wido commented on code in PR #444: URL: https://github.com/apache/cloudstack-documentation/pull/444#discussion_r1793272701
########## source/plugins/vxlan.rst: ########## 
@@ -328,70 +234,134 @@ Since VXLAN uses UDP packet to forward encapsulated the L2 frames, UDP/8472 port must be opened. -Configure in RHEL or CentOS -''''''''''''''''''''''''''' - -RHEL and CentOS use iptables for firewalling the system, you can open -extra ports by executing the following iptable commands: - -:: - - $ sudo iptables -I INPUT -p udp -m udp --dport 8472 -j ACCEPT - - -These iptable settings are not persistent accross reboots, we have to -save them first. +Make sure that your firewall (firewalld, ufw, ...) allows UDP packets on port 8472, as an example: :: - $ sudo iptables-save > /etc/sysconfig/iptables - - -With this configuration you should be able to restart the Network, -although a reboot is recommended to see if everything works properly. - -:: - - $ sudo service network restart - $ sudo reboot + $ sudo firewall-cmd --zone=public --permanent --add-port=8472/udp + $ sudo ufw allow proto udp from any to any port 8472 -.. warning:: - Make sure you have an alternative way like IPMI or ILO to reach the machine - in case you made a configuration error and the Network stops functioning! +VXLAN using EVPN +--------------------- +Using VXLAN with BGP+EVPN as underlay is more complex to set up, but does allow for more scaling and provides much more flexibility. -Configure in Ubuntu -''''''''''''''''''' +This documentation can not cover all elements of deploying BGP+EVPN in your environment. -The default firewall under Ubuntu is UFW (Uncomplicated FireWall), which -is a Python wrapper around iptables. +It is recommend to read `this blogpost <https://vincent.bernat.ch/en/blog/2017-vxlan-bgp-evpn>`_ before you continue. 
-To open the required ports, execute the following commands: +The main items for using EVPN: -:: +- BGP Routing Daemon on the hypervisor +- No LACP/Bonding will be used +- Modified script is required to use EVPN instead of Multicast - $ sudo ufw allow proto udp from any to any port 8472 +EVPN Bash script +~~~~~~~~~~~~~~~~ +The default 'modifyvxlan.sh' script this is installed by CloudStack uses Multicast for VXLAN. -.. note:: - By default UFW is not enabled on Ubuntu. Executing these commands with the - firewall disabled does not enable the firewall. +A different version of this script is available which will use EVPN instead of Multicast and ships with CloudStack by default. -With this configuration you should be able to restart the Network, -although a reboot is recommended to see if everything works properly. +In order to use this script create a symlink on **each** KVM hypervisor :: - $ sudo service networking restart - $ sudo reboot - -.. warning:: - Make sure you have an alternative way like IPMI or ILO to reach the machine - in case you made a configuration error and the Network stops functioning! - + $ ln -s /usr/share/modifyvxlan.sh /usr/share/cloudstack-common/scripts/vm/network/vnet/modifyvxlan-evpn.sh + +This script is also available on `download.cloudstack.org <https://download.cloudstack.org/tools/scripts/vxlan/modifyvxlan.sh>`_. + +View the contents of the script to understand it's inner workings, some key items: + +- VXLAN (vtep) devices are created using 'nolearning', disabling the use of multicast +- UDP port 4789 (RFC 7348) Review Comment: Yes, otherwise UDP packets will not work. 4789 is being used by Cumulus, Arista, Juniper and others as the default VXLAN port. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
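Review bot: The firewall guidance in this hunk only opens UDP/8472 ("UDP/8472 port must be opened", `--add-port=8472/udp`, `ufw allow ... port 8472`), but the EVPN section further down states that the EVPN script uses "UDP port 4789 (RFC 7348)"; a reader following the firewall step and then switching to EVPN will have the wrong port allowed and VXLAN traffic silently dropped. Suggest adding an explicit sentence in the EVPN section that UDP/4789 (and the BGP daemon's peering traffic) must be permitted on each hypervisor, or parameterise the firewall examples on the port in use. The symlink step also needs clarification: `ln -s /usr/share/modifyvxlan.sh .../modifyvxlan-evpn.sh` creates a link named `modifyvxlan-evpn.sh` pointing at `/usr/share/modifyvxlan.sh`, yet the text says the default `modifyvxlan.sh` uses multicast and that the EVPN version "ships with CloudStack by default" while also being downloadable; state which file is the EVPN script, where CloudStack installs it, and how the agent is made to pick `modifyvxlan-evpn.sh` over `modifyvxlan.sh`. The removed `.. warning::` about keeping IPMI/iLO access still applies to the new firewall-cmd/ufw examples, since a wrong rule can cut off management access, so consider keeping it. Minor wording: "It is recommend to read" should be "It is recommended to read", "script this is installed" should be "script that is installed", and "it's inner workings" should be "its inner workings".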