Hey all, I am aiming to configure each host in my cluster with a /31 connection to a Cisco L3-capable switch (BGP is supported, but EVPN/VXLAN is not).
I've made some progress, but I'm encountering a few specific challenges that are hindering my ability to move forward. While I'm open to bypassing the web UI configuration options if necessary, I would like to exhaust all available settings before diving into direct FRR configuration.
Here are the issues I'm currently facing; I'm unsure whether they stem from my own misunderstanding of the configuration or from a software error (less likely):
I've made some progress, but I'm encountering a few specific challenges that are hindering my ability to move forward. While I'm open to bypassing the web UI configuration options if necessary, I would like to exhaust all available settings before diving into direct FRR configuration.
Here are the issues I'm currently facing; I'm unsure whether they stem from my own misunderstanding of the configuration or from a software error (less likely):
- When I tick the "Advertise Subnets" box on the EVPN zone, it only adds `redistribute connected` to the EVPN VRF section of /etc/frr/frr.conf.
- The BGP controller has no knowledge of the /32 host routes inside the "prod" VXLAN vnet; it only knows the gateway. Ideally I would advertise only the VMs' /32s (main issue).
- VM IP addresses do not show up in the IPAM menu under SDN.
- Which zone type (VXLAN or EVPN) should I use for additional subnets that need to be reachable from "Prod" but not from the Cisco switch (i.e., subnets I would filter with a route-map when redistributing)?
Code:
root@pve01:~# cat /etc/pve/sdn/controllers.cfg
bgp: bgppve01
asn 4200000001
node pve01
peers 192.168.65.3
bgp-multipath-as-path-relax 1
ebgp 1
ebgp-multihop 100
loopback lo
evpn: switch
asn 65000
peers 192.168.71.254
root@pve01:~# cat /etc/pve/sdn/subnets.cfg
subnet: prod-192.168.100.0-24
vnet data
dhcp-range start-address=192.168.100.10,end-address=192.168.100.250
gateway 192.168.100.1
snat 1
root@pve01:~# cat /etc/pve/sdn/vnets.cfg
vnet: data
zone prod
alias production data
tag 111
root@pve01:~# cat /etc/pve/sdn/zones.cfg
vxlan: prod
peers 192.168.72.4
ipam pve
evpn: public
controller switch
vrf-vxlan 123
advertise-subnets 1
exitnodes pve01
exitnodes-local-routing 1
exitnodes-primary pve01
ipam pve
mac BC:24:11:72:B1:33
rt-import 6500:123
root@pve01:~# cat /etc/frr/frr.conf
frr version 8.5.2
frr defaults datacenter
hostname pve01
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_public
vni 123
ip route 192.168.100.0/24 null0
exit-vrf
!
router bgp 4200000001
bgp router-id 192.168.72.3
no bgp default ipv4-unicast
coalesce-time 1000
bgp disable-ebgp-connected-route-check
bgp bestpath as-path multipath-relax
neighbor BGP peer-group
neighbor BGP remote-as external
neighbor BGP bfd
neighbor BGP ebgp-multihop 100
neighbor 192.168.65.3 peer-group BGP
neighbor VTEP peer-group
neighbor VTEP remote-as external
neighbor VTEP bfd
neighbor VTEP ebgp-multihop 10
neighbor VTEP update-source lo
neighbor 192.168.71.254 peer-group VTEP
!
address-family ipv4 unicast
network 192.168.72.3/32
neighbor BGP activate
neighbor BGP soft-reconfiguration inbound
exit-address-family
!
address-family l2vpn evpn
neighbor VTEP activate
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out
advertise-all-vni
autort as 65000
exit-address-family
exit
!
router bgp 4200000001 vrf vrf_public
bgp router-id 192.168.72.3
no bgp hard-administrative-reset
no bgp graceful-restart notification
!
address-family l2vpn evpn
route-target import 65000:123
route-target export 65000:123
default-originate ipv4
default-originate ipv6
route-target import 6500:123
exit-address-family
exit
!
ip prefix-list loopbacks_ips seq 10 permit 0.0.0.0/0 le 32
ip prefix-list only_default seq 1 permit 0.0.0.0/0
!
ipv6 prefix-list only_default_v6 seq 1 permit ::/0
!
route-map MAP_VTEP_IN deny 1
match ip address prefix-list only_default
exit
!
route-map MAP_VTEP_IN deny 2
match ipv6 address prefix-list only_default_v6
exit
!
route-map MAP_VTEP_IN permit 3
exit
!
route-map MAP_VTEP_OUT permit 1
exit
!
route-map correct_src permit 1
match ip address prefix-list loopbacks_ips
set src 192.168.72.3
exit
!
ip protocol bgp route-map correct_src
!
line vty
!
root@pve01:~#