github.com/cilium/cilium@v1.16.2/Documentation/network/vtep.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _enable_vtep:

***********************************************
VXLAN Tunnel Endpoint (VTEP) Integration (beta)
***********************************************

.. include:: ../beta.rst

The VTEP integration allows third party VTEP devices to send and receive traffic to
and from Cilium-managed pods directly using VXLAN. This allows, for example, external
load balancers like BIG-IP to load balance traffic to Cilium-managed pods using VXLAN.

This document explains how to enable VTEP support and configure Cilium with VTEP
endpoint IPs, CIDRs, and MAC addresses.

.. note::

    This guide assumes that Cilium has been correctly installed in your
    Kubernetes cluster. Please see :ref:`k8s_quick_install` for more
    information. If unsure, run ``cilium status`` and validate that Cilium is up
    and running. This guide also assumes the VTEP devices have been configured with
    a VTEP endpoint IP, VTEP CIDRs and VTEP MAC addresses (VTEP MAC). The VXLAN network
    identifier (VNI) *must* be configured as VNI ``2``, which represents traffic
    from the VTEP as the world identity. See :ref:`reserved_labels` for more details.

Enable VXLAN Tunnel Endpoint (VTEP) integration
===============================================

This feature requires a Linux 5.2 kernel or later, and is disabled by default. When enabling the
VTEP integration, you must also specify the IPs, CIDR ranges and MACs for each VTEP device
as part of the configuration.

.. tabs::

    .. group-tab:: Helm

        If you installed Cilium via ``helm install``, you may enable
        the VTEP support with the following command:

        .. parsed-literal::

            helm upgrade cilium |CHART_RELEASE| \\
              --namespace kube-system \\
              --reuse-values \\
              --set vtep.enabled="true" \\
              --set vtep.endpoint="10.169.72.236 10.169.72.238" \\
              --set vtep.cidr="10.1.1.0/24 10.1.2.0/24" \\
              --set vtep.mask="255.255.255.0" \\
              --set vtep.mac="82:36:4c:98:2e:56 82:36:4c:98:2e:58"

    .. group-tab:: ConfigMap

        VTEP support can be enabled by setting the
        following options in the ``cilium-config`` ConfigMap:

        .. code-block:: yaml

            enable-vtep: "true"
            vtep-endpoint: "10.169.72.236 10.169.72.238"
            vtep-cidr: "10.1.1.0/24 10.1.2.0/24"
            vtep-mask: "255.255.255.0"
            vtep-mac: "82:36:4c:98:2e:56 82:36:4c:98:2e:58"

        Restart the Cilium daemonset:

        .. code-block:: bash

            kubectl -n $CILIUM_NAMESPACE rollout restart ds/cilium

How to test VXLAN Tunnel Endpoint (VTEP) Integration
====================================================

Start up a Linux VM with node network connectivity to the Cilium node.
To configure the Linux VM, you will need to be the ``root`` user or
run the commands below using ``sudo``.

::

    Test VTEP Integration

    Node IP: 10.169.72.233
    +--------------------------+        VM IP: 10.169.72.236
    |                          |        +------------------+
    |        CiliumNode        |        |     Linux VM     |
    |                          |        |                  |
    |    +---------+           |        |                  |
    |    | busybox |           |        |                  |
    |    |         |      ens192<------>ens192             |
    |    +--eth0---+           |        |                  |
    |        |                 |        +-----vxlan2-------+
    |        |                 |
    |      lxcxxx              |
    |        |                 |
    +------+-----cilium_vxlan--+

.. code-block:: bash

    # Create a vxlan device and set the MAC address.
    ip link add vxlan2 type vxlan id 2 dstport 8472 local 10.169.72.236 dev ens192
    ip link set dev vxlan2 address 82:36:4c:98:2e:56
    ip link set vxlan2 up
    # Configure the VTEP with IP 10.1.1.236 to handle CIDR 10.1.1.0/24.
    ip addr add 10.1.1.236/24 dev vxlan2
    # Assume the Cilium podCIDR network is 10.0.0.0/16; add a route to 10.0.0.0/16.
    ip route add 10.0.0.0/16 dev vxlan2 proto kernel scope link src 10.1.1.236
    # Allow the Linux VM to send ARP broadcast requests to the Cilium node so the
    # busybox pod address resolves through the vxlan2 device.
    bridge fdb append 00:00:00:00:00:00 dst 10.169.72.233 dev vxlan2

If you are managing multiple VTEPs, follow the above process for each instance.
Once the VTEPs are configured, you can configure Cilium to use the MAC, IP and CIDR ranges that
you have configured on the VTEPs. Follow the instructions in :ref:`enable_vtep`.

To test the VTEP network connectivity:

.. code-block:: bash

    # Ping a Cilium-managed busybox pod, IP 10.0.1.1 for example, from the Linux VM.
    ping 10.0.1.1

Limitations
===========

* This feature does not work with IPsec encryption between Cilium-managed pods and VTEPs.
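The ``vtep.endpoint``, ``vtep.cidr``, ``vtep.mask`` and ``vtep.mac`` settings above are positional lists: the i-th endpoint, CIDR and MAC must describe the same VTEP device, and every CIDR must carry the prefix length implied by the single mask. The POSIX shell script below is an added example, not Cilium's own code, that checks those four values against each other before they are handed to ``helm --set`` or written into the ``cilium-config`` ConfigMap; the function names are my own.

```shell
#!/bin/sh
# Added example (not Cilium's own code): sanity-check a VTEP configuration
# before it goes into `helm --set vtep.*` or the cilium-config ConfigMap.
# The i-th endpoint, CIDR and MAC must describe one VTEP device, and each
# CIDR must use the prefix length given by vtep.mask.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with every octet in 0..255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  set -- $(printf '%s' "$1" | tr . ' ')
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# is_mac ADDR: succeed if ADDR is a colon-separated unicast MAC; a set
# least-significant bit in the first octet marks a group (multicast) address.
is_mac() {
  printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
  first=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
  [ $(( first & 1 )) -eq 0 ]
}

# mask_to_prefix MASK: print the prefix length of a contiguous dotted mask
# (255.255.255.0 -> 24); fail on a non-contiguous mask such as 255.0.255.0.
mask_to_prefix() {
  is_ipv4 "$1" || return 1
  set -- $(printf '%s' "$1" | tr . ' ')
  v=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); n=0; t=$v
  while [ "$t" -ne 0 ]; do n=$(( n + (t & 1) )); t=$(( t >> 1 )); done
  [ "$v" -eq $(( (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF )) ] || return 1
  echo "$n"
}

# validate_vtep "ENDPOINTS" "CIDRS" "MASK" "MACS": print every problem found
# and succeed only when the four settings are mutually consistent.
validate_vtep() {
  endpoints=$1; cidrs=$2; mask=$3; macs=$4; rc=0
  want=$(mask_to_prefix "$mask") || { echo "bad mask: $mask"; return 1; }
  set -- $endpoints; n_ep=$#; set -- $cidrs; n_cidr=$#; set -- $macs; n_mac=$#
  if [ "$n_ep" -ne "$n_cidr" ] || [ "$n_ep" -ne "$n_mac" ]; then
    echo "count mismatch: $n_ep endpoints, $n_cidr CIDRs, $n_mac MACs"; rc=1
  fi
  for ep in $endpoints; do is_ipv4 "$ep" || { echo "bad endpoint IP: $ep"; rc=1; }; done
  for mac in $macs; do is_mac "$mac" || { echo "bad MAC: $mac"; rc=1; }; done
  for cidr in $cidrs; do
    is_ipv4 "${cidr%/*}" && [ "${cidr#*/}" = "$want" ] ||
      { echo "CIDR $cidr does not match mask $mask (/$want)"; rc=1; }
  done
  return $rc
}
```

Run it with the four values exactly as they appear in the Helm command or ConfigMap, for example ``validate_vtep "10.169.72.236 10.169.72.238" "10.1.1.0/24 10.1.2.0/24" "255.255.255.0" "82:36:4c:98:2e:56 82:36:4c:98:2e:58"``; a non-zero exit status means at least one line of findings was printed.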