Chapter 8: SR-IOV Setup

8.1. Overview

cOS Stream supports Single Root I/O Virtualization (SR-IOV). SR-IOV allows a single physical PCI Ethernet interface to be divided into multiple Virtual Function (VF) PCI Ethernet interface devices. When running in a virtual environment, the firewall can be assigned such VF interfaces, allowing it to have direct access to a dedicated part of the physical PCI Ethernet interface.

Just as with PCI passthrough, the direct access provided by SR-IOV can give dramatically higher traffic throughput capability for a Clavister Firewall since it circumvents the overhead involved with normal virtual interfaces.

Prerequisites for SR-IOV

In order to make use of SR-IOV, at least the following is required:

  • Hardware support for IOMMU and SR-IOV.

  • Both IOMMU and SR-IOV enabled in the BIOS.

  • An Intel or NVIDIA ConnectX Ethernet network device with SR-IOV capabilities. cOS Stream supports multiple models from both vendors.

Setup of the hardware platform for virtualization is not discussed further here. For details on this subject, please consult the documentation for the relevant hardware platforms, operating systems and/or hypervisors.
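As an added example (not from this guide), the following POSIX shell script verifies the prerequisites listed above on a Linux hypervisor host using the kernel's sysfs attributes. The SYSROOT parameter and the constructed sysfs tree built by make_fake_sysfs are assumptions made here so the checks can be exercised offline; on a real host the default root /sys is used.

```shell
#!/bin/sh
# Added example, not part of the Clavister guide. Checks, on a Linux hypervisor host,
# the SR-IOV prerequisites: IOMMU active (enabled in BIOS and kernel) and at least one
# NIC whose driver exposes SR-IOV. SYSROOT is normally /sys; a constructed tree is
# used below so the functions can be exercised offline.

# iommu_enabled SYSROOT -> true if the kernel exposes at least one IOMMU group.
# /sys/kernel/iommu_groups exists but is empty when the IOMMU is off.
iommu_enabled() {
    set -- "$1"/kernel/iommu_groups/*
    [ -e "$1" ]
}

# sriov_capable_pfs SYSROOT -> one line "ifname total_vfs enabled_vfs" per NIC whose
# PCI device exposes sriov_totalvfs > 0 (i.e. driver and firmware support SR-IOV).
sriov_capable_pfs() {
    for dev in "$1"/class/net/*; do
        f="$dev/device/sriov_totalvfs"
        [ -r "$f" ] || continue
        total=$(cat "$f")
        [ "$total" -gt 0 ] 2>/dev/null || continue
        num=$(cat "$dev/device/sriov_numvfs" 2>/dev/null || echo 0)
        echo "$(basename "$dev") $total $num"
    done
}

# check_host SYSROOT -> prints a summary; exit status 0 only when both prerequisites hold.
check_host() {
    ok=0
    if iommu_enabled "$1"; then echo "IOMMU: active"
    else echo "IOMMU: no groups found (enable in BIOS and kernel)"; ok=1; fi
    pfs=$(sriov_capable_pfs "$1")
    if [ -n "$pfs" ]; then printf 'SR-IOV PFs (name total enabled):\n%s\n' "$pfs"
    else echo "SR-IOV: no capable NIC found (check BIOS and NIC model)"; ok=1; fi
    return $ok
}

# make_fake_sysfs -> constructed sysfs tree: one IOMMU group, one PF with 4 of 8 VFs
# enabled (enp3s0f0) and one NIC without SR-IOV (eth0). Prints the root path.
make_fake_sysfs() {
    root=$(mktemp -d)
    mkdir -p "$root/kernel/iommu_groups/0" \
             "$root/class/net/enp3s0f0/device" "$root/class/net/eth0/device"
    echo 8 > "$root/class/net/enp3s0f0/device/sriov_totalvfs"
    echo 4 > "$root/class/net/enp3s0f0/device/sriov_numvfs"
    echo "$root"
}

# Run against the real host (override with SYSROOT=/path to use another tree).
check_host "${SYSROOT:-/sys}" || true
```

The enabled VF count must be greater than zero before a VF can be handed to the firewall VM; a PF showing total > 0 but enabled = 0 has SR-IOV support but no VFs created yet.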

Using Assigned MAC Addresses in an HA cluster

By default, an HA cluster will use synthetic MAC addresses on its Ethernet interfaces. However, such MAC addresses may not be allowed by the constraints for the virtual machine. If this is the case, the actual interface MAC addresses must be used instead. This is done by setting the property HAEthernetAddressMode on the relevant EthernetInterface objects to the value InterfaceMAC (the default value is PrivateSharedMAC). For example:
System:/> set Interface EthernetInterface if1
              HAEthernetAddressMode=InterfaceMAC
If this feature is to be used, it is recommended to read the full description of its correct setup in the HA setup section of the separate Administration Guide for cOS Stream.

Achieving Maximum Throughput

Once the SR-IOV interfaces exist as logical interfaces in the system configuration, they can be used for both receiving and sending traffic, and can be referenced in cOS Stream rule sets and other configuration objects.

In order to reach much higher throughput speeds, traffic must both enter and leave the firewall via SR-IOV interfaces. Having the traffic enter or leave on a normal virtual interface will create a bottleneck, reducing throughput back to non-SR-IOV speeds.