Dedicated Edge — AF_PACKET Mode
AF_PACKET mode allows VPP to use the Linux kernel's AF_PACKET interface for packet I/O instead of DPDK. This makes it possible to deploy a full-featured VPP edge on virtual machines, cloud instances, or hardware that does not support DPDK. Expect throughput in the range of 1–5 Gbps.
Prerequisites
- Any server, VM, or cloud instance (VMware, KVM, Hyper-V, AWS, Azure, GCP, etc.)
- Ubuntu 22.04+ or compatible Linux distribution
- Docker installed and running
- SSH access configured
- Minimum hardware: 2 CPU cores, 4 GB RAM, 2 NICs (WAN + LAN)
No special hardware requirements — no VT-d, no hugepages, no VFIO.
Identify Interface Names
Before deploying, you need to know the name of the WAN-facing network interface on the target machine.
Run ip link show on the target machine to list all available network interfaces.
Common interface names by platform:
| Platform | Typical Interface Names |
|---|---|
| VMware Fusion / ESXi | ens33, ens160, ens192 |
| KVM / QEMU | ens3, enp1s0, eth0 |
| AWS | ens5, eth0 |
| Azure | eth0, eth1 |
| Bare metal | enp1s0, enp2s0, eno1 |
Identify which interface is connected to your WAN (internet-facing) network and which is on your LAN.
Build and Deploy
From the testing/ directory on your build machine, run:
./scripts/build-production-edge-image.sh \
--mode afpacket \
--wan-interface ens33 \
--deploy <VM_IP> \
--bootstrap
Build Script Flags
| Flag | Description |
|---|---|
| --mode afpacket | Use AF_PACKET mode instead of DPDK |
| --wan-interface <name> | Specifies the WAN-facing network interface (required for AF_PACKET) |
| --lan-interfaces <name> | Specifies the LAN interface(s) (optional, comma-separated for multiple) |
| --deploy <IP> | Target VM/server IP address for SSH deployment |
| --bootstrap | Run the bootstrap process after deployment |
| --skip-build | Skip the Docker image build (use a previously built image) |
| --overwrite-compose | Regenerate the compose file (overwrites existing) |
The deploy process is the same as DPDK mode, except:
- No hugepages allocation
- No VFIO kernel module setup
- VPP uses vpp-afpacket.conf instead of vpp.conf
- Interface names in the generated compose reflect the actual Linux interface names
Key Differences from DPDK Mode
| Aspect | DPDK Mode | AF_PACKET Mode |
|---|---|---|
| VPP interface names | G0, G1 (GigabitEthernet) | host-ens33, host-ens34 |
| Hugepages | Required (1024 x 2 MB) | Not required |
| VFIO | Required | Not required |
| VPP config file | vpp.conf | vpp-afpacket.conf |
| Host NIC availability | Taken from host OS | Shared with host OS |
| Throughput | 10 Gbps+ | 1–5 Gbps |
| Hardware requirements | Intel NICs, VT-d, SR-IOV | Any NIC |
In VPP, AF_PACKET interfaces appear as host-<linux-interface-name>. For example, if your Linux WAN interface is ens33, VPP will show it as host-ens33. The orchestrator automatically translates between orchestrator port names (G0, G1) and the actual VPP interface names.
Verification
After deployment, verify that VPP is running with AF_PACKET interfaces:
ssh edge@<VM_IP> "sudo docker exec vpp-agent vppctl show interface"
You should see host-* interfaces. Example output:
Name Idx State MTU (L3/IP4/IP6/MPLS)
host-ens33 1 up 9000/0/0/0
host-ens34 2 up 9000/0/0/0
local0 0 down 0/0/0/0
In the SecureLink web UI, the edge detail page will display a purple AF_PACKET badge next to the VPP mode indicator, confirming the mode was detected correctly.
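To script the check above, the following added example (not part of the SecureLink tooling) parses vppctl show interface output and confirms that each expected host-<name> interface is present and up. The function names and status strings are hypothetical, and the sample output is constructed from the example shown on this page.

```shell
#!/bin/sh
# Added example: validate `vppctl show interface` output for AF_PACKET mode.
# Reads the command output on stdin; arguments are Linux interface names.
# Prints one line per problem and returns non-zero if any check fails.
# Against a deployed edge (command taken from this page):
#   ssh edge@<VM_IP> "sudo docker exec vpp-agent vppctl show interface" \
#     | check_afpacket_ifaces ens33 ens34
check_afpacket_ifaces() {
    out=$(cat)
    rc=0
    # AF_PACKET interfaces are named host-<linux-interface-name>.
    # If none exist, VPP did not come up with AF_PACKET interfaces at all.
    if ! printf '%s\n' "$out" | awk '$1 ~ /^host-/ { f = 1 } END { exit !f }'; then
        echo "NO-HOST-IFACES"
        return 1
    fi
    for nic in "$@"; do
        # Columns are Name, Idx, State, MTU; match the name exactly so that
        # host-ens3 does not match host-ens33.
        state=$(printf '%s\n' "$out" | awk -v n="host-$nic" '$1 == n { print $3; exit }')
        case "$state" in
            up) ;;
            "") echo "MISSING host-$nic"; rc=1 ;;
            *)  echo "NOT-UP host-$nic (state: $state)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the page's example output with host-ens34 set to down.
sample_show_interface() {
    cat <<'EOF'
Name Idx State MTU (L3/IP4/IP6/MPLS)
host-ens33 1 up 9000/0/0/0
host-ens34 2 down 9000/0/0/0
local0 0 down 0/0/0/0
EOF
}

# Offline demo against the constructed sample (reports host-ens34 as not up).
sample_show_interface | check_afpacket_ifaces ens33 ens34 || true
```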
Troubleshooting
VPP fails to start with AF_PACKET
- Verify the interface name is correct: ip link show on the target machine
- Ensure the interface exists and is up: ip link set <interface> up
- Check VPP logs: ssh edge@<VM_IP> "sudo docker logs vpp-agent"
WAN IP not detected
AF_PACKET interfaces in bridge mode may be L2-only (no IP address assigned directly to VPP). This is expected behavior — the edge will still report its status and update timestamps even without a detected WAN IP.
Next Steps
After the edge is running, proceed to Bootstrap & Provisioning if you did not use the --bootstrap flag during deployment.