Customers with high-performance or low-latency data center applications may use a technique called direct device assignment to install Ethernet networking interfaces directly into virtual machines, allowing direct hardware access. Either an entire Ethernet device or an Ethernet port of a multi-function Ethernet device may be allocated to virtual machines through hypervisor-specific direct assignment methods.
Alternatively, with Ethernet devices supporting Single-Root I/O Virtualization (SR-IOV) technology, SR-IOV Ethernet virtual functions may be installed into virtual machines. Using SR-IOV, multiple virtual machines can share a common Ethernet uplink, with each virtual machine capable of similar low-latency, high-performance Ethernet networking services.
Direct virtual machine access to Ethernet hardware resources may pose both reliability and availability concerns for the network interface or the platform itself. In SR-IOV Ethernet configurations, malfunctioning software or malware running in a virtual machine could temporarily disable or disrupt the direct-assigned or virtualized Ethernet functions on the shared networking interface.
If an entire device interface is assigned to a virtual machine, any device-reported faults can be directly attributed to the virtual machine. However, in the case of SR-IOV, some network data processing faults triggered within the Ethernet interface by the virtual machine through the virtual function may be difficult or impossible to attribute to the original virtual machine.
This document discusses some methods that can be used to detect, isolate, and remediate such malfunctioning or malicious virtual machines from the data center operating environment.
The following configurations are addressed:
Virtual machines can generate faults in these configurations. As a side effect, the Ethernet device will appear to fail temporarily or generate system faults that disrupt physical platform operation.
Direct-Assignment Networking Fault Isolation in a Data Center Environment Application Note