PVE8.1 - SDN (problematic) experiences and other fun with IPv6 configurations

hvisage

Good day,

I have a new set of clusters to be deployed in environments where I do have needs for SDN (vxlan-evpn) and loopback routes for CEPH while preparing for IPv6 only networks. Though I did get it going at one stage (IPv4 only), there are still missing pieces/processes that I'm stumbling on that either I misread/misunderstand the documentation, or simply aren't documented nor implemented yet.

So the problems I currently experience that aren't documented, or that might be perhaps in 8.2 but haven't found yet myself so that is why I have to state I'm testing/FAFOing on PVE 8.1.10 at present

0. there is missing documentation especially w.r.t. what is happening in what part of the configuration processes, so yes, SDN is still HBD/caveat emptor for anything not simple easy ;)

  1. When having IPv6 endpoints, the BGP router-id (which is an IPv4 quad-octet) gets filled in with the IPv6 IP, and then FRR fails on that - difficult to see/find as I've not found a CLI way to run/debug other than systemctl restart frr ; systemctl status frr and/or vtysh -c "wr t" checking the configs of /etc/frr/frr.conf
  2. This brings me to /etc/frr/frr.conf.local - gleaned from forum posts, not documented, and still "buggy"/lacking w.r.t. what is/isn't loaded
    1. For one, I have some stuff I want added to router isis routernetname but having router isis routernetname in frr.conf.local, gives this error below, and having it without the routernetname, there isn't an error, but the generated frr.conf has that router isis stanza separately, and thus frr throws errors/doesn't properly load
      TASK ERROR: Not a HASH reference at /usr/share/perl5/PVE/Network/SDN/Controllers/EvpnPlugin.pm line 542.
    2. several IPv6 keywords/configs not yet "accepted" (yes, could add the code perhaps myself, but this post is to document for others to be aware of ;) ), like:
      ipv6 access-list
      Reason I'm "needing" this is that I wanted the spf prefix-priority critical ACL_LIST for reasons attempts to faster converge ISIS to not have other errors during SDN Apply
  3. I'm missing hooks (perhaps they are there, couldn't yet glean from the source code where/how) to debug and/or add delays during the SDN apply process.
    • Specifically where/what is doing a /sbin/ip get route 2cff:ffff:feed:feed:1:0:5:3 - that fails during reloading, as that is a loopback on one of the nodes, that ISIS hasn't yet converged with
    • yes, it is the EVPN/VTEP and BGP peer end point, but I've been unable to find the "culprit", as I need to add some delays before that, or see why FRR was restarted, instead of reloaded.
  4. There is a "Warning" that should've been an error that does an FRR restart, instead of reload, and doing that restart (using something like systemctl) it misses the errors generated by FRR for the config
  5. ISIS net id isn't properly parsed in GUI nor during config parsing and frr.conf generation. See above warning that should be error - only picked this up as I was rechecking frr.conf & vtysh's wr t output.
  6. THERE IS NO Factory Reset for SDN, so difficult to go back to a "clean" state
    • there is also /etc/pve/sdn/.version, /etc/pve/sdn/.running_config and /etc/network/interfaces.d/sdn, as well as the removal (manual/reboot) of the interfaces/bridges to have a "clean" state
    • recreation of /etc/frr/frr.conf is somehow dependent on something else, but because I don't have a debug, nor had time to re-re-re-read the code, insights into the flow/process of the SDN Apply, I can't say what is or isn't done where that might be failing to also fix.
  7. ifreload -a not IPv6 only ready w.r.t. vxlan?
    vxlan_vRack1 : error: vxlan_vRack1: vxlan-remoteip: Expected 4 octets in '2cff:ffff:feed:feed:1:0:5:3'

    TASK ERROR: command 'ifreload -a' failed: exit code 1
 
Something I am missing, is a pre & post FRR config (perhaps templates that have values/numbers filled in from the GUI/SDN configuration like the ISIS process/router name, ASN numbers etc.). Loading those into/via vtysh/yang/etc., would ease custom and north-south configurations and can/would/could assist in fixing/forcing some values to have FRR reload, instead of needing restarts?
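A pre-flight check for the two IPv4-only fields reported in the post above (the BGP router-id in frr.conf and the vxlan-remoteip that ifreload rejected with "Expected 4 octets"), as an added example that is not part of the original post and not Proxmox code. The sample configs are constructed, and the function names `classify` and `find_non_ipv4` are hypothetical.

```python
import ipaddress
import re

# Constructed samples modelled on the symptoms in the post; not real generated files.
SAMPLE_FRR_CONF = """\
router bgp 65000
 bgp router-id 2cff:ffff:feed:feed:1:0:5:3
 neighbor VTEP peer-group
!
router bgp 65000 vrf vrf_zone1
 bgp router-id 10.0.5.3
!
"""
SAMPLE_IFACES = """\
auto vxlan_vRack1
iface vxlan_vRack1
    vxlan-id 100
    vxlan-remoteip 2cff:ffff:feed:feed:1:0:5:3
    vxlan-remoteip 10.0.5.4
"""

# Keyword pattern -> label. The router-id is a 32-bit value written as a dotted
# quad; vxlan-remoteip is checked because of the ifreload error quoted in the post.
CHECKS = {
    re.compile(r"^\s*bgp router-id\s+(\S+)"): "BGP router-id",
    re.compile(r"^\s*vxlan-remoteip\s+(\S+)"): "vxlan-remoteip",
}

def classify(value):
    """Return 'ipv4', 'ipv6' or 'invalid' for a config value."""
    try:
        return "ipv4" if ipaddress.ip_address(value).version == 4 else "ipv6"
    except ValueError:
        return "invalid"

def find_non_ipv4(text, source):
    """Return (source, line_no, label, value, kind) for every offending line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for pattern, label in CHECKS.items():
            m = pattern.match(line)
            if m and classify(m.group(1)) != "ipv4":
                findings.append((source, no, label, m.group(1), classify(m.group(1))))
    return findings

if __name__ == "__main__":
    for f in (find_non_ipv4(SAMPLE_FRR_CONF, "frr.conf")
              + find_non_ipv4(SAMPLE_IFACES, "interfaces.d/sdn")):
        print("%s:%d: %s is %s (%s), expected IPv4 dotted quad" % (f[0], f[1], f[2], f[4], f[3]))
```

Running it against the generated files before a restart or `ifreload -a` points at the offending line directly instead of leaving it to be found in `systemctl status frr` output.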
 
Hi,
Thanks for all your reports

could you open multiple separate bugs on bugzilla.proxmox.com ?

I'll help to track fixes

I have never tested evpn+vxlan in a pure ipv6 network, only ipv4, because I knew there were bugs 2 years ago in frr or kernel. I'll try to test it again.

About frr.conf.local, it's not documented, because it's not yet 100% ready ;) I add missing syntax support when users are requesting it (so I'll add your need soon :)
 
yeah, there are a couple of those that only match IPv4 (assumptions?) instead of both IPv6/IPv4, but the "fun" is that (ie. OSPF/BGP IDs) are 32bit, and thus "assumed"/simplified as 4x octets, and then "typically" using the loopback/highest IP as the ID (assumptions) so ... yeah, IPv6 overlooked/missed if some PITA like me tests it ;)

I'll be (slowly) updating bug reports/etc. as I get time myself to test and deploy these.
 