From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 35DCB1FF136 for ; Mon, 04 May 2026 18:25:57 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id E068E99E3; Mon, 4 May 2026 18:25:33 +0200 (CEST) From: Stefan Hanreich To: pve-devel@lists.proxmox.com Subject: [PATCH pve-network v2 06/18] evpn controller: allow multiple evpn controllers in a cluster Date: Mon, 4 May 2026 18:24:45 +0200 Message-ID: <20260504162501.425135-7-s.hanreich@proxmox.com> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260504162501.425135-1-s.hanreich@proxmox.com> References: <20260504162501.425135-1-s.hanreich@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1777911803035 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.660 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: JTX673BLVYP6TEWLIDEEX7NQV4O77B5N X-Message-ID-Hash: JTX673BLVYP6TEWLIDEEX7NQV4O77B5N X-MailFrom: s.hanreich@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Previously it was only possible to define one global EVPN controller in a cluster, which represented a single peer-group - VTEP. This patch allows defining multiple EVPN controllers in a cluster. One can think of one EVPN controller as mapping to a single peer-group. This patch series adds the possibility of defining multiple peer-groups. In order to enable this change, introduce a new setting in the EVPN controller 'peer-group-name'. Since it was only possible to create a single EVPN controller in the entire cluster, the FRR config generation generated a single peer group with a hard-coded name. To allow defining multiple peer-groups and preserve backwards-compatibility, a custom peer group name needs to be defined explicitly for each additional controller. The setting is optional and the peer group name defaults to 'VTEP' if unset, in order to avoid breaking backwards-compatibility with custom FRR configurations. Signed-off-by: Stefan Hanreich Reviewed-by: Hannes Laimer --- src/PVE/API2/Network/SDN/Controllers.pm | 5 ++ src/PVE/Network/SDN/Controllers/EvpnPlugin.pm | 68 +++++++++++++------ 2 files changed, 52 insertions(+), 21 deletions(-) diff --git a/src/PVE/API2/Network/SDN/Controllers.pm b/src/PVE/API2/Network/SDN/Controllers.pm index 8633e45..49951a3 100644 --- a/src/PVE/API2/Network/SDN/Controllers.pm +++ b/src/PVE/API2/Network/SDN/Controllers.pm @@ -94,6 +94,11 @@ my $CONTROLLER_PROPERTIES = { format => 'pve-sdn-isis-net', }, nodes => get_standard_option('pve-node-list', { optional => 1 }), + 'peer-group-name' => { + description => "Name of the peer group for this EVPN controller", + type => 'string', + optional => 1, + }, }; __PACKAGE__->register_method({ diff --git a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm index 4c2891c..67046da 100644 --- a/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm +++ b/src/PVE/Network/SDN/Controllers/EvpnPlugin.pm @@ -38,6 +38,12 @@ sub properties { format => 'ip-list', }, nodes => get_standard_option('pve-node-list', { optional => 1 }), + 'peer-group-name' => { + description => "Name of the peer group for this EVPN controller", + type => 'string', + optional => 1, + default => 'VTEP', + }, }; } @@ -49,6 +55,7 @@ sub options { 'route-map-in' => { optional => 1 }, 'route-map-out' => { optional => 1 }, 'nodes' => { optional => 1 }, + 'peer-group-name' => { optional => 1 }, }; } @@ -147,11 +154,13 @@ sub generate_frr_config { $bgp_router->{address_families} = {}; } + my $peer_group_name = $plugin_config->{'peer-group-name'} // 'VTEP'; + # Build VTEP neighbor group my @vtep_ips = grep { $_ ne $ifaceip } @peers; my $neighbor_group = { - name => "VTEP", + name => $peer_group_name, bfd => 1, remote_as => $ebgp ? "external" : $asn, ips => \@vtep_ips, @@ -164,28 +173,37 @@ sub generate_frr_config { # Configure l2vpn evpn address family $bgp_router->{address_families}->{l2vpn_evpn} //= { - neighbors => [{ - name => "VTEP", - route_map_in => 'MAP_VTEP_IN', - route_map_out => 'MAP_VTEP_OUT', - }], + neighbors => [], advertise_all_vni => 1, }; + my $route_map_in = 'MAP_VTEP_IN'; + $route_map_in .= "_$peer_group_name" if $plugin_config->{'peer-group-name'}; + + my $route_map_out = 'MAP_VTEP_OUT'; + $route_map_out .= "_$peer_group_name" if $plugin_config->{'peer-group-name'}; + + push $bgp_router->{address_families}->{l2vpn_evpn}->{neighbors}->@*, + { + name => $peer_group_name, + route_map_in => $route_map_in, + route_map_out => $route_map_out, + }; + $bgp_router->{address_families}->{l2vpn_evpn}->{autort_as} = $autortas if $autortas; - if (!$config->{frr}->{routemaps}->{'MAP_VTEP_IN'}) { + if (!$config->{frr}->{routemaps}->{$route_map_in}) { my $entry = { seq => 1, action => "permit" }; $entry->{call} = $plugin_config->{'route-map-in'} if $plugin_config->{'route-map-in'}; - push($config->{frr}->{routemaps}->{'MAP_VTEP_IN'}->@*, $entry); + push($config->{frr}->{routemaps}->{$route_map_in}->@*, $entry); } - if (!$config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}) { + if (!$config->{frr}->{routemaps}->{$route_map_out}) { my $entry = { seq => 1, action => "permit" }; $entry->{call} = $plugin_config->{'route-map-out'} if $plugin_config->{'route-map-out'}; - push($config->{frr}->{routemaps}->{'MAP_VTEP_OUT'}->@*, $entry); + push($config->{frr}->{routemaps}->{$route_map_out}->@*, $entry); } return $config; @@ -343,6 +361,12 @@ sub generate_zone_frr_config { { seq => 1, action => 'permit', network => '::/0', is_ipv6 => 1 }, ) if !defined($config->{frr}->{prefix_lists}->{only_default_v6}); + my $route_map_in = 'MAP_VTEP_IN'; + $route_map_in .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'}; + + my $route_map_out = 'MAP_VTEP_OUT'; + $route_map_out .= "_$controller->{'peer-group-name'}" if $controller->{'peer-group-name'}; + if (!$exitnodes_primary || $exitnodes_primary eq $local_node) { # Filter default route coming from other exit nodes on primary node my $routemap_config_v6 = { @@ -351,7 +375,7 @@ sub generate_zone_frr_config { }; my $routemap_v6 = { seq => 1, matches => [$routemap_config_v6], action => "deny" }; unshift( - @{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap_v6, + @{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap_v6, ); my $routemap_config = { @@ -359,7 +383,7 @@ sub generate_zone_frr_config { value => 'only_default', }; my $routemap = { seq => 1, matches => [$routemap_config], action => "deny" }; - unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_IN'} }, $routemap); + unshift(@{ $config->{frr}->{routemaps}->{$route_map_in} }, $routemap); } elsif ($exitnodes_primary ne $local_node) { my $routemap_config_v6 = { @@ -373,7 +397,7 @@ sub generate_zone_frr_config { action => "permit", }; unshift( - @{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap_v6, + @{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap_v6, ); my $routemap_config = { @@ -386,7 +410,7 @@ sub generate_zone_frr_config { sets => [{ key => 'metric', value => "200" }], action => "permit", }; - unshift(@{ $config->{frr}->{routemaps}->{'MAP_VTEP_OUT'} }, $routemap); + unshift(@{ $config->{frr}->{routemaps}->{$route_map_out} }, $routemap); } if (!$exitnodes_local_routing) { @@ -493,18 +517,20 @@ sub on_delete_hook { sub on_update_hook { my ($class, $controllerid, $controller_cfg) = @_; - # we can only have 1 evpn controller / 1 asn by server + my $controller = $controller_cfg->{ids}->{$controllerid}; - my $controllernb = 0; foreach my $id (keys %{ $controller_cfg->{ids} }) { next if $id eq $controllerid; - my $controller = $controller_cfg->{ids}->{$id}; - next if $controller->{type} ne "evpn"; - $controllernb++; - die "only 1 global evpn controller can be defined" if $controllernb >= 1; + my $other_controller = $controller_cfg->{ids}->{$id}; + next if $other_controller->{type} ne "evpn"; + + my $peer_group_name_self = $controller->{'peer-group-name'} // 'VTEP'; + my $peer_group_name_other = $other_controller->{'peer-group-name'} // 'VTEP'; + + die "cannot have two controllers with same peer-group-name configured ($peer_group_name_self)" + if $peer_group_name_self eq $peer_group_name_other; } - my $controller = $controller_cfg->{ids}->{$controllerid}; my $route_map_config = PVE::Network::SDN::RouteMaps::config(0); if ($controller->{'route-map-in'}) { -- 2.47.3