SDN evpn: zone setup

[pascald]

Hello,

I'm trying to understand the whole SDN concept and started with setting up a test environment.
Currently I have 2 nodes in a cluster and was able to setup a SDN evpn network.
I have the following:

evpn: ctrl1
        asn 65000
        peers 10.40.0.11,10.40.0.12

subnet: zone1-10.1.1.0-24
        vnet vnet1
        gateway 10.1.1.1
        snat 1

subnet: zone1-10.1.2.0-24
        vnet vnet2
        gateway 10.1.2.1

subnet: zone2-10.2.1.0-24
        vnet vnet3
        gateway 10.2.1.1
        snat 1

vnet: vnet1
        zone zone1
        tag 11000

vnet: vnet2
        zone zone1
        tag 12000

vnet: vnet3
        zone zone2
        tag 21000

evpn: zone1
        controller ctrl1
        vrf-vxlan 10000
        exitnodes pvel1
        ipam pve
        mac AE:4C:6D:ED:C9:2E

evpn: zone2
        controller ctrl1
        vrf-vxlan 20000
        exitnodes pvel1
        ipam pve
        mac 9E:AB:81:76:EF:74

What is puzzling me :

I believe that Zones are used to isolate networks.
Communication between vnets in the same zone is possible, but not between vnets in different zones.
Zones can have a exitnode configured to route traffic from the vnets running in that zone.

Zone isolation works in my setup as long as the zone don't share the same exitnode.
If multiple zone are configured with the same exitnode, then traffic is getting routed between those zones.

Is it possible to isolate the zones from each other but still share the same exitnode?


Sorry for the noob questions, but your help is much appreciated.

 

[spirit]

Hi.
Yes, a zone is a domain of isolation.
if case of evpn, a zone is a VRF , which create different routing tables, and allow only subnets in the same zone/vrf to be routed between them.

When you an exit-node, the traffic is routed between the zone vrf and the default vrf of the exit node (the real network).

The main vrf import routes from the the vrf.

I didn't known that traffic was able to be routed between zones through the exit node. Thanks for the report. (It should be filtered by default)
I'll try to look at this next week, it shouldn't be too complicated to implement.

 

[pascald]

Hi.
Yes, a zone is a domain of isolation.
if case of evpn, a zone is a VRF , which create different routing tables, and allow only subnets in the same zone/vrf to be routed between them.

When you an exit-node, the traffic is routed between the zone vrf and the default vrf of the exit node (the real network).

The main vrf import routes from the the vrf.

I didn't known that traffic was able to be routed between zones through the exit node. Thanks for the report. (It should be filtered by default)
I'll try to look at this next week, it shouldn't be too complicated to implement.

Thank you for your support.
It would be nice if you could have the choise.

 

[pascald]

Hi.
Yes, a zone is a domain of isolation.
if case of evpn, a zone is a VRF , which create different routing tables, and allow only subnets in the same zone/vrf to be routed between them.

When you an exit-node, the traffic is routed between the zone vrf and the default vrf of the exit node (the real network).

The main vrf import routes from the the vrf.

I didn't known that traffic was able to be routed between zones through the exit node. Thanks for the report. (It should be filtered by default)
I'll try to look at this next week, it shouldn't be too complicated to implement.

Hi,

I noticed that version 6.3 has been released.
Does this version include a fix for this issue?

 

[spirit]

Hi,

I noticed that version 6.3 has been released.
Does this version include a fix for this issue?

no, not yet sorry. I was very busy at work theses last month. (can you make a request to bugzilla.proxmox.com ? Like this, I'll not forgot it).

 

[pascald]

Submitted: https://bugzilla.proxmox.com/show_bug.cgi?id=4389