From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 2/2] sdn: evpn: support eBGP EVPN over BGP fabric underlay
Date: Fri, 27 Mar 2026 16:10:30 +0100 [thread overview]
Message-ID: <20260327151031.149360-6-h.laimer@proxmox.com> (raw)
In-Reply-To: <20260327151031.149360-1-h.laimer@proxmox.com>
When the EVPN controller references a BGP fabric, configure the EVPN
sessions as eBGP. Each node's fabric ASN becomes the router process ASN,
and VTEP peers use 'remote-as external' with 'ebgp-multihop' for
loopback-based peering across the fabric.
EVPN sessions run as eBGP with per-node fabric ASNs rather than using
'local-as' to present a shared overlay ASN for iBGP peering. While iBGP
would be simpler (no autort override needed), peers created as eBGP
retain a hop limit of 1 even after local-as reclassifies them as iBGP,
and 'ebgp-multihop' - used to raise the hop limit for eBGP peers - is
silently ignored for iBGP peers. With other fabric types all nodes share
one ASN, so peers are created as iBGP from the start with hop limit 255.
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 40 ++++++++-
.../bgp_fabric/expected_controller_config | 73 ++++++++++++++++
.../evpn/bgp_fabric/expected_sdn_interfaces | 56 ++++++++++++
src/test/zones/evpn/bgp_fabric/interfaces | 6 ++
src/test/zones/evpn/bgp_fabric/sdn_config | 85 +++++++++++++++++++
5 files changed, 258 insertions(+), 2 deletions(-)
create mode 100644 src/test/zones/evpn/bgp_fabric/expected_controller_config
create mode 100644 src/test/zones/evpn/bgp_fabric/expected_sdn_interfaces
create mode 100644 src/test/zones/evpn/bgp_fabric/interfaces
create mode 100644 src/test/zones/evpn/bgp_fabric/sdn_config
diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index d2825f57..186b4c39 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -65,6 +65,9 @@ sub generate_frr_config {
my $bgp_controller = find_bgp_controller($local_node, $controller_cfg);
my $isis_controller = find_isis_controller($local_node, $controller_cfg);
+ my $fabric_is_bgp = 0;
+ my $fabric_asn = undef;
+
if ($plugin_config->{'fabric'}) {
my $config = PVE::Network::SDN::Fabrics::config(1);
@@ -99,6 +102,12 @@ sub generate_frr_config {
$ifaceip = $current_node->{ip};
$routerid = $current_node->{ip};
+ # Detect BGP fabric underlay - needs special ASN handling
+ if ($fabric->{protocol} eq 'bgp') {
+ $fabric_is_bgp = 1;
+ $fabric_asn = int($current_node->{asn});
+ }
+
} elsif ($plugin_config->{'peers'}) {
@peers = PVE::Tools::split_list($plugin_config->{'peers'});
@@ -116,7 +125,14 @@ sub generate_frr_config {
return;
}
- if ($bgp_controller) {
+ if ($fabric_is_bgp && $fabric_asn) {
+ # BGP fabric underlay: EVPN sessions are eBGP between per-node ASNs.
+ # The router runs under the fabric node ASN; VTEP peers are external.
+ $ebgp = 1;
+ $asn = $fabric_asn;
+ $autortas = $plugin_config->{asn}
+ if int($plugin_config->{asn}) != $fabric_asn;
+ } elsif ($bgp_controller) {
$ebgp = 1 if $plugin_config->{'asn'} ne $bgp_controller->{asn};
$asn = int($bgp_controller->{asn}) if $bgp_controller->{asn};
$autortas = $plugin_config->{'asn'} if $ebgp;
@@ -138,6 +154,12 @@ sub generate_frr_config {
$bgp_router->{address_families} = {};
}
+ # eBGP EVPN over BGP fabric needs multipath-relax for ECMP
+ if ($fabric_is_bgp) {
+ $bgp_router->{bestpath_as_path_multipath_relax} = 1;
+ $bgp_router->{disable_ebgp_connected_route_check} = 1;
+ }
+
# Build VTEP neighbor group
my @vtep_ips = grep { $_ ne $ifaceip } @peers;
@@ -148,6 +170,7 @@ sub generate_frr_config {
ips => \@vtep_ips,
interfaces => [],
};
+
$neighbor_group->{ebgp_multihop} = 10 if $ebgp && $loopback;
$neighbor_group->{update_source} = $loopback if $loopback;
@@ -201,6 +224,9 @@ sub generate_zone_frr_config {
my $bgprouter = find_bgp_controller($local_node, $controller_cfg);
my $isisrouter = find_isis_controller($local_node, $controller_cfg);
+ my $fabric_is_bgp = 0;
+ my $fabric_asn = undef;
+
if ($controller->{fabric}) {
my $config = PVE::Network::SDN::Fabrics::config(1);
@@ -234,6 +260,11 @@ sub generate_zone_frr_config {
$ifaceip = $current_node->{ip};
$routerid = $current_node->{ip};
+ if ($fabric->{protocol} eq 'bgp') {
+ $fabric_is_bgp = 1;
+ $fabric_asn = int($current_node->{asn});
+ }
+
} elsif ($controller->{peers}) {
@peers = PVE::Tools::split_list($controller->{'peers'}) if $controller->{'peers'};
@@ -252,7 +283,12 @@ sub generate_zone_frr_config {
return;
}
- if ($bgprouter) {
+ if ($fabric_is_bgp && $fabric_asn) {
+ $ebgp = 1;
+ $asn = $fabric_asn;
+ $autortas = $controller->{asn}
+ if int($controller->{asn}) != $fabric_asn;
+ } elsif ($bgprouter) {
$ebgp = 1 if $controller->{'asn'} ne $bgprouter->{asn};
$asn = $bgprouter->{asn} if $bgprouter->{asn};
$autortas = $controller->{'asn'} if $ebgp;
diff --git a/src/test/zones/evpn/bgp_fabric/expected_controller_config b/src/test/zones/evpn/bgp_fabric/expected_controller_config
new file mode 100644
index 00000000..56d35e02
--- /dev/null
+++ b/src/test/zones/evpn/bgp_fabric/expected_controller_config
@@ -0,0 +1,73 @@
+frr version 10.4.1
+frr defaults datacenter
+hostname localhost
+log syslog informational
+service integrated-vtysh-config
+!
+vrf vrf_evpn
+ vni 100
+exit-vrf
+!
+router bgp 65100
+ bgp router-id 10.10.10.1
+ no bgp hard-administrative-reset
+ no bgp default ipv4-unicast
+ coalesce-time 1000
+ no bgp graceful-restart notification
+ bgp disable-ebgp-connected-route-check
+ bgp bestpath as-path multipath-relax
+ neighbor VTEP peer-group
+ neighbor VTEP remote-as external
+ neighbor VTEP bfd
+ neighbor VTEP ebgp-multihop 10
+ neighbor VTEP update-source dummy_test
+ neighbor 10.10.10.2 peer-group VTEP
+ neighbor 10.10.10.3 peer-group VTEP
+ neighbor test peer-group
+ neighbor test remote-as external
+ neighbor ens18 interface peer-group test
+ neighbor ens19 interface peer-group test
+ !
+ address-family ipv4 unicast
+ network 10.10.10.1/32
+ neighbor test activate
+ neighbor test soft-reconfiguration inbound
+ exit-address-family
+ !
+ address-family l2vpn evpn
+ neighbor VTEP activate
+ neighbor VTEP route-map MAP_VTEP_IN in
+ neighbor VTEP route-map MAP_VTEP_OUT out
+ advertise-all-vni
+ autort as 65000
+ exit-address-family
+exit
+!
+router bgp 65100 vrf vrf_evpn
+ bgp router-id 10.10.10.1
+ no bgp hard-administrative-reset
+ no bgp graceful-restart notification
+ !
+ address-family l2vpn evpn
+ route-target import 65000:100
+ route-target export 65000:100
+ exit-address-family
+exit
+!
+access-list pve_bgp_test_ips permit 10.10.10.0/24
+!
+route-map MAP_VTEP_IN permit 1
+exit
+!
+route-map MAP_VTEP_OUT permit 1
+exit
+!
+route-map pve_bgp permit 100
+ match ip address pve_bgp_test_ips
+ set src 10.10.10.1
+exit
+!
+ip protocol bgp route-map pve_bgp
+!
+line vty
+!
diff --git a/src/test/zones/evpn/bgp_fabric/expected_sdn_interfaces b/src/test/zones/evpn/bgp_fabric/expected_sdn_interfaces
new file mode 100644
index 00000000..fd1429d8
--- /dev/null
+++ b/src/test/zones/evpn/bgp_fabric/expected_sdn_interfaces
@@ -0,0 +1,56 @@
+#version:1
+
+auto vnet0
+iface vnet0
+ address 10.123.123.1/24
+ hwaddress BC:24:11:3B:39:34
+ bridge_ports vxlan_vnet0
+ bridge_stp off
+ bridge_fd 0
+ mtu 1450
+ ip-forward on
+ arp-accept on
+ vrf vrf_evpn
+
+auto vrf_evpn
+iface vrf_evpn
+ vrf-table auto
+ post-up ip route add vrf vrf_evpn unreachable default metric 4278198272
+
+auto vrfbr_evpn
+iface vrfbr_evpn
+ bridge-ports vrfvx_evpn
+ bridge_stp off
+ bridge_fd 0
+ mtu 1450
+ vrf vrf_evpn
+
+auto vrfvx_evpn
+iface vrfvx_evpn
+ vxlan-id 100
+ vxlan-local-tunnelip 10.10.10.1
+ bridge-learning off
+ bridge-arp-nd-suppress on
+ mtu 1450
+
+auto vxlan_vnet0
+iface vxlan_vnet0
+ vxlan-id 123456
+ vxlan-local-tunnelip 10.10.10.1
+ bridge-learning off
+ bridge-arp-nd-suppress on
+ mtu 1450
+
+auto dummy_test
+iface dummy_test inet static
+ address 10.10.10.1/32
+ link-type dummy
+ ip-forward 1
+
+auto ens18
+iface ens18 inet manual
+ ip-forward 1
+
+auto ens19
+iface ens19 inet manual
+ ip-forward 1
diff --git a/src/test/zones/evpn/bgp_fabric/interfaces b/src/test/zones/evpn/bgp_fabric/interfaces
new file mode 100644
index 00000000..08874137
--- /dev/null
+++ b/src/test/zones/evpn/bgp_fabric/interfaces
@@ -0,0 +1,6 @@
+auto vmbr0
+iface vmbr0 inet static
+ address 10.10.10.1/32
+ bridge-ports eth0
+ bridge-stp off
+ bridge-fd 0
diff --git a/src/test/zones/evpn/bgp_fabric/sdn_config b/src/test/zones/evpn/bgp_fabric/sdn_config
new file mode 100644
index 00000000..080f1e98
--- /dev/null
+++ b/src/test/zones/evpn/bgp_fabric/sdn_config
@@ -0,0 +1,85 @@
+{
+ 'zones' => {
+ 'ids' => {
+ 'evpn' => {
+ 'type' => 'evpn',
+ 'ipam' => 'pve',
+ 'mac' => 'BC:24:11:3B:39:34',
+ 'controller' => 'ctrl',
+ 'vrf-vxlan' => 100
+ }
+ }
+ },
+ 'vnets' => {
+ 'ids' => {
+ 'vnet0' => {
+ 'zone' => 'evpn',
+ 'type' => 'vnet',
+ 'tag' => 123456
+ }
+ }
+ },
+ 'version' => 1,
+ 'subnets' => {
+ 'ids' => {
+ 'evpn-10.123.123.0-24' => {
+ 'vnet' => 'vnet0',
+ 'type' => 'subnet',
+ 'gateway' => '10.123.123.1'
+ }
+ }
+ },
+ 'controllers' => {
+ 'ids' => {
+ 'ctrl' => {
+ 'fabric' => 'test',
+ 'asn' => 65000,
+ 'type' => 'evpn'
+ }
+ }
+ },
+ 'fabrics' => {
+ 'ids' => {
+ 'test' => {
+ 'type' => 'bgp_fabric',
+ 'id' => 'test',
+ 'bfd' => 0,
+ 'ip_prefix' => '10.10.10.0/24',
+ },
+ 'test_localhost' => {
+ 'asn' => 65100,
+ 'interfaces' => [
+ 'name=ens18',
+ 'name=ens19'
+ ],
+ 'id' => 'test_localhost',
+ 'type' => 'bgp_node',
+ 'ip' => '10.10.10.1',
+ 'role' => 'internal',
+ },
+ 'test_pathfinder' => {
+ 'asn' => 65101,
+ 'id' => 'test_pathfinder',
+ 'interfaces' => [
+ 'name=ens18',
+ 'name=ens19'
+ ],
+ 'ip' => '10.10.10.2',
+ 'type' => 'bgp_node',
+ 'role' => 'internal',
+ },
+ 'test_raider' => {
+ 'asn' => 65102,
+ 'ip' => '10.10.10.3',
+ 'type' => 'bgp_node',
+ 'interfaces' => [
+ 'name=ens18',
+ 'name=ens19'
+ ],
+ 'id' => 'test_raider',
+ 'role' => 'internal',
+ }
+ }
+ }
+ };
+
--
2.47.3
next prev parent reply other threads:[~2026-03-27 15:10 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 15:10 [PATCH manager/network/proxmox{-ve-rs,-perl-rs} 0/6] sdn: add BGP fabric Hannes Laimer
2026-03-27 15:10 ` [PATCH proxmox-ve-rs 1/1] sdn: fabric: add BGP protocol support Hannes Laimer
2026-03-27 15:10 ` [PATCH proxmox-perl-rs 1/2] sdn: fabrics: add BGP config generation Hannes Laimer
2026-03-27 15:10 ` [PATCH proxmox-perl-rs 2/2] sdn: fabrics: add BGP status endpoints Hannes Laimer
2026-03-27 15:10 ` [PATCH pve-network 1/2] sdn: fabrics: register bgp as a fabric protocol type Hannes Laimer
2026-03-27 15:10 ` Hannes Laimer [this message]
2026-03-27 15:10 ` [PATCH pve-manager 1/1] ui: sdn: add BGP fabric support Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260327151031.149360-6-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.