SDN - Bug multiple VRFs

rpcomaite
Mar 24, 2023
Hello everybody,

I noticed a bug when using multiple VRFs.
When using the same exit-nodes on different VRFs but with a different primary, a deny entry is added to the MAP_VTEP_IN route-map for type 5 routes.
So if VRF "red" has primary exit-node node 1 and VRF "blue" has primary exit-node node 2, node 1 will not receive the default route for VRF "blue".
Is this a bug or an intentional configuration choice?

Thanks for your help
 
Mmmm, seems to be a bug. Can you share the generated /etc/frr/frr.conf?
 
Here is the content of the conf file.

Code:
!
frr version 8.2.2
frr defaults datacenter
hostname core501
log syslog informational
service integrated-vtysh-config
!
vrf vrf_client1
 vni 2
exit-vrf
!
vrf vrf_client2
 vni 4
exit-vrf
!
router bgp 65000
 bgp router-id 10.250.10.1
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.250.10.2 peer-group VTEP
 neighbor 10.250.10.3 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client1
 bgp router-id 10.250.10.1
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client2
 bgp router-id 10.250.10.1
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_IN permit 2
exit
!
route-map MAP_VTEP_OUT permit 1
 match evpn route-type prefix
 match evpn vni 4
 set metric 200
exit
!
route-map MAP_VTEP_OUT permit 2
exit
!
end
 
node2:
Code:
frr version 8.2.2
frr defaults datacenter
hostname core502
log syslog informational
service integrated-vtysh-config
!
vrf vrf_client1
 vni 2
exit-vrf
!
vrf vrf_client2
 vni 4
exit-vrf
!
router bgp 65000
 bgp router-id 10.250.10.2
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.250.10.1 peer-group VTEP
 neighbor 10.250.10.3 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_client1
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_client1
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client1
 bgp router-id 10.250.10.2
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client2
 bgp router-id 10.250.10.2
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  advertise ipv4 unicast
  advertise ipv6 unicast
 exit-address-family
exit
!
route-map MAP_VTEP_IN deny 1
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_IN permit 2
exit
!
route-map MAP_VTEP_OUT permit 1
 match evpn route-type prefix
 match evpn vni 2
 set metric 200
exit
!
route-map MAP_VTEP_OUT permit 2
exit
!
end
 
Mmm, ok.

The current code is (done for each zone/VRF):

Code:
    if ($is_gateway) {

        if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {
            # filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
            my $routemap_config = ();
            push @{$routemap_config}, "match evpn route-type prefix";
            my $routemap = { rule => $routemap_config, action => "deny" };
            unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
        }
    }

This is to avoid an exit-node receiving default routes from another exit-node and forwarding the traffic in a loop.

I need to do tests on my side, I'm not sure how it works with different VRFs;
maybe adding a simple "match evpn vni X" could work?

Can you try to modify /etc/frr/frr.conf?

Code:
route-map MAP_VTEP_IN deny 1
 match evpn vni 2
 match evpn route-type prefix
exit

and do a "systemctl reload frr"

?

(and if it's working, it could be great to test with 3 zones)
 
@spirit Why did you choose frr rather than OVN?
Because I'm using EVPN in my datacenter on physical hardware (Arista && Mellanox), and the EVPN implementation in FRR and VXLAN in the kernel are mainly maintained by Cumulus/Mellanox/NVIDIA (so production ready). And I really like standards, without needing to depend on a specific vendor implementation.


Note that technically, it's possible to add new kinds of zones and controllers (OVN could be possible). But I really don't have time for this.
The plan is to add the possibility of external SDN modules, like for storage, when SDN is out of beta.
 
Ok, I understand the reason better.
Anyway, thank you very much for the good work done on the SDN module!
 
@spirit OK, I checked again and it actually works!

NODE1:
Code:
frr version 8.2.2
frr defaults datacenter
hostname core501
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_client2
 vni 4
exit-vrf
!
vrf vrf_client1
 vni 2
exit-vrf
!
router bgp 65000
 bgp router-id 10.250.10.1
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.250.10.2 peer-group VTEP
 neighbor 10.250.10.3 peer-group VTEP
 neighbor 10.250.10.250 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client1
 bgp router-id 10.250.10.1
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client2
 bgp router-id 10.250.10.1
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
route-map MAP_VTEP_IN deny 1
 match evpn vni 2
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_IN permit 2
exit
!
route-map MAP_VTEP_OUT permit 1
 match evpn vni 4
 match evpn route-type prefix
 set metric 200
exit
!
route-map MAP_VTEP_OUT permit 2
exit
!
line vty
!

NODE 2
Code:
frr version 8.2.2
frr defaults datacenter
hostname core502
log syslog informational
service integrated-vtysh-config
!
!
vrf vrf_client2
 vni 4
exit-vrf
!
vrf vrf_client1
 vni 2
exit-vrf
!
router bgp 65000
 bgp router-id 10.250.10.2
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor VTEP bfd
 neighbor 10.250.10.1 peer-group VTEP
 neighbor 10.250.10.3 peer-group VTEP
 neighbor 10.250.10.250 peer-group VTEP
 !
 address-family ipv4 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family ipv6 unicast
  import vrf vrf_client1
  import vrf vrf_client2
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor VTEP route-map MAP_VTEP_IN in
  neighbor VTEP route-map MAP_VTEP_OUT out
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client2
 bgp router-id 10.250.10.2
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
router bgp 65000 vrf vrf_client1
 bgp router-id 10.250.10.2
 !
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family ipv6 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
  default-originate ipv6
 exit-address-family
exit
!
route-map MAP_VTEP_IN deny 1
 match evpn vni 4
 match evpn route-type prefix
exit
!
route-map MAP_VTEP_IN permit 2
exit
!
route-map MAP_VTEP_OUT permit 1
 match evpn vni 2
 match evpn route-type prefix
 set metric 200
exit
!
route-map MAP_VTEP_OUT permit 2
exit
!
line vty
!
 
@spirit Here is the change I made to the code in the EvpnPlugin.pm file:

Code:
if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {
    # filter default type5 route coming from other exit nodes on primary node or both nodes if no primary is defined.
    my $routemap_config = ();
    push @{$routemap_config}, "match evpn vni $vrfvxlan";
    push @{$routemap_config}, "match evpn route-type prefix";
    my $routemap = { rule => $routemap_config, action => "deny" };
    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_IN'}}, $routemap);
} elsif ($exitnodes_primary ne $local_node) {
    # non-primary exit node: advertise its type5 routes for this vni with a worse metric
    my $routemap_config = ();
    push @{$routemap_config}, "match evpn vni $vrfvxlan";
    push @{$routemap_config}, "match evpn route-type prefix";
    push @{$routemap_config}, "set metric 200";
    my $routemap = { rule => $routemap_config, action => "permit" };
    unshift(@{$config->{frr_routemap}->{'MAP_VTEP_OUT'}}, $routemap);
}
 
Hi,

Yes, I have done tests today in my lab and was able to reproduce it,
and

Code:
push @{$routemap_config}, "match evpn vni $vrfvxlan";

in the deny route-map indeed fixes it for me too.

I'll send a patch to the pve-devel mailing list.

Thanks for the report!
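To make the behaviour discussed in this thread concrete, here is an added Python model (not code from Proxmox's EvpnPlugin.pm or from FRR) of how FRR walks MAP_VTEP_IN for an incoming EVPN type-5 route, built for the two-VRF topology from the first post; build_map_vtep_in follows the plugin's per-zone deny/permit logic with and without the "match evpn vni" clause from the fix. The node names, VNIs and primary assignments are constructed from the thread, and the dataclass names are this example's own.

```python
from dataclasses import dataclass, field

@dataclass
class Route:
    """A received EVPN route: its L3 VNI and FRR route-type name ("prefix" is type 5)."""
    vni: int
    route_type: str

@dataclass
class Entry:
    """One route-map sequence: its action plus the 'match evpn ...' clauses."""
    action: str
    matches: dict = field(default_factory=dict)

    def hit(self, r: Route) -> bool:
        return all(getattr(r, k) == v for k, v in self.matches.items())

# Constructed topology from the first post: same exit nodes, different primary per VRF.
VRFS = {
    "vrf_client1": {"vni": 2, "exitnodes": {"core501", "core502"}, "primary": "core501"},
    "vrf_client2": {"vni": 4, "exitnodes": {"core501", "core502"}, "primary": "core502"},
}

def build_map_vtep_in(local_node: str, match_vni: bool) -> list:
    """Mirror the plugin's per-zone loop: a deny entry is unshifted for every VRF
    where local_node is the primary (or no primary is set), then the catch-all permit."""
    entries = []
    for vrf in VRFS.values():
        if local_node not in vrf["exitnodes"]:  # $is_gateway is false on this node
            continue
        if not vrf["primary"] or vrf["primary"] == local_node:
            m = {"route_type": "prefix"}
            if match_vni:  # the extra 'match evpn vni $vrfvxlan' from the fix
                m["vni"] = vrf["vni"]
            entries.insert(0, Entry("deny", m))
    entries.append(Entry("permit"))  # 'route-map MAP_VTEP_IN permit 2'
    return entries

def evaluate(route_map: list, r: Route) -> str:
    """First matching sequence wins, as in FRR; no clauses is match-all, no hit is an implicit deny."""
    for e in route_map:
        if e.hit(r):
            return e.action
    return "deny"

def accepted_defaults(local_node: str, match_vni: bool) -> dict:
    """Verdict for each VRF's default route as sent by the other exit node."""
    rm = build_map_vtep_in(local_node, match_vni)
    return {n: evaluate(rm, Route(v["vni"], "prefix")) for n, v in VRFS.items()}
```

Without the vni clause, core501 drops vrf_client2's default as well as its own VRF's, which is the loss the first post reports; with it, only the VRF where the node is primary is filtered.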
 
