2 Software Defined Network
3 ========================
The **S**oftware **D**efined **N**etwork (SDN) feature allows one to create
virtual networks (VNets) at the datacenter level.
WARNING: SDN is currently an **experimental feature** in {pve}. The
documentation for it is also still under development. Ask on our
xref:getting_help[mailing lists or in the forum] for questions and feedback.
16 [[pvesdn_installation]]
To enable the experimental SDN integration, you need to install the
`libpve-network-perl` and `ifupdown2` packages on every node:
25 apt install libpve-network-perl ifupdown2
28 After that you need to add the following line:
31 source /etc/network/interfaces.d/*
33 at the end of the `/etc/network/interfaces` configuration file, so that the SDN
34 config gets included and activated.
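
If you prefer the command line, the following one-liner should do the same
(assuming the line is not already present):

----
echo 'source /etc/network/interfaces.d/*' >> /etc/network/interfaces
----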
The {pve} SDN allows for separation and fine-grained control of virtual guest
networks, using flexible, software-controlled configurations.
Separation is managed through zones; a zone is its own virtually separated
network area. A 'VNet' is a virtual network that belongs to a zone. Depending
on which type or plugin the zone uses, it can behave differently and offer
different features, advantages or disadvantages.
Normally a 'VNet' appears as a common Linux bridge with either a VLAN or
'VXLAN' tag; some can also use layer 3 routing for control.
The 'VNets' are deployed locally on each node, after the configuration has been
committed from the cluster-wide datacenter SDN administration interface.
The configuration is done at the datacenter (cluster-wide) level and is saved
in configuration files located in the shared configuration file system:
On the web-interface, the SDN feature has 3 main sections for the configuration
* SDN: An overview of the SDN state
* Zones: Create and manage the virtually separated network zones
* VNets: Create virtual network bridges and manage subnets
70 * Controller: For complex setups to control Layer 3 routing
* Sub-nets: Used to define IP networks on VNets.
* IPAM: Enables the use of external tools for IP address management (guest IPs)
* DNS: Define a DNS server API for registering virtual guests' hostnames and
IP addresses
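
These sections roughly correspond to configuration files stored in the shared
cluster file system. As a sketch, a configured setup might contain files like
the following under `/etc/pve/sdn` (the exact file names are an assumption and
can vary with the installed version):

----
# ls -1 /etc/pve/sdn
controllers.cfg
dns.cfg
ipams.cfg
subnets.cfg
vnets.cfg
zones.cfg
----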
79 [[pvesdn_config_main_sdn]]
This is the main status panel. Here you can see the deployment status of zones on
There is an 'Apply' button to push and reload the local configuration on all
91 [[pvesdn_local_deployment_monitoring]]
92 Local Deployment Monitoring
93 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
After applying the configuration through the main SDN web-interface panel,
the local network configuration is generated locally on each node in
`/etc/network/interfaces.d/sdn`, and reloaded with ifupdown2.
99 You can monitor the status of local zones and vnets through the main tree.
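
For example, to check the generated configuration directly on a node:

----
cat /etc/network/interfaces.d/sdn
----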
102 [[pvesdn_config_zone]]
106 A zone will define a virtually separated network.
108 It can use different technologies for separation:
110 * VLAN: Virtual LANs are the classic method to sub-divide a LAN
112 * QinQ: stacked VLAN (formally known as `IEEE 802.1ad`)
* VXLAN: Layer 2 VXLAN
* Simple: Isolated bridge, a simple layer 3 routing bridge (NAT)
* bgp-evpn: VXLAN using layer 3 Border Gateway Protocol (BGP) routing
120 You can restrict a zone to specific nodes.
It's also possible to add permissions on a zone, to restrict users to a
specific zone and only the VNets in that zone.
128 The following options are available for all zone types.
nodes:: Deploy and allow to use the VNets configured for this zone only on these
ipam:: Optional, if you want to use an IPAM tool to manage the IPs in this zone.
dns:: Optional, DNS API server.
reversedns:: Optional, reverse DNS API server.
dnszone:: Optional, DNS domain name. Used to register hostnames like
`<hostname>.<domain>`. The DNS zone needs to already exist on the DNS server.
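
As a sketch, the common options of a zone could be filled out like this (all
values here are placeholders, and the optional IPAM entry assumes such a plugin
was configured beforehand):

----
id: myzone
nodes: node1,node2
ipam: pve
----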
143 [[pvesdn_zone_plugin_simple]]
This is the simplest plugin. It will create an isolated VNet bridge.
This bridge is not linked to a physical interface, and VM traffic is only
local to the node(s).
It can also be used in NAT or routed setups.
152 [[pvesdn_zone_plugin_vlan]]
This plugin reuses an existing local Linux or OVS bridge, and manages the
VLANs on it.
The benefit of using the SDN module is that you can create different zones with
specific VNet VLAN tags, and restrict virtual machines to separated zones.
161 Specific `VLAN` configuration options:
163 bridge:: Reuse this local bridge or OVS switch, already
164 configured on *each* local node.
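
For example, a VLAN zone reusing the local bridge `vmbr0` could look like this
(the values are placeholders; see also the VLAN setup example further below):

----
id: myvlanzone
bridge: vmbr0
----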
166 [[pvesdn_zone_plugin_qinq]]
QinQ is stacked VLAN. The first VLAN tag is defined for the zone (the
so-called 'service-vlan'), and the second VLAN tag is defined for the VNets.
173 NOTE: Your physical network switches must support stacked VLANs!
175 Specific QinQ configuration options:
177 bridge:: A local VLAN-aware bridge already configured on each local node
179 service vlan:: The main VLAN tag of this zone
service vlan protocol:: Allows you to define an 802.1q (default) or 802.1ad service VLAN type.
mtu:: Due to the double stacking of tags, you need 4 more bytes for QinQ VLANs.
For example, you should reduce the MTU to `1496` if your physical interface MTU is
187 [[pvesdn_zone_plugin_vxlan]]
191 The VXLAN plugin will establish a tunnel (named overlay) on top of an existing
network (named underlay). It encapsulates layer 2 Ethernet frames within layer
193 4 UDP datagrams, using `4789` as the default destination port. You can, for
194 example, create a private IPv4 VXLAN network on top of public internet network
This is a layer 2 tunnel only; no routing between different VNets is possible.
Each VNet will use a specific VXLAN id from the range (1 - 16777215).
Specific VXLAN configuration options:
peers address list:: A list of IP addresses of all nodes through which you want
to communicate. Can also be external nodes.
mtu:: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes
lower than that of the outgoing physical interface.
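
For example, with a physical interface MTU of 1500, a VXLAN zone spanning three
nodes could look like this (the addresses are placeholders; see also the VXLAN
setup example further below):

----
id: myvxlanzone
peers address list: 192.168.0.1,192.168.0.2,192.168.0.3
mtu: 1450
----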
208 [[pvesdn_zone_plugin_evpn]]
212 This is the most complex of all supported plugins.
BGP-EVPN allows one to create a routable layer 3 network. The VNet of EVPN can
have an anycast IP address and/or MAC address. The bridge IP is the same on each
node, meaning a virtual guest can use this address as its gateway.
218 Routing can work across VNets from different zones through a VRF (Virtual
219 Routing and Forwarding) interface.
221 Specific EVPN configuration options:
VRF VXLAN tag:: This is a VXLAN-id used for the routing interconnect between
VNets; it must be different from the VXLAN-ids of the VNets.
controller:: An EVPN controller needs to be defined first (see controller
229 VNet MAC address:: A unique anycast MAC address for all VNets in this zone.
230 Will be auto-generated if not defined.
Exit Nodes:: Optional. This is used if you want to define some {pve} nodes as
exit gateways from the EVPN network to the real network. The configured nodes
will announce a default route in the EVPN network.
Primary Exit Node:: Optional. If you use multiple exit nodes, this forces
traffic to a primary exit node, instead of load-balancing on all nodes.
This is required if you want to use SNAT, or if your upstream router doesn't support
Exit Nodes local routing:: Optional. This is a special option if you need to
reach a VM/CT service from an exit node. (By default, the exit nodes only
allow forwarding traffic between the real network and the EVPN network.)
Advertise Subnets:: Optional. If you have silent VMs/CTs (for example, if you
have multiple IPs per interface and the anycast gateway doesn't see traffic
from these IPs, the IP addresses won't be reachable inside the EVPN network).
In this case, this option will announce the full subnet in the EVPN network.
Disable Arp-Nd Suppression:: Optional. Don't suppress ARP or ND packets.
This is required if you use moving virtual IPs in your guest VMs
(where the IP moves, but the MAC address changes).
Route-target import:: Optional. Allows importing a list of external EVPN
route targets, for cross-DC or interconnecting different EVPN networks.
MTU:: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes
lower than the maximal MTU of the outgoing physical interface.
261 [[pvesdn_config_vnet]]
265 A `VNet` is in its basic form just a Linux bridge that will be deployed locally
266 on the node and used for Virtual Machine communication.
ID:: An 8-character ID to name and identify a VNet
272 Alias:: Optional longer name, if the ID isn't enough
274 Zone:: The associated zone for this VNet
276 Tag:: The unique VLAN or VXLAN id
VLAN Aware:: Allows adding an extra VLAN tag in the virtual machine or
container vNIC configuration, or allows the guest OS to manage the VLAN tag.
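
As a sketch, a VNet in a VLAN zone could look like this (all values are
placeholders):

----
id: myvnet1
zone: myvlanzone
tag: 10
----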
281 [[pvesdn_config_subnet]]
A sub-network (subnet) allows you to define a specific IP network
(IPv4 or IPv6). For each VNet, you can define one or more subnets.
289 A subnet can be used to:
* Restrict the IP addresses you can define on a specific VNet
* Assign routes/gateways on a VNet in layer 3 zones
* Enable SNAT on a VNet in layer 3 zones
* Auto-assign IPs for virtual guests (VM or CT) through an IPAM plugin
* DNS registration through DNS plugins
If an IPAM server is associated with the subnet's zone, the subnet prefix will
be automatically registered in the IPAM.
301 Subnet properties are:
ID:: A CIDR network address, for example 10.0.0.0/8
Gateway:: The IP address of the network's default gateway. On layer 3 zones
(simple/EVPN plugins), it will be deployed on the VNet.
Snat:: Optional. Enable SNAT for layer 3 zones (simple/EVPN plugins) for this
subnet. The subnet's source IP will be NATed to the server's outgoing
interface/IP. On EVPN zones, this is only done on the EVPN gateway nodes.
Dnszoneprefix:: Optional. Add a prefix to the domain registration, like <hostname>.prefix.<domain>
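
As a sketch, a subnet on a layer 3 VNet could look like this (the addresses are
placeholders):

----
subnet: 10.0.1.0/24
gateway: 10.0.1.1
----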
315 [[pvesdn_config_controllers]]
319 Some zone types need an external controller to manage the VNet control-plane.
320 Currently this is only required for the `bgp-evpn` zone plugin.
322 [[pvesdn_controller_plugin_evpn]]
326 For `BGP-EVPN`, we need a controller to manage the control plane.
327 The currently supported software controller is the "frr" router.
You need to install it on each node where you want to deploy EVPN zones:
331 apt install frr frr-pythontools
334 Configuration options:
asn:: A unique BGP ASN number. It's highly recommended to use a private ASN
number (64512 - 65534, 4200000000 - 4294967294), as otherwise you could end up
breaking global routing, or being broken by it, by mistake.
peers:: An IP list of all nodes with which you want to communicate for EVPN
(these could also be external nodes or route reflector servers)
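
For example, an EVPN controller spanning three nodes could look like this (the
ASN and addresses are placeholders; see also the EVPN setup example further
below):

----
id: myevpnctl
asn: 65000
peers: 192.168.0.1,192.168.0.2,192.168.0.3
----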
344 [[pvesdn_controller_plugin_BGP]]
The BGP controller is not used directly by a zone.
You can use it to configure FRR to manage BGP peers.
For BGP-EVPN, it can be used to define a different ASN per node, hence doing EBGP.
353 Configuration options:
355 node:: The node of this BGP controller
asn:: A unique BGP ASN number. It's highly recommended to use a private ASN
number from the range (64512 - 65534) or (4200000000 - 4294967294), as
otherwise you could end up breaking global routing, or being broken by it, by mistake.
peers:: A list of peer IP addresses you want to communicate with for the underlying
ebgp:: If your peer's remote AS is different, this enables EBGP.
loopback:: Use a loopback or dummy interface as the source of the EVPN
network (for multipath).
ebgp-multihop:: If the peers are not directly connected or they use a loopback,
you can increase the number of hops to reach them.
bgp-multipath-as-path-relax:: Allow ECMP if your peers have different ASNs.
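
As a rough sketch, a per-node BGP controller peering with an upstream router
could look like this (all values are placeholders and the exact field layout is
an assumption):

----
node: node1
asn: 65001
peers: 172.16.0.254
ebgp: 1
----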
374 [[pvesdn_config_ipam]]
IPAM (IP Address Management) tools are used to manage/assign the IP addresses
of your devices on the network. They can be used, for example, to find a free
IP address when you create a VM/CT (not yet implemented).
An IPAM is associated with one or more zones, to provide IP addresses for all subnets defined in those zones.
383 [[pvesdn_ipam_plugin_pveipam]]
This is the default internal IPAM for your {pve} cluster, if you don't have
external IPAM software.
390 [[pvesdn_ipam_plugin_phpipam]]
You need to create an application in phpIPAM, and add an API token with admin
398 phpIPAM properties are:
400 url:: The REST-API endpoint: `http://phpipam.domain.com/api/<appname>/`
401 token:: An API access token
section:: An integer ID. Sections are a group of subnets in phpIPAM. Default
installations use `sectionid=1` for customers.
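
A configuration could, for example, look like this (all values are
placeholders):

----
id: myphpipam
url: https://phpipam.domain.com/api/<appname>/
token: <your API token>
section: 1
----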
405 [[pvesdn_ipam_plugin_netbox]]
409 NetBox is an IP address management (IPAM) and data center infrastructure
410 management (DCIM) tool, see the source code repository for details:
411 https://github.com/netbox-community/netbox
You need to create an API token in NetBox first, see
https://netbox.readthedocs.io/en/stable/api/authentication
416 NetBox properties are:
418 url:: The REST API endpoint: `http://yournetbox.domain.com/api`
419 token:: An API access token
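
A configuration could, for example, look like this (all values are
placeholders):

----
id: mynetbox
url: http://yournetbox.domain.com/api
token: <your API token>
----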
421 [[pvesdn_config_dns]]
The DNS plugin in {pve} SDN is used to define a DNS API server for the
registration of your hostnames and IP addresses. A DNS configuration is
associated with one or more zones, to provide DNS registration for all the
subnet IPs configured for
430 [[pvesdn_dns_plugin_powerdns]]
433 https://doc.powerdns.com/authoritative/http-api/index.html
435 You need to enable the webserver and the API in your PowerDNS config:
439 api-key=arandomgeneratedstring
PowerDNS properties are:
446 url:: The REST API endpoint: http://yourpowerdnserver.domain.com:8081/api/v1/servers/localhost
447 key:: An API access key
448 ttl:: The default TTL for records
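
A configuration could, for example, look like this (all values are
placeholders):

----
id: mypowerdns
url: http://yourpowerdnserver.domain.com:8081/api/v1/servers/localhost
key: <your API key>
ttl: 3600
----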
454 [[pvesdn_setup_example_vlan]]
458 TIP: While we show plain configuration content here, almost everything should
459 be configurable using the web-interface only.
461 Node1: /etc/network/interfaces
465 iface vmbr0 inet manual
469 bridge-vlan-aware yes
472 #management ip on vlan100
474 iface vmbr0.100 inet static
475 address 192.168.0.1/24
477 source /etc/network/interfaces.d/*
480 Node2: /etc/network/interfaces
484 iface vmbr0 inet manual
488 bridge-vlan-aware yes
491 #management ip on vlan100
493 iface vmbr0.100 inet static
494 address 192.168.0.2/24
496 source /etc/network/interfaces.d/*
499 Create a VLAN zone named `myvlanzone':
Create a VNet named `myvnet1' with `vlan-id` `10' and the previously created
`myvlanzone' as its zone.
515 Apply the configuration through the main SDN panel, to create VNets locally on
518 Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'.
520 Use the following network configuration for this VM:
524 iface eth0 inet static
525 address 10.0.3.100/24
528 Create a second Virtual Machine (vm2) on node2, with a vNIC on the same VNet
531 Use the following network configuration for this VM:
535 iface eth0 inet static
536 address 10.0.3.101/24
539 Then, you should be able to ping between both VMs over that network.
542 [[pvesdn_setup_example_qinq]]
546 TIP: While we show plain configuration content here, almost everything should
547 be configurable using the web-interface only.
549 Node1: /etc/network/interfaces
553 iface vmbr0 inet manual
557 bridge-vlan-aware yes
560 #management ip on vlan100
562 iface vmbr0.100 inet static
563 address 192.168.0.1/24
565 source /etc/network/interfaces.d/*
568 Node2: /etc/network/interfaces
572 iface vmbr0 inet manual
576 bridge-vlan-aware yes
579 #management ip on vlan100
581 iface vmbr0.100 inet static
582 address 192.168.0.2/24
584 source /etc/network/interfaces.d/*
Create a QinQ zone named `qinqzone1' with service VLAN 20
595 Create another QinQ zone named `qinqzone2' with service VLAN 30
Create a VNet named `myvnet1' with customer VLAN-id 100 on the previously
created `qinqzone1' zone.
Create a second VNet named `myvnet2' with customer VLAN-id 100 on the previously created
Apply the configuration on the main SDN web-interface panel to create VNets
locally on each node.
624 Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'.
626 Use the following network configuration for this VM:
630 iface eth0 inet static
631 address 10.0.3.100/24
634 Create a second Virtual Machine (vm2) on node2, with a vNIC on the same VNet
637 Use the following network configuration for this VM:
641 iface eth0 inet static
642 address 10.0.3.101/24
645 Create a third Virtual Machine (vm3) on node1, with a vNIC on the other VNet
648 Use the following network configuration for this VM:
652 iface eth0 inet static
653 address 10.0.3.102/24
656 Create another Virtual Machine (vm4) on node2, with a vNIC on the same VNet
659 Use the following network configuration for this VM:
663 iface eth0 inet static
664 address 10.0.3.103/24
Then, you should be able to ping between the VMs 'vm1' and 'vm2', as well as
between 'vm3' and 'vm4'. However, neither 'vm1' nor 'vm2' can ping 'vm3' or
'vm4', as they are in a different zone with a different service VLAN.
672 [[pvesdn_setup_example_vxlan]]
676 TIP: While we show plain configuration content here, almost everything should
677 be configurable using the web-interface only.
679 node1: /etc/network/interfaces
683 iface vmbr0 inet static
684 address 192.168.0.1/24
685 gateway 192.168.0.254
691 source /etc/network/interfaces.d/*
694 node2: /etc/network/interfaces
698 iface vmbr0 inet static
699 address 192.168.0.2/24
700 gateway 192.168.0.254
706 source /etc/network/interfaces.d/*
709 node3: /etc/network/interfaces
713 iface vmbr0 inet static
714 address 192.168.0.3/24
715 gateway 192.168.0.254
721 source /etc/network/interfaces.d/*
Create a VXLAN zone named `myvxlanzone'. Use the lower MTU to ensure the extra
50 bytes of the VXLAN header can fit. Add all previously configured IPs from
the nodes to the peer address list.
730 peers address list: 192.168.0.1,192.168.0.2,192.168.0.3
734 Create a VNet named `myvnet1' using the VXLAN zone `myvxlanzone' created
Apply the configuration on the main SDN web-interface panel to create VNets
locally on each node.
746 Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'.
Use the following network configuration for this VM; note the lower MTU here:
752 iface eth0 inet static
753 address 10.0.3.100/24
757 Create a second Virtual Machine (vm2) on node3, with a vNIC on the same VNet
760 Use the following network configuration for this VM:
764 iface eth0 inet static
765 address 10.0.3.101/24
Then, you should be able to ping between 'vm1' and 'vm2'.
772 [[pvesdn_setup_example_evpn]]
776 node1: /etc/network/interfaces
780 iface vmbr0 inet static
781 address 192.168.0.1/24
782 gateway 192.168.0.254
788 source /etc/network/interfaces.d/*
791 node2: /etc/network/interfaces
795 iface vmbr0 inet static
796 address 192.168.0.2/24
797 gateway 192.168.0.254
803 source /etc/network/interfaces.d/*
806 node3: /etc/network/interfaces
810 iface vmbr0 inet static
811 address 192.168.0.3/24
812 gateway 192.168.0.254
818 source /etc/network/interfaces.d/*
Create an EVPN controller, using a private ASN number and the above node addresses
827 peers: 192.168.0.1,192.168.0.2,192.168.0.3
Create an EVPN zone named `myevpnzone', using the previously created
EVPN controller. Define 'node1' and 'node2' as exit nodes.
836 controller: myevpnctl
838 vnet mac address: 32:F4:05:FE:6C:0A
839 exitnodes: node1,node2
842 Create the first VNet named `myvnet1' using the EVPN zone `myevpnzone'.
Create a subnet 10.0.1.0/24 with 10.0.1.1 as gateway on `myvnet1'.
Create a second VNet named `myvnet2' using the same EVPN zone `myevpnzone',
with a different IPv4 CIDR network.
Create a different subnet 10.0.2.0/24 with 10.0.2.1 as gateway on `myvnet2'.
Apply the configuration on the main SDN web-interface panel to create VNets
locally on each node and generate the FRR configuration.
876 Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'.
878 Use the following network configuration for this VM:
882 iface eth0 inet static
883 address 10.0.1.100/24
884 gateway 10.0.1.1 #this is the ip of the vnet1
888 Create a second Virtual Machine (vm2) on node2, with a vNIC on the other VNet
891 Use the following network configuration for this VM:
895 iface eth0 inet static
896 address 10.0.2.100/24
897 gateway 10.0.2.1 #this is the ip of the vnet2
902 Then, you should be able to ping vm2 from vm1, and vm1 from vm2.
904 If you ping an external IP from 'vm2' on the non-gateway 'node3', the packet
905 will go to the configured 'myvnet2' gateway, then will be routed to the exit
906 nodes ('node1' or 'node2') and from there it will leave those nodes over the
907 default gateway configured on node1 or node2.
NOTE: Of course you need to add reverse routes for the '10.0.1.0/24' and
'10.0.2.0/24' networks to node1 and node2 on your external gateway, so that the
public network can reply back.
If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24
and 10.0.2.0/24 in this example) will be announced dynamically.
920 VXLAN IPSEC Encryption
921 ~~~~~~~~~~~~~~~~~~~~~~
922 If you need to add encryption on top of VXLAN, it's possible to do so with
923 IPSEC through `strongswan`. You'll need to reduce the 'MTU' by 60 bytes (IPv4)
924 or 80 bytes (IPv6) to handle encryption.
So with a default real MTU of 1500, you need to use an MTU of 1370 (1370 + 80 (IPSEC)
+ 50 (VXLAN) == 1500).
931 apt install strongswan
934 Add configuration in `/etc/ipsec.conf'. We only need to encrypt traffic from
935 the VXLAN UDP port '4789'.
939 ike=aes256-sha1-modp1024! # the fastest, but reasonably secure cipher on modern HW
941 leftfirewall=yes # this is necessary when using Proxmox VE firewall rules
944 rightsubnet=%dynamic[udp/4789]
951 leftsubnet=%dynamic[udp/4789]
957 Then generate a preshared key with
960 openssl rand -base64 128
and copy the key into `/etc/ipsec.secrets', so that the file contents look like:
966 : PSK <generatedbase64key>
You need to copy the PSK and the configuration to all other nodes.