SDN: announce VXLAN networks on external edge BGP router: how to?

rustine22

Hi,
I have successfully set up a VXLAN network and EVPN on the nodes. Now I would like to announce this VXLAN network on several external BGP routers directly connected to the nodes.

I have tried creating a "BGP controller" on Proxmox and established a BGP session between the administrative network IP of the node and the external BGP router, but the VXLAN network isn't announced. Is this the right way to do it?

Thanks
 
BGP controller is for IPv4/6 unicast - so for exchanging routes of the nodes. If you want to exchange EVPN routes, you need to create an EVPN controller.
 
Thanks for the reply. External BGP routers, in default configuration, only deal with IPv4 unicast. Is it possible to tell the EVPN controller on exit Proxmox nodes to announce IPv4 prefixes to external BGP routers instead of EVPN prefixes?
 
You have to use both controllers at the same time to achieve that.
 
It's OK thanks :-)

Now one last thing: how do I tell Proxmox FRR to create a BGP neighbor in the VRF in PVE for the VXLAN prefix (in my case vrf_HEB2), and not in the global routing table?

Because I want my external BGP neighbor to announce the default route in VRF vrf_HEB2, not in the global table of the PVE node.

Here is the autogenerated FRR PVE SDN configuration:

Code:
vrf vrf_HEB2
 vni 102
exit-vrf
!
router bgp 65000
 bgp router-id 192.168.1.253
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor BGP peer-group
 neighbor BGP remote-as 65000
 neighbor BGP bfd
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 192.168.1.163 peer-group BGP
 !
 address-family ipv4 unicast
  neighbor BGP activate
  neighbor BGP soft-reconfiguration inbound
  import vrf vrf_HEB2
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_HEB2
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_HEB2
 bgp router-id 192.168.1.253
 no bgp hard-administrative-reset
 no bgp graceful-restart notification
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
 
Is .163 the external device? You want to announce a default route in the overlay network, do I understand correctly?

You should already be able to do this by announcing an EVPN type 5 route for 0.0.0.0/0.
 
Yes, you understand well.

.163 is the external BGP router: this external BGP device basically only deals with IPv4 unicast, so an EVPN type 5 announcement by this external equipment is not possible. So I tried to announce 0.0.0.0/0 from .163 to the PVE node, but the route was installed directly in the FIB of PVE without a VRF (very dangerous!)

VRF config for the external BGP neighbor is also important in the following case: 2 PVE VXLAN subnets of 2 different customers would have the same IP subnet, for example 192.168.100.0/24 for the 2 customers.
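
Added example (not part of the original posts, and not Proxmox or FRR code): a small Python check that reads an FRR configuration like the one posted above and lists, per BGP instance, the peers activated for ipv4 unicast, which shows where a default route announced by .163 would be installed. The embedded config is a trimmed excerpt of the posted one, the function names are hypothetical, and the parser assumes address-based neighbors with explicit `activate` lines (as with `no bgp default ipv4-unicast`).

```python
import re
# Excerpt of the FRR configuration posted above, trimmed to the lines this check reads.
FRR_CONF = """\
router bgp 65000
 no bgp default ipv4-unicast
 neighbor BGP peer-group
 neighbor BGP remote-as 65000
 neighbor 192.168.1.163 peer-group BGP
 address-family ipv4 unicast
  neighbor BGP activate
  import vrf vrf_HEB2
 exit-address-family
exit
router bgp 65000 vrf vrf_HEB2
exit
"""

def parse_bgp(conf):
    """Map each BGP instance ("default" or a VRF name) to peers, activations and VRF imports."""
    inst, cur, af = {}, None, None
    for line in (l.strip() for l in conf.splitlines()):
        if m := re.fullmatch(r"router bgp \d+(?: vrf (\S+))?", line):
            cur = inst[m.group(1) or "default"] = {"peers": {}, "active": {}, "imports": {}}
            af = None
        elif cur is None:
            continue                                   # outside any "router bgp" stanza
        elif line == "exit":
            cur = None
        elif line.startswith("address-family "):
            af = line.split(None, 1)[1]
        elif line == "exit-address-family":
            af = None
        elif m := re.fullmatch(r"neighbor (\S+) peer-group (\S+)", line):
            cur["peers"][m.group(1)] = m.group(2)      # peer that is a member of a group
        elif m := re.fullmatch(r"neighbor (\S*[.:]\S*) remote-as \S+", line):
            cur["peers"].setdefault(m.group(1), None)  # peer configured by address
        elif af and (m := re.fullmatch(r"neighbor (\S+) activate", line)):
            cur["active"].setdefault(af, set()).add(m.group(1))
        elif af and (m := re.fullmatch(r"import vrf (\S+)", line)):
            cur["imports"].setdefault(af, []).append(m.group(1))
    return inst

def unicast_peers(inst, vrf, af="ipv4 unicast"):
    """Peers whose address or peer-group is activated for `af` in instance `vrf`."""
    on = inst[vrf]["active"].get(af, set())
    return sorted(p for p, grp in inst[vrf]["peers"].items() if p in on or grp in on)

if __name__ == "__main__":
    print({v: unicast_peers(parse_bgp(FRR_CONF), v) for v in parse_bgp(FRR_CONF)})
```

For the posted configuration this reports 192.168.1.163 under the default instance and no ipv4 unicast peer under vrf_HEB2, which matches the behavior described above.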
 
this external BGP device basically only deals with IPv4 unicast, so an EVPN type 5 announcement by this external equipment is not possible.
I'd have to look closely at whether this can be achieved; I think there is a way. But if you just announce a normal ipv4-unicast route then this is distinct from a type 5 route of course, so this behavior is expected.

VRF config for the external BGP neighbor is also important in the following case: 2 PVE VXLAN subnets of 2 different customers would have the same IP subnet, for example 192.168.100.0/24 for the 2 customers.
Currently, each EVPN zone represents a single VRF, so in order to use multiple VRFs (i.e. multi-tenant EVPN), you need to create separate EVPN zones.
 
Currently, each EVPN zone represents a single VRF, so in order to use multiple VRFs (i.e. multi-tenant EVPN), you need to create separate EVPN zones.

OK, but if the BGP controller was correctly implemented, an external IPv4 unicast neighbor for each EVPN zone should announce routes in the associated VRF on PVE, not in the global routing table of PVE?

That is the problem currently.

Thanks
 
I think you are mixing ipv4-unicast with l2vpn evpn address families: ipv4-unicast is for the underlay network (which should land in the default VRF), l2vpn evpn for the overlay network (which should land in the respective VRF of the EVPN zone).

I think you might be able to import IPv4-unicast learned routes into the EVPN VRF, but I'd have to check how to do this exactly (and there might also be some implications since you're mixing two distinct networks).
 
OK, thanks. So the BGP controller on PVE isn't VRF-aware for the moment, and that's the normal behavior.

I'm going to look into how to enable an EVPN peer on the external Cisco BGP device, but it seems complicated. Another solution would be to install an FRR VM on the exit node to do the translation EVPN <-> IPv4 unicast, but this VM will be charged with all the throughput of the entire PVE ...
 
I'm going to look into how to enable an EVPN peer on the external Cisco BGP device, but it seems complicated. Another solution would be to install an FRR VM on the exit node to do the translation EVPN <-> IPv4 unicast, but this VM will be charged with all the throughput of the entire PVE ...
You can just use it as a route reflector doing iBGP and fudging the routes via route-maps while still routing traffic through the external router. The easiest case would be to have a router that is able to talk BGP with family l2vpn evpn. Maybe @spirit has another, better idea.
 