From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network 06/16] evpn controller: allow multiple evpn controllers in a cluster
Date: Tue, 14 Apr 2026 18:33:03 +0200 [thread overview]
Message-ID: <20260414163315.419384-7-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20260414163315.419384-1-s.hanreich@proxmox.com>
Previously it was only possible to define one global EVPN controller
in a cluster, which represented a single peer-group - VTEP. This patch
allows defining multiple EVPN controllers in a cluster. One can think
of one EVPN controller as mapping to a single peer-group. This patch
series adds the possibility of defining multiple peer-groups.
In order to enable this change, introduce a new setting in the EVPN
controller 'peer-group-name'. Since it was only possible to create a
single EVPN controller in the entire cluster, the FRR config
generation generated a single peer group with a hard-coded name. To
allow defining multiple peer-groups and preserve
backwards-compatibility, a custom peer group name needs to be defined
explicitly for each additional controller. The setting is optional and
the peer group name defaults to 'VTEP' if unset, in order to avoid
breaking backwards-compatibility with custom FRR configurations.
Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
src/PVE/API2/Network/SDN/Controllers.pm | 5 ++
src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 68 +++++++++++++------
2 files changed, 52 insertions(+), 21 deletions(-)
diff --git a/src/PVE/API2/Network/SDN/Controllers.pm b/src/PVE/API2/Network/SDN/Controllers.pm
index 8633e45..49951a3 100644
--- a/src/PVE/API2/Network/SDN/Controllers.pm
+++ b/src/PVE/API2/Network/SDN/Controllers.pm
@@ -94,6 +94,11 @@ my $CONTROLLER_PROPERTIES = {
format => 'pve-sdn-isis-net',
},
nodes => get_standard_option('pve-node-list', { optional => 1 }),
+ 'peer-group-name' => {
+ description => "Name of the peer group for this EVPN controller",
+ type => 'string',
+ optional => 1,
+ },
};
__PACKAGE__->register_method({
diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index c13d08b..a683dde 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -38,6 +38,12 @@ sub properties {
format => 'ip-list',
},
nodes => get_standard_option('pve-node-list', { optional => 1 }),
+ 'peer-group-name' => {
+ description => "Name of the peer group for this EVPN controller",
+ type => 'string',
+ optional => 1,
+ default => 'VTEP',
+ },
};
}
@@ -49,6 +55,7 @@ sub options {
'route-map-in' => { optional => 1 },
'route-map-out' => { optional => 1 },
'nodes' => { optional => 1 },
+ 'peer-group-name' => { optional => 1 },
};
}
@@ -147,11 +154,13 @@ sub generate_frr_config {
$bgp_router->{address_families} = {};
}
+ my $peer_group_name = $plugin_config->{'peer-group-name'} // 'VTEP';
+
# Build VTEP neighbor group
my @vtep_ips = grep { $_ ne $ifaceip } @peers;
my $neighbor_group = {
- name => "VTEP",
+ name => $peer_group_name,
bfd => 1,
remote_as => $ebgp ? "external" : $asn,
ips => \@vtep_ips,
@@ -164,28 +173,37 @@ sub generate_frr_config {
# Configure l2vpn evpn address family
$bgp_router->{address_families}->{l2vpn_evpn} //= {
- neighbors => [{
- name => "VTEP",
- route_map_in => 'MAP_VTEP_IN',
- route_map_out => 'MAP_VTEP_OUT',
- }],
+ neighbors => [],
advertise_all_vni => 1,
};
+ my $route_map_in = 'MAP_VTEP_IN';
+ $route_map_in .= "_$peer_group_name" if $plugin_config->{'peer-group-name'};
+
+ my $route_map_out = 'MAP_VTEP_OUT';
+ $route_map_out .= "_$peer_group_name" if $plugin_config->{'peer-group-name'};
+
+ push $bgp_router->{address_families}->{l2vpn_evpn}->{neighbors}->@*,
+ {
+ name => $peer_group_name,
+ route_map_in => $route_map_in,
+ route_map_out => $route_map_out,
+ };
+
$bgp_router->{address_families}->{l2vpn_evpn}->{autort_as} = $autortas if $autortas;
- if (!$config->{frr}->{routemaps}->{'MAP_VTEP_IN'}) {
+ if (!$config->{frr}->{routemaps}->{$route_map_in}) {
my $entry = { seq => 1, action => "permit" };
$entry->{call} = $plugin_config->{'route-map-in'} if $plugin_config->{'route-map-in'};
- push($config->{frr}->{routemaps}->{'MAP_VTEP_IN'}->@*, $entry);
+ push($config->{frr}->{routemaps}->{$route_map_in}->@*, $entry);
}
- if (!$config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}) {
+ if (!$config->{frr}->{routemaps}->{$route_map_out}) {
my $entry = { seq => 1, action => "permit" };
$entry->{call} = $plugin_config->{'route-map-out'} if $plugin_config->{'route-map-out'};
- push($config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}->@*, $entry);
+ push($config->{frr}->{routemaps}->{$route_map_out}->@*, $entry);
}
return $config;
@@ -343,6 +361,12 @@ sub generate_zone_frr_config {
{ seq => 1, action => 'permit', network => '::/0', is_ipv6 => 1 },
) if !defined($config->{frr}->{prefix_lists}->{only_default_v6});
+ my $route_map_in = 'MAP_VTEP_IN';
+ $route_map_in .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'};
+
+ my $route_map_out = 'MAP_VTEP_OUT';
+ $route_map_out .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'};
+
if (!$exitnodes_primary || $exitnodes_primary eq $local_node) {
# Filter default route coming from other exit nodes on primary node
my $routemap_config_v6 = {
@@ -351,7 +375,7 @@ sub generate_zone_frr_config {
};
my $routemap_v6 = { seq => 1, matches => [$routemap_config_v6], action => "deny" };
unshift(
- @{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap_v6,
+ @{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap_v6,
);
my $routemap_config = {
@@ -359,7 +383,7 @@ sub generate_zone_frr_config {
value => 'only_default',
};
my $routemap = { seq => 1, matches => [$routemap_config], action => "deny" };
- unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap);
+ unshift(@{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap);
} elsif ($exitnodes_primary ne $local_node) {
my $routemap_config_v6 = {
@@ -373,7 +397,7 @@ sub generate_zone_frr_config {
action => "permit",
};
unshift(
- @{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap_v6,
+ @{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap_v6,
);
my $routemap_config = {
@@ -386,7 +410,7 @@ sub generate_zone_frr_config {
sets => [{ key => 'metric', value => 200 }],
action => "permit",
};
- unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap);
+ unshift(@{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap);
}
if (!$exitnodes_local_routing) {
@@ -493,18 +517,20 @@ sub on_delete_hook {
sub on_update_hook {
my ($class, $controllerid, $controller_cfg) = @_;
- # we can only have 1 evpn controller / 1 asn by server
+ my $controller = $controller_cfg->{ids}->{$controllerid};
- my $controllernb = 0;
foreach my $id (keys %{ $controller_cfg->{ids} }) {
next if $id eq $controllerid;
- my $controller = $controller_cfg->{ids}->{$id};
- next if $controller->{type} ne "evpn";
- $controllernb++;
- die "only 1 global evpn controller can be defined" if $controllernb >= 1;
+ my $other_controller = $controller_cfg->{ids}->{$id};
+ next if $other_controller->{type} ne "evpn";
+
+ die "cannot have two controllers with no peer-group-name configured"
+ if !$controller->{'peer-group-name'} && !$other_controller->{'peer-group-name'};
+
+ die "cannot have two controllers with same peer-group-name configured"
+ if $controller->{'peer-group-name'} eq $other_controller->{'peer-group-name'};
}
- my $controller = $controller_cfg->{ids}->{$controllerid};
if ($controller->{type} eq 'evpn') {
die "must have exactly one of peers / fabric defined"
if ($controller->{peers} && $controller->{fabric})
--
2.47.3
next prev parent reply other threads:[~2026-04-14 16:34 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 16:32 [RFC docs/manager/network/proxmox-ve-rs 00/16] Extend EVPN controller functionality Stefan Hanreich
2026-04-14 16:32 ` [PATCH proxmox-ve-rs 01/16] frr: add local-as setting Stefan Hanreich
2026-04-14 16:32 ` [PATCH proxmox-ve-rs 02/16] frr: add support for extcommunity lists Stefan Hanreich
2026-04-14 16:33 ` [PATCH proxmox-ve-rs 03/16] frr-templates: render local-as setting Stefan Hanreich
2026-04-14 16:33 ` [PATCH proxmox-ve-rs 04/16] frr-templates: render community lists in templates Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 05/16] evpn controller: make nodes configurable Stefan Hanreich
2026-04-14 16:33 ` Stefan Hanreich [this message]
2026-04-14 16:33 ` [PATCH pve-network 07/16] evpn controller: add bgp-mode setting Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 08/16] evpn zone: add secondary-controllers and rt filtering Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 09/16] evpn controller: add ebgp-multihop setting Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 10/16] test: evpn: add test for ibgp + ebgp evpn controller Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 11/16] test: evpn: add legacy test Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 12/16] tests: evpn: force ibgp over ebgp bgp controller with ebgp wan session Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-network 13/16] tests: test route filtering mechanism with multiple zones/controllers Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-manager 14/16] sdn: evpn: zone: controller: add new advanced fields Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-docs 15/16] sdn: evpn: document new zone / controller options Stefan Hanreich
2026-04-14 16:33 ` [PATCH pve-docs 16/16] sdn: fix typo in bgp controller Stefan Hanreich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260414163315.419384-7-s.hanreich@proxmox.com \
--to=s.hanreich@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.