HowTo Set Virtual Network Attributes on a Virtual Function (SR-IOV)

his post describes how to set network attributes (VLAN,Priority and MAC) when using SR-IOV device or Para-Virtualized vNIC.

(Make sure that ip-route2 standard Linux tool is installed on your machine).

To set a VLAN and priority on Virtual Function, for para-virtualized interface, use the following commands:

#ip link set <dev> down 
#ip link set <pf> vf <vf_index> vlan <vlan id> qos <priority>
#ip link set <dev> up

For example: Here eth2 is the PF (physical function) , eth8 is the interface assigned to VF 1.

#ip link set eth8 down
#ip link set eth2 vf 1 vlan 2 qos 2
#ip link set eth8 up

If you do not specify a priority the default is 0. If you use SR-IOV passthrough you should change the VLAN before starting the VM. You can use just the following:

#ip link set <pf> vf <vf_index> vlan <vlan id> qos <priority>

To set the vNIC MAC address on the Virtual Function, use the command:

#ip link set <pf> vf <vf_index> mac <vnic_mac>

For example:

#ip link set eth2 vf 1 mac 00:52:44:11:22:33

Changing the MAC should be done before the VM is up. For KVM hypervisor a 'virt-manager' GUI application can be used to create and manage VMs./div> However, if someone doesn’t want to use this library, the VM can be defined by updating the libvirt dom.xml file.

To Turn HW packet source mac spoof check on or off for the specified VF, run:

#ip link set <pf> vf <vf_index> spoofchk on|off

For example, configure for a VF mac of 00:52:44:11:22:33 and turn on spoof-checking (the default is off).

#ip link set eth2 vf 1 mac 00:52:44:11:22:33
#ip link set eth2 vf 1 spoofchk on

It is possible to change the link state as seen by the VF. The set options are:

- auto: a reflection of the PF link state (default)

- enable: lets the VF to communicate with other VFs on this host even if the PF link state is down

- disable: causes the HW to drop any packets sent by the VF.

#ip link set <pf> vf <vf_index> state auto|enable|disable

For example, set the link state to "down" of a given VF:

 

#ip link set eth2 vf 1 state disable

To verify configuration use ip link show command

# ip link show dev eth2
7: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 
link/ether 00:02:c9:e6:01:12 brd ff:ff:ff:ff:ff:ff
vf 0 MAC 00:00:00:00:00:00, vlan 4095, spoof checking off, link-state auto 
vf 1 MAC 00:00:00:00:00:00, vlan 4095, spoof checking on, link-state enable 
vf 2 MAC 00:00:00:00:00:00, vlan 4095, spoof checking off, link-state disable
vf 3 MAC 00:00:00:00:00:00, vlan 4095, spoof checking off, link-state auto 
vf 4 MAC 00:00:00:00:00:00, vlan 4095, spoof checking off, link-state auto 
vf 5 MAC 00:00:00:00:00:00, vlan 4095, spoof checking off, link-state auto

Note: "vlan 4095" means VGT mode where the guest is allowed to send anything they want, untagged or tagged with whatever vlan ID. There's no concept of "allowed VLANs" in Linux.

 

An example of an allocated VF as PCI device (SR-IOV)

<devices>

...

<hostdev mode='subsystem' type='pci' managed='yes'>

  <source>

   <address domain='0x0000' bus='0x04' slot='0x00' function='0x4'/>

  </source>

  <alias name='hostdev0'/>

  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>

</hostdev>

  ...

</devices>

To verify the PCI configuration, run lspci command and look for the source parameters bus, slot and function.

# lspci

…

04:00.4 Network controller: Mellanox Technologies ... [ConnectX-3 Virtual Function]

#

An example of an allocated VF as Para-virtualized device

<devices>

  ...

  <interface type='direct'>

    <mac address='52:54:00:36:5b:2c'/>

    <source dev='eth8' mode='passthrough'/>

    <target dev='macvtap0'/>

    <model type='virtio'/>

    <alias name='net1'/>

    <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>

</interface>

...

</devices>