Creating and Enabling a Flex Network

Learn about the system parameters you need to gather, and the required operations to set up a network connection between Private Cloud Appliance and an external system.

Flex Network Task Map

This task map describes the steps required to establish a Flex network between Private Cloud Appliance and an external system such as Oracle Exadata or Oracle Database Appliance.

  1. Identify the physical ports on the Spine switch you plan to use for the external connection, then cable the hardware together. See Connecting External Systems to Private Cloud Appliance Using Flex Networks.

  2. Create the Flex network from the Service enclave. See Adding the New Flex Network.

  3. From the Compute enclave, create a DRG to provide a way for compute instances to access the external system. See Creating a Dynamic Routing Gateway.

  4. From the Compute enclave, create VCNs, Subnets, Route Tables and Internet Gateways, if needed. See Other Considerations following this task map, Creating a VCN, and Managing VCNs and Subnets.

  5. From the Compute enclave, create DRG attachments so that the VCNs can use the DRG. See Attaching VCNs to a Dynamic Routing Gateway.

  6. From the Service enclave, enable communication between the Flex network and the VM subnets. See Enabling Flex Network Access.

Other Considerations

When implementing a Flex network, consider the following:

  • If a VM connected to a Flex network must also be accessed from a domain controller, you need to configure a second VNIC for that VM. See Creating and Attaching a Secondary VNIC.

  • Use an Internet Gateway (public subnet) for Domain Controller access using the primary VNIC.

  • Use a Dynamic Routing Gateway (private subnet) to access the Flex network.

  • Use separate Route Tables: one for the Internet Gateway with 0.0.0.0/0 and one for the DRG with a specific route rule for the Flex network.

  • Update Security Lists as needed to enable ingress traffic.

Flex Network with Route Table

In its original design, a flex network provides direct connectivity between a VCN and external devices, for example Oracle Exadata nodes or a ZFS Storage Appliance. This design is known as edge mode, and allows you to optionally advertise the flex network from the spine switches to the on-premises network.

A flex network in hub mode uses a gateway on the outside of Private Cloud Appliance instead of direct connections, to route traffic between external devices in an on-premises network and compute instances in a VCN. Flex network access is controlled by a route table, which is configured through the gatewayIp parameter.

Traffic between VCNs can also be routed through a flex network, for example if a firewall connected to the flex network needs to inspect the traffic.

Up to 6 route table entries can be specified in a flex network configuration. The syntax is as follows:

  • "r:" - prefix that marks the value as a list of route table entries (1 to 6)

  • "net_x" - destination subnet, in CIDR notation

  • "gw_x" - gateway IP address for the associated subnet

  • "," (comma) - separator between the subnet and its gateway within an entry

  • ":" (colon) - separator between route table entries

r:<net_1>,<gw_1>:<net_2>,<gw_2>:<net_n>,<gw_n>

For example:

r:10.25.0.0/26,10.212.3.8:172.16.48.0/22,10.212.3.30:0.0.0.0/0,10.212.3.15

adds route table entries for:

10.25.0.0/26 via 10.212.3.8
172.16.48.0/22 via 10.212.3.30
0.0.0.0/0 (default) via 10.212.3.15
Important

In earlier Private Cloud Appliance software versions, these restrictions apply:

  • Only a single gateway IP address is accepted. It's configured as the default gateway, providing access to any connected subnet.

  • When a gateway is configured, the flex network cannot be advertised to the data center network. These settings are mutually exclusive.

  • When a VCN has access to a flex network, overlapping CIDRs are not allowed.

  • VCN-to-VCN traffic cannot flow through the flex ports on the spine switches, only through the uplink ports.

Required Parameters

To set up a network connection between Private Cloud Appliance and an external system, you need this set of parameters:

cidr
    Example value: 10.nn.nn.0/24
    Choose a valid CIDR range that is within the CIDR range of the external system.

spine1Ip
    Example value: 10.nn.nn.2
    A valid IP address in the CIDR specified.

spine2Ip
    Example value: 10.nn.nn.3
    A valid IP address in the CIDR specified.

spineVip
    Example value: 10.nn.nn.1
    A valid IP address in the CIDR specified.

vlan
    Example value: 3062
    Choose a VLAN from 2 to 3899 that is not in use as the uplink VLAN or by another Flex network. Leave this parameter unset to attach a device that does not support VLAN tagging.

speed
    Example value: 10
    Speed of the aggregated switch links under the port channel. Must be 10, 20, 25, 40, 50, or 100 Gbit.

ports
    Example value: 7/1
    Ports 7/1-4, 8/1-4, 9/1-4, or 10/1-4 are valid for 10G or 25G speeds. Ports 7, 8, 9, or 10 are valid for 40G or 100G speeds. For more detail, see the next table.

gatewayIp (gateway IP or route table entry)
    Example values: 10.nn.nn.nn (gateway IP) or r:172.16.0.0/24,10.nn.nn.nn (route table entry)
    Valid IP address of the gateway. Default is null. A route table entry routes to a destination subnet (max. 6 entries) through a gateway, entered as r:<subnet_cidr>,<gateway_ip>.

advertiseNetwork
    Example value: True
    True or False. Enables or disables the visibility of the Flex network to the customer data center servers.

Note

When enabling a flex network, compute instance access to the uplink depends on the active Private Cloud Appliance controller software version. With version 3.0.2-b1483396 and later, uplink access is provided for flex networks in edge mode (without gateway) through the external system VRF. With older software versions, compute instances can connect using a separate interface through an internet or NAT gateway.

Valid speeds and valid port configurations are related. The following table shows the valid port configurations based on speed selected. Ports must be bonded on the external system side to match the Private Cloud Appliance configuration.

Speed       Valid Port Configurations
10 Gbit     7/1-4, 8/1-4, 9/1-4, or 10/1-4
20 Gbit     7/1-2, 8/1-2, 9/1-2, or 10/1-2 (20G bonds two 10G ports)
25 Gbit     7/1-4, 8/1-4, 9/1-4, or 10/1-4
40 Gbit     7, 8, 9, or 10
50 Gbit     7/1-2, 8/1-2, 9/1-2, or 10/1-2 (50G bonds two 25G ports)
100 Gbit    7, 8, 9, or 10

Note

For 25G Flex networks, forward error correction (FEC) is always set to off, with or without a gateway.
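Because a Flex network definition is applied to the spine switches as a single job, it pays to check the parameters before submitting them. The following pre-flight validator is an added example written for this page; it is not Oracle code and does not call the Service CLI. It encodes the constraints stated above: the spine IPs and VIP inside the CIDR and distinct, the VLAN in 2 to 3899 and not colliding with the uplink VLAN or another Flex network, the speed in the allowed set, the ports value valid for that speed, and the gatewayIp value parsed as either a plain gateway address or the "r:<net>,<gw>:..." route table string with at most 6 entries. Assumptions: the ports value is written exactly as the speed/port table lists it (one breakout port such as 7/1, a bond written N/1-2, or a whole port such as 7); a hub-mode gateway is an address on the Flex network itself, as in the example values in the parameter table; the snake_case field names, the uplink_vlan value and the earlier_software flag (which enforces the gateway/advertiseNetwork exclusivity from the Important note) are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ALLOWED_SPEEDS = (10, 20, 25, 40, 50, 100)   # Gbit, the 'speed' parameter
VLAN_RANGE = range(2, 3900)                   # 2 to 3899, the 'vlan' parameter
MAX_ROUTES = 6                                # route table entries per Flex network

# Reading of the speed/port table (assumption: the 'ports' value is written exactly
# as the table lists it: one breakout port, an 'N/1-2' bond, or a whole port).
PORT_PATTERN_BY_SPEED = {
    10: r"(7|8|9|10)/[1-4]", 25: r"(7|8|9|10)/[1-4]",  # one 10G or 25G breakout port
    20: r"(7|8|9|10)/1-2", 50: r"(7|8|9|10)/1-2",      # two bonded breakout ports
    40: r"(7|8|9|10)", 100: r"(7|8|9|10)",             # the whole spine port
}

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


@dataclass
class FlexNetworkSpec:
    cidr: str
    spine1_ip: str
    spine2_ip: str
    spine_vip: str
    speed: int
    ports: str
    vlan: Optional[int] = None      # None: the attached device does not tag VLANs
    gateway: Optional[str] = None   # gatewayIp: bare address or "r:<net>,<gw>:..." string
    advertise_network: bool = False


def port_is_valid(ports: str, speed: int) -> bool:
    pattern = PORT_PATTERN_BY_SPEED.get(speed)
    return pattern is not None and re.fullmatch(pattern, ports) is not None


def parse_gateway(value: str) -> List[Route]:
    """A bare address is a single default gateway; 'r:<net_1>,<gw_1>:<net_2>,<gw_2>...'
    yields one (subnet, gateway) pair per entry. Raises ValueError on bad syntax, bad
    addresses, host bits set in a subnet, or more than MAX_ROUTES entries."""
    if not value.startswith("r:"):
        return [(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address(value))]
    entries = value[2:].split(":")
    if len(entries) > MAX_ROUTES:
        raise ValueError(f"{len(entries)} route table entries, maximum is {MAX_ROUTES}")
    routes: List[Route] = []
    for entry in entries:
        net, sep, gw = entry.partition(",")
        if not sep or not net or not gw:
            raise ValueError(f"entry {entry!r} is not <subnet_cidr>,<gateway_ip>")
        # strict=True rejects a 'subnet' with host bits set, e.g. 10.25.0.1/26
        routes.append((ipaddress.IPv4Network(net, strict=True), ipaddress.IPv4Address(gw)))
    return routes


def validate(spec: FlexNetworkSpec, uplink_vlan: int, flex_vlans_in_use: Set[int],
             earlier_software: bool = False) -> List[str]:
    """Return the list of problems found; an empty list means the spec passes."""
    problems: List[str] = []
    try:
        cidr = ipaddress.IPv4Network(spec.cidr, strict=True)
    except ValueError as exc:
        return [f"cidr: {exc}"]

    addresses = {}
    for name in ("spine1_ip", "spine2_ip", "spine_vip"):
        try:
            addresses[name] = ipaddress.IPv4Address(getattr(spec, name))
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if addresses[name] not in cidr:
            problems.append(f"{name} {addresses[name]} is not inside {cidr}")
    if len(set(addresses.values())) != len(addresses):
        problems.append("spine1Ip, spine2Ip and spineVip must be distinct")

    if spec.vlan is not None:
        if spec.vlan not in VLAN_RANGE:
            problems.append(f"vlan {spec.vlan} is outside 2..3899")
        elif spec.vlan == uplink_vlan or spec.vlan in flex_vlans_in_use:
            problems.append(f"vlan {spec.vlan} is already used by the uplink or another Flex network")

    if spec.speed not in ALLOWED_SPEEDS:
        problems.append(f"speed {spec.speed} is not one of {ALLOWED_SPEEDS}")
    elif not port_is_valid(spec.ports, spec.speed):
        problems.append(f"ports {spec.ports!r} is not a valid configuration for {spec.speed}G")

    if spec.gateway is not None:
        try:
            for net, gw in parse_gateway(spec.gateway):
                # Assumption: a hub-mode gateway is an address on the Flex network itself.
                if gw not in cidr:
                    problems.append(f"gateway {gw} for {net} is not on the Flex network {cidr}")
        except ValueError as exc:
            problems.append(f"gatewayIp: {exc}")
        if earlier_software and spec.advertise_network:
            problems.append("a gateway and advertiseNetwork=True are mutually exclusive on earlier software")
    return problems
```

Run validate() on the parameter set you intend to pass to create flexNetwork; an empty list means every stated constraint holds, otherwise each string names the parameter to fix. The parser is deliberately strict about host bits in a route destination (10.25.0.1/26 is rejected), since a sloppy destination silently widens or narrows what the external gateway is allowed to reach.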

Adding the New Flex Network

Using the Service Web UI
  1. Determine the Flex network parameters. See Required Parameters.

  2. In the Dashboard, click the Racks quick action tile.

  3. In the PCA Config navigation menu on the Racks page, click Flex Networks.

  4. In the top-right corner above the table, click Create Flex Network.

  5. Fill out the Flex Network form using the parameters you collected in advance.

    By default the network is not advertised to the data center network. To advertise it, set the slider to on.

  6. Click Submit to create the new network. It appears in the Flex Networks table and its Lifecycle State changes to Available when the configuration has been applied successfully.

  7. Next, add a subnet to the Flex network. See Enabling Flex Network Access.

Using the Service CLI
  1. Determine the Flex network parameters. See Required Parameters.

  2. Create the Flex network by entering the parameters.

    PCA-ADMIN> create flexNetwork cidr=10.nn.nn.0/24  \
    spine1Ip=10.nn.nn.1 spine2Ip=10.nn.nn.2 spinevip=10.nn.nn.3 \
    vlan=900 gatewayIp=10.nn.nn.10 ports=7/1 advertiseNetwork=false
    Status: Success
    JobId: unique_id
  3. Next, add a subnet to the Flex network. See Enabling Flex Network Access.

Enabling Flex Network Access

Access from a VCN subnet to a Flex network is enabled through the Service CLI. Before enabling access from a subnet, make sure the configured IP address ranges of the Flex networks do not overlap.

Note

Overlapping CIDRs can be used if the flex network configuration is considered safe and passes internal system tests. There must be clean separation between flex networks and spine switch VRFs.

Subnets that have been granted access appear in the Flex network detail page under Access Lists, grouped by their parent VCN.

Using the Service CLI
  1. Get the OCID of the Flex network you want to enable, using the list FlexNetwork command.

  2. Enable access to a configured Flex network.

    PCA-ADMIN> flexNetworkEnableAccess flexNetworkId=ocid1.exadata.unique_id \
    subnetId=ocid1.subnet.unique_id
    Status: Success
    Data:
     id
     --
     ocid1.vcn.unique_id
  3. If you are using a secondary VNIC to access the Flex network, you must add a route to the Flex network CIDR address range through the interface of the secondary VNIC (eth1). Sign in to the compute instance configured with the secondary VNIC and add the route with ip route add:

    [root@hostname]# ip route add <Flex-CIDR-address-range> via <gateway> dev <vlan-interface>

    For example, if the Flex address range is 192.168.0.0/24, the gateway is 192.168.0.1 and the VLAN interface is bond0.900:

    [root@hostname]# ip route add 192.168.0.0/24 via 192.168.0.1 dev bond0.900

    A route added with ip route add does not survive a reboot, so also add it to the persistent network configuration of that interface.

    The new route appears in the IP routing table (route -n output) next to the route of the primary interface; here the secondary VNIC is eth1:

    Destination Gateway      Genmask       Flags Metric Ref Use Iface
     . . . . . . . . . . . . . . . . . . . . 
     192.168.1.0 192.168.1.1 255.255.255.0 UG    0      0   0   eth0 
     192.168.0.0 192.168.0.1 255.255.255.0 UG    0      0   0   eth1 

    A ping from the secondary VNIC, eth1, to a host on the Flex network now succeeds.