We're evaluating Proxmox SDN for our multi-site setup and running into some design limitations.
We have several divisions, each spanning multiple physical sites. Each site assigns its own VLAN ID and subnet per division. Site-to-site connectivity is handled via IPsec tunnels at the router level.
Conceptually, I want each division to correspond to a single SDN zone (type VLAN). Under that, I’d like to define vNETs representing each site's VLAN ID for that division. The goal is for the vNET to map to a different VLAN ID depending on the node it's used on.
However, from what I can tell:
As a workaround, I've set up named Linux bridges like vmbrDivA, vmbrDivB, and so on, on each node. Each bridge reflects the local VLAN ID or is left untagged. This allows me to move VMs between sites successfully, assuming the destination node has a bridge with the same name.
However, this approach does not use SDN and still has the same migration limitation. If the destination node lacks the matching bridge, the migration will fail. There is also no option to select a different bridge during the migration process.
Another limitation is with untagged traffic. I cannot define more than one untagged bridge on the same physical interface, such as bond0. For example, I would like to have both a default vmbr0 and a separate vmbrDivX, both untagged but logically distinct. Linux bridge behavior prevents this, and SDN does not appear to address it either.
I am still looking for a clean and scalable solution that can handle per-site VLAN differences under a unified logical division, and support VM migrations without relying on every node having a specific static bridge configuration.
Has anyone found a better approach to this? Is there a way to make this work cleanly with SDN, or is there an alternative setup that supports these requirements more gracefully?
We have several divisions, each spanning multiple physical sites. Each site assigns its own VLAN ID and subnet per division. Site-to-site connectivity is handled via IPsec tunnels at the router level.
Conceptually, I want each division to correspond to a single SDN zone (type VLAN). Under that, I’d like to define vNETs representing each site's VLAN ID for that division. The goal is for the vNET to map to a different VLAN ID depending on the node it's used on.
However, from what I can tell:
- vNETs are global within a zone and can't have per-node VLAN ID overrides
- Zones can be limited to specific nodes, but vNETs can't
- As a result, it seems I need a separate zone for each site-division combination, with a vNET that matches the site's VLAN ID for that division. This introduces a lot of overhead
As a workaround, I've set up named Linux bridges like vmbrDivA, vmbrDivB, and so on, on each node. Each bridge reflects the local VLAN ID or is left untagged. This allows me to move VMs between sites successfully, assuming the destination node has a bridge with the same name.
However, this approach does not use SDN and still has the same migration limitation. If the destination node lacks the matching bridge, the migration will fail. There is also no option to select a different bridge during the migration process.
Another limitation is with untagged traffic. I cannot define more than one untagged bridge on the same physical interface, such as bond0. For example, I would like to have both a default vmbr0 and a separate vmbrDivX, both untagged but logically distinct. Linux bridge behavior prevents this, and SDN does not appear to address it either.
I am still looking for a clean and scalable solution that can handle per-site VLAN differences under a unified logical division, and support VM migrations without relying on every node having a specific static bridge configuration.
Has anyone found a better approach to this? Is there a way to make this work cleanly with SDN, or is there an alternative setup that supports these requirements more gracefully?
