From: Hannes Laimer
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-docs v3 9/9] sdn: add IPv6 RA / SLAAC section
Date: Tue, 23 Jun 2026 14:56:26 +0200
Message-ID: <20260623125626.1195681-10-h.laimer@proxmox.com>

Signed-off-by: Hannes Laimer
---
 pvesdn.adoc | 68 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)

diff --git a/pvesdn.adoc b/pvesdn.adoc index a09a443..d8a6a2d 100644 --- a/pvesdn.adoc +++ b/pvesdn.adoc @@ -409,6 +409,10 @@ xref:pvesdn_firewall_integration[VNET Firewall] to further isolate traffic in the VNET across nodes. For example, DROP by default and only allow traffic from the IP subnet to the gateway and vice versa. +For VNets in an EVPN zone, IPv6 Router Advertisements can be enabled so guests +autoconfigure via SLAAC. See +xref:pvesdn_ipv6_ra[IPv6 Router Advertisements (SLAAC)]. + [[pvesdn_config_subnet]] Subnets ------- 
@@ -442,6 +446,70 @@ SNAT:: Enable Source NAT which allows VMs from inside a DNS Zone Prefix:: Add a prefix to the domain registration, like .prefix. Optional. +On IPv6 subnets of an EVPN VNet with Router Advertisements enabled, additional +per-prefix options are available. See +xref:pvesdn_ipv6_ra[IPv6 Router Advertisements (SLAAC)]. + + +[[pvesdn_ipv6_ra]] +IPv6 Router Advertisements (SLAAC) +---------------------------------- + +VNets in an xref:pvesdn_zone_plugin_evpn[EVPN zone] can emit IPv6 Router +Advertisements (RAs) from their anycast gateway. Guests on the VNet then +autoconfigure their addresses via SLAAC and learn the default gateway, DNS +servers and other settings directly from the RA. + +RAs are enabled per VNet and require the VNet to have at least one IPv6 subnet. +The configuration follows the protocol's two layers: RA-wide settings live on +the VNet (the 'IPv6 Router Advertisement' tab), per-prefix settings on each +IPv6 subnet (the 'IPv6 Prefix Options' tab). The defaults are chosen so that +enabling RAs on a VNet with a /64 IPv6 subnet already lets guests +autoconfigure, without setting any of the options below. + +Per-VNet options: + +Send Router Advertisements:: Emit RAs on this VNet's bridge. Only available for + VNets in an EVPN zone that have at least one IPv6 subnet. The remaining + options only take effect while this is enabled. + +DHCP Managed (M):: Set the managed-address (M) flag, telling hosts to obtain + their addresses via DHCPv6 in addition to, or instead of, SLAAC. Optional, + off by default. + +DHCP Other (O):: Set the other-configuration (O) flag, telling hosts to obtain + other information, such as DNS servers, via DHCPv6. Optional, off by default. + +RDNSS:: Recursive DNS server IPv6 addresses to advertise, so hosts learn their + resolvers from the RA itself. Optional. + +Router Lifetime (s):: Seconds for which hosts may use this gateway as a default + router, 0 to 9000. 
A value of 0 advertises the gateway as not being a default + router, for example when the RA only distributes a prefix or DNS servers. A + non-zero value must be at least the RA interval. Optional. + +RA Interval (s):: Maximum number of seconds (4 to 1800) between two unsolicited + RAs. Optional, defaults to 600. + +Advertised MTU:: Link MTU to advertise to hosts, 1280 to 65535. Optional. + +Per-subnet options (IPv6 subnets only): + +SLAAC (A):: Set the autonomous (A) flag, advertising the prefix for SLAAC so + hosts can derive an address from it. SLAAC requires a /64 prefix, so this + defaults to enabled on /64 subnets and is disabled, and cannot be enabled, on + others. + +On-link (L):: Set the on-link (L) flag, advertising the prefix as reachable + directly on the link. Optional, on by default. + +Valid Lifetime (s):: Seconds an address derived from this prefix stays valid. + Optional, defaults to 2592000 (30 days). + +Preferred Lifetime (s):: Seconds an address derived from this prefix stays + preferred. Must not exceed the valid lifetime. Optional, defaults to 604800 + (7 days). + [[pvesdn_config_controllers]] Controllers -- 2.47.3
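
Review bot: In the first hunk (@@ -409,6 +409,10 @@), the new RA paragraph lands directly after the advice to "DROP by default and only allow traffic from the IP subnet to the gateway and vice versa", and the two do not obviously compose. Router Solicitations and Router Advertisements are ICMPv6 messages exchanged with link-local and multicast addresses rather than addresses from the VNet's subnet, so a reader who follows the firewall example literally may end up dropping them. Suggest adding a sentence that states whether the VNet firewall needs an explicit allowance for them when RAs are enabled, or moving the paragraph so it does not read as a continuation of the isolation example.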
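
Review bot: In the second hunk (@@ -442,6 +446,70 @@), "Router Lifetime (s)" documents a range and the constraint "A non-zero value must be at least the RA interval" but no default, while "RA Interval (s)" states "defaults to 600". Please state the value used when Router Lifetime is unset, and what happens if only the RA interval is raised above a previously configured lifetime. "RDNSS" and "Advertised MTU" have the same gap: say what is advertised when they are left empty. For "DHCP Managed (M)" and "DHCP Other (O)", the text says hosts are told to use DHCPv6 but not whether a DHCPv6 server is available on the VNet; a sentence noting that the flags only point hosts at DHCPv6 and that the server has to be provided separately (if that is the case) would prevent guests ending up without addresses or resolvers.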