6.2. Virtual Network Interface Cards

6.2.1. vNIC Profile Overview

A Virtual Network Interface Card (vNIC) profile is a collection of settings that can be applied to individual virtual network interface cards in the Manager. A vNIC profile allows you to apply Network QoS profiles to a vNIC, enable or disable port mirroring, and add or remove custom properties. A vNIC profile also offers an added layer of administrative flexibility in that permission to use (consume) these profiles can be granted to specific users. In this way, you can control the quality of service that different users receive from a given network.

6.2.2. Creating or Editing a vNIC Profile

Create or edit a Virtual Network Interface Controller (vNIC) profile to regulate network bandwidth for users and groups.

Note

If you are enabling or disabling port mirroring, all virtual machines using the associated profile must be in a down state before editing.

Creating or Editing a vNIC Profile

  1. Click NetworkNetworks.
  2. Click the logical network’s name to open the details view.
  3. Click the vNIC Profiles tab.
  4. Click New or Edit.
  5. Enter the Name and Description of the profile.
  6. Select the relevant Quality of Service policy from the QoS list.
  7. Select a Network Filter from the drop-down list to manage the traffic of network packets to and from virtual machines. For more information on network filters, see Applying network filtering in the Red Hat Enterprise Linux Virtualization Deployment and Administration Guide.
  8. Select the Passthrough check box to enable passthrough of the vNIC and allow direct device assignment of a virtual function. Enabling the passthrough property will disable QoS, network filtering, and port mirroring as these are not compatible. For more information on passthrough, see Section 6.2.4, “Enabling Passthrough on a vNIC Profile”.
  9. If Passthrough is selected, optionally deselect the Migratable check box to disable migration for vNICs using this profile. If you keep this check box selected, see Additional Prerequisites for Virtual Machines with SR-IOV-Enabled vNICs in the Virtual Machine Management Guide.
  10. Use the Port Mirroring and Allow all users to use this Profile check boxes to toggle these options.
  11. Select a custom property from the custom properties list, which displays Please select a key…​ by default. Use the + and - buttons to add or remove custom properties.
  12. Click OK.

Apply this profile to users and groups to regulate their network bandwidth. If you edited a vNIC profile, you must either restart the virtual machine, or hot unplug and then hot plug the vNIC if the guest operating system supports vNIC hot plug and hot unplug.

6.2.3. Explanation of Settings in the VM Interface Profile Window

Table 6.5. VM Interface Profile Window

Field NameDescription

Network

A drop-down list of the available networks to apply the vNIC profile to.

Name

The name of the vNIC profile. This must be a unique name with any combination of uppercase and lowercase letters, numbers, hyphens, and underscores between 1 and 50 characters.

Description

The description of the vNIC profile. This field is recommended but not mandatory.

QoS

A drop-down list of the available Network Quality of Service policies to apply to the vNIC profile. QoS policies regulate inbound and outbound network traffic of the vNIC.

Network Filter

A drop-down list of the available network filters to apply to the vNIC profile. Network filters improve network security by filtering the type of packets that can be sent to and from virtual machines. The default filter is vdsm-no-mac-spoofing, which is a combination of no-mac-spoofing and no-arp-mac-spoofing. For more information on the network filters provided by libvirt, see the Pre-existing network filters section of the Red Hat Enterprise Linux Virtualization Deployment and Administration Guide.

<No Network Filter> should be used for virtual machine VLANs and bonds. On trusted virtual machines, choosing not to use a network filter can improve performance.

Passthrough

A check box to toggle the passthrough property. Passthrough allows a vNIC to connect directly to a virtual function of a host NIC. The passthrough property cannot be edited if the vNIC profile is attached to a virtual machine.

QoS, network filters, and port mirroring are disabled in the vNIC profile if passthrough is enabled.

Migratable

A check box to toggle whether or not vNICs using this profile can be migrated. Migration is enabled by default on regular vNIC profiles; the check box is selected and cannot be changed. When the Passthrough check box is selected, Migratable becomes available and can be deselected, if required, to disable migration of passthrough vNICs.

Port Mirroring

A check box to toggle port mirroring. Port mirroring copies layer 3 network traffic on the logical network to a virtual interface on a virtual machine. It it not selected by default. For further details, see Port Mirroring in the Technical Reference.

Device Custom Properties

A drop-down menu to select available custom properties to apply to the vNIC profile. Use the + and - buttons to add and remove properties respectively.

Allow all users to use this Profile

A check box to toggle the availability of the profile to all users in the environment. It is selected by default.

6.2.4. Enabling Passthrough on a vNIC Profile

The passthrough property of a vNIC profile enables a vNIC to be directly connected to a virtual function (VF) of an SR-IOV-enabled NIC. The vNIC will then bypass the software network virtualization and connect directly to the VF for direct device assignment.

The passthrough property cannot be enabled if the vNIC profile is already attached to a vNIC; this procedure creates a new profile to avoid this. If a vNIC profile has passthrough enabled, QoS, network filters, and port mirroring cannot be enabled on the same profile.

For more information on SR-IOV, direct device assignment, and the hardware considerations for implementing these in Red Hat Virtualization, see Hardware Considerations for Implementing SR-IOV.

Enabling Passthrough

  1. Click NetworkNetworks.
  2. Click the logical network’s name to open the details view.
  3. Click the vNIC Profiles tab to list all vNIC profiles for that logical network.
  4. Click New.
  5. Enter the Name and Description of the profile.
  6. Select the Passthrough check box.
  7. Optionally deselect the Migratable check box to disable migration for vNICs using this profile. If you keep this check box selected, see Additional Prerequisites for Virtual Machines with SR-IOV-Enabled vNICs in the Virtual Machine Management Guide.
  8. If necessary, select a custom property from the custom properties list, which displays Please select a key…​ by default. Use the + and - buttons to add or remove custom properties.
  9. Click OK.

The vNIC profile is now passthrough-capable. To use this profile to directly attach a virtual machine to a NIC or PCI VF, attach the logical network to the NIC and create a new PCI Passthrough vNIC on the desired virtual machine that uses the passthrough vNIC profile. For more information on these procedures respectively, see Section 6.4.2, “Editing Host Network Interfaces and Assigning Logical Networks to Hosts”, and Adding a New Network Interface in the Virtual Machine Management Guide.

6.2.5. Removing a vNIC Profile

Remove a vNIC profile to delete it from your virtualized environment.

Removing a vNIC Profile

  1. Click NetworkNetworks.
  2. Click the logical network’s name to open the details view.
  3. Click the vNIC Profiles tab to display available vNIC profiles.
  4. Select one or more profiles and click Remove.
  5. Click OK.

6.2.6. Assigning Security Groups to vNIC Profiles

Note

This feature is only available when OpenStack Networking (neutron) is added as an external network provider. Security groups cannot be created through the Red Hat Virtualization Manager. You must create security groups through OpenStack. For more information, see Project Security Management in the Red Hat OpenStack Platform Users and Identity Management Guide.

You can assign security groups to the vNIC profile of networks that have been imported from an OpenStack Networking instance and that use the Open vSwitch plug-in. A security group is a collection of strictly enforced rules that allow you to filter inbound and outbound traffic over a network interface. The following procedure outlines how to attach a security group to a vNIC profile.

Note

A security group is identified using the ID of that security group as registered in the OpenStack Networking instance. You can find the IDs of security groups for a given tenant by running the following command on the system on which OpenStack Networking is installed:

# neutron security-group-list

Assigning Security Groups to vNIC Profiles

  1. Click NetworkNetworks.
  2. Click the logical network’s name to open the details view.
  3. Click the vNIC Profiles tab.
  4. Click New, or select an existing vNIC profile and click Edit.
  5. From the custom properties drop-down list, select SecurityGroups. Leaving the custom property drop-down blank applies the default security settings, which permit all outbound traffic and intercommunication but deny all inbound traffic from outside of the default security group. Note that removing the SecurityGroups property later will not affect the applied security group.
  6. In the text field, enter the ID of the security group to attach to the vNIC profile.
  7. Click OK.

You have attached a security group to the vNIC profile. All traffic through the logical network to which that profile is attached will be filtered in accordance with the rules defined for that security group.

6.2.7. User Permissions for vNIC Profiles

Configure user permissions to assign users to certain vNIC profiles. Assign the VnicProfileUser role to a user to enable them to use the profile. Restrict users from certain profiles by removing their permission for that profile.

User Permissions for vNIC Profiles

  1. Click NetworkvNIC Profile.
  2. Click the vNIC profile’s name to open the details view.
  3. Click the Permissions tab to show the current user permissions for the profile.
  4. Click Add or Remove to change user permissions for the vNIC profile.
  5. In the Add Permissions to User window, click My Groups to display your user groups. You can use this option to grant permissions to other users in your groups.

You have configured user permissions for a vNIC profile.

6.2.8. Configuring vNIC Profiles for UCS Integration

Cisco’s Unified Computing System (UCS) is used to manage data center aspects such as computing, networking and storage resources.

The vdsm-hook-vmfex-dev hook allows virtual machines to connect to Cisco’s UCS-defined port profiles by configuring the vNIC profile. The UCS-defined port profiles contain the properties and settings used to configure virtual interfaces in UCS. The vdsm-hook-vmfex-dev hook is installed by default with VDSM. See Appendix A, VDSM and Hooks for more information.

When a virtual machine that uses the vNIC profile is created, it will use the Cisco vNIC.

The procedure to configure the vNIC profile for UCS integration involves first configuring a custom device property. When configuring the custom device property, any existing value it contained is overwritten. When combining new and existing custom properties, include all of the custom properties in the command used to set the key’s value. Multiple custom properties are separated by a semi-colon.

Note

A UCS port profile must be configured in Cisco UCS before configuring the vNIC profile.

Configuring the Custom Device Property

  1. On the Red Hat Virtualization Manager, configure the vmfex custom property and set the cluster compatibility level using --cver.

    # engine-config -s CustomDeviceProperties='{type=interface;prop={vmfex=^[a-zA-Z0-9_.-]{2,32}$}}' --cver=3.6
  2. Verify that the vmfex custom device property was added.

    # engine-config -g CustomDeviceProperties
  3. Restart the ovirt-engine service.

    # systemctl restart ovirt-engine.service

The vNIC profile to configure can belong to a new or existing logical network. See Section 6.1.2, “Creating a New Logical Network in a Data Center or Cluster” for instructions to configure a new logical network.

Configuring a vNIC Profile for UCS Integration

  1. Click NetworkNetworks.
  2. Click the logical network’s name to open the details view.
  3. Click the vNIC Profiles tab.
  4. Click New, or select a vNIC profile and click Edit.
  5. Enter the Name and Description of the profile.
  6. Select the vmfex custom property from the custom properties list and enter the UCS port profile name.
  7. Click OK.