How Nutanix AHV Uses eBPF for vNIC-IP Mapping

Introduction

Accurate vNIC-to-IP mapping is fundamental for virtual networking visibility, security, and troubleshooting. On the Nutanix AHV hypervisor, this mapping becomes especially important for services like Flow Virtual Networking, microsegmentation, packet inspection, and network analytics. But virtual machines may acquire IP addresses dynamically, change addresses over time, or operate across multiple subnets, making it necessary for the hypervisor to observe real network events directly.

To solve this, AHV leverages a lightweight, kernel-native technology: eBPF. With the help of the eBPF ring buffer, AHV efficiently captures ARP and DHCP packets at the hypervisor level, enabling more accurate and timely vNIC-to-IP association.

Why eBPF on Nutanix AHV?

Traditional packet-capture or polling approaches add overhead or miss transient events. We wanted a mechanism where we could:

  • Observe essential L2/L3 network events.
  • Avoid user-space packet flooding.
  • Monitor only the specific traffic needed (ARP, DHCP).
  • Update IP-mapping data structures instantly and safely.

How This Enables Better Networking on Nutanix?

Accurate and real-time IP-to-vNIC mapping improves:

  • Flow Network Security: Precise microsegmentation policies.
  • Flow Virtual Networking: Topology and analytics accuracy.
  • Troubleshooting: Immediate identification of where a VM lives in the network.
  • Observability: Packet-level visibility without heavy agents.

eBPF Ring Buffer: The Interface Between eBPF and AHV

The eBPF ring buffer is a shared circular buffer used for exchanging data between the kernel and user space. AHV uses the BPF_MAP_TYPE_RINGBUF map type, which lets the kernel write data into the buffer and user space consume (read) it. If the buffer is full, new entries will not be accepted. The ring buffer also manages concurrency internally, helping maintain data integrity even when reads and writes occur simultaneously.

Here’s what makes it appealing:

  • Efficient, Lock-Free Data Exchange: The ring buffer is designed to minimize synchronization overhead. It safely handles concurrent reads and writes, allowing the kernel to push data while userspace simultaneously consumes it, without requiring custom locking logic.
  • Non-Retry Behavior Under Load: If the ring buffer becomes full, new entries are simply dropped. This avoids blocking the kernel or slowing down packet processing paths, keeping the system running smoothly even under heavy load.
  • Simplicity for Variable-Sized Data: Unlike per-CPU maps or hash maps, the ring buffer supports variable-length messages. This makes it ideal for exporting packet metadata, parsed headers, or even raw packet bytes.
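To make the reserve/commit and drop-on-full behaviour described above concrete, here is a userspace model of the ring buffer; this is an added example, not AHV code and not the kernel implementation. The 8-byte record header, the BUSY and DISCARD flag bits, and the 8-byte alignment are assumptions of the model. The point a practitioner should take from it is the `dropped` counter: a refused reservation is an ARP or DHCP event the learner will never see, so drops must be counted and surfaced, or the vNIC-to-IP table silently goes stale.

```python
import struct
import threading

# Modeled loosely on BPF_MAP_TYPE_RINGBUF: each record starts with an 8-byte
# header whose first word holds the payload length plus two flag bits.
# Header size, bit positions and alignment are assumptions of this model.
HDR = struct.Struct("<II")
BUSY_BIT = 1 << 31      # slot reserved but not yet committed by the producer
DISCARD_BIT = 1 << 30   # producer gave the slot back; consumer must skip it
ALIGN = 8


def round_up(n):
    return (n + ALIGN - 1) & ~(ALIGN - 1)


class RingBuf:
    """One shared circular buffer: producers reserve, write, commit; the consumer
    reads committed records in order. A reservation that does not fit is refused
    immediately instead of blocking the producer."""

    def __init__(self, size):
        if size & (size - 1):
            raise ValueError("size must be a power of two")
        self.size = size
        self.data = bytearray(size)
        self.producer_pos = 0   # monotonic; masked with size-1 when indexing
        self.consumer_pos = 0
        self.dropped = 0        # events refused because the buffer was full
        self.lock = threading.Lock()

    def _write(self, pos, blob):
        start = pos & (self.size - 1)
        first = min(len(blob), self.size - start)   # wrap at end of buffer
        self.data[start:start + first] = blob[:first]
        self.data[0:len(blob) - first] = blob[first:]

    def _read(self, pos, n):
        start = pos & (self.size - 1)
        first = min(n, self.size - start)
        return bytes(self.data[start:start + first]) + bytes(self.data[0:n - first])

    def reserve(self, length):
        total = HDR.size + round_up(length)
        with self.lock:
            if self.producer_pos - self.consumer_pos + total > self.size:
                self.dropped += 1
                return None
            pos = self.producer_pos
            self.producer_pos += total
            # Header is published BUSY under the lock, so a consumer that reaches
            # it stalls instead of reading a half-written payload.
            self._write(pos, HDR.pack(length | BUSY_BIT, 0))
        return pos

    def _length_at(self, pos):
        return HDR.unpack(self._read(pos, HDR.size))[0] & ~(BUSY_BIT | DISCARD_BIT)

    def commit(self, pos, payload):
        length = self._length_at(pos)
        if len(payload) != length:
            raise ValueError("payload does not match reserved length")
        self._write(pos + HDR.size, payload)
        self._write(pos, HDR.pack(length, 0))   # clear BUSY: record now visible

    def discard(self, pos):
        self._write(pos, HDR.pack(self._length_at(pos) | DISCARD_BIT, 0))

    def consume(self):
        """Return all committed records in order; stop at the first busy one."""
        out = []
        while self.consumer_pos != self.producer_pos:
            word = HDR.unpack(self._read(self.consumer_pos, HDR.size))[0]
            if word & BUSY_BIT:
                break
            length = word & ~(BUSY_BIT | DISCARD_BIT)
            if not word & DISCARD_BIT:
                out.append(self._read(self.consumer_pos + HDR.size, length))
            self.consumer_pos += HDR.size + round_up(length)
        return out


def demo():
    """Fill a 64-byte buffer with 32-byte records: the third is refused rather
    than blocking, and once the consumer drains, the producer can continue."""
    rb = RingBuf(64)
    for i in range(3):
        pos = rb.reserve(20)             # 8-byte header + 24 bytes (20 rounded up)
        if pos is not None:
            rb.commit(pos, bytes([i]) * 20)
    drained = rb.consume()
    pos = rb.reserve(20)                 # fits again after the drain
    rb.commit(pos, b"z" * 20)
    return len(drained), rb.dropped, rb.consume()
```

Running `demo()` returns `(2, 1, [b"zzzz…"])`: two records delivered, one counted as dropped, and the post-drain record wrapping around the end of the buffer intact.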

Why did we go with the eBPF Ring Buffer?

Our original approach was to use eBPF programs to identify “interesting” packets such as ARP, DHCP, NDP, or DHCPv6. eBPF programs would parse the packet in-kernel and populate eBPF maps with learned IPs. While effective, this approach comes with drawbacks:

  • Storing IPs in maps consumes kernel memory.
  • eBPF programs must stay small and simple due to verifier constraints.

To overcome these limitations, we adopted a different design philosophy:

Instead of parsing packets in the kernel, the eBPF program does filtering and forwards only interesting packets (DHCP, ARP, etc.) to a userspace process (AHV VM / AVM) using the eBPF ring buffer.

This userspace component then performs all the heavy lifting, which includes parsing, learning, validation, and storage. Using this approach, storing IPs in eBPF maps is not required; instead, they are stored in a binary file.

What are the benefits of this architecture?

  • Higher Flexibility: Userspace processing allows rapid iteration, debugging, and logging without recompiling or reloading eBPF programs.
  • Lower Kernel Complexity: The kernel only forwards packets of interest; all logic lives in userspace where it's safer and easier to evolve.
  • Unified IPv4/IPv6 Learning: The same pipeline handles ARP, DHCPv4, NDP, and DHCPv6 seamlessly.
  • Scalability: Ring buffers provide high throughput with minimal overhead, maintaining performance even at scale.

Conclusion

The eBPF ring buffer opens the door to a cleaner division of responsibility between the kernel and userspace. By treating the kernel as a fast packet filter and pushing complex logic into the AHV VM, you gain:

  • Better maintainability
  • Stronger protocol support
  • Easier debugging and scalability
  • Lower kernel-space complexity
  • Support for live migration: during migration, the stack records the IP addresses learned for a given VM in the VM’s XML on the destination, and the AVM then populates its in-memory structure with this information. This is how learned IPs are not lost during live migration.

As networking stacks continue to evolve, especially with IPv6, this architecture offers a modern, flexible, and resilient way to process and learn from network traffic.

©2026 Nutanix, Inc. All rights reserved.