Installation
------------
-To enable the experimental SDN integration, you need to install
-"libpve-network-perl" package
+To enable the experimental SDN integration, you need to install the
+`libpve-network-perl` and `ifupdown2` package on every node:
----
-apt install libpve-network-perl
+apt update
+apt install libpve-network-perl ifupdown2
----
-You need to have `ifupdown2` package installed on each node to manage local
-configuration reloading without reboot:
+After that you need to add the following line:
-----
-apt install ifupdown2
-----
-
-You need to add
----
source /etc/network/interfaces.d/*
----
-at the end of /etc/network/interfaces to have the sdn config included
+at the end of the `/etc/network/interfaces` configuration file, so that the SDN
+config gets included and activated.
Basic Overview
service vlan:: The main VLAN tag of this zone
+service vlan protocol:: allow to define a 802.1q (default) or 802.1ad service vlan type.
+
mtu:: Due to the double stacking of tags you need 4 more bytes for QinQ VLANs.
For example, you reduce the MTU to `1496` if you physical interface MTU is
`1500`.
Specific EVPN configuration options:
-VRF VXLAN Tag:: This is a vxlan-id used for routing interconnect between vnets,
+VRF VXLAN tag:: This is a vxlan-id used for routing interconnect between vnets,
it must be different than VXLAN-id of VNets
controller:: an EVPN-controller need to be defined first (see controller
plugins section)
+VNet MAC address:: A unique anycast MAC address for all VNets in this zone.
+ Will be auto-generated if not defined.
-Exit Nodes:: This is used if you want to defined some proxmox nodes, as
- exit gateway from evpn network through real network. This nodes
- will announce a default route in the evpn network.
+Exit Nodes:: This is used if you want to define some proxmox nodes, as exit
+ gateway from evpn network through real network. The configured nodes will
+ announce a default route in the EVPN network.
-mtu:: because VXLAN encapsulation use 50bytes, the MTU need to be 50 bytes
-lower than the outgoing physical interface.
+Advertise Subnets:: Optional. If you have silent vms/CT (for example, multiples
+ ips by interfaces, and the anycast gateway don't see traffic from theses ips,
+ the ips addresses won't be able to be reach inside the evpn network). This
+ option will announce the full subnet in the evpn network in this case.
+
+Exit Nodes local routing:: Optional. This is a special option if you need to
+ reach a vm/ct service from an exit node. (By default, the exit nodes only
+ allow forwarding traffic between real network and evpn network).
+
+MTU:: because VXLAN encapsulation use 50 bytes, the MTU needs to be 50 bytes
+ lower than the maximal MTU of the outgoing physical interface.
[[pvesdn_config_vnet]]
Configuration options:
+node:: The node of this BGP controller
+
asn:: A unique BGP ASN number. It's highly recommended to use private ASN
number from the range (64512 - 65534) or (4200000000 - 4294967294), as else
you could end up breaking, or get broken, by global routing by mistake.
ebgp:: If your peer's remote-AS is different, it's enabling EBGP.
-node:: The node of this BGP controller
-
loopback:: If you want to use a loopback or dummy interface as source for the
evpn network. (for multipath)
+ebgp-mutltihop:: if the peers are not directly connected or use loopback, you can increase the
+ number of hops to reach them.
[[pvesdn_config_ipam]]
IPAMs
Create an EVPN zone named `myevpnzone' using the previously created
EVPN-controller Define 'node1' and 'node2' as exit nodes.
-
----
id: myevpnzone
vrf vxlan tag: 10000
controller: myevpnctl
mtu: 1450
+vnet mac address: 32:F4:05:FE:6C:0A
exitnodes: node1,node2
----
id: myvnet1
zone: myevpnzone
tag: 11000
-mac address: 8C:73:B2:7B:F9:60 #random generate mac address
----
-Create a subnet 10.0.1.0/24 with 10.0.1.1 as gateway
+Create a subnet 10.0.1.0/24 with 10.0.1.1 as gateway on vnet1
+
----
-id: 10.0.1.0/24
+subnet: 10.0.1.0/24
gateway: 10.0.1.1
----
Create the second VNet named `myvnet2' using the same EVPN zone `myevpnzone', a
-different IPv4 CIDR network and a different random MAC address than `myvnet1'.
+different IPv4 CIDR network.
----
id: myvnet2
zone: myevpnzone
tag: 12000
-mac address: 8C:73:B2:7B:F9:61 #random mac, need to be different on each vnet
----
-Create a different subnet 10.0.2.0/24 with 10.0.2.1 as gateway
+Create a different subnet 10.0.2.0/24 with 10.0.2.1 as gateway on vnet2
+
----
-id: 10.0.2.0/24
+subnet: 10.0.2.0/24
gateway: 10.0.2.1
----
Apply the configuration on the main SDN web-interface panel to create VNets
locally on each nodes and generate the FRR config.
-
Create a Debian-based Virtual Machine (vm1) on node1, with a vNIC on `myvnet1'.
Use the following network configuration for this VM:
If you have configured an external BGP router, the BGP-EVPN routes (10.0.1.0/24
and 10.0.2.0/24 in this example), will be announced dynamically.
+
+
+Notes
+-----
+
+VXLAN IPSEC Encryption
+~~~~~~~~~~~~~~~~~~~~~~
+If you need to add encryption on top of VXLAN, it's possible to do so with
+IPSEC through `strongswan`. You'll need to reduce the 'MTU' by 60 bytes (IPv4)
+or 80 bytes (IPv6) to handle encryption.
+
+So with default real 1500 MTU, you need to use a MTU of 1370 (1370 + 80 (IPSEC)
++ 50 (VXLAN) == 1500).
+
+.Install strongswan
+----
+apt install strongswan
+----
+
+Add configuration in `/etc/ipsec.conf'. We only need to encrypt traffic from
+the VXLAN UDP port '4789'.
+
+----
+conn %default
+ ike=aes256-sha1-modp1024! # the fastest, but reasonably secure cipher on modern HW
+ esp=aes256-sha1!
+ leftfirewall=yes # this is necessary when using Proxmox VE firewall rules
+
+conn output
+ rightsubnet=%dynamic[udp/4789]
+ right=%any
+ type=transport
+ authby=psk
+ auto=route
+
+conn input
+ leftsubnet=%dynamic[udp/4789]
+ type=transport
+ authby=psk
+ auto=route
+----
+
+Then generate a preshared key with
+
+----
+openssl rand -base64 128
+----
+
+and copy the key in `/etc/ipsec.secrets' so that the file content looks like:
+
+----
+: PSK <generatedbase64key>
+----
+
+You need to copy the PSK and the config on other nodes.
projects / pve-docs.git / blobdiff