From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 2C3E71FF18C for ; Tue, 14 Apr 2026 18:34:20 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 697301F3B0; Tue, 14 Apr 2026 18:34:00 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH pve-network 06/16] evpn controller: allow multiple evpn controllers in a cluster Date: Tue, 14 Apr 2026 18:33:03 +0200 Message-ID: <20260414163315.419384-7-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260414163315.419384-1-s.hanreich@proxmox.com> References: <20260414163315.419384-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1776184326518 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.694 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: MD4WBC242KDWIYSX5LNFFDKUCFZT5DSZ X-Message-ID-Hash: MD4WBC242KDWIYSX5LNFFDKUCFZT5DSZ X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Previously it was only possible to define one global EVPN controller in a cluster, which represented a single peer-group - VTEP. This patch allows defining multiple EVPN controllers in a cluster. One can think of one EVPN controller as mapping to a single peer-group. This patch series adds the possibility of defining multiple peer-groups. In order to enable this change, introduce a new setting in the EVPN controller 'peer-group-name'. Since it was only possible to create a single EVPN controller in the entire cluster, the FRR config generation generated a single peer group with a hard-coded name. To allow defining multiple peer-groups and preserve backwards-compatibility, a custom peer group name needs to be defined explicitly for each additional controller. The setting is optional and the peer group name defaults to 'VTEP' if unset, in order to avoid breaking backwards-compatibility with custom FRR configurations. Signed-off-by: Stefan Hanreich --- src/PVE/API2/Network/SDN/Controllers.pm | 5 ++ src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 68 +++++++++++++------ 2 files changed, 52 insertions(+), 21 deletions(-) diff --git a/src/PVE/API2/Network/SDN/Controllers.pm b/src/PVE/API2/Network/SDN/Controllers.pm index 8633e45..49951a3 100644 --- a/src/PVE/API2/Network/SDN/Controllers.pm +++ b/src/PVE/API2/Network/SDN/Controllers.pm @@ -94,6 +94,11 @@ my $CONTROLLER_PROPERTIES = { format => 'pve-sdn-isis-net', }, nodes => get_standard_option('pve-node-list', { optional => 1 }), + 'peer-group-name' => { + description => "Name of the peer group for this EVPN controller", + type => 'string', + optional => 1, + }, }; __PACKAGE__->register_method({ diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm index c13d08b..a683dde 100644 --- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm @@ -38,6 +38,12 @@ sub properties { format => 'ip-list', }, nodes => get_standard_option('pve-node-list', { optional => 1 }), + 'peer-group-name' => { + description => "Name of the peer group for this EVPN controller", + type => 'string', + optional => 1, + default => 'VTEP', + }, }; } @@ -49,6 +55,7 @@ sub options { 'route-map-in' => { optional => 1 }, 'route-map-out' => { optional => 1 }, 'nodes' => { optional => 1 }, + 'peer-group-name' => { optional => 1 }, }; } @@ -147,11 +154,13 @@ sub generate_frr_config { $bgp_router->{address_families} = {}; } + my $peer_group_name = $plugin_config->{'peer-group-name'} // 'VTEP'; + # Build VTEP neighbor group my @vtep_ips = grep { $_ ne $ifaceip } @peers; my $neighbor_group = { - name => "VTEP", + name => $peer_group_name, bfd => 1, remote_as => $ebgp ? "external" : $asn, ips => \@vtep_ips, @@ -164,28 +173,37 @@ sub generate_frr_config { # Configure l2vpn evpn address family $bgp_router->{address_families}->{l2vpn_evpn} //= { - neighbors => [{ - name => "VTEP", - route_map_in => 'MAP_VTEP_IN', - route_map_out => 'MAP_VTEP_OUT', - }], + neighbors => [], advertise_all_vni => 1, }; + my $route_map_in = 'MAP_VTEP_IN'; + $route_map_in .= "_$peer_group_name" if $plugin_config->{'peer-group-name'}; + + my $route_map_out = 'MAP_VTEP_OUT'; + $route_map_out .= "_$peer_group_name" if $plugin_config->{'peer-group-name'}; + + push $bgp_router->{address_families}->{l2vpn_evpn}->{neighbors}->@*, + { + name => $peer_group_name, + route_map_in => $route_map_in, + route_map_out => $route_map_out, + }; + $bgp_router->{address_families}->{l2vpn_evpn}->{autort_as} = $autortas if $autortas; - if (!$config->{frr}->{routemaps}->{'MAP_VTEP_IN'}) { + if (!$config->{frr}->{routemaps}->{$route_map_in}) { my $entry = { seq => 1, action => "permit" }; $entry->{call} = $plugin_config->{'route-map-in'} if $plugin_config->{'route-map-in'}; - push($config->{frr}->{routemaps}->{'MAP_VTEP_IN'}->@*, $entry); + push($config->{frr}->{routemaps}->{$route_map_in}->@*, $entry); } - if (!$config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}) { + if (!$config->{frr}->{routemaps}->{$route_map_out}) { my $entry = { seq => 1, action => "permit" }; $entry->{call} = $plugin_config->{'route-map-out'} if $plugin_config->{'route-map-out'}; - push($config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}->@*, $entry); + push($config->{frr}->{routemaps}->{$route_map_out}->@*, $entry); } return $config; @@ -343,6 +361,12 @@ sub generate_zone_frr_config { { seq => 1, action => 'permit', network => '::/0', is_ipv6 => 1 }, ) if !defined($config->{frr}->{prefix_lists}->{only_default_v6}); + my $route_map_in = 'MAP_VTEP_IN'; + $route_map_in .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'}; + + my $route_map_out = 'MAP_VTEP_OUT'; + $route_map_out .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'}; + if (!$exitnodes_primary || $exitnodes_primary eq $local_node) { # Filter default route coming from other exit nodes on primary node my $routemap_config_v6 = { @@ -351,7 +375,7 @@ sub generate_zone_frr_config { }; my $routemap_v6 = { seq => 1, matches => [$routemap_config_v6], action => "deny" }; unshift( - @{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap_v6, + @{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap_v6, ); my $routemap_config = { @@ -359,7 +383,7 @@ sub generate_zone_frr_config { value => 'only_default', }; my $routemap = { seq => 1, matches => [$routemap_config], action => "deny" }; - unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap); + unshift(@{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap); } elsif ($exitnodes_primary ne $local_node) { my $routemap_config_v6 = { @@ -373,7 +397,7 @@ sub generate_zone_frr_config { action => "permit", }; unshift( - @{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap_v6, + @{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap_v6, ); my $routemap_config = { @@ -386,7 +410,7 @@ sub generate_zone_frr_config { sets => [{ key => 'metric', value => 200 }], action => "permit", }; - unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap); + unshift(@{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap); } if (!$exitnodes_local_routing) { @@ -493,18 +517,20 @@ sub on_delete_hook { sub on_update_hook { my ($class, $controllerid, $controller_cfg) = @_; - # we can only have 1 evpn controller / 1 asn by server + my $controller = $controller_cfg->{ids}->{$controllerid}; - my $controllernb = 0; foreach my $id (keys %{ $controller_cfg->{ids} }) { next if $id eq $controllerid; - my $controller = $controller_cfg->{ids}->{$id}; - next if $controller->{type} ne "evpn"; - $controllernb++; - die "only 1 global evpn controller can be defined" if $controllernb >= 1; + my $other_controller = $controller_cfg->{ids}->{$id}; + next if $other_controller->{type} ne "evpn"; + + die "cannot have two controllers with no peer-group-name configured" + if !$controller->{'peer-group-name'} && !$other_controller->{'peer-group-name'}; + + die "cannot have two controllers with same peer-group-name configured" + if $controller->{'peer-group-name'} eq $other_controller->{'peer-group-name'}; } - my $controller = $controller_cfg->{ids}->{$controllerid}; if ($controller->{type} eq 'evpn') { die "must have exactly one of peers / fabric defined" if ($controller->{peers} && $controller->{fabric}) -- 2.47.3