Doubt in configuration using OVS; duplicate MAC address when using OVSIntPort

lp_xanclas

Apr 29, 2022
Hello all,
I'm a new starter in proxmox, and I have a doubt regarding OVS and SDN.
I have two proxmox servers, each with one dual-port NIC.
My doubt, first regarding OVS:
1- I created two OVS bridges on each proxmox server, using a dual-port NIC, with one OVS bridge associated with one port and the second OVS bridge associated with the other port
2- In each OVS bridge I created one ovsintport, with an IP address and without tagging any vlan
3- what's happening here, and the reason for my doubt:
the IPs configured on each ovsintport, with each ovsintport associated to one bridge, are in the same network segment. When I ping one IP, I get one mac address from the arp table. Pinging the second IP returns the same mac address, generating a warning of two different IPs having the same mac address.
Do you know if I'm configuring this correctly? My design is to use a different NIC port for proxmox management, and the other for the VTEP on SDN.
Does this make sense to all of you?

Thank you
LP_xanclas
 
Hi, I haven't tested vtep/Vxlan too much with ovs, but they are pure linux interfaces without any relation to ovs.
Only traffic is routed through the ip of the server, so here (I think) through the ovsintport ip.

Do you have any reason to use ovs here? Because if you only use vtep/vxlan, you really don't need it.


Anyway, could you share your current /etc/network/interfaces?

Have you already generated the sdn configuration?
 
Thought that VXLANs are only available when using OVS.
However, by reading your message, can SDN be achieved without using OVS?

No, really, this doesn't use ovs. (and if you want to use evpn, I'd really recommend not using ovs; I'm not sure that the frr routing daemon is working fine, because it's parsing mac addresses of kernel devices).

You don't even need any vmbrX linux bridge or ovs in /etc/network/interfaces. You can set up the ip address directly on physical interfaces.

The sdn plugin creates a linux bridge for each vnet with a linux vxlan interface. (this is generated in /etc/network/interfaces.d/sdn)

Then, the vxlan is transported on top of your physical interface ip address.


All the different sdn plugins (vlan, qinq, vxlan, ...) are working without ovs.
 
Hello, it's working with EVPN+VXLAN.
I got this on the local peer:

Flags: I=local-inactive, P=peer-active, X=peer-proxy
Neighbor                   Type    Flags  State   MAC                Remote ES/VTEP  Seq #'s
fe80::a0ab:52ff:feb1:9a26  local          active  a2:ab:52:b1:9a:26                  0/0
fe80::c8b9:cdff:fec5:7dcf  remote         active  ca:b9:cd:c5:7d:cf  192.168.2.29    0/0

The remote VM has the MAC ca:b9:cd:c5:7d:cf, which matches.
L2 Network is working, between two different hosts.
Thanks one more time for your help @spirit
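
Added example, not part of the original posts: the post above confirms the remote MAC by eye; this Python example runs the same check over the pasted neighbor table, and also flags a MAC learned behind more than one VTEP or one that disagrees with its EUI-64 link-local address. The third sample row, the EXPECTED inventory and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
# First two rows are from the post above; the third row is constructed.
SAMPLE = """\
Neighbor Type Flags State MAC Remote ES/VTEP Seq #'s
fe80::a0ab:52ff:feb1:9a26 local active a2:ab:52:b1:9a:26 0/0
fe80::c8b9:cdff:fec5:7dcf remote active ca:b9:cd:c5:7d:cf 192.168.2.29 0/0
10.0.0.50 remote active ca:b9:cd:c5:7d:cf 192.168.2.30 0/0
"""
# Assumed inventory (hypothetical): MAC -> VTEP it should sit behind, None = local.
EXPECTED = {"a2:ab:52:b1:9a:26": None, "ca:b9:cd:c5:7d:cf": "192.168.2.29"}

def parse_neighbors(text):
    """Flags may be empty, so find the MAC by pattern instead of by column."""
    rows = []
    for line in text.splitlines():
        tok = line.lower().split()
        idx = next((i for i, t in enumerate(tok) if MAC_RE.match(t)), None)
        if idx is None or idx < 3:
            continue  # header, legend or blank line
        rest = tok[idx + 1:]  # "<vtep> <seq>" for remote rows, "<seq>" for local
        rows.append({"ip": ipaddress.ip_address(tok[0]), "type": tok[1],
                     "mac": tok[idx], "vtep": rest[0] if len(rest) == 2 else None})
    return rows

def eui64_mac(addr):
    """MAC embedded in an EUI-64 link-local address, or None if not EUI-64."""
    iid = addr.packed[8:]
    if addr.version != 6 or not addr.is_link_local or iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)

def audit(rows, expected):
    """Findings: MAC unknown or behind the wrong VTEP, EUI-64 mismatch, MAC on >1 VTEP."""
    findings, seen = [], {}
    for r in rows:
        seen.setdefault(r["mac"], set()).add(str(r["vtep"]))
        if expected.get(r["mac"], "unknown") != r["vtep"]:
            findings.append(("unexpected-binding", r["mac"], r["vtep"]))
        derived = eui64_mac(r["ip"])
        if derived and derived != r["mac"]:
            findings.append(("eui64-mismatch", str(r["ip"]), r["mac"]))
    for mac, vteps in seen.items():
        if len(vteps) > 1:
            findings.append(("mac-on-multiple-vteps", mac, sorted(vteps)))
    return findings
```

Calling `audit(parse_neighbors(SAMPLE), EXPECTED)` reports only the constructed third row. Link-local addresses that are not EUI-64 derived are skipped by the EUI-64 check rather than flagged.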
 
By the way, what limitations can I face by not using OVS and using Linux Bridges instead? Can I use BGP with an external firewall?
 
By the way, what limitations can I face by not using OVS and using Linux Bridges instead?

Maybe if you need to do port mirroring, it's easier with ovs.
For all other features, linux bridge is 100% complete.

Can I use BGP with an external firewall?
Well, bgp is not related to ovs or linux bridge.
Are you talking about an external bgp peer (without evpn) with a firewall? (Like routing to an external pfsense maybe?)
 
Hello @spirit

Well, bgp is not related to ovs or linux bridge.
Are you talking about an external bgp peer (without evpn) with a firewall? (Like routing to an external pfsense maybe?)
Yes, that's my plan. That the workloads on proxmox can communicate externally. I'm only now talking about VMs, not containers. For connecting a pfsense for example, I need an additional BGP controller, correct? Then I need to define what routes I want to advertise to pfsense in proxmox server?
 
Hello @spirit


Yes, that's my plan. That the workloads on proxmox can communicate externally. I'm only now talking about VMs, not containers. For connecting a pfsense for example, I need an additional BGP controller, correct? Then I need to define what routes I want to advertise to pfsense in proxmox server?
Hi, sorry, I didn't see your response.

pfsense doesn't support evpn currently. (with evpn support, it could be defined as an evpn exit-node natively)

So, what you need to do:

- define exit-nodes in evpn (so the traffic will go out through these nodes from the evpn network to the external network).

by default, the traffic will go out through the default gw of these exit-nodes. (this could be your pfsense firewall; then, without extra bgp, you could add a static route in your pfsense to the evpn subnets via the exit-node ips.)

but you could also add a classic bgp session between the exit-nodes and your pfsense.
(you can add an extra bgp controller in the sdn config, for each exit-node, and define here an extra peer with your pfsense.)

I'll try to add some examples in the doc soon, but maybe look in the forum; I have already talked about this setup with some other proxmox users.
 
Hello @spirit, thanks for your message, and apologies for my late reply. If I set an extra bgp controller, do I need to set which subnets to advertise to pfsense? If yes, how can I configure which subnets of the SDN I want to advertise to pfsense?
Thank you so much
 
Hello @spirit, I'm trying to find some guide to configure pfsense and BGP. I've configured BGP on pfsense and on proxmox. After configuring a BGP controller, selecting EBGP and a different AS number, I receive the network advertised from pfsense. I'm trying to advertise some VNETs from the proxmox SDN to this pfsense. I accessed the "vtysh" cli and used these commands:
(changed my VNET network and the bgp AS number)

router bgp 1
address-family ipv4 unicast
network 10.0.0.0/8
exit-address-family

However I'm not getting this network added on the frr.conf, and also I don't see it being advertised to the pfsense. Do you have any tip for this?
Thank you.
 