The current implementation of the EVPN stack explicitly generates blackhole (null0) routes for each subnet of each VRF, which prevents zones from communicating with each other on exit nodes.
This behavior is undesired in setups where all nodes are also exit nodes: this happens when the nodes have dedicated links for external VM traffic to the upstream router and the node itself needs to handle all the routing between the subnets (be it normal or EVPN managed) on other, also dedicated, high-bandwidth links (thus the local traffic never goes to the router and back, as it does in a classic upstream topology).
We tested the operation by removing the explicit blackhole routes from the FRR VRFs, and there was no reason why this couldn't be allowed if this is the desired way of operating the network.
We understand that every change needs consideration and that the safe option is to generate the explicit routes by default, so what we ask for is a simple way to enable free communication on a per-zone basis via a boolean setting (default false). This way we could allow cross-zone communication for zones we don't want to limit. In the long term, it would be nice to have a setting with a list of zones to allow routing to, excluding them in the blackhole generation phase for those specific zones, allowing a more fine-grained security model. For now, the simple enable/disable option is sufficient to solve the broken model.
Related code part:
https://github.com/proxmox/pve-netw...VE/Network/SDN/Controllers/EvpnPlugin.pm#L266
Is it possible to schedule this quick allow feature for PVE 9?
If you need more info please let me know!
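Added example, not part of the post above and not code from pve-network: a stand-alone Python model of the blackhole-route generation the post describes, with the two knobs it asks for (a per-zone boolean that skips the null0 routes entirely, and a per-zone list of peer zones whose subnets are excluded from the null0 routes). The zone names, subnets, exit-node sets, the option names `allow-cross-zone` and `allowed-zones`, and the reduced `vrf vrf_<zone>` stanza layout are all constructed assumptions for illustration; the real plugin is Perl and its exact stanza contents are not reproduced here. The `ip route <cidr> null0` / `ipv6 route <cidr> null0` line form follows the post's description.

```python
import ipaddress

# Constructed sample SDN layout (assumption, not taken from any real cluster):
# zone -> CIDRs of the subnets configured on that zone's vnets.
ZONE_SUBNETS = {
    "zoneA": ["10.10.0.0/24", "fd00:a::/64"],
    "zoneB": ["10.20.0.0/24"],
    "zoneC": ["10.30.0.0/24"],
}

# Constructed: which nodes act as exit nodes for each zone.
ZONE_EXITNODES = {
    "zoneA": {"node1", "node2"},
    "zoneB": {"node1", "node2"},
    "zoneC": {"node2"},
}

# Hypothetical per-zone options modelling the feature request:
#   allow-cross-zone: bool, default False -> emit no null0 routes at all
#   allowed-zones:    list of peer zones whose subnets are not blackholed
ZONE_OPTIONS = {
    "zoneA": {"allow-cross-zone": True},
    "zoneB": {"allowed-zones": ["zoneA"]},
    "zoneC": {},
}


def route_keyword(cidr):
    """FRR static routes use 'ip route' for IPv4 and 'ipv6 route' for IPv6."""
    net = ipaddress.ip_network(cidr, strict=False)
    return "ipv6 route" if net.version == 6 else "ip route"


def blackhole_routes(zone, zone_subnets, allow_cross_zone=False, allowed_zones=()):
    """Return the null0 route lines for this zone's VRF.

    Default (safe) behaviour: every subnet of every *other* zone is blackholed,
    so traffic can never leave the zone's VRF towards another zone on an exit
    node. The per-zone boolean disables that entirely; the allow list removes
    only the listed peer zones from the blackhole set (the post's longer-term,
    finer-grained idea).
    """
    if allow_cross_zone:
        return []
    lines = []
    for other, subnets in sorted(zone_subnets.items()):
        if other == zone or other in allowed_zones:
            continue
        for cidr in subnets:
            lines.append(f"{route_keyword(cidr)} {cidr} null0")
    return lines


def vrf_stanza(zone, local_node, zone_subnets, zone_exitnodes, zone_options):
    """Build a reduced 'vrf vrf_<zone>' FRR stanza for local_node.

    Only the blackhole lines are modelled; they are emitted only when the local
    node is an exit node for the zone, since that is where the leak would occur.
    """
    opts = zone_options.get(zone, {})
    lines = [f"vrf vrf_{zone}"]
    if local_node in zone_exitnodes.get(zone, set()):
        for route in blackhole_routes(
            zone,
            zone_subnets,
            opts.get("allow-cross-zone", False),
            tuple(opts.get("allowed-zones", ())),
        ):
            lines.append(f" {route}")
    lines.append("exit-vrf")
    return lines


def frr_config(local_node, zone_subnets=ZONE_SUBNETS,
               zone_exitnodes=ZONE_EXITNODES, zone_options=ZONE_OPTIONS):
    """Concatenate the VRF stanzas for every zone, separated by '!' as in frr.conf."""
    out = []
    for zone in sorted(zone_subnets):
        out.extend(vrf_stanza(zone, local_node, zone_subnets, zone_exitnodes, zone_options))
        out.append("!")
    return out


if __name__ == "__main__":
    print("\n".join(frr_config("node1")))
```

With the sample options, node1 gets no null0 lines for zoneA (boolean opt-out), blackholes only zoneC's subnet inside vrf_zoneB (zoneA is on its allow list), and nothing for zoneC because node1 is not one of its exit nodes. Note that the boolean is a per-zone, default-false opt-out, so an unmodified zone keeps the current deny-by-default behaviour.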