Overview

A Pica8 Network device implements Open vSwitch Database (OVSDB) management protocol, has connections with network virtualization controller, and can use Open vSwitch Database management protocol to deploy and manage VXLANs on VTEPs. For more OVSDB management protocol details, please read RFC7047.

NOTE:

VXLAN can be configured remotely via OVSDB. And MAC addresses learned can be synced to the OVSDB and vice versa.

Configuring an OVSDB Connection with a Controller

The device supports the following types OVSDB connections:

• SSL —The device initiates an SSL connection to an network virtualization controller.
• PSSL —The device accepts the SSL connection from an network virtualization controller.
• TCP —The device initiates a TCP connection to an network virtualization controller.
• PTCP —The device accepts the TCP connection from an network virtualization controller.

Creating and Installing an SSL Key and Certificate on a Pica8 Device

To secure a connection between a Pica8 device that supports the Open vSwitch Database (OVSDB) management protocol and one or more network virtualization controllers, the following Secure Sockets Layer (SSL) files must be present in the /ovs/var/lib/openvswitch/pki directory on the device:

• pica8-cert.pem
• pica8-privkey.pem
• pica8-req.pem

You must create the pica8-privkey.pem and pica8-cert.pem files for the device, and then install the two files in the /ovs/var/lib/openvswitch/pki directory on the device.

To create and install an SSL key and certificate on a Pica device:

1. Update the system time, or certificate will show expired.
2. Install openssl on Pica8 device or linux computer
3. Initialize a PKI on Pica8 device or linux computer
   # ovs-pki init --force
4. On Pica8 device or the same Linux computer on which the PKI exists, create a new key and certificate for the Pica8 device.
   # ovs-pki req+sign pica8
5. Copy only the pica8-privkey.pem and pica8-cert.pem files from the Linux computer to the /ovs/var/lib/openvswitch/pki directory on the Pica8 device.
   
   

Configure a OVSDB VTEP Step

OVSDB VTEP supported on PicOS L2/L3 switch, the commands configure step as below.

Enabling the OVSDB server

set vxlans ovsdb-managed true

Configuring a source address for VXLAN tunnels

set vxlans source-interface loopback address 10.10.10.1

Disabling VXLAN tunnels address learning

set vxlans tunnel-mac-leaning disable true

Configuring the VTEP management interface IP address

set protocols ovsdb management-ip 10.10.51.157  

Configuring an SSL connection to a network virtualization controller

set protocols ovsdb SSL private-key "/ovs/var/lib/openvswitch/pki/pica8-privkey.pem"
set protocols ovsdb SSL certificate "/ovs/var/lib/openvswitch/pki/pica8-cert.pem"
set protocols ovsdb SSL ca-cert "/ovs/var/lib/openvswitch/pki/controller.cacert"
set protocols ovsdb SSL bootstrap true
set protocols ovsdb controller c1 address 10.10.50.220 
set protocols ovsdb controller c1 protocol ssl

Configuring PSSL connection requests from a network virtualization controller

set protocols ovsdb SSL private-key "/ovs/var/lib/openvswitch/pki/pica8-privkey.pem"
set protocols ovsdb SSL certificate "/ovs/var/lib/openvswitch/pki/pica8-cert.pem"
set protocols ovsdb SSL ca-cert "/ovs/var/lib/openvswitch/pki/controller.cacert"
set protocols ovsdb SSL bootstrap true
set protocols ovsdb controller c1 protocol ssl

Configuring TCP connection to a network virtualization controller

set protocols ovsdb controller c1 address 10.10.50.220 
set protocols ovsdb controller c1 protocol tcp

Configuring PTCP connection requests from a network virtualization controller

set protocols ovsdb controller c1 protocol ptcp