1.\" 2.\" This file and its contents are supplied under the terms of the 3.\" Common Development and Distribution License ("CDDL"), version 1.0. 4.\" You may only use this file in accordance with the terms of version 5.\" 1.0 of the CDDL. 6.\" 7.\" A full copy of the text of the CDDL should have accompanied this 8.\" source. A copy of the CDDL is also available via the Internet at 9.\" http://www.illumos.org/license/CDDL. 10.\" 11.\" 12.\" Copyright 2015 Joyent, Inc. 13.\" 14.Dd March 30, 2022 15.Dt OVERLAY 7 16.Os 17.Sh NAME 18.Nm overlay 19.Nd Overlay Devices 20.Sh DESCRIPTION 21Overlay devices are a GLDv3 device that allows users to create overlay 22networks that can be used to form the basis of network virtualization 23and software defined networking. 24Overlay networks allow a single physical network, often called an 25.Sy underlay 26network, to provide the means for creating multiple logical, isolated, 27and discrete layer two and layer three networks on top of it. 28.Pp 29Overlay devices are administered through 30.Xr dladm 8 . 31Overlay devices themselves cannot be plumbed up with 32.Sy IP , 33.Sy vnd , 34or any other protocol. 35Instead, like an 36.Sy etherstub , 37they allow for VNICs to be created on top of them. 38Like an 39.Sy etherstub , 40an overlay device acts as a local switch; however, when it encounters a 41non-local destination address, it instead looks up where it should send 42the packet, encapsulates it, and sends it out another interface in the 43system. 44.Pp 45A single overlay device encapsulates the logic to answer two different, 46but related, questions: 47.Pp 48.Bl -enum -offset indent -compact 49.It 50How should a packet be transformed and put on the wire? 51.It 52Where should a transformed packet be sent? 53.El 54.Pp 55Each of these questions is answered by a plugin. 56The first question is answered by what's called an 57.Em encapsulation plugin . 58The second question is answered by what's called a 59.Em search plugin . 60Packets are encapsulated and decapsulated using the encapsulation plugin 61by the kernel. 62The search plugins are all user land plugins that are consumed by the 63varpd service whose FMRI is 64.Em svc:/network/varpd:default . 65This separation allows for the kernel to be responsible for the data 66path, while having the search plugins in userland allows the system to 67provide a much more expressive interface. 68.Ss Overlay Types 69Overlay devices come in two different flavors, one where all packets are 70always sent to a single address, the other, where the destination of a 71packet varies based on the target MAC address of the packet. 72This information is maintained in a 73.Em target table , 74which is independent and unique to each overlay device. 75We call the plugins that send traffic to a single location, for example 76a single unicast or multicast IP address, a 77.Sy point to point 78overlay and the overlay devices that can send traffic to different 79locations based on the MAC address of that packet a 80.Sy dynamic 81overlay. 82The plugin type is determined based on the type of the 83.Sy search plugin . 84These are all fully listed in the section 85.Sx Plugins and their Properties . 86.Ss Overlay Destination 87Both encapsulation and search plugins define the kinds of destinations 88that they know how to support. 89An encapsulation plugin always has a single destination type that's 90determined based on how the encapsulation is defined. 91A search plugin, on the other hand, can support multiple combinations of 92destinations. 93A search plugin must support the destination type of the encapsulation 94device. 95The destination may require any of the following three pieces of 96information, depending on the encapsulation plugin: 97.Bl -hang -width Ds 98.It Sy MAC Address 99.Bd -filled -compact 100An Ethernet MAC address is required to determine the destination. 101.Ed 102.It Sy IP Address 103.Bd -filled -compact 104An IP address is required. 105Both IPv4 and IPv6 addresses are supported. 106.Ed 107.It Sy Port 108.Bd -filled -compact 109An IP protocol level (TCP, UDP, SCTP, etc.) port is required. 110.Ed 111.El 112.Pp 113The list of destination types that are supported by both the search and 114encapsulation plugins is listed in the section 115.Sx Plugins and their Properties . 116.Ss varpd 117The varpd service, mentioned above, is responsible for providing the 118virtual ARP daemon. 119Its responsibility is conceptually similar to ARP. 120It runs all instances of search plugins in the system and is responsible 121for answering the kernel's ARP-like questions for where packets should 122be sent. 123.Pp 124The varpd service, svc:/network/varpd:default, must be enabled for 125overlay devices to function. 126If it is disabled while there are active devices, then most overlay 127devices will not function correctly and likely will end up dropping 128traffic. 129.Sh PLUGINS AND PROPERTIES 130Properties fall into three categories in the system: 131.Bl -enum -offset indent -compact 132.It 133Generic properties all overlay devices have 134.It 135Properties specific to the encapsulation plugin 136.It 137Properties specific to the search plugin 138.El 139.Pp 140Each property in the system has the following attributes, which mirror 141the traditional 142.Xr dladm 8 143link properties: 144.Bl -hang -width Ds 145.It Sy Name 146.Bd -filled -compact 147The name of a property is namespaced by its module and always structured 148and referred to as as module/property. 149This allows for both an encapsulation and search plugin to have a 150property with the same name. 151Properties that are valid for all overlay devices and not specific to a 152module do not generally use a module prefix. 153.Pp 154For example, the property 155.Sy vxlan/listen_ip 156is associated with the 157.Sy vxlan 158encapsulation module. 159.Ed 160.It Sy Type 161.Bd -filled -compact 162Each property in the system has a type. 163.Xr dladm 8 164takes care of converting between the internal representation and a 165value, but the type influences the acceptable input range. 166The types are: 167.Bl -hang -width Ds 168.It Sy INT 169A signed integer that is up to eight bytes long 170.Pq Sy int64_t . 171.It Sy UINT 172An unsigned integer that is up to eight bytes long 173.Pq Sy uint64_t . 174.It Sy IP 175Either an IPv4 or IPv6 address in traditional string form. 176For example, 192.168.128.23 or 2001:470:8af4::1:1. 177IPv4 addresses may also be encoded as IPv4-mapped IPv6 addresses. 178.It Sy STRING 179A string of ASCII or UTF-8 encoded characters terminated with a 180.Sy NUL 181byte. 182The maximum string length, including the terminator, is currently 183256 bytes. 184.El 185.Ed 186.It Sy Permissions 187.Bd -filled -compact 188Each property has permissions associated with it, which indicate whether 189the system considers them read-only properties or read-write properties. 190A read-only property can never be updated once the device is created. 191This generally includes things like the overlay's encapsulation module. 192.Ed 193.It Sy Required 194.Bd -filled -compact 195This property indicates whether the property is required for the given 196plugin. 197If it is not specified during a call to 198.Sy dladm create-overlay , 199then the overlay cannot be successfully created. 200Properties which have a 201.Sy default 202will use that value if one is not specified rather than cause the 203overlay creation to fail. 204.Ed 205.It Sy Current Value 206.Bd -filled -compact 207The current value of a property, if the property has a value set. 208Required properties always have a value set. 209.Ed 210.It Sy Default Value 211.Bd -filled -compact 212The default value is an optional part of a given property. 213If a property does define a default value, then it will be used when an 214overlay is created and no other value is given. 215.Ed 216.It Sy Value ranges 217.Bd -filled -compact 218Value ranges are an optional part of a given property. 219They indicate a range or set of values that are valid and may be set for 220a property. 221A property may not declare such a range as it may be impractical or 222unknown. 223For example, most properties based on IP addresses will not 224declare a range. 225.Ed 226.El 227.Pp 228The following sections describe both the modules and the properties that 229exist for each module, noting their name, type, permissions, whether or 230not they are required, and if there is a default value. 231In addition, the effects of each property will be described. 232.Ss Encapsulation Plugins 233.Bl -hang -width Ds 234.It Sy vxlan 235The 236.Sy vxlan 237module is a UDP based encapsulation method. 238It takes a frame that would be put on the wire, wraps it up in a VXLAN 239header and places it in a UDP packet that gets sent out on the 240underlying network. 241For more details about the specific format of the VXLAN header, see 242.Xr vxlan 4P . 243.Pp 244The 245.Sy vxlan 246module requires both an 247.Sy IP address 248and 249.Sy port 250to address it. 251It has a 24-bit virtual network ID space, allowing for 252virtual network identifiers that range from 253.Sy 0 254- 255.Sy 16777215 . 256.Pp 257The 258.Sy vxlan 259module has the following properties: 260.Bl -hang -width Ds 261.It Sy vxlan/listen_ip 262.Bd -filled -compact 263Type: 264.Sy IP | 265Permissions: 266.Sy Read/Write | 267.Sy Required 268.Ed 269.Bd -filled 270The 271.Sy vxlan/listen_ip 272property determines the IP address that the system will accept VXLAN 273encapsulated packets on for this overlay. 274.Ed 275.It Sy vxlan/listen_port 276.Bd -filled -compact 277Type: 278.Sy UINT | 279Permissions: 280.Sy Read/Write | 281.Sy Required 282.Ed 283.Bd -filled -compact 284Default Value: 285.Sy 4789 | 286Range: 287.Sy 0 - 65535 288.Ed 289.Bd -filled 290The 291.Sy vxlan/listen_port 292property determines the UDP port that the system will listen on for 293VXLAN traffic for this overlay. 294The default value is 295.Sy 4789 , 296the IANA assigned port for VXLAN. 297.Ed 298.El 299.Pp 300The 301.Sy vxlan/listen_ip 302and 303.Sy vxlan/listen_port 304properties determine how the system will accept VXLAN encapsulated 305packets for this interface. 306It does not determine the interface that packets will be sent out over. 307Multiple overlays that all use VXLAN can share the same IP and port 308combination, as the virtual network identifier can be used to tell the 309different overlays apart. 310.El 311.Ss Search Plugins 312Because search plugins may support multiple destinations, they may have 313more properties listed than necessarily show up for a given overlay. 314For example, the 315.Sy direct 316plugin supports destinations that are identified by both an IP address 317and a port, or just an IP address. 318In cases where the device is created over an overlay that only uses an 319IP address for its destination, then it will not have the 320.Sy direct/dest_port 321property. 322.Bl -hang -width Ds 323.It Sy direct 324The 325.Sy direct 326plugin is a point to point module that can be used to create an overlay 327that forwards all non-local traffic to a single destination. 328It supports destinations that are a combination of an 329.Sy IP Address 330and a 331.Sy port . 332.Pp 333The 334.Sy direct 335plugin has the following properties: 336.Bl -hang -width Ds 337.It Sy direct/dest_ip 338.Bd -filled -compact 339Type: 340.Sy IP | 341Permissions: 342.Sy Read/Write | 343.Sy Required 344.Ed 345.Bd -filled 346The 347.Sy direct/dest_ip 348property indicates the IP address that all traffic will be sent out. 349Traffic will be sent out the corresponding interface based on 350traditional IP routing rules and the configuration of the networking 351stack of the global zone. 352.Ed 353.It Sy direct/dest_port 354.Bd -filled -compact 355Type: 356.Sy UINT | 357Permissions: 358.Sy Read/Write | 359.Sy Required 360.Ed 361.Bd -filled -compact 362Default Value: 363.Sy - | 364Range: 365.Sy 0 - 65535 366.Ed 367.Bd -filled 368The 369.Sy direct/dest_port 370property indicates the TCP or UDP port that all traffic will be directed 371to. 372.Ed 373.El 374.It Sy files 375The 376.Sy files 377plugin implements a 378.Sy dynamic 379plugin that specifies where traffic should be sent based on a file. 380It is a glorified version of /etc/ethers. 381The 382.Sy dynamic 383plugin does not support broadcast or multicast traffic, but it has 384support for proxy ARP, NDP, and DHCPv4. 385For the full details of the file format, see 386.Xr overlay_files 5 . 387.Pp 388The 389.Sy files 390plugin has the following property: 391.Bl -hang -width Ds 392.It Sy files/config 393.Bd -filled -compact 394Type: 395.Sy String | 396Permissions: 397.Sy Read/Write | 398.Sy Required 399.Ed 400.Bd -filled 401The 402.Sy files/config 403property specifies an absolute path to a file to read. 404The file is a JSON file that is formatted according to 405.Xr overlay_files 5 . 406.Ed 407.El 408.El 409.Ss General Properties 410Each overlay has the following properties which are used to give 411additional information about the system. 412None of these properties may be specified as part of a 413.Sy dladm create-overlay , 414instead they come from other arguments or from internal parts of the 415system. 416.Bl -hang -width Ds 417.It Sy encap 418.Bd -filled -compact 419.Sy String | 420Permissions: 421.Sy Read Only 422.Ed 423.Bd -filled 424The 425.Sy encap 426property contains the name of the encapsulation module that's in use. 427.Ed 428.It Sy mtu 429.Bd -filled -compact 430.Sy UINT | 431Permissions: 432.Sy Read/Write 433.Ed 434.Bd -filled -compact 435Default Value: 436.Sy 1400 | 437Range: 438.Sy 576 - 9000 439.Ed 440.Bd -filled 441The 442.Sy mtu 443property describes the maximum transmission unit of the overlay. 444The default value is 445.Sy 1400 446bytes, which ensures that in a traditional deployment with an MTU of 4471500 bytes, the overhead that is added from encapsulation is all 448accounted for. 449It is the administrator's responsibility to ensure that 450the device's MTU and the encapsulation overhead does not exceed that of 451the interfaces that the encapsulated traffic will be sent out of. 452.Pp 453To modify the 454.Sy mtu 455property, use 456.Sy dladm set-linkprop . 457.Ed 458.It Sy search 459.Bd -filled -compact 460.Sy String | 461Permissions: 462.Sy Read Only 463.Ed 464.Bd -filled 465The 466.Sy search 467property contains the name of the search plugin that's in use. 468.Ed 469.It Sy varpd/id 470.Bd -filled -compact 471.Sy String | 472Permissions: 473.Sy Read Only 474.Ed 475.Bd -filled 476The 477.Sy varpd/id 478property indicates the identifier which the 479.Sy varpd 480service uses for this overlay. 481.Ed 482.It Sy vnetid 483.Bd -filled -compact 484.Sy UINT | 485Permissions: 486.Sy Read/Write 487.Ed 488.Bd -filled 489The 490.Sy vnetid 491property has the virtual network identifier that belongs to this overlay. 492The valid range for the virtual network identifier depends on the 493encapsulation engine. 494.Ed 495.El 496.Sh FMA INTEGRATION 497Overlay devices are wired into FMA, the illumos fault management 498architecture, and generates error reports depending on the 499.Sy search 500plugin in use. 501Due to limitations in FMA today, when a single overlay 502enters a degraded state, meaning that it cannot properly perform look 503ups or another error occurred, then it degrades the overall 504.Sy overlay 505pseudo-device driver. 506.Pp 507For more fine-grained information about which overlay is actually in a 508.Em degraded 509state, one should run 510.Sy dladm show-overlay -f . 511In addition, for each overlay in a degraded state a more useful 512diagnostic message is provided which describes the reason that caused 513this overlay to enter into a degraded state. 514.Pp 515The overlay driver is self-healing. 516If the problem corrects itself on its own, it will clear the fault on 517the corresponding device. 518.Sh SEE ALSO 519.Xr vxlan 4P , 520.Xr overlay_files 5 , 521.Xr dladm 8 522