforce QoS on the access interface and provide differentiated treatment of traffic in a multitenant deployment.
    By default, the VM-Series firewall on KVM operates in VLAN trunk mode.
    1. On the host system, set up the physical and virtual function to operate in VLAN access mode.
      ip link set [inf_name] vf [vf_num] vlan [vlan_id].
      For best performance on the VM-Series firewall, make sure to:
      • Enable CPU pinning. See Isolate CPU Resources in a NUMA Node on KVM.
      • Disable Replay Protection, if you have configured IPSec Tunnels.
        On the firewall web interface, select NetworkIPSec Tunnels select an IPSec tunnel, and click General, and select Show Advanced Options and clear Enable Replay Protection.
    2. Access the CLI on the VM-Series firewall.
    3. Enable VLAN access mode.
      request plugins vm-series vlan-mode access-mode on
      on enables VLAN access mode; to use VLAN trunk mode, enter request plugins vm-series vlan-mode access-mode off.
    4. Reboot the firewall.
      Enterrequest restart system.
    5. Verify the VLAN mode configuration.
      show plugins vm-series vlan-mode

    Enable Multi-Queue Support for NICs on KVM

    Use multiqueue support for network interface cards to scale performance with the number of CPUs assigned to your firewall.
    Where Can I Use This?What Do I Need?
    • KVM
    • VM-Series Firewall License (BYOL)
    • Panorama
    • VM-Series plugin
    Modify the guest XML definition to enable multiqueue virtio-net. Multiqueue virtio-net allows network performance to scale with the number of vCPUs and allows for parallel packet processing by creating multiple TX and RX queues.
    1. Modify the guest XML definition. Insert a value from 1-256 for N to specify the number of queues. For the best results, match the number of queues with number of dataplane cores configured on the VM.
      <interface type='network'> 
      <source network='default'/> 
      <model type='virtio'/> 
      <driver name='vhost' queues='N'/> 
</interface>

    © 2026 Palo Alto Networks, Inc. All rights reserved.