proxmox 7.0 sdn beta test

Ruffy91

Enjoy your holiday :)

The config as generated now is:
Code:
! FRR configuration as generated (per the post) on host chsfl1-cl01-pve01.
! Layout: one default-VRF BGP instance that peers with an upstream eBGP router
! and with the other EVPN VTEPs, plus a BGP instance bound to vrf_evpn.
! NOTE(review): neither peer-group below carries a `neighbor <group> password`
! line, so the sessions shown here are unauthenticated unless that is handled
! outside this listing.
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
! Bind L3 VNI 500 to the VRF named vrf_evpn.
vrf vrf_evpn
 vni 500
exit-vrf
!
! Default-VRF BGP instance, local AS 65002.
router bgp 65002
 bgp router-id 100.111.64.3
 ! Neighbors are not activated for IPv4 unicast automatically; each address
 ! family below has to activate the peers it wants.
 no bgp default ipv4-unicast
 coalesce-time 1000
 ! Peer-group BGP: the upstream eBGP peer 100.111.64.1, monitored with BFD.
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 ! Allows the eBGP peer to be up to 4 hops away instead of directly connected.
 neighbor BGP ebgp-multihop 4
 neighbor 100.111.64.1 peer-group BGP
 ! Peer-group VTEP: the two other EVPN speakers, also eBGP with BFD.
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  ! Keeps the routes received from the peer so inbound policy can be re-applied
  ! without a session reset.
  ! NOTE(review): no inbound route-map or prefix-list is attached to peer-group
  ! BGP in this listing, so IPv4 routes from the upstream peer are not filtered here.
  neighbor BGP soft-reconfiguration inbound
  ! Leak the routes of vrf_evpn into this instance's IPv4 table.
  import vrf vrf_evpn
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family l2vpn evpn
  ! Only the VTEP group speaks EVPN; both directions go through a route-map.
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  ! presumably the AS used for auto-derived route targets; it matches the
  ! 65010:500 route targets in the VRF instance below — TODO confirm
  autort as 65010
 exit-address-family
!
! BGP instance for vrf_evpn: no neighbors of its own in this listing.
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 !
 address-family ipv4 unicast
  ! Inject the VRF's directly connected subnets into BGP.
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  ! Originate IPv4 and IPv6 default routes into EVPN for this VRF.
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
! Inbound policy for VTEP peers: sequence 1 drops EVPN prefix routes,
! sequence 2 accepts everything else.
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
! Outbound policy for VTEP peers: a single permit with no match, i.e. no filtering.
route-map MAP_VTEP_OUT permit 1
!
line vty

I would change it to:
Code:
! Proposed edit from the post: peer-group BGP and its neighbor 100.111.64.1 are
! moved from the default BGP instance into the vrf_evpn instance, and the
! `import vrf vrf_evpn` / `redistribute connected` lines are dropped.
! The post reports that the eBGP session no longer establishes with this version.
! NOTE(review): no `neighbor <group> password` line appears for either
! peer-group, so the sessions shown here are unauthenticated unless that is
! handled outside this listing.
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
! Bind L3 VNI 500 to the VRF named vrf_evpn.
vrf vrf_evpn
 vni 500
exit-vrf
!
! Default-VRF BGP instance, local AS 65002; only the VTEP peer-group is left here.
router bgp 65002
 bgp router-id 100.111.64.3
 ! Neighbors are not activated for IPv4 unicast automatically in this instance.
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  ! NOTE(review): peer-group BGP is no longer defined in this instance; its
  ! definition now sits under `router bgp 65002 vrf vrf_evpn`. Peer-groups are
  ! scoped to one BGP instance, so these two lines refer to a group that does
  ! not exist here — TODO confirm how FRR handles them on load.
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  ! Only the VTEP group speaks EVPN; both directions go through a route-map.
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  ! presumably the AS used for auto-derived route targets; it matches the
  ! 65010:500 route targets in the VRF instance below — TODO confirm
  autort as 65010
 exit-address-family
!
! BGP instance for vrf_evpn, now holding the upstream eBGP peer.
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 ! Allows the eBGP peer to be up to 4 hops away instead of directly connected.
 neighbor BGP ebgp-multihop 4
 ! NOTE(review): the session to 100.111.64.1 is now opened from inside
 ! vrf_evpn, so it can only come up if that address is reachable through an
 ! interface that belongs to the VRF — verify against the host's interfaces.
 neighbor 100.111.64.1 peer-group BGP
 !
 ! No `neighbor BGP activate` in this address family, and this instance has no
 ! `no bgp default ipv4-unicast` line; whether IPv4 unicast is negotiated
 ! depends on the defaults in effect — TODO confirm.
 address-family ipv4 unicast
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  ! Originate IPv4 and IPv6 default routes into EVPN for this VRF.
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
! Inbound policy for VTEP peers: sequence 1 drops EVPN prefix routes,
! sequence 2 accepts everything else.
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
! Outbound policy for VTEP peers: a single permit with no match, i.e. no filtering.
route-map MAP_VTEP_OUT permit 1
!
line vty

After I do this, the session to my eBGP peer is no longer established.
Unfortunately I am not very fluent with routing and am not sure what I am doing, so there are probably some errors in there.
 

spirit

Enjoy your holiday :)

The config as generated now is:
Code:
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 500
exit-vrf
!
router bgp 65002
 bgp router-id 100.111.64.3
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 neighbor BGP ebgp-multihop 4
 neighbor 100.111.64.1 peer-group BGP
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
  import vrf vrf_evpn
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  autort as 65010
 exit-address-family
!
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
route-map MAP_VTEP_OUT permit 1
!
line vty

I would change it to:
Code:
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 500
exit-vrf
!
router bgp 65002
 bgp router-id 100.111.64.3
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  autort as 65010
 exit-address-family
!
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 neighbor BGP ebgp-multihop 4
 neighbor 100.111.64.1 peer-group BGP
 !
 address-family ipv4 unicast
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
route-map MAP_VTEP_OUT permit 1
!
line vty

After I do this a session to my eBGP peer is no longer established.
Unfortunately I am not as fluent with routing and am not sure what I am doing, as a consequence there are probably some errors in there.
Enjoy your holiday :)

The config as generated now is:
Code:
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 500
exit-vrf
!
router bgp 65002
 bgp router-id 100.111.64.3
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 neighbor BGP ebgp-multihop 4
 neighbor 100.111.64.1 peer-group BGP
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
  import vrf vrf_evpn
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_evpn
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  autort as 65010
 exit-address-family
!
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
route-map MAP_VTEP_OUT permit 1
!
line vty

I would change it to:
Code:
frr version 8.0.1
frr defaults datacenter
hostname chsfl1-cl01-pve01
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_evpn
 vni 500
exit-vrf
!
router bgp 65002
 bgp router-id 100.111.64.3
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as external
 neighbor VTEP bfd
 neighbor 192.168.102.102 peer-group VTEP
 neighbor 192.168.102.103 peer-group VTEP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
  autort as 65010
 exit-address-family
!
router bgp 65002 vrf vrf_evpn
 bgp router-id 192.168.102.101
 neighbor BGP peer-group
 neighbor BGP remote-as external
 neighbor BGP bfd
 neighbor BGP ebgp-multihop 4
 neighbor 100.111.64.1 peer-group BGP
 !
 address-family ipv4 unicast
 exit-address-family
 !
 address-family ipv6 unicast
 exit-address-family
 !
 address-family l2vpn evpn
  route-target import 65010:500
  route-target export 65010:500
  default-originate ipv4
  default-originate ipv6
 exit-address-family
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
!
route-map MAP_VTEP_IN permit 2
!
route-map MAP_VTEP_OUT permit 1
!
line vty

After I do this a session to my eBGP peer is no longer established.
Unfortunately I am not as fluent with routing and am not sure what I am doing, as a consequence there are probably some errors in there.
Maybe copy "neighbor BGP activate" into the ipv4 unicast section of the vrf router, but also keep it in the main section. I'll test it next week.
 

Ruffy91

I added PBR (policy-based routing) for any traffic on interface evpn01. This created a rule and a route table, which both seem correct, but the rule is ignored by the route selection:
root@chsfl1-cl01-pve01:~# ip rule
300: from all iif evpn01 lookup 10000 proto zebra
1000: from all lookup [l3mdev-table]
32765: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@chsfl1-cl01-pve01:~# ip route list table 10000
default nhid 673 via 100.111.64.1 dev vmbr0_164 proto pbr metric 20

root@chsfl1-cl01-pve01:~# ip route get 1.1.1.1 from 10.182.3.100 iif evpn01
1.1.1.1 from 10.182.3.100 via 10.182.2.1 dev vmbr0_182
cache iif evpn01

I think it should even be possible to select the correct VRF with PBR (set vrf VRF-NAME), but this won't help if the rules are ignored.
 

spirit

I added a PBR for any traffic on interface evpn01 which added a rule and route table which seem correct, but the rule is ignored by the route selection:
root@chsfl1-cl01-pve01:~# ip rule
300: from all iif evpn01 lookup 10000 proto zebra
1000: from all lookup [l3mdev-table]
32765: from all lookup local
32766: from all lookup main
32767: from all lookup default
root@chsfl1-cl01-pve01:~# ip route list table 10000
default nhid 673 via 100.111.64.1 dev vmbr0_164 proto pbr metric 20

root@chsfl1-cl01-pve01:~# ip route get 1.1.1.1 from 10.182.3.100 iif evpn01
1.1.1.1 from 10.182.3.100 via 10.182.2.1 dev vmbr0_182
cache iif evpn01

I think it should even be possible to select the correct vrf with PBR (set vrf VRF-NAME) but this wont help if the rules are ignored.
thanks for testing. I'll do a lab next week when I'll be back at work.
 
