[SOLVED] Inter node SDN networking using EVPN-VXLAN

I also got it working with one BGP controller. But even with this "simple setup" I experience some problems, where the same config works on one pve node, but not on the other... This is a bit strange, but I'll try to investigate this one on my own. (Edit: This is related to having multiple BGP controllers)

In case of maintenance work (when the pve node with the bgp controller will be shut down), I'd like to add two more bgp controllers, for the other hosts (ecmp).

As soon as I do this, my test containers become unreachable if the traffic is being routed over the wrong pve node. To force this behavior I disabled the bgp sessions to the primary exit node. I'm not quite sure how to debug this properly. Has this been tested at all? Is the fundamental idea of how to set this up correct?
you can use same ASN for both evpn && bgp

put all your exit-nodes

indeed you don't need static route if you use bgp.

The route is announced by all exit-nodes (even if the vm is not on this node, even if you define exit-node on each).

So, in all cases, you'll have ecmp. If a packet is coming to an exit-node when the vm is not present, it'll be rerouted again inside the evpn.

The only way to have direct routing from your fortigate to the evpn is to have evpn support inside your fortigate (then the fortigate is the evpn exit-node).

with 3 nodes, it seems to be overkill. just keep fullmesh peering with all nodes ip as evpn peer.
Thank you @spirit :)

Change of PLANS - I managed to get myself a six port Lanner Device and I installed VYOS 1.4 LTS on it.


I will replace my L2 switch with this VYOS device now. I will connect 1 port to my home router and the others to the 3 proxmox nodes.


Can you please guide how to setup EVPN-VXLAN on Vyos, you can give me high level steps that I need to follow, I'll try to figure out the details.

I am attaching my current SDN config.
I have removed my node names, but if I understand correctly in Exit Nodes I will need to select ALL nodes + VYOS

And primary exit node will be VYOS
I have 5 subnets so I created 5 Vnets, so I can choose the bridge in the VM and it will get the ip address from the subnet
I have a small 3 node cluster with vmbr0 allocated 192.168.1.0/24 host node IPs. From that LAN network I can reach all internal VM/CTs on each of the 3 host nodes. Fine. Now I have 2 OpenWrt CTs on two different nodes with a pair of Debian CTs also on each of those two nodes. I added a "blank" vmbr1 bridge to each host node where OpenWrt uses vmbr0 for each soft router and gets a 192.168.1.* IP for its wan and vmbr1 for lan (either 192.168.2.1/24 or 192.168.3.1/24). On each respective Debian CT I can ping 1.1.1.1, 192.168.1.* and also the other 192.168.2(or3).* Debian guest CTs "behind" each respective OpenWrt router. All good and working as expected.

Now, using SDN magic, how do I make it so that the Debian CTs behind each of the OpenWrt routers can see the other private network guests behind the other router on the other host node WITHOUT using VPN/wireguard or static routing?
Apologies @markc, I may have hijacked your thread... but I have a similar setup and I wanted to get rid of the primary exit node bottleneck
 
Yea, unfortunately I tried to migrate a pve node with a mikrotik router in front of it and this totally failed...

First of all I had problems exporting the routes using bgp (which worked in my lab setup). At first it all worked as I expected, then the incoming packets were not routed into the vrf correctly (just 1 host, not in an evpn cluster, but still an evpn zone, to extend it afterwards). After solving this using a static route I had the same issue a few hours later, which resulted in the whole network becoming unreachable. For now I have a virtualized router, which acts as a "proxy" to serve the layer 2 networks to this host. I need to debug this in the following days.
 
Hi all, I struggled a lot with this and ended up installing ProxMox on the Lanner device and added it to my current cluster. I made the lanner a part of the evpn controller and selected it as an exit node in the zone, and everything is working great... no need for any additional configuration
 
Hi niel, would you mind elaborating on your solution and which Lanner device?
Hi Markc, if your proxmox nodes are gigabit you may use https://www.ebay.com.au/itm/126559885247

If your proxmox nodes are 10gigabit you may use https://teklager.se/en/products/routers/tlsense-10gbps-intel-atom-c3758r

As I mentioned in my last post, I installed ProxMox on it like a normal mini pc and then I put all the ports in the same vmbr0 bridge, so now the new device will act like a switch with one ip address.

Connect your 3 nodes to device and 1 port to your router.

for e.g. node1, node2, node3, node4 = 192.168.10, 192.168.11, 192.168.12, 192.168.13

Add it to your existing cluster and make it a part of your SDN, and mark it as the primary exit node.

Then on your external router make a summary route of all your internal ip address ranges to the ip address of the new device, that's it.
 

Lab Equipment Overview

Router:
  • Mikrotik CCR2004-1G-12S-2XS

Switches:
  • SW01: Mikrotik CRS504-4XQ-IN, equipped with four XQ+BC0003-XS+ cables
  • SW02: Mikrotik CRS310-8G-25+IN
  • SW03: Mikrotik CRS310-8G-25+IN

Proxmox Hosts:
  • Minisforum MS-01
I have successfully deployed a Proxmox cluster comprising six Minisforum MS-01 machines. Each host is outfitted with dual 10G NICs, dual 2.5G NICs, and dual Thunderbolt 4 NICs, effectively functioning as 25G network interface cards (NICs). Notably, one of the 2.5G NICs is connected to the switches as an access port for Intel vPro, while all other ports are connected to the switches' trunk ports.

In addition to this setup, I have configured three VLAN networks:

  • VLAN 30 is designated for Proxmox Corosync on the 2.5G port.
  • VLAN 60 and VLAN 70 utilize the bonded 10G NIC ports for Virtual Machines (VMs) and Kubernetes (K8s).

SW01 is connected to the router using two 25G ports configured in a bond (802.3ad, Layer 3+4). Additionally, SW02 and SW03 are linked via two 10G ports, also set up in a bonding configuration.
The router acts as a DHCP server and serves as the main gateway to the internet.
----
Following this guide I configured Thunderbolt networking
Bash:
root@pve01:~# vtysh -c 'show openfabric route'
Area 1:
IS-IS L2 IPv4 routing table:

 Prefix        Metric  Interface  Nexthop    Label(s)
 ------------------------------------------------------
 10.0.0.81/32  0       -          -          -    
 10.0.0.82/32  20      en06       10.0.0.82  -    
 10.0.0.83/32  30      en06       10.0.0.82  -    
 10.0.0.84/32  20      en05       10.0.0.84  -    
 10.0.0.85/32  30      en05       10.0.0.84  -    
 10.0.0.86/32  40      en05       10.0.0.84  -    
                       en06       10.0.0.82  -    

IS-IS L2 IPv6 routing table:

root@pve01:~# vtysh -c 'show bgp summary'

L2VPN EVPN Summary (VRF default):
BGP router identifier 10.0.0.81, local AS number 65000 vrf-id 0
BGP table version 0
RIB entries 17, using 3264 bytes of memory
Peers 5, using 3623 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor         V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
pve02(10.0.0.82) 4      65000       366       366        0    0    0 00:18:07            1        1 N/A
pve03(10.0.0.83) 4      65000       371       368        0    0    0 00:15:53            1        1 N/A
pve04(10.0.0.84) 4      65000       366       367        0    0    0 00:18:05            1        1 N/A
pve05(10.0.0.85) 4      65000       370       371        0    0    0 00:15:39            1        1 N/A
pve06(10.0.0.86) 4      65000       377       373        0    0    0 00:15:48            1        1 N/A

Total number of neighbors 5
___

Proxmox hosts can ping each other using their loopback interface IP addresses.


I have installed and configured a Ceph cluster over that thunderbolt mesh network:
YAML:
[global]
    auth_client_required = cephx
    auth_cluster_required = cephx
    auth_service_required = cephx
    cluster_network = 10.0.0.81/24
    fsid = 7b54fd80-5f11-416b-ad5b-6e0ce7cb0694
    mon_allow_pool_delete = true
    mon_host = 10.0.0.81 10.0.0.82 10.0.0.83 10.0.0.84 10.0.0.85 10.0.0.86
    ms_bind_ipv4 = true
    ms_bind_ipv6 = false
    osd_pool_default_min_size = 2
    osd_pool_default_size = 3
    public_network = 10.0.0.81/24

---
Currently, my network configuration across the Proxmox hosts is as follows:

  • vmbr1.70 (2.5G NIC): Subnet 10.1.70.0/28 for Corosync and management purposes.
  • vmbr0.60 (10G NICs in a bond): Subnet 10.1.60.0/24 designated for virtual machines (VMs).
  • vmbr0.80 (10G NICs in a bond): Subnet 10.1.80.0/27 allocated for Kubernetes (K8S) operations.
I would like to implement Ceph-CSI in my Kubernetes (K8s) virtual machine environment. Could you advise on the optimal scenario for configuring network access from the K8s VMs to the Ceph network?

Currently, I am considering the following:

  1. Directing traffic to each Proxmox VE (PVE) host's loopback interface (10.0.0.8x) through their respective IP addresses within VLAN 80.
  2. Configuring a virtual network (vNet) that allows access to the loopback network and attaching it as a second NIC to the K8s VMs.

Thank you for your assistance!
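The `show bgp summary` output above is the quickest health check for an EVPN controller: every peer should be Established (FRR prints the received-prefix count in the State/PfxRcd column once a session is up, and the FSM state name such as Active or Idle otherwise), all peers should carry the same ASN in an iBGP full mesh like this one, and the neighbour count should match what you expect. The following parser is an added example, not code from the thread or from Proxmox/FRR; the sample output is constructed from the format posted above, with pve03 altered to show a stuck session, and the column layout is assumed to match FRR's summary table.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the 'vtysh -c "show bgp summary"' output in the
# thread. pve03 has been altered to show a session stuck in the Active state.
SAMPLE_SUMMARY = """\
L2VPN EVPN Summary (VRF default):
BGP router identifier 10.0.0.81, local AS number 65000 vrf-id 0
BGP table version 0
RIB entries 17, using 3264 bytes of memory
Peers 3, using 3623 KiB of memory
Peer groups 1, using 64 bytes of memory

Neighbor         V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt Desc
pve02(10.0.0.82) 4      65000       366       366        0    0    0 00:18:07            1        1 N/A
pve03(10.0.0.83) 4      65000         0         0        0    0    0    never       Active        0 N/A
pve04(10.0.0.84) 4      65000       366       367        0    0    0 00:18:05            1        1 N/A

Total number of neighbors 3
"""

# One neighbour row: "name(address) V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt [Desc]"
PEER_LINE = re.compile(
    r"^(?P<name>\S+?)\((?P<addr>[0-9a-fA-F.:]+)\)\s+"
    r"(?P<version>\d+)\s+(?P<remote_as>\d+)\s+(?P<rcvd>\d+)\s+(?P<sent>\d+)\s+"
    r"(?P<tblver>\d+)\s+(?P<inq>\d+)\s+(?P<outq>\d+)\s+(?P<updown>\S+)\s+"
    r"(?P<state>\S+)\s+(?P<pfxsnt>\S+)"
)
LOCAL_AS = re.compile(r"local AS number (\d+)")
TOTAL = re.compile(r"Total number of neighbors (\d+)")


@dataclass
class Peer:
    name: str
    address: str
    remote_as: int
    established: bool
    state: str              # "Established" or the FRR FSM state (Active, Connect, Idle, ...)
    prefixes_received: int
    up_down: str


def parse_bgp_summary(text: str) -> List[Peer]:
    """Parse the neighbour table of FRR's 'show bgp summary' output."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        state_col = m.group("state")
        # FRR shows the received-prefix count in State/PfxRcd once the session
        # is Established; any non-numeric value is the FSM state name.
        established = state_col.isdigit()
        peers.append(Peer(
            name=m.group("name"),
            address=m.group("addr"),
            remote_as=int(m.group("remote_as")),
            established=established,
            state="Established" if established else state_col,
            prefixes_received=int(state_col) if established else 0,
            up_down=m.group("updown"),
        ))
    return peers


def check_bgp_summary(text: str, expected_peers: Optional[int] = None) -> List[str]:
    """Return human-readable problems found in the summary; an empty list means healthy."""
    problems = []
    peers = parse_bgp_summary(text)
    m_as = LOCAL_AS.search(text)
    local_as = int(m_as.group(1)) if m_as else None

    m_total = TOTAL.search(text)
    if m_total and int(m_total.group(1)) != len(peers):
        problems.append(f"parsed {len(peers)} peers but FRR reports {m_total.group(1)}")
    if expected_peers is not None and len(peers) != expected_peers:
        problems.append(f"expected {expected_peers} peers, found {len(peers)}")

    for p in peers:
        if not p.established:
            problems.append(f"{p.name} ({p.address}) is not Established: state {p.state}, up/down {p.up_down}")
        elif p.prefixes_received == 0:
            problems.append(f"{p.name} ({p.address}) is Established but has advertised no EVPN routes")
        # The thread uses one ASN on every node (iBGP full mesh); a mismatch usually
        # means a node was added to the EVPN controller with the wrong ASN.
        if local_as is not None and p.remote_as != local_as:
            problems.append(f"{p.name} ({p.address}) uses AS {p.remote_as}, local AS is {local_as}")
    return problems


if __name__ == "__main__":
    # On a real node: vtysh -c 'show bgp summary' | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SUMMARY
    for issue in check_bgp_summary(text, expected_peers=5):
        print("WARN:", issue)
```

Run against the live output on each node (the script reads stdin when piped) and compare the peer lists across nodes; a peer that is Established on one node but Active or Idle on another is the first thing to look at when the same SDN config behaves differently per host.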
 