Integrating Proxmox SDN with existing SDN network

M

mbosma

Well-Known Member
Dec 3, 2018
124
24
58
30
I've been trying to integrate the Proxmox SDN into an existing vxlan network using IS-IS.
This way we'll be able to use the different vnets across multiple clusters as well as bind that to a vlan to attach legacy devices.

Our lab setup is using a route-reflector on a spine switch and 2 leaf switches.
Using IS-IS as underlay and evpn the proxmox servers (2 in a cluster and 1 separate) are able to receive routes from the route-reflector.
This way vm's can communicate with other vm's in the vnet as well as vm's on other clusters and devices connected to that vni.

This lab setup turned out sort of successfully but here's the catch.
There are a couple of options the Proxmox SDN plugin pushes (and doesn't push) which requires manual steps each time the config reloads.

A couple of changes I can configure in frr.conf.local:
The isis router:
Code: 
router isis 1
 net 10.0000.0000.0005.00
 redistribute ipv4 connected level-1
 log-adjacency-changes
exit

And:
Code: 
router bgp 65000
 address-family l2vpn evpn
  no neighbor VTEP route-map MAP_VTEP_IN in
  no neighbor VTEP route-map MAP_VTEP_OUT out
 exit
exit
For some reason frr doesn't want to act as route-reflector client when these settings are applied even though permit is set to 1.
I'm no frr expert by all means but removing these worked.

The following changes however are not parsed in frr.conf.local and is actually the most vital one.
Code: 
interface vmbr1
 ip router isis 1
exit
Without this change the servers lose the IS-IS underlay and all routes essentially bringing down the whole network on the hosts.

I tried a bit of hacking in the SDN plugin but my perl is not up to the task.
Would it be possible to parse the interface codeblocks?

Here's some more information for those interested:

A diagram of the connected devices:
image.png

These are are the SDN configs:
Code: 
root@pve1-test:~# cat /etc/pve/sdn/controllers.cfg
evpn: evpn
        asn 65000
        peers 10.99.99.1

root@pve1-test:~# cat /etc/pve/sdn/zones.cfg
evpn: evpnz1
        controller evpn
        vrf-vxlan 1001
        advertise-subnets 1
        ipam pve
        mac DE:AA:11:CD:D5:98
        mtu 9000

root@pve1-test:~# cat /etc/pve/sdn/vnets.cfg
vnet: vni100
        zone evpnz1
        tag 100

vnet: vni300
        zone evpnz1
        tag 300

vnet: vni200
        zone evpnz1
        tag 200

And network config:
Code: 
auto lo
iface lo inet static
        address 10.99.99.4/32

iface lo inet static
        address 10.99.99.4/32

iface eno1 inet manual

iface eno2 inet manual

iface enp8s0f0 inet manual

auto enp8s0f1
iface enp8s0f1 inet manual
        mtu 9000

auto vmbr0
iface vmbr0 inet static
        address 192.168.245.201/24
        gateway 192.168.245.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

auto vmbr1
iface vmbr1 inet static
        address 10.1.0.1/31
        bridge-ports enp8s0f1
        bridge-stp off
        bridge-fd 0
        mtu 9000

auto vmbr2
iface vmbr2 inet static
        address 10.66.100.20/24
        bridge-ports enp8s0f0
        bridge-stp off
        bridge-fd 0

source /etc/network/interfaces.d/*

And the working running config of frr:
Code: 
!
frr version 8.5.1
frr defaults datacenter
hostname pve1-test
log syslog informational
service integrated-vtysh-config
!
vrf vrf_evpnz1
 vni 1001
exit-vrf
!
interface vmbr1
 ip router isis 1
exit
!
router bgp 65000
 bgp router-id 10.1.0.1
 no bgp hard-administrative-reset
 no bgp default ipv4-unicast
 coalesce-time 1000
 no bgp graceful-restart notification
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.99.99.1 peer-group VTEP
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_evpnz1
 bgp router-id 10.1.0.1
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  advertise ipv4 unicast
  advertise ipv6 unicast
 exit-address-family
exit
!
router isis 1
 net 10.0000.0000.0004.00
 redistribute ipv4 connected level-1
 log-adjacency-changes
exit
!
route-map MAP_VTEP_IN permit 1
exit
!
route-map MAP_VTEP_OUT permit 1
exit
!
end

I hope the output of my journey might help someone stumbling upon this topic in the future.
If a dev could look into my request regarding parsing the interface block in frr.conf.local that would be greatly appreciated.
 
Hi, thanks for the detailed infos.

I'll look to add the parsing of "interface" block tomorrow. (I can send you a patched .deb for testing)

can you open a bugzilla.proxmox.com ? (with this forum thread as reference, no need to resend all infos)


Note that I could look to add a isis option for underlay in the gui. (currently we only have "bgp controller" option, but I could add "isis controller" too).
Seem pretty trivial looking at your configuration.
 
Hi Spirit,

I opened 2 feature requests, one for the "interface" block and another for the GUI addition.
https://bugzilla.proxmox.com/show_bug.cgi?id=4901
https://bugzilla.proxmox.com/show_bug.cgi?id=4902

I saw more FRR users with issues regarding the route-map on Github, that part might be resolved in a later version of FRR.
https://github.com/FRRouting/frr/issues/13792
This issue is using type 3 but the error is the same:
Code: 
2023-08-10 11:31:13.622 [DEBG] bgpd: [KZK58-6T4Y6] No best match sequence for pfx: [2]:[0]:[48]:[5a:0c:39:49:31:e9] in route-map: MAP_VTEP_IN, result: no match
2023-08-10 11:31:13.622 [DEBG] bgpd: [H5AW4-JFYQC] Route-map: MAP_VTEP_IN, prefix: [2]:[0]:[48]:[5a:0c:39:49:31:e9], result: deny

I would love to try out the .deb when it is available.
If there is anything I can do to help during the process please let me know.

Kind regards,
Michael
 
mbosma said:
I saw more FRR users with issues regarding the route-map on Github, that part might be resolved in a later version of FRR.
https://github.com/FRRouting/frr/issues/13792
This issue is using type 3 but the error is the same:
Code: 
2023-08-10 11:31:13.622 [DEBG] bgpd: [KZK58-6T4Y6] No best match sequence for pfx: [2]:[0]:[48]:[5a:0c:39:49:31:e9] in route-map: MAP_VTEP_IN, result: no match
2023-08-10 11:31:13.622 [DEBG] bgpd: [H5AW4-JFYQC] Route-map: MAP_VTEP_IN, prefix: [2]:[0]:[48]:[5a:0c:39:49:31:e9], result: deny

I would love to try out the .deb when it is available.
If there is anything I can do to help during the process please let me know.
Click to expand...
see to be backported in 8.5 stable
https://github.com/FRRouting/frr/pull/14094

so, I think we could update current version.

I'll work the features next week.
 
Hi,
can you try:

Code: 
wget https://mutulin1.odiso.net/libpve-network-perl_0.8.1_all.deb
dpkg -i libpve-network-perl_0.8.1_all.deb
systemctl restart pvedaemon
systemctl restart pveproxy

Then:
1) test if frr.conf.local is working with" interface".

2) I have add a new isis controller, can you try to edit

/etc/pve/sdn/controllers.cfg

Code: 
evpn: evpn
        asn 65000
        peers 10.99.99.1

isis: isisyournodehostname1
        isis-iface vmbr0
        isis-net 10.0000.0000.0005.00
        node yournodehostname1

(for example : isisyournodehostname ---> isismynode ), it's important to have isis)


then reload sdn, it should generate the correct isis config.
 
  • Like
Reactions: mbosma
Both fixed work so far!

I tried setting the interface block in frr.conf.local and it appeared in the frr.conf as expected.

Your other change is working as wel, I managed to get the setup working without the need to use frr.conf.local which is nice!
My controller.cfg looks like this:
Code: 
evpn: evpn
        asn 65000
        peers 10.99.99.1

isis: pve1-test
        isis-iface enp8s0f1
        isis-net 10.0000.0000.0004.00
        node pve1-test

isis: pve2-test
        isis-iface enp65s0f3
        isis-net 10.0000.0000.0005.00
        node pve2-test

isis: pve4-test
        isis-iface eno8
        isis-net 10.0000.0000.0007.00

Which results in this frr.conf:
Code: 
frr version 8.5.1
frr defaults datacenter
hostname pve1-test
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpnz1
 vni 1001
exit-vrf
!
interface enp8s0f1
 ip router isis isis1
!
router
 !
 address-family l2vpn evpn
  #  no neighbor VTEP route-map MAP_VTEP_IN in
  #  no neighbor VTEP route-map MAP_VTEP_OUT out
  # exit
  #exit
 exit-address-family
exit
!
router bgp 65000
 bgp router-id 10.1.0.1
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.99.99.1 peer-group VTEP
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_evpnz1
 bgp router-id 10.1.0.1
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  advertise ipv4 unicast
  advertise ipv6 unicast
 exit-address-family
exit
!
router isis isis1
 net 10.0000.0000.0004.00
 redistribute ipv4 connected level-1
 redistribute ipv6 connected level-1
 log-adjacency-changes
exit
!
route-map MAP_VTEP_IN permit 1
exit
!
route-map MAP_VTEP_OUT permit 1
exit
!
line vty
!

My suggestion would be to make the ISIS id dynamic in case you want create another connection.
router isis isis1 is a valid option for frr https://docs.frrouting.org/en/latest/isisd.html#clicmd-router-isis-WORD-vrf-NAME, it would be nice to add an option for "WORD" instead of hardcoding it to "isis1".

Also, would it be possible to add multiple interfaces to one isis block in controller.cfg?
This way you can multi-home switches for redundancy.
A codeblock like this:
Code: 
isis: pve2-test
        isis-iface enp65s0f3,enp65s0f4
        isis-net 10.0000.0000.0005.00
        node pve2-test
Would result in:
Code: 
interface enp65s0f3
 ip router isis isis1
!
interface enp65s0f4
 ip router isis isis1

Thank you so much for the work you put into this plugin.
These changes really help us to taking the next step towards using this in production.
 
Last edited:
Hi, thanks for testing !
mbosma said:
My suggestion would be to make the ISIS id dynamic in case you want create another connection.
router isis isis1 is a valid option for frr https://docs.frrouting.org/en/latest/isisd.html#clicmd-router-isis-WORD-vrf-NAME, it would be nice to add an option for "WORD" instead of hardcoding it to "isis1".
Click to expand...
I have hardcoded it, as from the doc, it seem that only 1 router is currently supported ?

" isisd does not yet support multiple ISIS processes but you must specify the name of ISIS process"


mbosma said:
Also, would it be possible to add multiple interfaces to one isis block in controller.cfg?
This way you can multi-home switches for redundancy.
A codeblock like this:
Code: 
isis: pve2-test
        isis-iface enp65s0f3,enp65s0f4
        isis-net 10.0000.0000.0005.00
        node pve2-test
Would result in:
Code: 
interface enp65s0f3
 ip router isis isis1
!
interface enp65s0f4
 ip router isis isis1
Click to expand...
Yes sure ! I'll sent a patch for testing tomorrow.
(Sorry, I don't known too much how is working the isis-protocol, so your advices are welcome :)



BTW, about the route-map bug, do you test on proxmox8 / frr 8.5 ?

because we have found a bug in frr && route-map bug
https://bugzilla.proxmox.com/show_bug.cgi?id=4810
and a fixed version should be available soon.

could you test this version:

Code: 
wget https://mutulin1.odiso.net/frr_8.5.2-1+pve1_amd64.deb
wget https://mutulin1.odiso.net/frr-pythontools_8.5.2-1+pve1_all.deb
dpkg -i frr_8.5.2-1+pve1_amd64.deb frr-pythontools_8.5.2-1+pve1_all.deb

and keep the 2 lines in frr.conf:
Code: 
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out

to see if it's working or not.
 
spirit said:
I have hardcoded it, as from the doc, it seem that only 1 router is currently supported ?

" isisd does not yet support multiple ISIS processes but you must specify the name of ISIS process"
Click to expand...
I wan't very clear on this one.
The idea for the dynamic name is more administrative.
FRR can only have one isis process/domain but the network doesn't.
Making the name dynamic will help in case your network has multiple isis domains.

spirit said:
BTW, about the route-map bug, do you test on proxmox8 / frr 8.5 ?

because we have found a bug in frr && route-map bug
https://bugzilla.proxmox.com/show_bug.cgi?id=4810
and a fixed version should be available soon.

could you test this version:

Code: 
wget https://mutulin1.odiso.net/frr_8.5.2-1+pve1_amd64.deb
wget https://mutulin1.odiso.net/frr-pythontools_8.5.2-1+pve1_all.deb
dpkg -i frr_8.5.2-1+pve1_amd64.deb frr-pythontools_8.5.2-1+pve1_all.deb

and keep the 2 lines in frr.conf:
Code: 
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out

to see if it's working or not.
Click to expand...

I am testing on the latest stable release of proxmox.
We already found out we were able to connect using your latest patch with the route-maps in place.
It seems like having the route-map before isis was established caused the issue.
After the patch isis is established directly because no manual command in the shell are required.

I tested the new FRR patch and it still works as intended.
We weren't able to reproduce the old frr issue with the new libpve-network-perl beta installed.
 
mbosma said:
I wan't very clear on this one.
The idea for the dynamic name is more administrative.
FRR can only have one isis process/domain but the network doesn't.
Making the name dynamic will help in case your network has multiple isis domains.
Click to expand...
oh, if I understand, the name is important ? it's not only something internal to frr ?

"router isis isis1" ----> will not work with other network devices if they don't use same domain name ? (like an asn with bgp for example?)


mbosma said:
I am testing on the latest stable release of proxmox.
We already found out we were able to connect using your latest patch with the route-maps in place.
It seems like having the route-map before isis was established caused the issue.
After the patch isis is established directly because no manual command in the shell are required.

I tested the new FRR patch and it still works as intended.
We weren't able to reproduce the old frr issue with the new libpve-network-perl beta installed.
Click to expand...
So, just to be sure to understand, can I keep
"
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out
"
generated in frr.conf ? (instead removing them when isis controller is defined).

I would like to keep same config than with bgp underlay if possible, to be sure to break other features with exit-nodes,...
 
spirit said:
oh, if I understand, the name is important ? it's not only something internal to frr ?

"router isis isis1" ----> will not work with other network devices if they don't use same domain name ? (like an asn with bgp for example?)
Click to expand...
The name itself in FRR is not used for anything outside the FRR config, only the isis-net 10.0000.0000.0005.00 is important to the other devices.
It is nice however to have it configurable to match your other devices to administration.
If we were to create another proxmox cluster in a different ISIS domain it's easier to have a different name setup so it matches the switches/routers.

spirit said:
"
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out
"
generated in frr.conf ? (instead removing them when isis controller is defined).

I would like to keep same config than with bgp underlay if possible, to be sure to break other features with exit-nodes,...
Click to expand...
I misunderstood your previous comment about this one.
I'll test again actually adding it to the frr.conf.local to see if it still works.
 
spirit said:
So, just to be sure to understand, can I keep
"
neighbor VTEP route-map MAP_VTEP_IN in
neighbor VTEP route-map MAP_VTEP_OUT out
"
generated in frr.conf ? (instead removing them when isis controller is defined).

I would like to keep same config than with bgp underlay if possible, to be sure to break other features with exit-nodes,...
Click to expand...
I did some more testing with and without the libpve-network-perl patch so I could control the route-map easier.

With the old frr and frr-pythontools packages I was not able to get a connection with route-map enabled.
After disabling route-map as stated in my first post the connection suddenly came online for the clients.

After the upgrade of these packages and restarting the FRR service the connection comes up route-map enabled.
Looks like the FRR patch is a success.

If you updated the libpve-network-perl without the route-map part in it, can you send me the new package so I can test it for you?

Kind regards,

Michael
 
spirit said:
can you try this new version:
https://mutulin1.odiso.net/libpve-network-perl_0.8.1_all.deb
Click to expand...
I downloaded the file but it doesn't seem to be the new one, are you sure this is the correct link?
Code: 
root@pve1-test:~# sha1sum libpve-network-perl_0.8.1_all.deb
0c8d46ce6d88400324718d28e260050b928fcc4c  libpve-network-perl_0.8.1_all.deb
root@pve1-test:~# sha1sum libpve-network-perl_0.8.1_all.deb.old
0c8d46ce6d88400324718d28e260050b928fcc4c  libpve-network-perl_0.8.1_all.deb.old
 
mbosma said:
I downloaded the file but it doesn't seem to be the new one, are you sure this is the correct link?
Code: 
root@pve1-test:~# sha1sum libpve-network-perl_0.8.1_all.deb
0c8d46ce6d88400324718d28e260050b928fcc4c  libpve-network-perl_0.8.1_all.deb
root@pve1-test:~# sha1sum libpve-network-perl_0.8.1_all.deb.old
0c8d46ce6d88400324718d28e260050b928fcc4c  libpve-network-perl_0.8.1_all.deb.old
Click to expand...
oh sorry.
I have re-uploaded it

a9a067e7b24004c18b8eb256b1bc6516 libpve-network-perl_0.8.1_all.deb
 
The route-map part is back, the other changes broke isis.

Interfaces are not added in frr config anymore.
Same goes for isis settings.

controller.cfg:
Code: 
root@pve1-test:~# cat /etc/pve/sdn/controllers.cfg
evpn: evpn
        asn 65000
        peers 10.99.99.1

isis: pve1-test
        isis-ifaces enp8s0f1,eno1
        isis-net 10.0000.0000.0004.00
        isis-domain isis1
        node pve1-test

isis: pve2-test
        isis-ifaces enp65s0f3
        isis-net 10.0000.0000.0005.00
        isis-domain isis1
        node pve2-test

isis: pve4-test
        isis-ifaces eno8
        isis-net 10.0000.0000.0007.00
        isis-domain isis1
        node pve4-test

frr.conf (no frr.conf.local):
Code: 
frr version 8.5.1
frr defaults datacenter
hostname pve1-test
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpnz1
 vni 1001
exit-vrf
!
router bgp 65000
 bgp router-id 192.168.245.201
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.99.99.1 peer-group VTEP
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_evpnz1
 bgp router-id 192.168.245.201
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  advertise ipv4 unicast
  advertise ipv6 unicast
 exit-address-family
exit
!
route-map MAP_VTEP_IN permit 1
exit
!
route-map MAP_VTEP_OUT permit 1
exit
!
line vty

Playing around with single/multiple interfaces and isis-domain does nothing.
If i revert back to isis-iface and/or delete isis-domain it results in an error in the reload.
 
mmm, that's strange. I'll verify on my side. (I have tested with eth0,eth1 , but maybe they are a parser limitation).

I'll keep you in touch, thanks for your patience. (Sorry to be late, I was very busy at work this week)
 
ok, fixed, it's was a small bug on "node" param not parsed, then the isis config was not loaded and frr config not generated.

can you try it again (same link)
libpve-network-perl_0.8.1_all.deb 9e318acae4455e4339980d1099e09074
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back