
[MX] Setting trust mode to use SR-IOV interface for layer-2 services on vMX in VMware ESXi

Article ID: KB37149 KB Last Updated: 04 Aug 2021 Version: 1.0
Summary:

To use a single-root I/O virtualization (SR-IOV) interface for layer 2 services such as VPLS, L2VPN, L2Circuit, or Bridging on a vMX instance deployed on a VMware ESXi host, trust mode must be enabled and spoof check must be disabled in the Intel NIC settings. Note that trust mode may not be enabled on the Intel NIC even if the security policy in the vSwitch configuration, which is set through the ESXi GUI, has the correct values.

This article describes how to verify the trust mode status and how to set it on the Intel NIC.

Note: This applies only to Intel 700 series network adapters.

Solution:

To verify the trust mode status or to set trust mode on the Intel NIC, the Intel esxcli plug-in must be installed. Follow the instructions provided by VMware to install the required plug-in.

  • To verify trust mode and spoof mode status, use the following command from the ESXi shell on the SR-IOV vmnic:

esxcli intnet sriovnic vf get -v <vf number> -n <vmnic name>

Example

[root@host:~] esxcli intnet sriovnic vf get -v 0 -n vmnic12

VF ID           Trusted         Spoof Check
-----           -------         -----------
0               false           true

  • To enable trust mode and disable spoof check on the Intel NIC, use the following command:

esxcli intnet sriovnic vf set -s false -t true -v <vf number> -n <vmnic name>

Example

[root@host:~] esxcli intnet sriovnic vf set -s false -t true -v 0 -n vmnic12

Trusted mode is set to true and spoof check is set to false
[root@host:~] esxcli intnet sriovnic vf get -v 0 -n vmnic12

VF ID           Trusted         Spoof Check
-----           -------         -----------
0               true            false

  • If the trust mode value or the spoof check value is changed, restart the vMX FPC that is configured with the SR-IOV interface from the Junos CLI by using request chassis fpc slot <number> restart. After the FPC comes online, layer 2 services such as VPLS, L2VPN, L2Circuit, or Bridging should work with the SR-IOV interface.
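
The verification step above can be scripted so that trust mode and spoof check are relaxed only on the VFs assigned to vMX. The following is an added example, not part of the original article or a Juniper/VMware tool: the function names, the allow-list argument, and the sample table are constructed for illustration, and the only esxcli syntax used is the get command shown above.

```shell
#!/bin/sh
# Added example: audit per-VF trust / spoof-check state from the table printed by
# `esxcli intnet sriovnic vf get` (output format as shown in this article).

# Constructed sample: rows collected from four per-VF "get" calls.
SAMPLE='VF ID           Trusted         Spoof Check
-----           -------         -----------
0               true            false
1               false           true
2               true            false
3               true            true'

# Print "vf trusted spoofcheck" for every data row; header lines are skipped.
parse_vf_table() {
    awk 'NF == 3 && $1 ~ /^[0-9]+$/ &&
         ($2 == "true" || $2 == "false") && ($3 == "true" || $3 == "false") {
             print $1, $2, $3 }'
}

# Label each VF: relaxed = what vMX layer 2 services need (trusted, no spoof check),
# strict = not trusted with spoof check on, mixed = only one of the two was changed.
classify_vfs() {
    parse_vf_table | while read -r vf trusted spoof; do
        case "$trusted/$spoof" in
            true/false) echo "$vf relaxed" ;;
            false/true) echo "$vf strict" ;;
            *)          echo "$vf mixed" ;;
        esac
    done
}

# audit_vfs "<VF numbers assigned to vMX>": reads the table on stdin, prints findings.
#   FIX    = VF is on the allow-list but not relaxed, so layer 2 services will not work
#   REVIEW = VF is not on the allow-list but has trust on or spoof check off
audit_vfs() {
    allowed=" $1 "
    classify_vfs | while read -r vf state; do
        case "$allowed" in
            *" $vf "*) [ "$state" = relaxed ] || echo "FIX vf=$vf state=$state" ;;
            *)         [ "$state" = strict ]  || echo "REVIEW vf=$vf state=$state" ;;
        esac
    done
}

# On a host (vmnic12 and the VF numbers are placeholders):
#   for v in 0 1 2 3; do esxcli intnet sriovnic vf get -v "$v" -n vmnic12; done | audit_vfs "0 1"
printf '%s\n' "$SAMPLE" | audit_vfs "0 1"
```
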
