12.3. Zones

A zone defines a virtually separated network.

It can use different technologies for separation:

You can restrict a zone to specific nodes.

It is also possible to set permissions on a zone, restricting a user to a specific zone and to the VNets in that zone only.

The following options are available for all zone types.

This is the simplest plugin: it creates an isolated VNet bridge. The bridge is not linked to any physical interface, so VM traffic stays local to the node(s). It can also be used for NAT or routed setups.

The VLAN plugin reuses an existing local Linux or OVS bridge and manages VLANs on it. The benefit of using the SDN module is that you can create different zones, each with specific VNet VLAN tags, and restrict virtual machines to separate zones.

Specific VLAN configuration options:

QinQ is stacked VLAN: the first (outer) VLAN tag is defined for the zone (the so-called service-vlan), and the second VLAN tag is defined per VNet.

Specific QinQ configuration options:

The VXLAN plugin establishes a tunnel (named overlay) on top of an existing network (named underlay). It encapsulates layer 2 Ethernet frames within layer 4 UDP datagrams, using 4789 as the default destination port. You can, for example, create a private IPv4 VXLAN network on top of nodes reachable over the public internet. This is a layer 2 tunnel only; no routing between different VNets is possible.

Each VNet uses a specific VXLAN id from the range 1 - 16777215.
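As an added illustration, not part of the Proxmox documentation, of the two encapsulations described above (the stacked tags of a QinQ zone and the VXLAN header of a VXLAN zone), the following Python builds and parses both; the MAC addresses, VLAN ids and VXLAN id are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789              # default VXLAN destination port (RFC 7348)
VNI_MIN, VNI_MAX = 1, 16777215     # 24-bit VXLAN id range the plugin assigns per VNet
ETH_P_8021AD = 0x88A8              # outer (service) tag used for stacked VLANs
ETH_P_8021Q = 0x8100               # inner (VNet) tag

def qinq_frame(dst: bytes, src: bytes, service_vlan: int, vnet_vlan: int,
               ethertype: int, payload: bytes) -> bytes:
    """Build a QinQ Ethernet frame: the zone's service-vlan in the outer 802.1ad tag,
    the VNet's tag in the inner 802.1Q tag, then the original EtherType and payload."""
    for tag in (service_vlan, vnet_vlan):
        if not 1 <= tag <= 4094:
            raise ValueError(f"VLAN id {tag} out of range 1-4094")
    return (dst + src
            + struct.pack("!HH", ETH_P_8021AD, service_vlan)
            + struct.pack("!HH", ETH_P_8021Q, vnet_vlan)
            + struct.pack("!H", ethertype) + payload)

def parse_qinq(frame: bytes) -> tuple:
    """Return (service_vlan, vnet_vlan, ethertype); the VLAN id is the low 12 bits of each TCI."""
    outer_type, outer_tci, inner_type, inner_tci, ethertype = struct.unpack("!HHHHH", frame[12:22])
    if outer_type != ETH_P_8021AD or inner_type != ETH_P_8021Q:
        raise ValueError("not an 802.1ad/802.1Q stacked frame")
    return outer_tci & 0x0FFF, inner_tci & 0x0FFF, ethertype

def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags (I bit set) | 3 reserved | 24-bit VNI | 1 reserved.
    The result is the UDP payload carried to VXLAN_UDP_PORT over the underlay."""
    if not VNI_MIN <= vni <= VNI_MAX:
        raise ValueError(f"VXLAN id {vni} outside {VNI_MIN}-{VNI_MAX}")
    return bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame

def vxlan_decapsulate(udp_payload: bytes) -> tuple:
    """Return (vni, inner Ethernet frame); rejects payloads without the VNI-valid flag."""
    if len(udp_payload) < 8 or not udp_payload[0] & 0x08:
        raise ValueError("not a VXLAN payload")
    return int.from_bytes(udp_payload[4:7], "big"), udp_payload[8:]

# Constructed sample: a guest frame tagged service-vlan 100 / VNet vlan 200, then tunnelled in VXLAN id 5000
SAMPLE_QINQ = qinq_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01", 100, 200, 0x0800,
                         b"\x45" + b"\x00" * 19)
SAMPLE_VXLAN = vxlan_encapsulate(5000, SAMPLE_QINQ)

if __name__ == "__main__":
    print(parse_qinq(SAMPLE_QINQ), vxlan_decapsulate(SAMPLE_VXLAN)[0])
```

Seeing the extra 8 bytes of VXLAN header (plus outer IP/UDP) and the two 4-byte VLAN tags is what you need when sizing the underlay MTU or writing capture filters for tunnelled traffic.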

Specific VXLAN configuration options:

This is the most complex of all supported plugins.

BGP-EVPN allows one to create a routable layer 3 network. An EVPN VNet can have an anycast IP address and/or MAC address. The bridge IP is the same on each node, so a virtual guest can use that address as its gateway.

Routing can work across VNets from different zones through a VRF (Virtual Routing and Forwarding) interface.

Specific EVPN configuration options: