OpenStack VXLAN

VXLAN is enabled by configuring the ML2 plugin, OVS agents, and physical MTU, then restarting services.

Prerequisites

• OpenStack: 2024.2 Dalmatian+ with Neutron.
• ML2 Plugin: Configured with openvswitch.
• Physical MTU: ≥1550 on all links.
• Kernel: Linux 3.12+.

Step 1: Configure the ML2 Plugin

Edit /etc/neutron/plugins/ml2/ml2_conf.ini on the controller node:

[ml2]
type_drivers = flat,vlan,vxlan
tenant_network_types = vxlan
mechanism_drivers = openvswitch

[ml2_type_vxlan]
vni_ranges = 1:10000

Step 2: Configure the OVS Agent

Edit /etc/neutron/plugins/ml2/openvswitch_agent.ini on every Compute and Network node:

[ovs]
local_ip = 10.0.1.11

[agent]
tunnel_types = vxlan
l2_population = true

[securitygroup]
firewall_driver = openvswitch

Step 3: Set the Physical MTU

On every Compute and Network node, set the physical interface MTU:

sudo ip link set ens192 mtu 9000

Configure Neutron in /etc/neutron/neutron.conf:

[DEFAULT]
global_physnet_mtu = 9000
path_mtu = 9000

Step 4: Configure the L3 Agent

Edit /etc/neutron/l3_agent.ini on Network nodes:

[DEFAULT]
interface_driver = openvswitch
external_network_bridge =

Step 5: Restart Services

Apply changes across the cluster:

# Controller
sudo systemctl restart neutron-server

# All Nodes
sudo systemctl restart neutron-openvswitch-agent
sudo systemctl restart neutron-l3-agent
sudo systemctl restart neutron-dhcp-agent

Step 6: Create a VXLAN Tenant Network

Source credentials and create the network:

source openrc admin admin

openstack network create --provider-network-type vxlan tenant-net
openstack subnet create --network tenant-net \
  --subnet-range 192.168.1.0/24 \
  --dns-nameserver 8.8.8.8 tenant-subnet

Verify the assigned VNI:

openstack network show tenant-net -c provider:segmentation_id

Step 7: Verify VXLAN Tunnels

Inspect the OVS database on a Compute node:

sudo ovs-vsctl show

Look for tunnel ports matching remote node IPs:

Port vxlan-0a000112
    Interface vxlan-0a000112
        type: vxlan
        options: {df_default=true, in_key=flow, local_ip="10.0.1.11", out_key=flow, remote_ip="10.0.1.12"}

Troubleshooting

• VMs cannot ping: Verify local_ip in openvswitch_agent.ini is reachable via ICMP between nodes.
• MTU issues: Ensure physical MTU ≥1550 and global_physnet_mtu matches in neutron.conf.
• No tunnels: Confirm neutron-openvswitch-agent is running, tunnel_types = vxlan is set, and UDP 4789 is open.
• VNI exhaustion: Increase vni_ranges in ml2_conf.ini and restart neutron-server.

VXLAN allows OpenStack to create millions of isolated virtual networks by wrapping Ethernet frames inside UDP packets. You configure this by setting the ML2 plugin to use VXLAN, defining tunnel IPs on each node, and ensuring your physical network supports the extra header size. Once configured, you can create tenant networks that automatically establish encrypted tunnels between hosts.