About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Article
IBM AIX SR-IOV access control list (ACL) support on NVIDIA device drivers
A deep dive into access control mechanisms for NVIDIA adapters using IBM AIX SR‑IOV
Access control lists (ACLs) in single root I/O virtualization (SR-IOV) enable traffic classification and filtering to enforce security policies, restrict virtual machine traffic, and mitigate layer 2 attacks. This article outlines the process for creating and validating virtual functions with ACL rules on NVIDIA device drivers and summarizes the expected outcomes when ACLs are applied.
What are access control lists?
ACLs are network filters that control data flow through network interfaces. When applied, the adapter inspects the traffic against the defined criteria and either permits or blocks it, ensuring compliance with security policies.
Why use ACLs?
ACLs provide a foundational layer of network security by controlling traffic flow and enforcing policies.
Why SR-IOV ACLs?
An SR-IOV adapter provides I/O virtualization capabilities for a managed system and the APIs provide the configuration of the SR-IOV adapters.
A PCI Express (PCIe) virtual function is a lightweight PCIe function on a network adapter that supports SR-IOV. The virtual function is associated with the PCIe physical function on the network adapter and represents a virtualized instance of the network adapter. Each virtual function has its own PCI configuration space.
ACL rules allow traffic classifications and filtering. SR-IOV, when combined with ACL, can provide the required security by restricting the allowed traffic and filtering it.
SR-IOV is supported on the following NVIDIA adapters (represented as feature codes in the following table):
| Feature Codes | Description |
|---|---|
| EC3L and EC3M | PCIe3 2-port 100 GbE RoCE QSFP28 PCIe 3.0 x16 adapter |
| EC2R and EC2S | PCIe3 2-port 10 Gb NIC and ROCE SR/Cu adapter |
| EC2T and EC2U | PCIe3 2-port 25/10/1 Gb NIC and ROCE SFP28 adapter |
| EC66 and EC67 | PCIe4 2-port 100 GbE RoCE x16 adapter |
| EC75 and EC76 | PCIe4 2-port 100 GbE RoCE x16 adapter |
| EC71 and EC72 | PCIe4 2-port 25/10/1 Gb RoCE SFP28 adapter |
| EN24 and EN26 | PCIe4 x16 4-port 25/10/1 GbE RoCE SFP28 adapter |
| EC85 and EC86 | PCIe5 2-port 200/100 GbE RoCE adapter x16 |
ACLs in network device drivers
Network device drivers enforce ACLs through Media Access Control (MAC) and VLAN restrictions at both the hypervisor and operating system levels.
Figure 1. IBM Power architecture with SR-IOV
ACL commands on AIX
The primary tool for ACL’s configuration is the chhwres command, which provides granular control over adapter attributes such as allowed MAC addresses and VLAN IDs. This ensures that only authorized traffic flows through the virtualized network interfaces, enhancing isolation and mitigating potential Layer 2 attacks.
MAC and VLAN restriction attributes
Use the chhwres command to configure MAC and VLAN restrictions for SR-IOV logical ports:
chhwres -r sriov -m <Managed_System> --rsubtype logport -p <Lpar_Name> -o a -a "adapter_id=<Adapter_ID>,phys_port_id=<Physical_Port_ID>,logical_port_type=eth, allowed_os_mac_addrs=<Mac_Options>, allowed_vlan_ids=<VLAN_Options>"
For MAC restrictions, use the allowed_os_mac_addrs attribute with the following options:
Options: none, all, or a list in the format 023344556677 (must start with 02).
For VLAN restrictions, use the allowed_vlan_ids attribute with the following options:
Options: Comma-separated VLAN IDs, for example, 2,3,4,5,…4095.
Example commands
Create a virtual function with allowed MAC and allowed VLAN options
chhwres -r sriov -m p9zzh-fsp --rsubtype logport -p p9zzh-cx5a -o a -a "adapter_id=2,phys_port_id=0,logical_port_type=eth ,huge_dma_window_mode=0, promisc_mode=0, allowed_os_mac_addrs=024444555544, allowed_vlan_ids=4, port_vlan_id=0"
Create a virtual function with only an allowed MAC address
chhwres -r sriov -m p9zzh-fsp --rsubtype logport -p p9zzh-cx5a -o a -a "adapter_id=2,phys_port_id=0,logical_port_type=eth ,huge_dma_window_mode=0, promisc_mode=0, allowed_os_mac_addrs=024444555544, port_vlan_id=0"
Create a virtual function with only an allowed VLAN ID
chhwres -r sriov -m p9zzh-fsp --rsubtype logport -p p9zzh-cx5a -o a -a "adapter_id=2,phys_port_id=0,logical_port_type=eth ,huge_dma_window_mode=0, promisc_mode=0, allowed_vlan_ids=4, port_vlan_id=0"
Checking the ACL values on AIX
You can check the ACL values on a virtual function on AIX using the entstat utility available for the adapter.
Running the entstat -d entX command gives the following output specific to the allowed MAC and VLAN list:
Port VLAN: Disabled
MAC Mode: Restricted To List
Maximum Active MAC Addresses: 1
Allowed MAC Addresses:
F2:5F:A4:F5:CA:00 ------ Default Mac Address
02:44:44:55:55:44 ------ Mac address from the list of allowed macs
VLAN Mode: Restricted To List
Maximum Active VLAN IDs: 20
Allowed VLAN IDs:
0004 ------- Vlan from the list of allowed vlans
Enabled VLAN IDs: None
Limitations of ACL
Though there are lots of benefits when you use ACL, there are a few limitations, such as:
- Only up to four MAC addresses are allowed in the MAC list.
- Only up to 20 VLAN IDs are allowed in the VLAN list.
- When the VLAN ID restriction uses an allow list, the operating system must permit the same VLANs on the interface.
- Virtual functions with a Port VLAN ID (PVID) greater than or equal to ‘1’ do not support the
allowed_vlan_idsattribute; it is always set to none. - When the PVID on a virtual function is greater than 1, the
allowed_vlan_idsattribute is set to none.
Design of ACL
Refer to the table in Figure 2 for different ACL combinations on AIX and their expected results.
Figure 2. ACL rules in NVIDIA adapters
The following are the acronyms used in the table in Figure 2:
| Term | Meaning |
|---|---|
| MAC-X | Allowed MAC |
| MAC-Y | Not allowed MAC |
| VLAN-X | Allowed VLAN |
| VLAN-Y | Not allowed VLAN |
| Sent | Ping success |
| Dropped | Ping failed |
| NA | Not Applicable |
Summary
ACLs are the principal elements in securing your networks, and therefore, understanding their function and proper placement is essential to achieve the best effectively.
This article described the use of ACLs with SR-IOV on NVIDIA network adapters to enforce network security through MAC and VLAN-based traffic filtering. It outlined virtual function creation, ACL configuration and validation on AIX, supported adapters, and key limitations. And as a result, you can restrict unauthorized traffic, improve isolation, and mitigate Layer 2 attacks in virtualized environments.