[PVE-User] VxLAN and tagged frames
Daniel Berteaud
daniel at firewall-services.com
Fri Jan 24 08:20:22 CET 2020
----- On 23 Jan 20, at 20:53, Alexandre DERUMIER aderumier at odiso.com wrote:
> Hi,
>
>>>So, what's the recommended setup for this ? Create one (non vlan aware) bridge
>>>for each network zone, with 1 VxLAN tunnel per bridge between nodes ?
>
> yes, you need 1 non-vlan aware bridge + 1 vxlan tunnel.
OK
>
> Technically there is vlan (from aware bridge) to vxlan mapping in the kernel, but
> it's really new and unstable.
> I don't know if it's possible to send vlan tagged frames inside a vxlan, never
> tested it.
>
>>>This doesn't look very scalable compared with vlan aware bridges (or OVS
>>>bridges) with GRE tunnels, does it ?
>
> I have tested it with 2000 vxlans + 2000 bridges. Works fine. Is it enough for
> you ?
I mean, until the SDN plugin is ready, creating a new network zone requires manual editing of network config on every node (new bridge + new vxlan). Unlike vlan aware bridges where you set up the network on the hypervisor once, and then just use a new VLAN id for a VM. But most likely your SDN plugin makes it easier.
>
>>>Are the experimental SDN plugins available somewhere as deb so I can play a bit
>>>with it ? (couldn't find it in pve-test or no-subscription)
>
> #apt-get install libpve-network-perl (try for pvetest repo if possible)
Oh, OK thanks. I was looking for a pve-something package name, that's why I haven't seen it :-)
>
>
> The gui is not finished yet, but you can try it at
> http://odisoweb1.odiso.net/pve-manager_6.1-5_amd64.deb
>
> I think if you want to do something like a simple vxlan tunnel, with multiple
> vlans, something like this should work (needs to be tested):
>
> auto vxlan2
> iface vxlan2 inet manual
>     vxlan-id 2
>     vxlan_remoteip 192.168.0.2
>     vxlan_remoteip 192.168.0.3
>
> auto vmbr2
> iface vmbr2 inet manual
>     bridge_ports vxlan2
>     bridge_stp off
>     bridge_fd 0
>     bridge-vlan-aware yes
>     bridge-vids 2-4094
I'll try something like that. Until now, I've been using this:

    auto vmbr0
    allow-ovs vmbr0
    iface vmbr0 inet manual
        ovs_type OVSBridge
        ovs_ports none
        up ovs-vsctl set Bridge ${IFACE} rstp_enable=true

Then a script gets all the cluster members and creates one GRE tunnel to each other node, like:

    ovs-vsctl add-port vmbr0 gre0 -- set interface gre0 type=gre options:remote_ip=10.22.5.2
    ovs-vsctl add-port vmbr0 gre1 -- set interface gre1 type=gre options:remote_ip=10.22.5.3
    etc.

Not perfect, but working. The single GRE tunnel transports all the VLANs.
++
--
[ https://www.firewall-services.com/ ]
Daniel Berteaud
FIREWALL-SERVICES SAS, Network security
Free Software Services Company
Tel: +33.5 56 64 15 32
Matrix: @dani:fws.fr
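
The per-node manual edit discussed in this thread (one non-VLAN-aware bridge plus one VxLAN interface per network zone), as an added example that is not part of the original messages or of any Proxmox tooling. It prints the stanza for one node from the cluster member list and rejects malformed input before emitting anything; the `vxlan<VNI>`/`vmbr<VNI>` naming and the `192.168.0.1` local address are assumptions, and the option names are the ones quoted above.

```shell
#!/bin/sh
# Added example: print the per-zone ifupdown stanza (one VXLAN interface plus
# one non-VLAN-aware bridge) for one node. Option names are the ones used in
# the thread; the vxlan<VNI>/vmbr<VNI> naming is an assumption.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# gen_zone_stanza VNI LOCAL_IP PEER_IP...
# Writes the stanza to stdout; on bad input prints nothing there and returns 1.
gen_zone_stanza() {
    [ "$#" -ge 3 ] || { echo "usage: gen_zone_stanza VNI LOCAL_IP PEER_IP..." >&2; return 1; }
    vni=$1; local_ip=$2; shift 2
    # The VNI is a 24-bit field; refuse anything that is not 1..16777215.
    case "$vni" in ''|0*|*[!0-9]*) echo "bad VNI: $vni" >&2; return 1 ;; esac
    [ "${#vni}" -le 8 ] && [ "$vni" -le 16777215 ] || { echo "VNI out of range: $vni" >&2; return 1; }
    is_ipv4 "$local_ip" || { echo "bad local address: $local_ip" >&2; return 1; }
    remotes=""
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "bad peer address: $ip" >&2; return 1; }
        [ "$ip" = "$local_ip" ] && continue               # no tunnel to ourselves
        case " $remotes " in *" $ip "*) continue ;; esac  # drop duplicate peers
        remotes="$remotes $ip"
    done
    [ -n "$remotes" ] || { echo "no remote peer left after filtering" >&2; return 1; }
    printf 'auto vxlan%s\niface vxlan%s inet manual\n    vxlan-id %s\n' "$vni" "$vni" "$vni"
    for ip in $remotes; do printf '    vxlan_remoteip %s\n' "$ip"; done
    printf '\nauto vmbr%s\niface vmbr%s inet manual\n' "$vni" "$vni"
    printf '    bridge_ports vxlan%s\n    bridge_stp off\n    bridge_fd 0\n' "$vni"
}

# Constructed sample: node 192.168.0.1 given the full member list of a 3-node cluster.
gen_zone_stanza 2 192.168.0.1 192.168.0.1 192.168.0.2 192.168.0.3
```

Passing the same full member list on every node works because the local address is filtered out of the remote list.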