proxmox 7.0 sdn beta test

[lp_xanclas]

What do you want to do exactly with your vyos router ? Because you can't route from outside to 1 vrf with 10.0.0.1 and another vrf 10.0.0.1. (they are no magic session tracking).

Multitenancy with same subnets can only live inside their own vrf (or zone in proxmox).


but even with differents subnet, I think your config is wrong. (you should try to enable the exit-node option on proxmox, and look the generated /etc/frr/frr.conf ,as vyos seem to use frr too, it can give your some inspiration).

I could be great to have your promox sdn config too (/etc/pve/sdn/*.cfg)




you should announce the default 0.0.0.0 in each vrf evpn network (and not the real netework), you need an vxlan (l3vni) interface for each vrf (same vxlanid than defined the proxmox zone). (5000 && 5002 from your config)

on proxmox, you can do #vtysh -c "sh ip bgp l2vpn evpn" , you should see 0.0.0.0/0 routes with your vyos ip as gateway.
This evpn default route is not imported in proxmox kernel routing table. (you don't see in #ip route)
From that, vm will send traffic ton his local anycast gateway on the vnet, and the vnet will forward to vyos because of the evpn 0.0.0.0 route.



After that, on Vyos, you can allow traffic going between different vrf (the defaut vrf (the real world - and the tenant vrf for example). You need to a vrf leak (importing/extporting routes between vrfs).
This is done with "import vrf <othervrfname>" in the source vrf router
But this can works of course, if you use differents subnets.

Hello,
thank you for your reply @spirit .
I want to achieve multi tenancy with overlapping IP addresses. I followed this instructions: https://blog.vyos.io/l3vpn-evpn-creating-a-multi-tenant-service-provider-network (sorry to not shared previously), and adapt them to my proxmox setup.
I realized I don't need the IP addresses on the bridges. Using pseudo-interfaces on vyos, and use them to do SNAT, I can reach outside "real world" (but only from one tenant, and I'm still understanding the NAT rules on vyos if the source addresses of two VMs are the same but belonging to different VRFs).
Today I still got the strange behavior when I announce the default route in each VRF through vyos (see the below output of the 'show ip route vrf all' command):

VRF vrf_customB:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 6d23h31m
C>* 10.3.2.0/24 is directly connected, custB9, 6d23h31m
B>* 10.3.2.17/32 [200/0] via 10.2.2.6, vrfbr_customB onlink, weight 1, 00:03:56

VRF vrf_tenantC:
B>* 0.0.0.0/0 [200/0] via 10.2.2.2, vrfbr_tenantC onlink, weight 1, 00:00:09
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d20h54m
C>* 10.3.2.0/24 is directly connected, tenantC1, 1d20h51m

As you can see, there's no default route on vrf_customB. The default route on vrf_customB disappears once I announce the same route through tenantC VRF.

Sorry for the following long *c,fg files from /etc/pve/sdn/

 cat /etc/pve/sdn/*.cfg
evpn: evpn01
        asn 65003
        peers 10.2.2.6,10.2.2.4,10.2.2.7,10.2.2.2

bgp: bgppve06
        asn 65003
        node pve06
        peers 10.2.2.1,10.2.2.11,10.2.2.12
        bgp-multipath-as-path-relax 0
        ebgp 0

subnet: customA-10.3.0.0-24
        vnet vnet5
        gateway 10.3.0.1

subnet: customA-10.3.1.0-24
        vnet MNGSDN
        gateway 10.3.1.1

subnet: customA-10.3.2.0-24
        vnet backups
        gateway 10.3.2.1

subnet: customB-10.3.2.0-24
        vnet custB9
        gateway 10.3.2.1

subnet: tenantC-10.3.2.0-24
        vnet tenantC1
        gateway 10.3.2.1

vnet: vnet5
        zone customA
        tag 4505

vnet: MNGSDN
        zone customA
        tag 4506

vnet: backups
        zone customA
        alias backups
        tag 4507

vnet: custB9
        zone customB
        tag 5001

vnet: tenantC1
        zone tenantC
        tag 5003

evpn: customA
        controller evpn01
        vrf-vxlan 4504
        ipam pve
        mac FE:2B:38:68:1F:23
        mtu 1500

evpn: customB
        controller evpn01
        vrf-vxlan 5000
        advertise-subnets 1
        ipam pve
        mac 56:13:CC:5D:68:1E
        mtu 1500

evpn: tenantC
        controller evpn01
        vrf-vxlan 5002
        advertise-subnets 1
        ipam pve
        mac DA:05:CF:4D:CC:1F
        mtu 1500

 

[spirit]

Hello,
thank you for your reply @spirit .
I want to achieve multi tenancy with overlapping IP addresses. I followed this instructions: https://blog.vyos.io/l3vpn-evpn-creating-a-multi-tenant-service-provider-network (sorry to not shared previously), and adapt them to my proxmox setup.

Note that they aren't any exit-node in this setup. It's simply evpn routing of different vrf/zone.

If you want to go outside from the vyos with 2vrf with same subnets, you'll 1 different public interface in each vrf too.
you can't have 1 public interface in default vrf vyos , and import/leak routes from others vrf as they use same subnet.

I realized I don't need the IP addresses on the bridges. Using pseudo-interfaces on vyos, and use them to do SNAT, I can reach outside "real world" (but only from one tenant).
Today I still got the strange behavior when I announce the default route in each VRF through vyos (see the below output of the 'show ip route vrf all' command):

VRF vrf_customB:
K>* 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 6d23h31m
C>* 10.3.2.0/24 is directly connected, custB9, 6d23h31m
B>* 10.3.2.17/32 [200/0] via 10.2.2.6, vrfbr_customB onlink, weight 1, 00:03:56

VRF vrf_tenantC:
B>* 0.0.0.0/0 [200/0] via 10.2.2.2, vrfbr_tenantC onlink, weight 1, 00:00:09
K * 0.0.0.0/0 [255/8192] unreachable (ICMP unreachable), 1d20h54m
C>* 10.3.2.0/24 is directly connected, tenantC1, 1d20h51m

As you can see, there's no default route on vrf_customB. The default route on vrf_customB disappears once I announce the same route through tenantC VRF.

you shouldn't see default 0.0.0.0 in kernel (K) at all. As I said, it should be a pure evpn route.
It's look like you are announcing the default in the underlay bgp network && not evpn in vyos.


what is the output of "vtysh -c "sh bgp l2vpn evpn" ? you should see the 0.0.0.0 type5 route .

 

[lp_xanclas]

Note that they aren't any exit-node in this setup. It's simply evpn routing of different vrf/zone.

If you want to go outside from the vyos with 2vrf with same subnets, you'll 1 different public interface in each vrf too.
you can't have 1 public interface in default vrf vyos , and import/leak routes from others vrf as they use same subnet.




you shouldn't see default 0.0.0.0 in kernel (K) at all. As I said, it should be a pure evpn route.
It's look like you are announcing the default in the underlay bgp network && not evpn in vyos.


what is the output of "vtysh -c "sh bgp l2vpn evpn" ? you should see the 0.0.0.0 type5 route .

Hello, is just a simple homelab. I don't have public IPs, but I do NAT with a private IP address range (just for testing). I don't have a exit node configured because once I remove the exit node from any zone my setup worked fine and I was able to see the default route on each VRF. My setup includes (that I need to change, but I was testing this multi tenant scenario) a zone with a proxmox server exit node, and other two zones without any exit node configured (those are the customB and tenantC)

Here is the 'sh bgp l2vpn evpn' (some output ommited):

Route Distinguisher: 10.2.2.7:9
*> [5]:[0]:[24]:[10.3.2.0]
                    10.2.2.7(pve07)          0         32768 ?
                    ET:8 RT:65003:5002 Rmac:c6:b8:64:9f:ad:97
Route Distinguisher: 10.2.3.10:4
*>i[5]:[0]:[0]:[0.0.0.0]
                    10.2.2.2(r5)             0    100      0 i
                    RT:65003:5000 ET:8 Rmac:b6:08:f9:f4:59:b4
*>i[5]:[0]:[24]:[10.2.3.0]
                    10.2.2.2(r5)             0    100      0 ?
                    RT:65003:5000 ET:8 Rmac:b6:08:f9:f4:59:b4
Route Distinguisher: 10.2.3.11:5
*>i[5]:[0]:[0]:[0.0.0.0]
                    10.2.2.2(r5)             0    100      0 i
                    RT:65003:5002 ET:8 Rmac:8a:07:59:49:b9:d9
*>i[5]:[0]:[24]:[10.2.3.0]
                    10.2.2.2(r5)             0    100      0 ?
                    RT:65003:5002 ET:8 Rmac:8a:07:59:49:b9:d9

Now my setup "seems is working", with two VMs with the same IP address, in different zones, and using a different IP address for NAT in vyos. I'm able to reach internet on both of them. This is also my NAT translation output in vyos:

Pre-NAT          Post-NAT         Proto    Timeout    Mark    Zone
---------------  ---------------  -------  ---------  ------  ------
10.3.2.16        10.2.3.11        icmp     29         0
10.3.2.16        10.2.3.10        icmp     29         0

I can share the commands issued on vyos, but I also need to test the VMs in different proxmox servers.

 

[spirit]

Hello, is just a simple homelab. I don't have public IPs, but I do NAT with a private IP address range (just for testing). I don't have a exit node configured because once I remove the exit node from any zone my setup worked fine and I was able to see the default route on each VRF.

I mean, your vyos is the exit-node here. (as it seem to announce the default). Exit-node on proxmox is really simply a evpn node announcing the default.

My setup includes (that I need to change, but I was testing this multi tenant scenario) a zone with a proxmox server exit node, and other two zones without any exit node configured (those are the customB and tenantC)

Here is the 'sh bgp l2vpn evpn' (some output ommited):

Route Distinguisher: 10.2.2.7:9
*> [5]:[0]:[24]:[10.3.2.0]
                    10.2.2.7(pve07)          0         32768 ?
                    ET:8 RT:65003:5002 Rmac:c6:b8:64:9f:ad:97
Route Distinguisher: 10.2.3.10:4
*>i[5]:[0]:[0]:[0.0.0.0]
                    10.2.2.2(r5)             0    100      0 i
                    RT:65003:5000 ET:8 Rmac:b6:08:f9:f4:59:b4
*>i[5]:[0]:[24]:[10.2.3.0]
                    10.2.2.2(r5)             0    100      0 ?
                    RT:65003:5000 ET:8 Rmac:b6:08:f9:f4:59:b4
Route Distinguisher: 10.2.3.11:5
*>i[5]:[0]:[0]:[0.0.0.0]
                    10.2.2.2(r5)             0    100      0 i
                    RT:65003:5002 ET:8 Rmac:8a:07:59:49:b9:d9
*>i[5]:[0]:[24]:[10.2.3.0]
                    10.2.2.2(r5)             0    100      0 ?
                    RT:65003:5002 ET:8 Rmac:8a:07:59:49:b9:d9

Now my setup "seems is working", with two VMs with the same IP address, in different zones, and using a different IP address for NAT in vyos. I'm able to reach internet on both of them. This is also my NAT translation output in vyos:

Pre-NAT          Post-NAT         Proto    Timeout    Mark    Zone
---------------  ---------------  -------  ---------  ------  ------
10.3.2.16        10.2.3.11        icmp     29         0
10.3.2.16        10.2.3.10        icmp     29         0

I can share the commands issued on vyos, but I also need to test the VMs in different proxmox servers.

great

Indeed with nat && 2 ips it'll work. (As you don't need to route traffic between evpn && real-worl)


Could be interesting to share your full vyos config for other proxmox users.

I'm planning to add some examples for differents routers software in documentation or wiki soon.

 

[lp_xanclas]

Hello, sure, that's also my idea. Below the vyos configuration (some parts like system and service were removed). I can also share the commands.
Thank you for the help also, and hope this might help with the documentation.

interfaces {
    bridge br5000 {
        description customB
        member {
            interface vxlan5000 {
            }
        }
        vrf customB
    }
    bridge br5002 {
        description tenantC
        member {
            interface vxlan5002 {
            }
        }
        vrf tenantC
    }
    ethernet eth0 {
        address 10.2.1.2/24
        vrf management
    }
    ethernet eth1 {
        address dhcp
    }
    ethernet eth2 {
        address 10.2.2.2/24
        description "to proxmox VTEPs"
        mtu 1600
    }
    loopback lo {
    }
    pseudo-ethernet peth1 {
        address 10.2.3.10/24
        description NATcustomB
        source-interface eth1
        vrf customB
    }
    pseudo-ethernet peth2 {
        address 10.2.3.11/24
        description NATtenantC
        source-interface eth1
        vrf tenantC
    }
    vxlan vxlan5000 {
        mtu 1550
        parameters {
            nolearning
        }
        port 4789
        source-address 10.2.2.2
        vni 5000
    }
    vxlan vxlan5002 {
        mtu 1550
        parameters {
            nolearning
        }
        port 4789
        source-address 10.2.2.2
        vni 5002
    }
}
nat {
    source {
        rule 20 {
            outbound-interface {
                name peth2
            }
            translation {
                address masquerade
            }
        }
        rule 21 {
            outbound-interface {
                name peth1
            }
            source {
                group {
                }
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    bgp {
        address-family {
            ipv4-unicast {
                redistribute {
                }
            }
            l2vpn-evpn {
                advertise {
                    ipv4 {
                        unicast {
                        }
                    }
                }
                advertise-all-vni
            }
        }
        neighbor 10.2.2.4 {
            peer-group ibgp
        }
        neighbor 10.2.2.6 {
            peer-group ibgp
        }
        neighbor 10.2.2.7 {
            peer-group ibgp
        }
        parameters {
            log-neighbor-changes
        }
        peer-group ibgp {
            address-family {
                l2vpn-evpn {
                }
            }
            remote-as 65003
            update-source eth2
        }
        system-as 65003
    }
}
vrf {
    name customB {
        protocols {
            bgp {
                address-family {
                    ipv4-unicast {
                        network 0.0.0.0/0 {
                        }
                        redistribute {
                            connected {
                            }
                        }
                    }
                    l2vpn-evpn {
                        advertise {
                            ipv4 {
                                unicast {
                                }
                            }
                        }
                    }
                }
                system-as 65003
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 10.2.3.1 {
                    }
                }
            }
        }
        table 5000
        vni 5000
    }
    name management {
        protocols {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.2.1.1 {
                    }
                }
            }
        }
        table 100
    }
    name tenantC {
        protocols {
            bgp {
                address-family {
                    ipv4-unicast {
                        network 0.0.0.0/0 {
                        }
                        redistribute {
                            connected {
                            }
                        }
                    }
                    l2vpn-evpn {
                        advertise {
                            ipv4 {
                                unicast {
                                }
                            }
                        }
                    }
                }
                system-as 65003
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 10.2.3.1 {
                    }
                }
            }
        }
        table 5002
        vni 5002
    }
}

 

[confusing-charger]

Hello,

I am currently setting up the SDN evpn between two independent Proxmox servers in a test-lab and am still learning what BGP, EVPN etc. are all about.
At the moment I still lack a bit of an idea of how everything is connected and I've kind of reverse-engineered how all the interfaces are connected. This makes it easier for me to understand the whole thing, especially as far as the function of BGP is concerned.

An "evpn" zone connects multiple VNets or/and two or more nodes via VXLAN with the specified "VRF-VXLAN" tag.
At which level are the "VNets" located, which are basically a "vrf bridge interface" to which the CT/VM interface is then connected and a VXLAN interface?

# brctl show
evpn1       8000.bc2411fc211f   no      veth108i0
                                        vxlan_evpn1

What exactly is the vxlan_evpn1 responsible for? I tried using tcpdump to find out when packets with the VXLAN tag are sent from the "VNet", but couldn't see any.
Is this the interface that connects the VNets of the nodes within a cluster?

What is the reason for creating several subnets in a VNet if the "evpn1" interface is then the gateway for each subnet with a different IP address?
A VM interface is attached to the VNet and not to the subnet.
I have already read https://pve.proxmox.com/wiki/Software-Defined_Network#pvesdn_config_subnet, but I find it difficult to understand.

I would be delighted if you could shed some light on this.

 

[spirit]

Hello,

I am currently setting up the SDN evpn between two independent Proxmox servers in a test-lab and am still learning what BGP, EVPN etc. are all about.
At the moment I still lack a bit of an idea of how everything is connected and I've kind of reverse-engineered how all the interfaces are connected. This makes it easier for me to understand the whole thing, especially as far as the function of BGP is concerned.

An "evpn" zone connects multiple VNets or/and two or more nodes via VXLAN with the specified "VRF-VXLAN" tag.
At which level are the "VNets" located, which are basically a "vrf bridge interface" to which the CT/VM interface is then connected and a VXLAN interface?

# brctl show
evpn1       8000.bc2411fc211f   no      veth108i0
                                        vxlan_evpn1

What exactly is the vxlan_evpn1 responsible for? I tried using tcpdump to find out when packets with the VXLAN tag are sent from the "VNet", but couldn't see any.
Is this the interface that connects the VNets of the nodes within a cluster?

Vnet are bridge/switch. Bgp-Evpn is a control plane whos is exchanging vms mac && ip between nodes + use vxlan for dataplane/traffic exchange.
(vs flooding to all nodes with classic vxlan where you don't have control plan).

At layer 2 level (bridging), same vnet on different host is connected through a vxlan interface (with a specific vxlanid). The vxlan_evpn1 interface in your explame. (you should see it with "tcpdump port 4789")

at layer3 level (routing), which allow to route between different vnets, the vm send traffic to his local vnet gateway, then the traffic is routed through the vrf-vxlan interface (l3vni)

What is the reason for creating several subnets in a VNet if the "evpn1" interface is then the gateway for each subnet with a different IP address?

A VM interface is attached to the VNet and not to the subnet.

I have already read https://pve.proxmox.com/wiki/Software-Defined_Network#pvesdn_config_subnet, but I find it difficult to understand.

I would be delighted if you could shed some light on this.

because some users want it. (for example, public ips in different subnets on same vnet/vxlan).

But generally, you do 1subnet/1vnet .

This is your choice

 

[spirit]

Hi,
I have found a bug with multiple exit-nodes on pve8 (it's a regression bug in frr 8.5.x)

I have workaround it with a frr new configuration, if you have problem, here a patch:

https://mutulin1.odiso.net/libpve-network-perl_0.9.5_all.deb

It should be available soon in the official repos.

 

[eset]

yes, but their dns service are also in vxlan/overlay,so it's basic routing.

yep.

It'll route traffic to outside through the exit(s) (node(s). (They you need a route in the reverse side, to be able to reach your evpn network. Or maybe you can enable s-nat on the subnet, to be natted on the exit node ip, so no need to reverse route).

you need 2 exit-nodes for redudancy, and primary exit node need to be defined for s-nat. (it's active/backup).



Note that if you have physical switch/routers supporting evpn, you can use them as exit-nodes instead proxmox nodes.

On my network, I have a pair of arista switches, used as exit node for evpn, and inter-vlan gateway for the legacy vlan network.

@spirit
Btw I upgraded my routeros6 to routeros7 that supports EVPN and VXLAN.
But You mention to set exit nodes instead proxmox nodes.. but how? When that field in proxmox settings for the ZONE doesn't accept any value that proxmox node , so how can I put there something else?

 

[eset]

oh, ok, vyos can do evpn. (I have just read the doc, it's simply a debian with frr, with a special cli to manage configuration).

so, indeed, you just need to configure an evpn controller (no need extra bgp controller), and add vyos in the evpn controller peers list.
use same asn for vyos and your proxmox nodes.
in evpn zone, don't configure exit-node. (as it'll be your vyos).

I don't known how is working the conf in vyos, but the idea is to announce the default 0.0.0.0 through evpn type-5 route.
also on vyos, you need to create a l3vxlan iface with same 1001000 vxlanid.

I'll try to do test next week with vyos.

And I'm confused each time @spirit when you mention this:
in evpn zone, don't configure exit-node. (as it'll be your vyos). but that's impossible !

It always force the Primary Exit Node, take a look on screenshot.

 

[eset]

sorry I'm currently on holiday, I have only access with my phone with poor connection.


if mikrotic don't support evpn correctly
---------------------------------------------------------
for evpn controller: peers: you need to use all proxmox host ips, to exchange evpn routes.

then, for the exit node(pve), you add the bgp controller with the additionnal mikrotik peer (exactly like on your screenshot)


if mikrotic support evpn correctly (with full symmetric l3vni)
--------------------------------------------------------------------------------------

on epvn controler: peers: define all proxmox hosts ip + mikrotik ip
don't define exit node on zone
configure your mikrotik to announce an evpn type5 route 0.0.0.0/0 + an l3vni vxlan interface.

I wonder how should those peers in even controller set. With comma or something? Could be parsed into documentation because when adding like that



I should see in /etc/network/interfaces.d/sdn ?

Strange because non of settings with EVPN only (Without BGP controller) doesn't work or I don't understand how to set up l3vni on MikroTik as you discussed here

> configure your mikrotik to announce an evpn type5 route 0.0.0.0/0 + an l3vni vxlan interface.

I know how to set l3vni VXLAN interface if thats what you mean https://help.mikrotik.com/docs/display/ROS/VXLAN
But how to announce that I don't have clue. Only settings with BGP works. And exit node in Zone HAS to be SET otherwise it doesn't work with BGP and without I don't have a clue.

 

[spirit]

I wonder how should those peers in even controller set. With comma or something? Could be parsed into documentation because when adding like that

View attachment 62512

10.0.1.1,10.0.1.30

I should see in /etc/network/interfaces.d/sdn ?

you should see all remote peer ip on this list (excluding the local host ip) on the vxlan interfaces

Strange because non of settings with EVPN only (Without BGP controller) doesn't work or I don't understand how to set up l3vni on MikroTik as you discussed here

> configure your mikrotik to announce an evpn type5 route 0.0.0.0/0 + an l3vni vxlan interface.

I know how to set l3vni VXLAN interface if thats what you mean https://help.mikrotik.com/docs/display/ROS/VXLAN
But how to announce that I don't have clue. Only settings with BGP works. And exit node in Zone HAS to be SET otherwise it doesn't work with BGP and without I don't have a clue.

I don't have mikrotik hardware to test, sorry

you need to find some doc in mikrotik about symetric evpn setup + type-5 route announcement (for 0.0.0.0)


(Personally, i never have seen any doc about evpn support in routeros)

 

[spirit]

And I'm confused each time @spirit when you mention this:
in evpn zone, don't configure exit-node. (as it'll be your vyos). but that's impossible !

It always force the Primary Exit Node, take a look on screenshot.

View attachment 62511

this is a bug in the gui, I need to fix it. But it's not used, if you don't define any "exit-nodes" in the other filed.

 

[eset]

this is a bug in the gui, I need to fix it. But it's not used, if you don't define any "exit-nodes" in the other filed.

I mean it's possible through /etc/pve/sdn/zone.cfg to remove the exit node.

you should see all remote peer ip on this list (excluding the local host ip) on the vxlan interfaces

That's strange because for controller even if I setup 10.0.1.30,10.0.1.1 like this I only see there, in controller.cfg 10.0.1.1 IP without 10.0.1.30.
Only the previous setup works with BGP announcment, exit nodes defined.

RouterOS7 has VXLAN support that's for sure.
Ok I did my investigation and NO, RouterOS v7 doesn't have control plane for EVPN yet. Only data plane which is the VXLAN here only.

 

[Afox]

Is there any real life example for a possible structure utilizing SDN? Ideally with a drawing to better comprehend

 

[spirit]

I mean it's possible through /etc/pve/sdn/zone.cfg to remove the exit node.

it's really a bug in the gui ^_^

That's strange because for controller even if I setup 10.0.1.30,10.0.1.1 like this I only see there, in controller.cfg 10.0.1.1 IP without 10.0.1.30.

I don't see how it's possible...if you see "10.0.1.30,10.0.1.1" in the gui, it read the value from controller.cfg

Only the previous setup works with BGP announcment, exit nodes defined.

RouterOS7 has VXLAN support that's for sure.
Ok I did my investigation and NO, RouterOS v7 doesn't have control plane for EVPN yet. Only data plane which is the VXLAN here only.

ok thanks for the report. (even bsd,pfsense don't support yet evpn)

 

[eset]

it's really a bug in the gui ^_^


I don't see how it's possible...if you see "10.0.1.30,10.0.1.1" in the gui, it read the value from controller.cfg


ok thanks for the report. (even bsd,pfsense don't support yet evpn)

I really had that. GUI applied those two addresses and config under CLI when checking the file had only one IP. Yes, I did `Apply` in GUI.
Fuck it. The setup works inn BGP so no need to investigate any further. I can confirm MikroTik and SDN with EVPN controller and additional BGP.

 

[eset]

Is there any real life example for a possible structure utilizing SDN? Ideally with a drawing to better comprehend

You can check previous posts a made some charts how I use that with Mikrotik , my Lan network and SDN on Proxmox with VMs