Intel i350: promiscuous mode and SR-IOV

IGoih · ‎05-28-2014

Hi,

I'm using CentOS 6.5 VM on Xen 4.3 Hypervisor.

igb driver version is 5.0.5-k and igbvf driver version is 2.0.2-k.

I'm trying to enable promiscuous mode on the VM.

I configured a VLAN on a VF with 'ip link set ethXX vf xx vlan '.

The VM uses that VF and when I checked if packets were received in the VM I found that broadcast packets and packets with the VM's MAC address destination were received.

But, packets with different MAC address destination were not received - promiscuous mode isn't working.

I tried to enable promiscuous mode in the VM with 'ip link set ethXX promisc on' and the packets were still not received.

Is there any other relevant command or configuration to enable the promiscuous mode?

Thanks!

Patrick_K_Intel1 · ‎05-28-2014

Promiscuous mode is not allowed in a VF. This is by design for security reasons. Consider a hosting environment, I don't want a competitor that may have a VM running on the same physical box as myself being able to put themselves in promiscuous mode and seeing my traffic.

-Patrick

IGoih · ‎05-28-2014

Hi Patrick,

Thank you for your help.

The VM runs an application that requires a promiscuous mode.

Is it a hardware or software limitation and can it be changed?

Thanks

Patrick_K_Intel1 · ‎05-28-2014

My marketing team would be upset with me if I didn't state that it isn't a limitation, but rather a thought-out design consideration :-)

Now that that is out of the way - it is in hardware. If you need a VM to be in promiscous mode then what you will need to do is to assign a whole PF to it.

Hope that helps.

Patrick

SMond4 · ‎06-05-2014

Hi Peter,

Does that mean that I cannot run FW application in a VM using VFs as network interfaces, instead I will need to passthrough the full PF?

Regards,

Samuiel

Patrick_K_Intel1 · ‎06-05-2014

I don't know what you mean by FW, nor who Peter is . If you need to do much more than have basic Ethernet traffic to and from a VM then a VF is not going to work for you.

The VF's are very light-weight interfaces that by design do little more than pass packets, especially on 1Gb devices. Newer 10G and beyond Intel devices have been adding additional SR-IOV features for VF's, however promiscous mode is not one of them and will likely not ever be one of them for security concerns. If you need more features than are available on a VF and have a requirement to run your application in a VM then your best solution is to assign the entire PF (port) to your VM.

thanx,

Patrick

SMond4 · ‎06-08-2014

Hi Patrick,

Sorry for writing Peter, probably it was because of the late hour.

By FW I meant firewall, I have more than one tenant on the server and each would like to run it's own firewall on a different VLAN.

Therefore I want to be able to configure the VFs to run in promiscuous mode on a given VLAN.

If a different Intel device does support this option I can change the card in my server.

If changes to driver could provide such options I'll be glad to make them but if it's hardware issue maybe future releases should take into account these applications.

Regards,

Samuel

Patrick_K_Intel1 · ‎06-10-2014

No problem :-)

Did some digging and the folks that are smarter than I say that you should be able to do what you want (promiscous mode), however it is not supported in the drivers (PF and VF as they are. We also cannot provide any direct support for you modifying the drivers yourself. However, the souce for both are available on Source Forge and I wrote some docs to help folks understand how the drivers work so that they could customize them if they like.

The doc was written for a different 1Gb Intel device, however the same basic principles should apply. Try taking a look at:

https://www-ssl.intel.com/content/www/us/en/ethernet-controllers/82576-sr-iov-driver-companion-guide.html Intel® 82576 SR-IOV Driver: Companion Guide

Hope that provides you some useful direction.

- Patrick