# SDN Controller

The SDN Controller enables a user to create pool-wide and cross-pool private networks and more. It's available as a Xen Orchestra plugin (included in XOA Premium).

# Global Private Networks

Interconnect your VMs and hosts within a dedicated and secured private network, even accross different pools all around the world. This is a great way to protect "private links" (eg between applications and databases, management networks etc.) without any complicated deployment.

# How does it work?

Please read the dedicated devblog on the SDN Controller and its extension for cross-pool private networks.

WARNING

As VxLAN and GRE are protocols using extra encapsulation, they require extra bits on a network packet. If you create a Global Private Network with a default MTU at 1500, you won't be able to use it "as is" in your VMs, unless you configure a smaller MTU for each virtual interface, in your VM operating system (eg: 1400).

If you want something entirely transparent for your VMs, then you'll need to create a network with a MTU of 1546 for GRE or 1550 for VxLAN. However, larger MTU will require capable network equipements.

# Network creation

In the network creation view:

  • Select a pool
  • Select Private network
  • Select an interface on which to create the network's tunnels
  • Select the encapsulation: a choice is offered between GRE and VxLAN, if VxLAN is chosen, then port 4789 must be open for UDP traffic on all the network's hosts (see the requirements)
  • Choose if the network should be encrypted or not (see the requirements to use encryption)
  • Select other pools to add them to the network if desired
    • For each added pool: select an interface on which to create the tunnels
  • Create the network
  • Have fun! ☺

TIP

  • All hosts in a private network must be able to reach the other hosts' management interface.

    The term ‘management interface’ is used to indicate the IP-enabled NIC that carries the management traffic.

  • Only 1 encrypted GRE network and 1 encrypted VxLAN network per pool can exist at a time due to Open vSwitch limitation.

# Configuration

Like all other xo-server plugins, it can be configured directly via the web interface, see the plugin documentation.

The plugin's configuration contains:

  • cert-dir: The path where the plugin will look for the certificates to create SSL connections with the hosts. If none is provided, the plugin will create its own self-signed certificates.
  • override-certs: Enable to uninstall the existing SDN controller CA certificate in order to replace it with the plugin's one.

# Requirements

# VxLAN

  • On XCP-ng prior to 7.6:
    • To be able to use VxLAN, the following line needs to be added, if not already present, in /etc/sysconfig/iptables of all the hosts where VxLAN is wanted: -A xapi-INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 4789 -j ACCEPT

# Encryption

Encryption is not available prior to 8.0.

  • On XCP-ng 8.0:
    • To be able to encrypt the networks, openvswitch-ipsec package must be installed on all the hosts:
      • yum install openvswitch-ipsec --enablerepo=xcp-ng-testing
      • systemctl enable ipsec
      • systemctl enable openvswitch-ipsec
      • systemctl start ipsec
      • systemctl start openvswitch-ipsec

# OpenFlow rules

TIP

This feature is about to be released soon. Stay tuned!