SDN - L3 External Connectivity for VXLAN/EVPN

s.karaim

Jan 29, 2026
I am trying to wrap my head around the zone types in Proxmox and how external connectivity works. I have a two-node test cluster in my lab connected to a VXLAN/EVPN fabric, and I would like to use Proxmox's SDN functionality to manage workloads and networking within the cluster and make these workloads available to the outside world via BGP. I want to peer with my fabric using BGP (IPv4 AF) and announce the subnets defined within the cluster.

Now, I am trying to understand the following: for communication within the cluster, I can use either a VXLAN or an EVPN zone. A VXLAN zone lets me define VXLANs without a control plane, so communication between nodes is probably based on flood-and-learn or ingress replication. An EVPN zone, on the other hand, brings an EVPN control plane into the picture, so unicast communication relies on EVPN-learned entries, and ingress replication or multicast is used for BUM traffic.

After setting up the zones, what is the proper way to peer a simple BGP IPv4 session with the external fabric to announce all the networks that exist in Proxmox? I thought I could define an EVPN zone (VRF), create VNETs with subnets, select exit nodes and configure a BGP controller to speak BGP to the outside world. However, the GUI immediately told me this is not possible because my controller is not of the EVPN type - though I don't want to use EVPN AF to connect to the outside world.
 
You need to use both an EVPN controller (for the zone) which would handle distributing routes via the L2VPN EVPN AF and handle east-west traffic between PVE nodes, and then the BGP controller for announcing the routes via IPv4 AF for north-south traffic.
 
Thank you for the quick reply. How do I decide which BGP controller belongs to which EVPN Zone? Let us assume we have dedicated L3 exits per EVPN Zone.
 
The way it works currently is that you define your nodes as exit nodes in the EVPN zone and then all EVPN routes from those zones get leaked/imported to the default routing table, which you can then announce via the BGP controller in IPv4 AF.

Currently it's not possible to separate this on the host via VRFs, but we're looking into implementing that. If you need that functionality you will need a router that is able to utilize the L2VPN EVPN AF and handle it on the router itself.
 
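The route import described in the replies above, as an added example that is not part of the original thread or Proxmox's own code: a Python audit that reads SDN zone and controller definitions and reports, per exit node, which EVPN zones land in the same default routing table and whether that node has a BGP controller to announce them. The sample configuration is constructed, and the section layout and key names (`controller`, `exitnodes`, `node`, `peers`) are assumptions about Proxmox's SDN configuration files.

```python
import re

# Constructed sample in Proxmox section-config style; key names are assumed.
CONTROLLERS_CFG = """\
evpn: evpnctl
    peers 10.0.0.1,10.0.0.2

bgp: bgppve1
    node pve1
    peers 192.0.2.1
"""
ZONES_CFG = """\
evpn: tenantA
    controller evpnctl
    exitnodes pve1,pve2

evpn: tenantB
    controller evpnctl
    exitnodes pve1

vxlan: l2only
"""

def parse_sections(text):
    """Parse 'type: id' headers followed by indented 'key value' lines."""
    sections, cur = [], None
    for line in text.splitlines():
        head = re.match(r"^(\S+):\s+(\S+)\s*$", line)
        if head:
            cur = {"type": head.group(1), "id": head.group(2)}
            sections.append(cur)
        elif cur is not None and line.strip():
            key, _, value = line.strip().partition(" ")
            cur[key] = value.strip()
    return sections

def audit(zones_text, controllers_text):
    """Per exit node: EVPN zones imported into its default routing table."""
    bgp_nodes = {c["node"] for c in parse_sections(controllers_text)
                 if c["type"] == "bgp" and "node" in c}
    leaks = {}
    for zone in parse_sections(zones_text):
        if zone["type"] == "evpn" and zone.get("exitnodes"):
            for node in zone["exitnodes"].split(","):
                leaks.setdefault(node.strip(), []).append(zone["id"])
    return {node: {"zones": sorted(zones),
                   "has_bgp_controller": node in bgp_nodes,
                   "zones_mixed": len(zones) > 1}
            for node, zones in leaks.items()}
```

A node where `zones_mixed` is true carries routes from more than one zone in a single table, which is the missing per-VRF separation on the host that the last reply mentions.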