From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pve-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
	by lore.proxmox.com (Postfix) with ESMTPS id B6A571FF146
	for <inbox@lore.proxmox.com>; Tue, 12 May 2026 17:51:12 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id C09A119C38;
	Tue, 12 May 2026 17:51:10 +0200 (CEST)
From: Hannes Laimer <h.laimer@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [PATCH pve-network] sdn: evpn: support eBGP VTEPs over BGP fabric
 underlays
Date: Tue, 12 May 2026 17:50:24 +0200
Message-ID: <20260512155024.311919-1-h.laimer@proxmox.com>
X-Mailer: git-send-email 2.47.3
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1778600921448
X-SPAM-LEVEL: Spam detection results:  0
	AWL                    -0.920 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	KAM_MAILER                  2 Automated Mailer Tag Left in Email
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
	URIBL_BLOCKED           0.001 ADMINISTRATOR NOTICE: The query to URIBL was
 blocked.  See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [evpnplugin.pm,proxmox.com]
Message-ID-Hash: VAVH7VDU6PDI2U5CL6W2SUYIH3W3BKCD
X-Message-ID-Hash: VAVH7VDU6PDI2U5CL6W2SUYIH3W3BKCD
X-MailFrom: h.laimer@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pve-devel-owner@lists.proxmox.com>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Subscribe: <mailto:pve-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pve-devel-leave@lists.proxmox.com>

When the EVPN underlay is a BGP fabric, every node already has a unique
per-node ASN for eBGP unnumbered peering. Reuse that ASN for the EVPN
overlay too when the user picks bgp-mode=external, so VTEP sessions
naturally form as eBGP between different ASNs without needing a separate
overlay-ASN scheme. The existing local-as plumbing handles the resulting
mismatch with the router's main ASN.

The EVPN controller's own ASN is still used for autoderived route-target
values, keeping route-targets consistent across the fabric even though
each VTEP advertises under its own per-node ASN.

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
this should have been part of [1], but since I forgot to include it,
sending it as a follow-up. For this+the main bgp-fabric series
pre-built packages are available on sani. should make testing a little
easier :P

[1] https://lore.proxmox.com/pve-devel/20260512141305.199664-1-h.laimer@proxmox.com/T/#t

 src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
index 3264cf5..4c7fb46 100644
--- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
+++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm
@@ -114,6 +114,7 @@ sub generate_frr_config {
     my $ifaceip = undef;
     my $routerid = undef;
     my $bgp_mode = $plugin_config->{'bgp-mode'} // 'legacy';
+    my $use_per_node_asn = 0;
 
     my $bgp_controller = find_bgp_controller($local_node, $controller_cfg);
     my $isis_controller = find_isis_controller($local_node, $controller_cfg);
@@ -152,6 +153,21 @@ sub generate_frr_config {
         $ifaceip = $current_node->{ip};
         $routerid = $current_node->{ip};
 
+        if ($fabric->{protocol} eq 'bgp' && $bgp_mode eq 'external') {
+            if (!$current_node->{asn}) {
+                log_warn(
+                    "Node $local_node has no ASN in BGP fabric $fabric->{id};"
+                    . " cannot configure eBGP VTEPs for EVPN controller"
+                    . " $plugin_config->{id}"
+                );
+                return;
+            }
+            $asn = int($current_node->{asn});
+            $ebgp = 1;
+            $autortas = $plugin_config->{asn};
+            $use_per_node_asn = 1;
+        }
+
     } elsif ($plugin_config->{'peers'}) {
         @peers = PVE::Tools::split_list($plugin_config->{'peers'});
 
@@ -211,8 +227,14 @@ sub generate_frr_config {
     if ($bgp_mode eq 'legacy') {
         $neighbor_group->{ebgp_multihop} = 10 if $ebgp && $loopback;
     } elsif ($bgp_mode eq 'external') {
-        $neighbor_group->{ebgp_multihop} = int($plugin_config->{'ebgp-multihop'})
-            if $ebgp && $plugin_config->{'ebgp-multihop'};
+        if ($ebgp && $plugin_config->{'ebgp-multihop'}) {
+            $neighbor_group->{ebgp_multihop} = int($plugin_config->{'ebgp-multihop'});
+        } elsif ($use_per_node_asn) {
+            # eBGP VTEPs over a BGP fabric reach each peer via the per-node
+            # fabric loopback. The peers are not directly connected, so the
+            # session needs multihop to form.
+            $neighbor_group->{ebgp_multihop} = 10;
+        }
     }
 
     if ($asn != int($bgp_router->{asn})) {
-- 
2.47.3