Proxmox VE SDN VXLAN Setup

  • Published 24 Dec 2024

COMMENTS • 27

  • @penttimuhli9442
    @penttimuhli9442 10 days ago +1

    Admittedly I don't know that much about Proxmox yet, have been using it in the home lab and really like it.
    But one question I have when it comes to what people are calling SDN with Proxmox, how much automation is involved?
    Compared to other vendors such as Cisco's SD-Access, SD-WAN or VMware's offering?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 9 days ago

      I think Proxmox are still primarily focused on the hypervisor being just a hypervisor
      Although to be fair, it's Debian underneath the hood
      While VXLAN is in public release, EVPN is still in tech-preview
      The deployment of virtual networks is simple, but it's not fully automated
      You can't define an application for instance and everything that goes with it is deployed automatically through the click of a button
      I doubt Proxmox have the deep pockets of Broadcom, but VMware have had a head start on this for well over a decade after their acquisition of Nicira
      But even at this stage you should be able to save a lot of time and money deploying a basic physical network and PVE can build an SDN over that
      Any further network changes would be in PVE, hence the need for only a basic physical network
      And if a physical switch needed replacing, it would be very easy to swap it out
      It's only a matter of time I think before a 3rd party taps into this Proxmox API though to let you automate things
      You can get Ansible to roll out an entire deployment if you like, it just needs a lot of thought and coding to build the playbooks
      I don't know how good AI is, but at some point that should simplify things even further
      To me, companies like Cisco don't bring anything to the table for SDN because they don't make hypervisors
      For SDN, you only need enough from physical Layer 2 switches to allow the hypervisors their basic connectivity
      Everything else is done by the hypervisor
      So physical Data Centre networking solutions from the likes of Cisco, Arista and Juniper are old school
      You'll still need an entry and exit point for the building and that will be a virtual router offering an SDWAN solution
      At the moment for PVE, that would have to be a 3rd party offering
      But I fail to understand why anybody would want to buy an SD-WAN solution that's managed through a public facing Internet cloud
      I think at this turning point, you may as well just pay an ISP the money to include a basic physical router along with the WAN link and leave them to manage both
      All the physical router needs to do is to route the IP addressing for the SD-WAN router and know how to reach your firewall
      The SD-WAN router will take care of everything else through DMVPN/IPSec tunnels between the sites
      And if you ever need to change providers, it would be very easy to do

  • @MadalinIgnisca
    @MadalinIgnisca 1 month ago +1

    Seems that 2 vnets in the same vxlan zone can't talk to each other out of the box. Would you have a hint?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 month ago

      Use a firewall or router if you need to connect them
      VNets are similar to VLANs, i.e. they provide logical separation of traffic
      From a private user/company perspective, each VNet will represent a different subnet e.g. 192.168.1.0/24 and 192.168.2.0/24
      These days, computers in two different subnets shouldn't be able to communicate directly
      So in this case we've been given VNet instead of VLAN separation to achieve that
      You could setup a virtual router to route between the two
      But a firewall would be better from a security perspective

  • @MrStarbuckel
    @MrStarbuckel 24 days ago +1

    Thank you for the video! Any chance to give a host itself an IP address inside an SDN VXLAN? So that the VMs in the vmnet can connect to the host without routing?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 22 days ago

      Not that I can see
      The documentation says a VNet will be "available as a common Linux Bridge" and can "be assigned to VMs and Containers"
      I'm not seeing any option to connect a node's physical interface to a VNet or to create a virtual interface for a node in a VNet

  • @ZifeRRoT
    @ZifeRRoT 2 months ago +1

    Great video, thx a lot!
    By the way, is there any solution to allow VMs to connect to the internet from vxlan without adding an additional interface?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 months ago +2

      Normally you'd want computers behind a firewall
      So I have a virtual firewall that has an interface in the vxlan network of the VMs and its WAN interface connects to the default Linux bridge
      I still have a physical firewall in between the internet and my hypervisors though for extra security

    • @ZifeRRoT
      @ZifeRRoT 2 months ago

      @TechTutorialsDavidMcKone normally I would do the same 😁 Interesting just for some kind of weird practice

  • @simo47768
    @simo47768 4 months ago +2

    Hi
    Is a Kubernetes SDN network a good use case for this?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 4 months ago +1

      As long as there's no need for direct contact with a physical device, then anything virtual should benefit
      Proxmox VE just needs to be able to put the traffic into a tunnel and then it can send it to any other node

  • @exteraNL
    @exteraNL 4 months ago +2

    Very useful, thank you! I hope we will see support for anycast gateways in the future (one and the same on each node) to really make life simpler 😊 with DHCP or DHCP relay.
    I hope you will also cover EVPN and I hope you will cover the IPAM and DNS integrations. I couldn't get them to work in my lab...
    Some extra feedback: maybe you can show a diagram of what you are demonstrating. For example, the firewall VM you have running wasn't very clear to me at first

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 4 months ago +2

      Thanks for the feedback, much appreciated
      I like diagrams myself and was using them in my earlier videos, so I'm not sure why I've stopped adding them in
      It will be interesting to see where this SDN solution goes mind
      For now I'm not touching DHCP or EVPN as they're still in tech preview
      I did try the DHCP server for instance but I was getting error messages after uninstalling Dnsmasq
      Even in a lab that's not a good situation to be in
      Fortunately I use nested hypervisors so I just rolled them back to a snapshot

  • @barma1309
    @barma1309 4 months ago +1

    Thanks, very helpful!!!!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 4 months ago

      Thanks for the feedback
      I'm glad this SDN module is now supported as it's very useful
      Looking forward to other parts being added

  • @barma1309
    @barma1309 4 months ago +1

    I did exactly this but I got a problem with DHCP (( The VM inside the zone didn't get a custom IP address. The VM got only 192.168.1.10x addresses((

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 4 months ago +2

      Not sure on your setup
      In mine, although I configured a VNet and 192.168.50.x subnet, it's only for reference
      Even if the extra software is installed, at the moment, Proxmox VE will only supply an address for that subnet via DHCP if a Simple Zone is configured
      So for now, to supply an IP address via DHCP to VNets in a VXLAN Zone, you have to use a separate DHCP server
      And I had one connected to the subnet handing out IP addresses in the 192.168.1.x range
      Later on, hopefully, we'll be able to take advantage of the IPAM and DHCP solution for SDN

  • @eduardooroedell
    @eduardooroedell 2 months ago +1

    DHCP doesn't work for VXLAN on Proxmox 8.1...

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 months ago +1

      Yeah, like I was mentioning in the video it's still in tech preview
      It only works for simple networks, which is a shame
      And you can't take advantage of the built-in IPAM solution either
      So I just carried on using an external DHCP server

    • @eduardooroedell
      @eduardooroedell 2 months ago

      @TechTutorialsDavidMcKone thanks for replying! I'm using a Mikrotik GR3 to make my network. Is it possible to mix Mikrotik with Proxmox VXLAN?

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 months ago

      @eduardooroedell None of my devices support VXLAN so it's not something I've tried
      I haven't seen any mention of connecting to other devices in the documentation
      But all the config asks for is IP addressing, so it could be worth trying

  • @Zambiziify
    @Zambiziify 1 month ago +1

    Absolute gold dust! "_udp_4789 !" So much to wrap my head around.. Well explained demo, very helpful for debugging a VNet using tcpdump, and for factoring in MTU sizes, including the extra overhead that needs factoring in for the real MTU. Very powerful technology!

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 1 month ago

      I see this as a real game changer, and there's more to come when EVPN comes out of tech preview
      But VXLAN alone really simplifies Datacenter design as you just need to build the underlying physical network once and then after that you just make changes in the PVE cluster
      So much time and money to be saved and it will make life so much simpler
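
The "udp 4789" tcpdump filter and the MTU overhead discussed in this thread, as an added example that is not part of the video or its comments: a small Python decoder for the VXLAN header carried on UDP port 4789, plus the overhead arithmetic (50 bytes over an IPv4 underlay, 70 over IPv6) that puts a VNet at MTU 1450 on a 1500-byte physical network. The sample frame, MAC addresses and VNI 100 are constructed, not captured from a real cluster.

```python
import struct

VXLAN_UDP_PORT = 4789        # the "udp port 4789" you filter on in tcpdump
VXLAN_HEADER_LEN = 8         # flags(1) + reserved(3) + VNI(3) + reserved(1)
INNER_ETH_LEN = 14           # the encapsulated frame's own Ethernet header
# Bytes VXLAN adds on top of the overlay MTU: outer IP + UDP + VXLAN + inner Ethernet.
# The outer Ethernet header is not counted, because MTU is measured above layer 2.
VXLAN_OVERHEAD_IPV4 = 20 + 8 + VXLAN_HEADER_LEN + INNER_ETH_LEN   # 50
VXLAN_OVERHEAD_IPV6 = 40 + 8 + VXLAN_HEADER_LEN + INNER_ETH_LEN   # 70


def underlay_mtu_required(overlay_mtu: int, ipv6_underlay: bool = False) -> int:
    """Smallest physical (underlay) MTU that carries VNet frames of overlay_mtu unfragmented."""
    return overlay_mtu + (VXLAN_OVERHEAD_IPV6 if ipv6_underlay else VXLAN_OVERHEAD_IPV4)


def max_overlay_mtu(underlay_mtu: int, ipv6_underlay: bool = False) -> int:
    """Largest MTU a VNet/VM may use for a given physical MTU (1500 underlay -> 1450 overlay)."""
    return underlay_mtu - (VXLAN_OVERHEAD_IPV6 if ipv6_underlay else VXLAN_OVERHEAD_IPV4)


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header (RFC 7348) with the 'I' flag set and the given 24-bit VNI."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3x3sx", 0x08, vni.to_bytes(3, "big")) + inner_frame


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_vxlan(udp_payload: bytes) -> dict:
    """Decode the UDP payload of a port-4789 datagram: VNI plus the inner Ethernet addressing."""
    if len(udp_payload) < VXLAN_HEADER_LEN + INNER_ETH_LEN:
        raise ValueError("too short for a VXLAN header plus an inner Ethernet header")
    flags, vni_raw = struct.unpack("!B3x3sx", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & 0x08:
        raise ValueError("VXLAN 'I' flag clear: header carries no valid VNI")
    inner = udp_payload[VXLAN_HEADER_LEN:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:INNER_ETH_LEN])
    return {"vni": int.from_bytes(vni_raw, "big"), "dst_mac": fmt_mac(dst_mac),
            "src_mac": fmt_mac(src_mac), "ethertype": ethertype, "inner_len": len(inner)}


# Constructed sample: inner frame with IPv4 ethertype and a 20-byte placeholder IP header
# between two made-up MACs, wrapped in VNI 100.
SAMPLE_INNER = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00" + b"\x45" + bytes(19)
SAMPLE_VXLAN = build_vxlan(100, SAMPLE_INNER)

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_VXLAN))
    print("1500-byte underlay supports overlay MTU", max_overlay_mtu(1500))
```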

  • @AdrianuX1985
    @AdrianuX1985 4 months ago +1

    ++

  • @andrey0001
    @andrey0001 3 days ago

    Very unpleasant presentation of information, everything is stretched out. And a bunch of errors:
    In particular, DHCP will not work for VXLAN, and neither will SNAT, because Proxmox does not create gateway addresses for this type of SDN. This is relevant for Simple SDN.
    The author himself does not know what he is talking about, and is trying to teach others incorrectly. Moreover, why talk about each point by just reading the name of the point and reasoning about what you do not know? Do not shoot such content anymore - this is not yours, from the word AT ALL.

    • @TechTutorialsDavidMcKone
      @TechTutorialsDavidMcKone 2 days ago

      Disappointing to know this video wasn't to your liking, but thanks for the feedback
      Personally I prefer detailed presentations, rather than someone just saying do this, do that
      An explanation for the choices is a vital part of the learning experience
      So that's why my videos are done this way
      To some they'll be informative, to others stretched out
      C'est la vie
      I did make it clear at the start of the video mind that IPAM and the DHCP service do not work with VXLAN
      I can only assume therefore you skipped that chapter since you're trying to point out to me the very thing I mentioned
      I also pointed out that these are currently in tech preview
      In other words, as I mentioned, these shouldn't go into a production environment
      Currently, these features are more for niche users who run labs and are interested in learning about technology as Proxmox develops it
      However, as I demonstrated, you can still use the traditional DHCP server to provide IP addressing for vNets you deploy with VXLAN
      And chances are, companies will continue to use 3rd party IPAM solutions anyway
      From a business perspective alone, it would be difficult to justify the extra work when you already have a working solution
      The main gain I see from this use of VXLAN at the moment though is the ability to create an SDN overlay and simplify the underlying network
      What I certainly wouldn't do though is have the hypervisor act as a gateway for vNets using SNAT
      Not only does NAT cause all sorts of complications for security and troubleshooting but some applications can't work with it; just look at some of the workarounds firewall vendors had to deploy over the years
      Besides, the default gateway should be a dedicated firewall
      Granted Proxmox offers the ability to firewall traffic using iptables, but it's not as sophisticated as a dedicated firewall