Router with SR-IOV?

I have one server that I want to act as a router but also have VMs inside. The server has a dual NIC card that is connected to 2 switches that get IP transit.

I am thinking to use SR-IOV instead of simple passthrough to share the NIC ports with a bhyve VM on which the router is set up. But how would I link the other VMs on the host? Should I create a bridge on the host and then pass an interface to the router VM? Is there any good practice for such a thing? Especially to do the initial setup/bootstrap of the host?
 
Yes, I know we can use VFs on the host. But this implementation is buggy with Mellanox. Using SR-IOV with all VFs in passthrough mode works, however. So I am wondering how people still handle east-west traffic inside the hosts without VM (without going back to the switch on top). Also, how to generate unique MAC addresses across a network? Any idea is welcome.
 
If you are implementing a software router on the host which is also hosting a bhyve VM with a passthrough SR-IOV VF, then yes, you need to switch the packets back on the hardware switch, which makes the entire network topology pointless. Maybe it will be better not to use passthrough for the VF so you can use a software bridge with TAP interfaces for bhyve.

For a standard virtualization server it makes sense to use passthrough for VFs, but when the router is on the same host, not so much. Check Intel's PCI-SIG SR-IOV primer document for different implementations and topologies; there is also a good network flow diagram under "6.3 Theory of Operations" of how the packets are switched in a single root port with a virtual network bridge.
 
VladiBG, thanks for the information. Late response, but there would be VMs on this machine but also external machines using the router VM as their main router. What I am looking for is whether it's possible to use both SR-IOV for the router and share the router with local VMs in an efficient manner. Maybe a single local bridge would do the trick?
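One way to wire up the "single local bridge" idea and the unique-MAC question from the first post, as an added example that is not from anyone in this thread: the router VM takes the two SR-IOV VFs by PCI passthru for its uplinks and a tap on bridge0 for the LAN side, every local VM gets its own tap on the same bridge0, and every VM NIC gets a locally administered MAC derived from a site id, a host id and a NIC index. It assumes a FreeBSD bhyve host, the interface names bridge0/tap0..tap2 and the PCI addresses 2/0/0 and 2/0/1 for the VFs; it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a FreeBSD bhyve host where the
# router VM gets the two SR-IOV VFs by PCI passthru and one tap on bridge0,
# and every local VM gets its own tap on the same bridge0 (east-west traffic
# stays on the host). Commands are printed, not executed: a dry run.

# Deterministic MAC: 02 = locally administered bit set, multicast bit clear;
# then an 8-bit site id, a 16-bit host id and a 16-bit per-host NIC index.
# Unique host ids keep the MACs unique across the whole network.
vm_mac() {
    site=$1; host=$2; nic=$3
    [ "$site" -ge 0 ] && [ "$site" -le 255 ] || return 1
    [ "$host" -ge 0 ] && [ "$host" -le 65535 ] || return 1
    [ "$nic" -ge 0 ] && [ "$nic" -le 65535 ] || return 1
    printf '02:%02x:%02x:%02x:%02x:%02x\n' "$site" \
        $((host >> 8)) $((host & 255)) $((nic >> 8)) $((nic & 255))
}

# Host bootstrap: one bridge and one tap per VM NIC, all members of bridge0.
# The host keeps no address on bridge0; the router VM owns the LAN side.
bridge_cmds() {
    ntaps=$1; i=0
    echo "ifconfig bridge0 create up"
    while [ "$i" -lt "$ntaps" ]; do
        echo "ifconfig tap$i create up"
        echo "ifconfig bridge0 addm tap$i"
        i=$((i + 1))
    done
}

# Router VM device slots: the two uplink VFs by passthru (bus/slot/function
# as shown by pciconf and listed in loader.conf pptdevs), LAN side on tap0.
router_vm_args() {
    echo "-s 5,passthru,$1 -s 6,passthru,$2 -s 7,virtio-net,tap0,mac=$3"
}

# Local VM: just a virtio-net NIC on its own tap; it reaches the router
# through bridge0 without touching the physical switches.
local_vm_args() {
    echo "-s 5,virtio-net,$1,mac=$2"
}

show_plan() {
    bridge_cmds 3
    echo "router: $(router_vm_args 2/0/0 2/0/1 "$(vm_mac 1 7 0)")"
    echo "vm1:    $(local_vm_args tap1 "$(vm_mac 1 7 1)")"
    echo "vm2:    $(local_vm_args tap2 "$(vm_mac 1 7 2)")"
}
show_plan
```

The printed `-s` arguments are meant to be pasted into the rest of each VM's bhyve command line; the VF addresses must match the entries you put in `pptdevs`.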
 
"using the router VM as their main router."
I thought long and hard about collapsing my firewall router into a VM.
I look at my firewall as the top of the rack.
First thing packets hit before my network.
Not sure I want to add complexity to that cause.
It is so nice to have video output on a firewall. Serial output is nice, but no substitute for direct video output.
You see all the console error messages live.
I no longer need that crutch but it sure is nice.

I think this blurb from VladiBG's excellent documentation link needs highlighting:

One reason that line rate, or near line rate cannot be achieved is because each packet must
go through the software switch and that requires CPU cycles to process the packets.

And while direct passthrough provides good speed, it is still not as fast as no virtualization. There is a hit.
The Direct Assignment method of virtualization provides very fast I/O. However, it prevents
the sharing of I/O devices.
 