A zone defines a virtually separated network.
It can use different technologies for separation:
- VLAN: Virtual LANs are the classic method to sub-divide a LAN.
- QinQ: stacked VLAN (formally known as IEEE 802.1ad).
- VXLAN: layer 2 VXLAN.
- Simple: isolated bridge, or a simple layer 3 routing bridge (NAT).
- bgp-evpn: VXLAN using layer 3 Border Gateway Protocol routing.
You can restrict a zone to specific nodes.
It is also possible to add permissions on a zone, to restrict a user to a specific zone and only the VNets in that zone.
The following options are available for all zone types.
- nodes: Deploy and allow the use of VNets configured for this zone only on these nodes.
- ipam: Optional. The IPAM tool used to manage IPs in this zone.
- dns: Optional. DNS API server.
- reversedns: Optional. Reverse DNS API server.
- dnszone: Optional. DNS domain name, used to register hostnames like <hostname>.<domain>. The DNS zone must already exist on the DNS server.
The Simple zone plugin is the simplest one: it creates an isolated VNet bridge.
This bridge is not linked to physical interfaces; VM traffic stays local to the node(s).
It can also be used for NAT or routed setups.
The VLAN zone plugin reuses an existing local Linux or OVS bridge and manages VLANs on it.
The benefit of using the SDN module is that you can create different zones with specific VNet VLAN tags and restrict virtual machines to separated zones.
Specific VLAN configuration options:
- bridge: Reuse this local bridge or OVS switch, already configured on each local node.
QinQ is stacked VLAN. The first VLAN tag is defined for the zone (the so-called service VLAN), and the second VLAN tag is defined for the VNets.
Note: Your physical network switches must support stacked VLANs!
Specific QinQ configuration options:
- bridge: A local VLAN-aware bridge already configured on each local node.
- service vlan: The main VLAN tag of this zone.
- service vlan protocol: Allows defining an 802.1q (default) or 802.1ad service VLAN type.
- mtu: Due to the double stacking of tags you need 4 more bytes for QinQ VLANs. For example, you reduce the MTU to 1496 if your physical interface MTU is 1500.
The VXLAN plugin establishes a tunnel (named overlay) on top of an existing network (named underlay). It encapsulates layer 2 Ethernet frames within layer 4 UDP datagrams, using 4789 as the default destination port. You can, for example, create a private IPv4 VXLAN network on top of public internet network nodes.
This is a layer 2 tunnel only; no routing between different VNets is possible.
Each VNet will use a specific VXLAN id from the range (1 - 16777215).
Specific VXLAN configuration options:
- peers address list: A list of IPs from all nodes through which you want to communicate. These can also be external nodes.
- mtu: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes lower than that of the outgoing physical interface.
The EVPN (bgp-evpn) plugin is the most complex of all supported plugins.
BGP-EVPN allows one to create a routable layer 3 network. The VNet of EVPN can have an anycast IP address and/or MAC address. The bridge IP is the same on each node, so a virtual guest can use that address as its gateway.
Routing can work across VNets from different zones through a VRF (Virtual Routing and Forwarding) interface.
Specific EVPN configuration options:
- VRF VXLAN tag: This is a VXLAN id used for the routing interconnect between VNets; it must be different from the VXLAN ids of the VNets.
- controller: An EVPN controller needs to be defined first (see the controller plugins section).
- VNet MAC address: A unique anycast MAC address for all VNets in this zone. Will be auto-generated if not defined.
- Exit Nodes: Used if you want to define some Proxmox nodes as exit gateways from the EVPN network to the real network. The configured nodes will announce a default route in the EVPN network.
- Advertise Subnets: Optional. If you have silent VMs/CTs (for example, multiple IPs per interface, where the anycast gateway does not see traffic from these IPs, so the IP addresses cannot be reached inside the EVPN network), this option announces the full subnet in the EVPN network.
- Exit Nodes local routing: Optional. This is a special option if you need to reach a VM/CT service from an exit node. (By default, the exit nodes only allow forwarding traffic between the real network and the EVPN network.)
- MTU: Because VXLAN encapsulation uses 50 bytes, the MTU needs to be 50 bytes lower than the maximal MTU of the outgoing physical interface.
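As an added example (not code from the Proxmox project), the following checker verifies the zone constraints stated in the QinQ, VXLAN and EVPN descriptions above: an MTU 4 bytes (QinQ) or 50 bytes (VXLAN/EVPN) below the physical MTU, and an EVPN VRF VXLAN tag that differs from every VNet VXLAN id. It assumes a section-config layout of "<type>: <name>" headers followed by indented "key value" lines, and the key names mtu, tag, zone and vrf-vxlan; the sample configuration is constructed.

```python
# Added checker, not from the Proxmox docs. It verifies constraints stated
# above: VXLAN/EVPN MTU 50 bytes and QinQ MTU 4 bytes below the physical
# MTU, and an EVPN VRF VXLAN id that differs from every VNet VXLAN id. The
# "<type>: <name>" / indented "key value" layout and key names are assumed.
OVERHEAD = {"vxlan": 50, "evpn": 50, "qinq": 4}   # encapsulation bytes

def parse_sections(text):
    """Return one dict per section: {'type', 'id', <key>: <value>, ...}."""
    sections = []
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():                 # "<type>: <name>" header
            stype, _, name = line.partition(":")
            sections.append({"type": stype.strip(), "id": name.strip()})
        elif sections:                            # indented "key value"
            key, _, value = line.strip().partition(" ")
            sections[-1][key] = value.strip()
    return sections

def check_zones(zones_cfg, vnets_cfg, phys_mtu):
    """One finding per violated constraint; an empty list means clean."""
    zones = {z["id"]: z for z in parse_sections(zones_cfg)}
    findings, vxlan_ids = [], {}                  # VXLAN id -> VNet name
    for v in parse_sections(vnets_cfg):
        ztype = zones.get(v.get("zone", ""), {}).get("type")
        if ztype in ("vxlan", "evpn") and "tag" in v:   # tag is a VXLAN id here
            vxlan_ids[int(v["tag"])] = v["id"]
    for zid, z in zones.items():
        mtu = int(z.get("mtu", phys_mtu))
        limit = phys_mtu - OVERHEAD.get(z["type"], 0)
        if mtu > limit:
            findings.append(f"{zid}: mtu {mtu} exceeds {limit} for {z['type']}")
        vrf = int(z.get("vrf-vxlan", 0)) if z["type"] == "evpn" else None
        if vrf in vxlan_ids:
            findings.append(f"{zid}: vrf-vxlan {vrf} collides with VNet {vxlan_ids[vrf]}")
    return findings

# Constructed sample: ev1 and qq1 keep the physical MTU; ev1 reuses v200's id
ZONES = """\
vxlan: vx1
    mtu 1450
evpn: ev1
    controller ctl1
    vrf-vxlan 200
    mtu 1500
qinq: qq1
    tag 10
    mtu 1500
"""
VNETS = "vnet: v100\n    zone vx1\n    tag 100\nvnet: v200\n    zone ev1\n    tag 200\n"
```

Running `check_zones(ZONES, VNETS, 1500)` reports the two oversized MTUs and the VRF id collision; the same check with corrected values returns an empty list.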