Admittedly I don't know that much about Proxmox yet, have been using it in the home lab and really like it.
But one question I have when it comes to what people are calling SDN with Proxmox, how much automation is involved?
Compared to other vendors such as Cisco's SD-Access, SD-WAN or VMware's offering?
I think Proxmox are still primarily focused on the hypervisor being just a hypervisor
Although to be fair, it's Debian underneath the hood
While VXLAN is in public release, EVPN is still in tech-preview
The deployment of virtual networks is simple, but it's not fully automated
You can't define an application for instance and everything that goes with it is deployed automatically through the click of a button
I doubt Proxmox have the deep pockets of Broadcom, but VMware have had a head start on this for well over a decade after their acquisition of Nicira
But even at this stage you should be able to save a lot of time and money deploying a basic physical network and PVE can build an SDN over that
Any further network changes would be in PVE, hence the need for only a basic physical network
And if a physical switch needed replacing, it would be very easy to swap it out
It's only a matter of time I think before a 3rd party taps into this Proxmox API though to let you automate things
You can get Ansible to roll out an entire deployment if you like, it just needs a lot of thought and coding to build the playbooks
I don't know how good AI is, but at some point that should simplify things even further
To me, companies like Cisco don't bring anything to the table for SDN because they don't make hypervisors
For SDN, you only need enough from physical Layer 2 switches to allow the hypervisors their basic connectivity
Everything else is done by the hypervisor
So physical Data Centre networking solutions from the likes of Cisco, Arista and Juniper are old school
You'll still need an entry and exit point for the building and that will be a virtual router offering an SD-WAN solution
At the moment for PVE, that would have to be a 3rd party offering
But I fail to understand why anybody would want to buy an SD-WAN solution that's managed through a public facing Internet cloud
I think at this turning point, you may as well just pay an ISP the money to include a basic physical router along with the WAN link and leave them to manage both
All the physical router needs to do is to route the IP addressing for the SD-WAN router and know how to reach your firewall
The SD-WAN router will take care of everything else through DMVPN/IPSec tunnels between the sites
And if you ever need to change providers, it would be very easy to do
Seems that communication between 2 vnets in same vxlan zone can’t talk out of the box. Would you have a hint?
Use a firewall or router if you need to connect them
VNets are similar to VLANs, i.e. they provide logical separation of traffic
From a private user/company perspective, each VNet will represent a different subnet e.g. 192.168.1.0/24 and 192.168.2.0/24
These days, computers in two different subnets shouldn't be able to communicate directly
So in this case we've been given VNet instead of VLAN separation to achieve that
You could set up a virtual router to route between the two
But a firewall would be better from a security perspective
Thank you for the video! Any chance to give a host itself an IP address inside an SDN VXLAN? So that the VMs in the vmnet can connect to the host without routing?
Not that I can see
The documentation says a VNet will be "available as a common Linux Bridge" and can "be assigned to VMs and Containers"
I'm not seeing any option to connect a node's physical interface to a VNet or to create a virtual interface for a node in a VNet
Great video, thx a lot!
By the way, is there any solution to allow VMs to connect to the internet from VXLAN without adding an additional interface?
Normally you'd want computers behind a firewall
So I have a virtual firewall that has an interface in the vxlan network of the vms and its wan interface connects to the default linux bridge
I still have a physical firewall in between the internet and my hypervisors though for extra security
@@TechTutorialsDavidMcKone Normally I would do the same😁 Interesting just for some kind of weird practice
Hi
Is a kubernetes sdn network a good use case for this?
As long as there's no need for direct contact with a physical device, then anything virtual should benefit
Proxmox VE just needs to be able to put the traffic into a tunnel and then it can send it to any other node
Very useful, thank you! I hope we will see support for anycast gateways in the future (one and the same on each node) to really make life simpler 😊 with DHCP or DHCP relay.
I hope you will also cover EVPN and I hope you will cover the IPAM and DNS integrations. I couldn't get them to work in my lab...
Some extra feedback: maybe you can show a diagram of what you are demonstrating. For example, the firewall VM you have running wasn't very clear to me at first
Thanks for the feedback, much appreciated
I like diagrams myself and was using them in my earlier videos, so I'm not sure why I've stopped adding them in
It will be interesting to see where this SDN solution goes mind
For now I'm not touching DHCP or EVPN as they're still in tech preview
I did try the DHCP server for instance but I was getting error messages after uninstalling Dnsmasq
Even in a lab that's not a good situation to be in
Fortunately I use nested hypervisors so I just rolled them back to a snapshot
Thanks, very helpful!!!!
Thanks for the feedback
I'm glad this SDN module is now supported as it's very useful
Looking forward to other parts being added
I'll do exactly but I got a problem with DHCP (( VM inside zone didn't get a custom IP address. VM got only 192.168.1.10x addresses((
Not sure on your setup
In mine, although I configured a VNet and 192.168.50.x subnet, it's only for reference
Even if the extra software is installed, at the moment, Proxmox VE will only supply an address for that subnet via DHCP if a Simple Zone is configured
So for now, to supply an IP address via DHCP to VNets in a VXLAN Zone, you have to use a separate DHCP server
And I had one connected to the subnet handing out IP addresses in the 192.168.1.x range
Later on, hopefully, we'll be able to take advantage of the IPAM and DHCP solution for SDN
DHCP doesn't work for vxlan on Proxmox 8.1...
Yeah, like I was mentioning in the video it's still in tech preview
It only works for simple networks, which is a shame
And you can't take advantage of the built-in IPAM solution either
So I just carried on using an external DHCP server
@@TechTutorialsDavidMcKone Thanks for replying! I'm using a Mikrotik GR3 to make my network. Is it possible to mix Mikrotik with Proxmox VXLAN?
@@eduardooroedell None of my devices support VXLAN so it's not something I've tried
I haven't seen any mention of connecting to other devices in the documentation
But all the config asks for is IP addressing, so it could be worth trying
Absolute gold dust! "_udp_4789 !" So much to wrap my head around.. Well explained demo, very helpful to debug the VNet using tcpdump and factoring in MTU sizes, incl. the extra overhead that needs factoring in for the real MTU. Very powerful technology!
I see this as a real game changer, and there's more to come when EVPN comes out of tech preview
But VXLAN alone really simplifies Datacenter design as you just need to build the underlying physical network once and then after that you just make changes in the PVE cluster
So much time and money to be saved and it will make life so much simpler
++
Very unpleasant presentation of information, everything is stretched out. And a bunch of errors:
In particular, DHCP will not work for VXLAN as well as SNAT. Because proxmox does not create gateway addresses for this type of SDN. This is relevant for Simple SDN.
The author himself does not know what he is talking about, and is trying to teach others incorrectly. Moreover, why talk about each point just reading the name of this point and reasoning about what you do not know. Do not shoot such content anymore - this is not yours, from the word AT ALL.
Disappointing to know this video wasn't to your liking, but thanks for the feedback
Personally I prefer detailed presentations, rather than someone just saying do this, do that
An explanation for the choices is a vital part of the learning experience
So that's why my videos are done this way
To some they'll be informative, to others stretched out
C'est la vie
I did make it clear at the start of the video mind that IPAM and the DHCP service do not work with VXLAN
I can only assume therefore you skipped that chapter since you're trying to point out to me the very thing I mentioned
I also pointed out that these are currently in tech preview
In other words, as I mentioned, these shouldn't go into a production environment
Currently, these features are more for niche users who run labs and are interested in learning about technology as Proxmox develops it
However, as I demonstrated, you can still use the traditional DHCP server to provide IP addressing for vNets you deploy with VXLAN
And chances are, companies will continue to use 3rd party IPAM solutions anyway
From a business perspective alone, it would be difficult to justify the extra work when you already have a working solution
The main gain I see from this use of VXLAN at the moment though is the ability to create an SDN overlay and simplify the underlying network
What I certainly wouldn't do though is have the hypervisor act as a gateway for vNets using SNAT
Not only does NAT cause all sorts of complications for security and troubleshooting but some applications can't work with it; just look at some of the workarounds firewall vendors had to deploy over the years
Besides, the default gateway should be a dedicated firewall
Granted Proxmox offers the ability to firewall traffic using iptables, but it's not as sophisticated as a dedicated firewall