mirror of
git://git.proxmox.com/git/pve-docs.git
synced 2025-01-20 14:03:42 +03:00
5b105f3efd
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
995 lines
25 KiB
Plaintext
995 lines
25 KiB
Plaintext
[[chapter_pvesdn]]
|
||
Software Defined Network
|
||
========================
|
||
ifndef::manvolnum[]
|
||
:pve-toplevel:
|
||
endif::manvolnum[]
|
||
|
||
The **S**oftware **D**efined **N**etwork (SDN) feature allows you to create
|
||
virtual networks (VNets) at the datacenter level.
|
||
|
||
WARNING: SDN is currently an **experimental feature** in {pve}. This
|
||
documentation for it is also still under development. Ask on our
|
||
xref:getting_help[mailing lists or in the forum] for questions and feedback.
|
||
|
||
|
||
[[pvesdn_installation]]
|
||
Installation
|
||
------------
|
||
|
||
To enable the experimental Software Defined Network (SDN) integration, you need
|
||
to install the `libpve-network-perl` and `ifupdown2` packages on every node:
|
||
|
||
----
|
||
apt update
|
||
apt install libpve-network-perl ifupdown2
|
||
----
|
||
|
||
NOTE: {pve} version 7 and above come installed with ifupdown2.
|
||
|
||
After this, you need to add the following line to the end of the
|
||
`/etc/network/interfaces` configuration file, so that the SDN configuration gets
|
||
included and activated.
|
||
|
||
----
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
|
||
Basic Overview
|
||
--------------
|
||
|
||
The {pve} SDN allows for separation and fine-grained control of virtual guest
|
||
networks, using flexible, software-controlled configurations.
|
||
|
||
Separation is managed through zones, where a zone is its own virtual separated
|
||
network area. A 'VNet' is a type of a virtual network connected to a zone.
|
||
Depending on which type or plugin the zone uses, it can behave differently and
|
||
offer different features, advantages, and disadvantages. Normally, a 'VNet'
|
||
appears as a common Linux bridge with either a VLAN or 'VXLAN' tag, however,
|
||
some can also use layer 3 routing for control. 'VNets' are deployed locally on
|
||
each node, after being configured from the cluster-wide datacenter SDN
|
||
administration interface.
|
||
|
||
|
||
Main Configuration
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
Configuration is done at the datacenter (cluster-wide) level and is saved in
|
||
files located in the shared configuration file system:
|
||
`/etc/pve/sdn`
|
||
|
||
On the web-interface, SDN features 3 main sections:
|
||
|
||
* SDN: An overview of the SDN state
|
||
|
||
* Zones: Create and manage the virtually separated network zones
|
||
|
||
* VNets: Create virtual network bridges and manage subnets
|
||
|
||
In addition to this, the following options are offered:
|
||
|
||
* Controller: For controlling layer 3 routing in complex setups
|
||
|
||
* Subnets: Used to defined IP networks on VNets
|
||
|
||
* IPAM: Enables the use of external tools for IP address management (guest
|
||
IPs)
|
||
|
||
* DNS: Define a DNS server API for registering virtual guests' hostname and IP
|
||
addresses
|
||
|
||
[[pvesdn_config_main_sdn]]
|
||
|
||
SDN
|
||
~~~
|
||
|
||
This is the main status panel. Here you can see the deployment status of zones
|
||
on different nodes.
|
||
|
||
The 'Apply' button is used to push and reload local configuration on all cluster
|
||
nodes.
|
||
|
||
|
||
[[pvesdn_local_deployment_monitoring]]
|
||
Local Deployment Monitoring
|
||
~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
After applying the configuration through the main SDN panel,
|
||
the local network configuration is generated locally on each node in
|
||
the file `/etc/network/interfaces.d/sdn`, and reloaded with ifupdown2.
|
||
|
||
You can monitor the status of local zones and VNets through the main tree.
|
||
|
||
|
||
[[pvesdn_config_zone]]
|
||
Zones
|
||
-----
|
||
|
||
A zone defines a virtually separated network. Zones can be restricted to
|
||
specific nodes and assigned permissions, in order to restrict users to a certain
|
||
zone and its contained VNets.
|
||
|
||
Different technologies can be used for separation:
|
||
|
||
* VLAN: Virtual LANs are the classic method of subdividing a LAN
|
||
|
||
* QinQ: Stacked VLAN (formally known as `IEEE 802.1ad`)
|
||
|
||
* VXLAN: Layer2 VXLAN
|
||
|
||
* Simple: Isolated Bridge. A simple layer 3 routing bridge (NAT)
|
||
|
||
* EVPN (BGP EVPN): VXLAN using layer 3 border gateway protocol (BGP) routing
|
||
|
||
Common options
|
||
~~~~~~~~~~~~~~
|
||
|
||
The following options are available for all zone types:
|
||
|
||
nodes:: The nodes which the zone and associated VNets should be deployed on
|
||
|
||
ipam:: Optional. Use an IP Address Management (IPAM) tool to manage IPs in the
|
||
zone.
|
||
|
||
dns:: Optional. DNS API server.
|
||
|
||
reversedns:: Optional. Reverse DNS API server.
|
||
|
||
dnszone:: Optional. DNS domain name. Used to register hostnames, such as
|
||
`<hostname>.<domain>`. The DNS zone must already exist on the DNS server.
|
||
|
||
|
||
[[pvesdn_zone_plugin_simple]]
|
||
Simple Zones
|
||
~~~~~~~~~~~~
|
||
|
||
This is the simplest plugin. It will create an isolated VNet bridge.
|
||
This bridge is not linked to a physical interface, and VM traffic is only
|
||
local between the node(s).
|
||
It can also be used in NAT or routed setups.
|
||
|
||
[[pvesdn_zone_plugin_vlan]]
|
||
VLAN Zones
|
||
~~~~~~~~~~
|
||
|
||
This plugin reuses an existing local Linux or OVS bridge, and manages the VLANs
|
||
on it. The benefit of using the SDN module is that you can create different
|
||
zones with specific VNet VLAN tags, and restrict virtual machines to separated
|
||
zones.
|
||
|
||
Specific `VLAN` configuration options:
|
||
|
||
bridge:: Reuse this local bridge or OVS switch, already configured on *each*
|
||
local node.
|
||
|
||
[[pvesdn_zone_plugin_qinq]]
|
||
QinQ Zones
|
||
~~~~~~~~~~
|
||
|
||
QinQ also known as VLAN stacking, wherein the first VLAN tag is defined for the
|
||
zone (the 'service-vlan'), and the second VLAN tag is defined for the
|
||
VNets.
|
||
|
||
NOTE: Your physical network switches must support stacked VLANs for this
|
||
configuration!
|
||
|
||
Below are the configuration options specific to QinQ:
|
||
|
||
bridge:: A local, VLAN-aware bridge that is already configured on each local
|
||
node
|
||
|
||
service vlan:: The main VLAN tag of this zone
|
||
|
||
service vlan protocol:: Allows you to choose between an 802.1q (default) or
|
||
802.1ad service VLAN type.
|
||
|
||
mtu:: Due to the double stacking of tags, you need 4 more bytes for QinQ VLANs.
|
||
For example, you must reduce the MTU to `1496` if you physical interface MTU is
|
||
`1500`.
|
||
|
||
[[pvesdn_zone_plugin_vxlan]]
|
||
VXLAN Zones
|
||
~~~~~~~~~~~
|
||
|
||
The VXLAN plugin establishes a tunnel (overlay) on top of an existing
|
||
network (underlay). This encapsulates layer 2 Ethernet frames within layer
|
||
4 UDP datagrams, using `4789` as the default destination port. You can, for
|
||
example, create a private IPv4 VXLAN network on top of public internet network
|
||
nodes.
|
||
|
||
This is a layer 2 tunnel only, so no routing between different VNets is
|
||
possible.
|
||
|
||
Each VNet will have a specific VXLAN ID in the range 1 - 16777215.
|
||
|
||
Specific EVPN configuration options:
|
||
|
||
peers address list:: A list of IP addresses from each node through which you
|
||
want to communicate. Can also be external nodes.
|
||
|
||
mtu:: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes
|
||
lower than the outgoing physical interface.
|
||
|
||
[[pvesdn_zone_plugin_evpn]]
|
||
EVPN Zones
|
||
~~~~~~~~~~
|
||
|
||
This is the most complex of all the supported plugins.
|
||
|
||
BGP-EVPN allows you to create a routable layer 3 network. The VNet of EVPN can
|
||
have an anycast IP address and/or MAC address. The bridge IP is the same on each
|
||
node, meaning a virtual guest can use this address as gateway.
|
||
|
||
Routing can work across VNets from different zones through a VRF (Virtual
|
||
Routing and Forwarding) interface.
|
||
|
||
The configuration options specific to EVPN are as follows:
|
||
|
||
VRF VXLAN tag:: This is a VXLAN-ID used for routing interconnect between VNets.
|
||
It must be different than the VXLAN-ID of the VNets.
|
||
|
||
controller:: An EVPN-controller must to be defined first (see controller plugins
|
||
section).
|
||
|
||
VNet MAC address:: A unique, anycast MAC address for all VNets in this zone.
|
||
Will be auto-generated if not defined.
|
||
|
||
Exit Nodes:: Optional. This is used if you want to define some {pve} nodes as
|
||
exit gateways from the EVPN network, through the real network. The configured
|
||
nodes will announce a default route in the EVPN network.
|
||
|
||
Primary Exit Node:: Optional. If you use multiple exit nodes, this forces
|
||
traffic to a primary exit node, instead of load-balancing on all nodes. This
|
||
is required if you want to use SNAT or if your upstream router doesn't support
|
||
ECMP.
|
||
|
||
Exit Nodes local routing:: Optional. This is a special option if you need to
|
||
reach a VM/CT service from an exit node. (By default, the exit nodes only
|
||
allow forwarding traffic between real network and EVPN network).
|
||
|
||
Advertise Subnets:: Optional. If you have silent VMs/CTs (for example, if you
|
||
have multiple IPs and the anycast gateway doesn't see traffic from theses IPs,
|
||
the IP addresses won't be able to be reach inside the EVPN network). This
|
||
option will announce the full subnet in the EVPN network in this case.
|
||
|
||
Disable Arp-Nd Suppression:: Optional. Don't suppress ARP or ND packets.
|
||
This is required if you use floating IPs in your guest VMs
|
||
(IP are MAC addresses are being moved between systems).
|
||
|
||
Route-target import:: Optional. Allows you to import a list of external EVPN
|
||
route targets. Used for cross-DC or different EVPN network interconnects.
|
||
|
||
MTU:: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes
|
||
less than the maximal MTU of the outgoing physical interface.
|
||
|
||
|
||
[[pvesdn_config_vnet]]
|
||
VNets
|
||
-----
|
||
|
||
A `VNet` is, in its basic form, a Linux bridge that will be deployed locally on
|
||
the node and used for virtual machine communication.
|
||
|
||
The VNet configuration properties are:
|
||
|
||
ID:: An 8 character ID to name and identify a VNet
|
||
|
||
Alias:: Optional longer name, if the ID isn't enough
|
||
|
||
Zone:: The associated zone for this VNet
|
||
|
||
Tag:: The unique VLAN or VXLAN ID
|
||
|
||
VLAN Aware:: Enable adding an extra VLAN tag in the virtual machine or
|
||
container's vNIC configuration, to allow the guest OS to manage the VLAN's tag.
|
||
|
||
[[pvesdn_config_subnet]]
|
||
Subnets
|
||
~~~~~~~~
|
||
|
||
A subnetwork (subnet) allows you to define a specific IP network
|
||
(IPv4 or IPv6). For each VNet, you can define one or more subnets.
|
||
|
||
A subnet can be used to:
|
||
|
||
* Restrict the IP addresses you can define on a specific VNet
|
||
* Assign routes/gateways on a VNet in layer 3 zones
|
||
* Enable SNAT on a VNet in layer 3 zones
|
||
* Auto assign IPs on virtual guests (VM or CT) through IPAM plugins
|
||
* DNS registration through DNS plugins
|
||
|
||
If an IPAM server is associated with the subnet zone, the subnet prefix will be
|
||
automatically registered in the IPAM.
|
||
|
||
Subnet properties are:
|
||
|
||
ID:: A CIDR network address, for example 10.0.0.0/8
|
||
|
||
Gateway:: The IP address of the network's default gateway. On layer 3 zones
|
||
(Simple/EVPN plugins), it will be deployed on the VNet.
|
||
|
||
SNAT:: Optional. Enable SNAT for layer 3 zones (Simple/EVPN plugins), for this
|
||
subnet. The subnet's source IP will be NATted to server's outgoing interface/IP.
|
||
On EVPN zones, this is only done on EVPN gateway-nodes.
|
||
|
||
Dnszoneprefix:: Optional. Add a prefix to the domain registration, like
|
||
<hostname>.prefix.<domain>
|
||
|
||
[[pvesdn_config_controllers]]
|
||
Controllers
|
||
-----------
|
||
|
||
Some zone types need an external controller to manage the VNet control-plane.
|
||
Currently this is only required for the `bgp-evpn` zone plugin.
|
||
|
||
[[pvesdn_controller_plugin_evpn]]
|
||
EVPN Controller
|
||
~~~~~~~~~~~~~~~
|
||
|
||
For `BGP-EVPN`, we need a controller to manage the control plane.
|
||
The currently supported software controller is the "frr" router.
|
||
You may need to install it on each node where you want to deploy EVPN zones.
|
||
|
||
----
|
||
apt install frr frr-pythontools
|
||
----
|
||
|
||
Configuration options:
|
||
|
||
asn:: A unique BGP ASN number. It's highly recommended to use a private ASN
|
||
number (64512 – 65534, 4200000000 – 4294967294), as otherwise you could end up
|
||
breaking global routing by mistake.
|
||
|
||
peers:: An IP list of all nodes where you want to communicate for the EVPN
|
||
(could also be external nodes or route reflectors servers)
|
||
|
||
|
||
[[pvesdn_controller_plugin_BGP]]
|
||
BGP Controller
|
||
~~~~~~~~~~~~~~~
|
||
|
||
The BGP controller is not used directly by a zone.
|
||
You can use it to configure FRR to manage BGP peers.
|
||
|
||
For BGP-EVPN, it can be used to define a different ASN by node, so doing EBGP.
|
||
|
||
Configuration options:
|
||
|
||
node:: The node of this BGP controller
|
||
|
||
asn:: A unique BGP ASN number. It's highly recommended to use a private ASN
|
||
number in the range (64512 - 65534) or (4200000000 - 4294967294), as otherwise
|
||
you could break global routing by mistake.
|
||
|
||
peers:: A list of peer IP addresses you want to communicate with using the
|
||
underlying BGP network.
|
||
|
||
ebgp:: If your peer's remote-AS is different, this enables EBGP.
|
||
|
||
loopback:: Use a loopback or dummy interface as the source of the EVPN network
|
||
(for multipath).
|
||
|
||
ebgp-mutltihop:: Increase the number of hops to reach peers, in case they are
|
||
not directly connected or they use loopback.
|
||
|
||
bgp-multipath-as-path-relax:: Allow ECMP if your peers have different ASN.
|
||
|
||
[[pvesdn_config_ipam]]
|
||
IPAMs
|
||
-----
|
||
|
||
IPAM (IP Address Management) tools are used to manage/assign the IP addresses of
|
||
guests on the network. It can be used to find free IP addresses when you create
|
||
a VM/CT for example (not yet implemented).
|
||
|
||
An IPAM can be associated with one or more zones, to provide IP addresses
|
||
for all subnets defined in those zones.
|
||
|
||
[[pvesdn_ipam_plugin_pveipam]]
|
||
{pve} IPAM Plugin
|
||
~~~~~~~~~~~~~~~~~
|
||
|
||
This is the default internal IPAM for your {pve} cluster, if you don't have
|
||
external IPAM software.
|
||
|
||
[[pvesdn_ipam_plugin_phpipam]]
|
||
phpIPAM Plugin
|
||
~~~~~~~~~~~~~~
|
||
https://phpipam.net/
|
||
|
||
You need to create an application in phpIPAM and add an API token with admin
|
||
privileges.
|
||
|
||
The phpIPAM configuration properties are:
|
||
|
||
url:: The REST-API endpoint: `http://phpipam.domain.com/api/<appname>/`
|
||
|
||
token:: An API access token
|
||
|
||
section:: An integer ID. Sections are a group of subnets in phpIPAM. Default
|
||
installations use `sectionid=1` for customers.
|
||
|
||
[[pvesdn_ipam_plugin_netbox]]
|
||
NetBox IPAM Plugin
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
NetBox is an IP address management (IPAM) and datacenter infrastructure
|
||
management (DCIM) tool. See the source code repository for details:
|
||
https://github.com/netbox-community/netbox
|
||
|
||
You need to create an API token in NetBox to use it:
|
||
https://netbox.readthedocs.io/en/stable/api/authentication
|
||
|
||
The NetBox configuration properties are:
|
||
|
||
url:: The REST API endpoint: `http://yournetbox.domain.com/api`
|
||
|
||
token:: An API access token
|
||
|
||
[[pvesdn_config_dns]]
|
||
DNS
|
||
---
|
||
|
||
The DNS plugin in {pve} SDN is used to define a DNS API server for registration
|
||
of your hostname and IP address. A DNS configuration is associated with one or
|
||
more zones, to provide DNS registration for all the subnet IPs configured for
|
||
a zone.
|
||
|
||
[[pvesdn_dns_plugin_powerdns]]
|
||
PowerDNS Plugin
|
||
~~~~~~~~~~~~~~~
|
||
https://doc.powerdns.com/authoritative/http-api/index.html
|
||
|
||
You need to enable the web server and the API in your PowerDNS config:
|
||
|
||
----
|
||
api=yes
|
||
api-key=arandomgeneratedstring
|
||
webserver=yes
|
||
webserver-port=8081
|
||
----
|
||
|
||
The PowerDNS configuration options are:
|
||
|
||
url:: The REST API endpoint: http://yourpowerdnserver.domain.com:8081/api/v1/servers/localhost
|
||
|
||
key:: An API access key
|
||
|
||
ttl:: The default TTL for records
|
||
|
||
|
||
Examples
|
||
--------
|
||
|
||
[[pvesdn_setup_example_vlan]]
|
||
VLAN Setup Example
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
TIP: While we show plaintext configuration content here, almost everything
|
||
should be configurable using the web-interface only.
|
||
|
||
Node1: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet manual
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
bridge-vlan-aware yes
|
||
bridge-vids 2-4094
|
||
|
||
#management ip on vlan100
|
||
auto vmbr0.100
|
||
iface vmbr0.100 inet static
|
||
address 192.168.0.1/24
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Node2: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet manual
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
bridge-vlan-aware yes
|
||
bridge-vids 2-4094
|
||
|
||
#management ip on vlan100
|
||
auto vmbr0.100
|
||
iface vmbr0.100 inet static
|
||
address 192.168.0.2/24
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Create a VLAN zone named `myvlanzone':
|
||
|
||
----
|
||
id: myvlanzone
|
||
bridge: vmbr0
|
||
----
|
||
|
||
Create a VNet named `myvnet1' with `vlan-id` `10' and the previously created
|
||
`myvlanzone' as its zone.
|
||
|
||
----
|
||
id: myvnet1
|
||
zone: myvlanzone
|
||
tag: 10
|
||
----
|
||
|
||
Apply the configuration through the main SDN panel, to create VNets locally on
|
||
each node.
|
||
|
||
Create a Debian-based virtual machine (vm1) on node1, with a vNIC on `myvnet1'.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.100/24
|
||
----
|
||
|
||
Create a second virtual machine (vm2) on node2, with a vNIC on the same VNet
|
||
`myvnet1' as vm1.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.101/24
|
||
----
|
||
|
||
Following this, you should be able to ping between both VMs over that network.
|
||
|
||
|
||
[[pvesdn_setup_example_qinq]]
|
||
QinQ Setup Example
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
TIP: While we show plaintext configuration content here, almost everything
|
||
should be configurable using the web-interface only.
|
||
|
||
Node1: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet manual
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
bridge-vlan-aware yes
|
||
bridge-vids 2-4094
|
||
|
||
#management ip on vlan100
|
||
auto vmbr0.100
|
||
iface vmbr0.100 inet static
|
||
address 192.168.0.1/24
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Node2: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet manual
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
bridge-vlan-aware yes
|
||
bridge-vids 2-4094
|
||
|
||
#management ip on vlan100
|
||
auto vmbr0.100
|
||
iface vmbr0.100 inet static
|
||
address 192.168.0.2/24
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Create a QinQ zone named `qinqzone1' with service VLAN 20
|
||
|
||
----
|
||
id: qinqzone1
|
||
bridge: vmbr0
|
||
service vlan: 20
|
||
----
|
||
|
||
Create another QinQ zone named `qinqzone2' with service VLAN 30
|
||
|
||
----
|
||
id: qinqzone2
|
||
bridge: vmbr0
|
||
service vlan: 30
|
||
----
|
||
|
||
Create a VNet named `myvnet1' with customer VLAN-ID 100 on the previously
|
||
created `qinqzone1' zone.
|
||
|
||
----
|
||
id: myvnet1
|
||
zone: qinqzone1
|
||
tag: 100
|
||
----
|
||
|
||
Create a `myvnet2' with customer VLAN-ID 100 on the previously created
|
||
`qinqzone2' zone.
|
||
|
||
----
|
||
id: myvnet2
|
||
zone: qinqzone2
|
||
tag: 100
|
||
----
|
||
|
||
Apply the configuration on the main SDN web-interface panel to create VNets
|
||
locally on each nodes.
|
||
|
||
Create a Debian-based virtual machine (vm1) on node1, with a vNIC on `myvnet1'.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.100/24
|
||
----
|
||
|
||
Create a second virtual machine (vm2) on node2, with a vNIC on the same VNet
|
||
`myvnet1' as vm1.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.101/24
|
||
----
|
||
|
||
Create a third virtual machine (vm3) on node1, with a vNIC on the other VNet
|
||
`myvnet2'.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.102/24
|
||
----
|
||
|
||
Create another virtual machine (vm4) on node2, with a vNIC on the same VNet
|
||
`myvnet2' as vm3.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.103/24
|
||
----
|
||
|
||
Then, you should be able to ping between the VMs 'vm1' and 'vm2', as well as
|
||
between 'vm3' and 'vm4'. However, neither of VMs 'vm1' or 'vm2' can ping VMs
|
||
'vm3' or 'vm4', as they are on a different zone with a different service-vlan.
|
||
|
||
|
||
[[pvesdn_setup_example_vxlan]]
|
||
VXLAN Setup Example
|
||
~~~~~~~~~~~~~~~~~~~
|
||
|
||
TIP: While we show plaintext configuration content here, almost everything
|
||
is configurable through the web-interface.
|
||
|
||
node1: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.1/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
node2: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.2/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
node3: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.3/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Create a VXLAN zone named `myvxlanzone', using a lower MTU to ensure the extra
|
||
50 bytes of the VXLAN header can fit. Add all previously configured IPs from
|
||
the nodes to the peer address list.
|
||
|
||
----
|
||
id: myvxlanzone
|
||
peers address list: 192.168.0.1,192.168.0.2,192.168.0.3
|
||
mtu: 1450
|
||
----
|
||
|
||
Create a VNet named `myvnet1' using the VXLAN zone `myvxlanzone' created
|
||
previously.
|
||
|
||
----
|
||
id: myvnet1
|
||
zone: myvxlanzone
|
||
tag: 100000
|
||
----
|
||
|
||
Apply the configuration on the main SDN web-interface panel to create VNets
|
||
locally on each nodes.
|
||
|
||
Create a Debian-based virtual machine (vm1) on node1, with a vNIC on `myvnet1'.
|
||
|
||
Use the following network configuration for this VM (note the lower MTU).
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.100/24
|
||
mtu 1450
|
||
----
|
||
|
||
Create a second virtual machine (vm2) on node3, with a vNIC on the same VNet
|
||
`myvnet1' as vm1.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.3.101/24
|
||
mtu 1450
|
||
----
|
||
|
||
Then, you should be able to ping between between 'vm1' and 'vm2'.
|
||
|
||
|
||
[[pvesdn_setup_example_evpn]]
|
||
EVPN Setup Example
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
node1: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.1/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
node2: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.2/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
node3: /etc/network/interfaces
|
||
|
||
----
|
||
auto vmbr0
|
||
iface vmbr0 inet static
|
||
address 192.168.0.3/24
|
||
gateway 192.168.0.254
|
||
bridge-ports eno1
|
||
bridge-stp off
|
||
bridge-fd 0
|
||
mtu 1500
|
||
|
||
source /etc/network/interfaces.d/*
|
||
----
|
||
|
||
Create an EVPN controller, using a private ASN number and the above node
|
||
addresses as peers.
|
||
|
||
----
|
||
id: myevpnctl
|
||
asn: 65000
|
||
peers: 192.168.0.1,192.168.0.2,192.168.0.3
|
||
----
|
||
|
||
Create an EVPN zone named `myevpnzone', using the previously created
|
||
EVPN-controller. Define 'node1' and 'node2' as exit nodes.
|
||
|
||
----
|
||
id: myevpnzone
|
||
vrf vxlan tag: 10000
|
||
controller: myevpnctl
|
||
mtu: 1450
|
||
vnet mac address: 32:F4:05:FE:6C:0A
|
||
exitnodes: node1,node2
|
||
----
|
||
|
||
Create the first VNet named `myvnet1' using the EVPN zone `myevpnzone'.
|
||
----
|
||
id: myvnet1
|
||
zone: myevpnzone
|
||
tag: 11000
|
||
----
|
||
|
||
Create a subnet 10.0.1.0/24 with 10.0.1.1 as gateway on `myvnet1`.
|
||
|
||
----
|
||
subnet: 10.0.1.0/24
|
||
gateway: 10.0.1.1
|
||
----
|
||
|
||
Create the second VNet named `myvnet2' using the same EVPN zone `myevpnzone', a
|
||
different IPv4 CIDR network.
|
||
|
||
----
|
||
id: myvnet2
|
||
zone: myevpnzone
|
||
tag: 12000
|
||
----
|
||
|
||
Create a different subnet 10.0.2.0/24 with 10.0.2.1 as gateway on vnet2
|
||
|
||
----
|
||
subnet: 10.0.2.0/24
|
||
gateway: 10.0.2.1
|
||
----
|
||
|
||
|
||
Apply the configuration from the main SDN web-interface panel to create VNets
|
||
locally on each node and generate the FRR config.
|
||
|
||
Create a Debian-based virtual machine (vm1) on node1, with a vNIC on `myvnet1'.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.1.100/24
|
||
gateway 10.0.1.1 #this is the ip of the vnet1
|
||
mtu 1450
|
||
----
|
||
|
||
Create a second virtual machine (vm2) on node2, with a vNIC on the other VNet
|
||
`myvnet2'.
|
||
|
||
Use the following network configuration for this VM:
|
||
|
||
----
|
||
auto eth0
|
||
iface eth0 inet static
|
||
address 10.0.2.100/24
|
||
gateway 10.0.2.1 #this is the ip of the myvnet2
|
||
mtu 1450
|
||
----
|
||
|
||
|
||
Then, you should be able to ping vm2 from vm1, and vm1 from vm2.
|
||
|
||
If you ping an external IP from 'vm2' on the non-gateway 'node3', the packet
|
||
will go to the configured 'myvnet2' gateway, then will be routed to the exit
|
||
nodes ('node1' or 'node2') and from there it will leave those nodes over the
|
||
default gateway configured on node1 or node2.
|
||
|
||
NOTE: You need to add reverse routes for the '10.0.1.0/24' and '10.0.2.0/24'
|
||
networks to node1 and node2 on your external gateway, so that the public network
|
||
can reply back.
|
||
|
||
If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24
|
||
and 10.0.2.0/24 in this example), will be announced dynamically.
|
||
|
||
|
||
Notes
|
||
-----
|
||
|
||
Multiple EVPN Exit Nodes
|
||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
If you have multiple gateway nodes, you should disable the `rp_filter` (Strict
|
||
Reverse Path Filter) option, because packets can arrive at one node but go out
|
||
from another node.
|
||
|
||
.sysctl.conf disabling `rp_filter`
|
||
-----
|
||
net.ipv4.conf.default.rp_filter=0
|
||
net.ipv4.conf.all.rp_filter=0
|
||
-----
|
||
|
||
VXLAN IPSEC Encryption
|
||
~~~~~~~~~~~~~~~~~~~~~~
|
||
|
||
If you need to add encryption on top of a VXLAN, it's possible to do so with
|
||
IPSEC, through `strongswan`. You'll need to reduce the 'MTU' by 60 bytes (IPv4)
|
||
or 80 bytes (IPv6) to handle encryption.
|
||
|
||
So with default real 1500 MTU, you need to use a MTU of 1370 (1370 + 80 (IPSEC)
|
||
+ 50 (VXLAN) == 1500).
|
||
|
||
.Install strongswan
|
||
----
|
||
apt install strongswan
|
||
----
|
||
|
||
Add configuration to `/etc/ipsec.conf'. We only need to encrypt traffic from
|
||
the VXLAN UDP port '4789'.
|
||
|
||
----
|
||
conn %default
|
||
ike=aes256-sha1-modp1024! # the fastest, but reasonably secure cipher on modern HW
|
||
esp=aes256-sha1!
|
||
leftfirewall=yes # this is necessary when using Proxmox VE firewall rules
|
||
|
||
conn output
|
||
rightsubnet=%dynamic[udp/4789]
|
||
right=%any
|
||
type=transport
|
||
authby=psk
|
||
auto=route
|
||
|
||
conn input
|
||
leftsubnet=%dynamic[udp/4789]
|
||
type=transport
|
||
authby=psk
|
||
auto=route
|
||
----
|
||
|
||
Then generate a pre-shared key with:
|
||
|
||
----
|
||
openssl rand -base64 128
|
||
----
|
||
|
||
and add the key to `/etc/ipsec.secrets', so that the file contents looks like:
|
||
|
||
----
|
||
: PSK <generatedbase64key>
|
||
----
|
||
|
||
You need to copy the PSK and the configuration onto the other nodes.
|