X-Git-Url: https://git.proxmox.com/?a=blobdiff_plain;f=pvesdn.adoc;h=223ba6de526ad0f535475e83824e302d4e92ab13;hb=fc9c969da4295500759c2576b761cb4b1007a73b;hp=ecf0d254e1f1ff794a4429804adab16967881d4f;hpb=9a4f3c957e86341d85ee382d220c719285f94a4c;p=pve-docs.git diff --git a/pvesdn.adoc b/pvesdn.adoc index ecf0d25..223ba6d 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -17,25 +17,21 @@ xref:getting_help[mailing lists or in the forum] for questions and feedback. Installation ------------ -To enable the experimental SDN integration, you need to install -"libpve-network-perl" package +To enable the experimental SDN integration, you need to install the +`libpve-network-perl` and `ifupdown2` package on every node: ---- -apt install libpve-network-perl +apt update +apt install libpve-network-perl ifupdown2 ---- -You need to have `ifupdown2` package installed on each node to manage local -configuration reloading without reboot: +After that you need to add the following line: ----- -apt install ifupdown2 ----- - -You need to add ---- source /etc/network/interfaces.d/* ---- -at the end of /etc/network/interfaces to have the sdn config included +at the end of the `/etc/network/interfaces` configuration file, so that the SDN +config gets included and activated. Basic Overview 
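Review bot: "package" in the new sentence "install the `libpve-network-perl` and `ifupdown2` package on every node" should be "packages", and the rewrite drops the only stated reason for the second package (the removed line "to manage local configuration reloading without reboot"); suggest keeping that justification, e.g. "`ifupdown2` is required so that the generated network configuration can be reloaded on each node without a reboot." Since the added `source /etc/network/interfaces.d/*` line makes every file in that directory part of the live network configuration, it would also be worth one sentence saying that the directory must stay writable by root only.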
@@ -224,21 +220,30 @@ Routing and Forwarding) interface. Specific EVPN configuration options: -VRF VXLAN Tag:: This is a vxlan-id used for routing interconnect between vnets, +VRF VXLAN tag:: This is a vxlan-id used for routing interconnect between vnets, it must be different than VXLAN-id of VNets controller:: an EVPN-controller need to be defined first (see controller plugins section) -Vnet Mac Address:: An unique, anycast macaddress for all vnets in this zone. - Auto-generated if you don't define it. +VNet MAC address:: A unique anycast MAC address for all VNets in this zone. + Will be auto-generated if not defined. -Exit Nodes:: This is used if you want to defined some proxmox nodes, as - exit gateway from evpn network through real network. This nodes - will announce a default route in the evpn network. +Exit Nodes:: This is used if you want to define some proxmox nodes, as exit + gateway from evpn network through real network. The configured nodes will + announce a default route in the EVPN network. -mtu:: because VXLAN encapsulation use 50bytes, the MTU need to be 50 bytes -lower than the outgoing physical interface. +Advertise Subnets:: Optional. If you have silent vms/CT (for example, multiples + ips by interfaces, and the anycast gateway don't see traffic from theses ips, + the ips addresses won't be able to be reach inside the evpn network). This + option will announce the full subnet in the evpn network in this case. + +Exit Nodes local routing:: Optional. This is a special option if you need to + reach a vm/ct service from an exit node. (By default, the exit nodes only + allow forwarding traffic between real network and evpn network). + +MTU:: because VXLAN encapsulation use 50 bytes, the MTU needs to be 50 bytes + lower than the maximal MTU of the outgoing physical interface. [[pvesdn_config_vnet]] 
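Review bot: the new "Advertise Subnets" description is hard to parse ("If you have silent vms/CT (for example, multiples ips by interfaces, and the anycast gateway don't see traffic from theses ips, the ips addresses won't be able to be reach inside the evpn network)"); suggest rewording along the lines of "Optional. Announces the whole subnet in the EVPN network. Needed for silent VMs/CTs, for example an interface carrying several IP addresses: the anycast gateway never sees traffic from the extra addresses, so without this option they cannot be reached from inside the EVPN network." While touching these lines, "it must be different than VXLAN-id of VNets" should read "different from the VXLAN-id of the VNets", "an EVPN-controller need to be defined" should be "needs", and the "Exit Nodes local routing" parenthesis should end with the period inside it.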
@@ -811,7 +816,6 @@ peers: 192.168.0.1,192.168.0.2,192.168.0.3 Create an EVPN zone named `myevpnzone' using the previously created EVPN-controller Define 'node1' and 'node2' as exit nodes. - ---- id: myevpnzone vrf vxlan tag: 10000 @@ -829,6 +833,7 @@ tag: 11000 ---- Create a subnet 10.0.1.0/24 with 10.0.1.1 as gateway on vnet1 + ---- subnet: 10.0.1.0/24 gateway: 10.0.1.1 @@ -844,6 +849,7 @@ tag: 12000 ---- Create a different subnet 10.0.2.0/24 with 10.0.2.1 as gateway on vnet2 + ---- subnet: 10.0.2.0/24 gateway: 10.0.2.1 @@ -853,7 +859,6 @@ gateway: 10.0.2.1 Apply the configuration on the main SDN web-interface panel to create VNets locally on each nodes and generate the FRR config. - Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'. Use the following network configuration for this VM: 
@@ -893,3 +898,58 @@ public network can reply back. If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24 and 10.0.2.0/24 in this example), will be announced dynamically. + + +Notes +----- + +VXLAN IPSEC Encryption +~~~~~~~~~~~~~~~~~~~~~~ +If you need to add encryption on top of VXLAN, it's possible to do so with +IPSEC through `strongswan`. You'll need to reduce the 'MTU' by 60 bytes (IPv4) +or 80 bytes (IPv6) to handle encryption. + +So with default real 1500 MTU, you need to use a MTU of 1370 (1370 + 80 (IPSEC) ++ 50 (VXLAN) == 1500). + +.Install strongswan +---- +apt install strongswan +---- + +Add configuration in `/etc/ipsec.conf'. We only need to encrypt traffic from +the VXLAN UDP port '4789'. + +---- +conn %default + ike=aes256-sha1-modp1024! # the fastest, but reasonably secure cipher on modern HW + esp=aes256-sha1! + leftfirewall=yes # this is necessary when using Proxmox VE firewall rules + +conn output + rightsubnet=%dynamic[udp/4789] + right=%any + type=transport + authby=psk + auto=route + +conn input + leftsubnet=%dynamic[udp/4789] + type=transport + authby=psk + auto=route +---- + +Then generate a preshared key with + +---- +openssl rand -base64 128 +---- + +and copy the key in `/etc/ipsec.secrets' so that the file content looks like: + +---- +: PSK +---- + +You need to copy the PSK and the config on other nodes.
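Review bot: the IKE proposal `ike=aes256-sha1-modp1024!` contradicts its own comment "# the fastest, but reasonably secure cipher on modern HW": a 1024-bit MODP group (DH group 2) and SHA-1 are both deprecated for IKE, so a reader copying this into a hypervisor underlay gets weak key exchange for the whole VXLAN mesh; suggest `ike=aes256-sha256-modp2048!` and `esp=aes256-sha256!` and dropping the "reasonably secure" comment. The `/etc/ipsec.secrets` example shows only `: PSK` with no key; show the complete form, e.g. `: PSK "<output of openssl rand -base64 128>"`, and say that the file must be readable by root only, because with `right=%any` and `authby=psk` any host holding that single key can join the mesh on every node, so the key and the file that stores it deserve the same care as a node credential. Finally, "IPSEC" in the heading and prose should be spelled "IPsec".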