mlx5 PF and VF Vlan Restrictions

mlx5 PF and VF Vlan Restrictions

[domingo montoya]

Hello,

Can we have VLAN restrictions at both PF and VF level in mlx5 CX4 driver?

For a particular VF, I would like to restrict VLANs from the PF driver

For e.g, Let's say there is VF0. I would like to restrict the allowed
vlans from the VF0 to be one of 10,20,30.

I would like to do this enforcement at the PF driver.

How do i do this?

So if the VF tries to configure any vlan other than 10,20,30, it should fail.

Also how to communicate the vlans that are allowed to the vf from the PF.


Is this feature already implemented in the mlx5 ?

If not, can anyone please help me understand how to do that.


Thanks so much


Best Regards,
Domingo

Re: mlx5 PF and VF Vlan Restrictions

[Saeed Mahameed]

On Thu, Jul 14, 2016 at 11:27 AM, domingo montoya
<reach.domingomontoya@gmail.com> wrote:
> Hello,
>
> Can we have VLAN restrictions at both PF and VF level in mlx5 CX4 driver?
>
> For a particular VF, I would like to restrict VLANs from the PF driver
>
> For e.g, Let's say there is VF0. I would like to restrict the allowed
> vlans from the VF0 to be one of 10,20,30.
>
> I would like to do this enforcement at the PF driver.
>
> How do i do this?
>

in mlx5 driver you will need to configure both egress and ingress ACLs
with the allowed vlan list

same as we did in VST but without the HW vlan insertion/stripping.
i.e don't configure the HW (don't call modify_esw_vport_cvlan with non
0 vlan and qos).

today for vst mode we allow one vlan:
- VST vlan On VF TX is enforced via modify_esw_vport_cvlan command to
insert inforced vlan for all VF TX packets
- VST vlan On VF RX is enforced  via ingress ACL (Allowed vlan rule).

You need
- VGT vlan list allowed ACL rules in both ingress and egress ACLs and
drop all other traffic.


>
> So if the VF tries to configure any vlan other than 10,20,30, it should fail.
>
> Also how to communicate the vlans that are allowed to the vf from the PF.

you don't need to communicate them, the vf should initiate VGT Vlans
and try to work in best effort manner, if the PF allows it it will
work.
if not, traffic won't pass.

>
>
> Is this feature already implemented in the mlx5 ?
>

No, missing kernel/userspace API for PF admin to configure allowed vlan list.

>
> If not, can anyone please help me understand how to do that.
>

add new command for iproute to configure allowed vlan list per VF it
should be mutually exclusive with VST.
add new ndo to configure vlan list for VF in device driver, better if
we extend the existing ndo (set_vf_valn).

Thanks,
Saeed.

Re: mlx5 PF and VF Vlan Restrictions

[domingo montoya]

On Thu, Jul 14, 2016 at 3:58 PM, Saeed Mahameed
<saeedm@dev.mellanox.co.il> wrote:
> On Thu, Jul 14, 2016 at 11:27 AM, domingo montoya
> <reach.domingomontoya@gmail.com> wrote:
>> Hello,
>>
>> Can we have VLAN restrictions at both PF and VF level in mlx5 CX4 driver?
>>
>> For a particular VF, I would like to restrict VLANs from the PF driver
>>
>> For e.g, Let's say there is VF0. I would like to restrict the allowed
>> vlans from the VF0 to be one of 10,20,30.
>>
>> I would like to do this enforcement at the PF driver.
>>
>> How do i do this?
>>
>
> in mlx5 driver you will need to configure both egress and ingress ACLs
> with the allowed vlan list
>
> same as we did in VST but without the HW vlan insertion/stripping.
> i.e don't configure the HW (don't call modify_esw_vport_cvlan with non
> 0 vlan and qos).
>
> today for vst mode we allow one vlan:
> - VST vlan On VF TX is enforced via modify_esw_vport_cvlan command to
> insert inforced vlan for all VF TX packets
> - VST vlan On VF RX is enforced  via ingress ACL (Allowed vlan rule).
>
> You need
> - VGT vlan list allowed ACL rules in both ingress and egress ACLs and
> drop all other traffic.
>

Thanks so much Saeed for the quick response. This is really very
helpful. I'll try out this.

>
>>
>> So if the VF tries to configure any vlan other than 10,20,30, it should fail.
>>
>> Also how to communicate the vlans that are allowed to the vf from the PF.
>
> you don't need to communicate them, the vf should initiate VGT Vlans
> and try to work in best effort manner, if the PF allows it it will
> work.
> if not, traffic won't pass.

Okay. I was thinking when the vf configures any vlan other than the
ones the PF allows, the PF driver gets a notification right, so if
there was any way we could fail the command, so the VF returns error
when setting the vlan.

Best effort is also good. Thanks!


>
>>
>>
>> Is this feature already implemented in the mlx5 ?
>>
>
> No, missing kernel/userspace API for PF admin to configure allowed vlan list.
>
>>
>> If not, can anyone please help me understand how to do that.
>>
>
> add new command for iproute to configure allowed vlan list per VF it
> should be mutually exclusive with VST.
> add new ndo to configure vlan list for VF in device driver, better if
> we extend the existing ndo (set_vf_valn).

Thanks so much for the detailed instructions. I'll try them out.


>
> Thanks,
> Saeed.

Best Regards,
Domingo