From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id C0AB91FF146 for ; Tue, 09 Jun 2026 15:26:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id A063F123FB; Tue, 9 Jun 2026 15:25:58 +0200 (CEST) From: Hannes Laimer To: pve-devel@lists.proxmox.com Subject: [PATCH pve-docs 14/16] sdn: add microsegmentation section Date: Tue, 9 Jun 2026 15:25:20 +0200 Message-ID: <20260609132522.235917-15-h.laimer@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260609132522.235917-1-h.laimer@proxmox.com> References: <20260609132522.235917-1-h.laimer@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1781011484282 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.084 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: RBGMPNJPR332DJBKRYNB656LTCITCYD6 X-Message-ID-Hash: RBGMPNJPR332DJBKRYNB656LTCITCYD6 X-MailFrom: h.laimer@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Signed-off-by: Hannes Laimer --- pvesdn.adoc | 77 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/pvesdn.adoc b/pvesdn.adoc index a09a443..09ec087 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -443,6 +443,83 @@ DNS Zone Prefix:: Add a prefix to the domain registration, like .prefix. Optional. +[[pvesdn_config_microseg]] +Microsegmentation +----------------- + +Microsegmentation enforces an allow/deny policy between groups of guests at the +guest network interface, independent of IP addressing. Each interface can be +assigned to a *group*, and *rules* between groups decide which traffic is +allowed. Enforcement happens in the kernel via eBPF programs attached to the +guest interfaces, on the receiving side. + +The default is deny: without a matching rule, traffic between groups is +dropped, so every allowed flow needs an explicit rule. + +To carry the group identity between nodes, the underlying VXLAN must have Group +Based Policy enabled via the `VXLAN-GBP` option on the zone (see +xref:pvesdn_zone_plugin_vxlan[VXLAN Zones] and +xref:pvesdn_zone_plugin_evpn[EVPN Zones]). Traffic that stays on a single +node needs no extra configuration. A guest cannot forge its own group, as the +host stamps it at the interface; the underlay is trusted, much like a VLAN tag. + +[[pvesdn_microseg_group]] +Groups +~~~~~~ + +A group is a label applied to one or more guest interfaces. Groups can be +nested: a group may have a single parent, and a rule on a group also applies to +every group below it. When several rules match, the most specific one wins - +the rule naming the destination group closest in the tree, then the source +group. + +Group configuration options: + +Name:: An identifier for the group. + +Mark:: A unique numeric tag from 1 to 65535, carried on the wire to identify the + group. + +Parent:: Optional parent group, whose rules this group inherits and can refine. + +Comment:: Optional descriptive comment. + +[[pvesdn_microseg_rule]] +Rules +~~~~~ + +A rule maps a `(source group, destination group)` pair to *allow* or *deny*. As +the default is deny, rules are only needed to permit traffic, or to deny a flow +within a broader allow inherited from a parent. Traffic within a single group is +not permitted implicitly; add an explicit rule from a group to itself for that. + +Rule configuration options: + +Source group:: Where the traffic comes from. Leave empty to match unstamped + traffic, that is, traffic from interfaces not in any group. + +Destination group:: Where the traffic is destined. + +Action:: Allow or deny. + +NOTE: An interface with a group assigned drops unstamped traffic unless a rule +with an empty source for that group explicitly allows it. + +[[pvesdn_microseg_assignment]] +Assignments +~~~~~~~~~~~ + +An assignment places a specific guest network interface into a group. Each +interface can belong to at most one group. + +Assignment configuration options: + +Guest:: The VM or container. + +Network interface:: The interface of that guest to place in the group. + +Group:: The group to assign it to. + [[pvesdn_config_controllers]] Controllers ----------- -- 2.47.3