Re: [pve-devel] [PATCH container 1/1] Signed-off-by: Maurice Klein <klein@aetherus.de>

[Stefan Hanreich <s.hanreich@proxmox.com>]

On 1/27/26 11:36 AM, Maurice Klein wrote:
> Hi,
> 
> I didn't even think about mac address, since arp does recover quickly
> but it would be a unwanted interruption.
> 
> I like the idea with using a bridge with l2 isolation.
> I'd like to implement the zone then, with the use of a l2 isolated bridge.
> 
> I'd propose the first step would be to get the zone working, to get the
> mechanism working to add host routes.
> I would use one VRF then per zone.

For a PoC we could just utilize the default routing table I think? VRF
support for SDN entities is something that is on the mid-term roadmap,
so if we want VRF support we'd need to be careful not to put any
barriers in that make implementing that feature harder. We'd also have
to make sure that VRFs stay unique across all entities that are using
them (currently only EVPN zone). If we generate the names analogous to
the EVPN zones we should be fine since all zones regardless of type
share the same ID space.

With multiple VRFs, you'd ideally want to have the option to announce
the routes per-VRF. Utilizing transit VLANs for zones would make sense
then and also being able to map each VNet in a zone to a VLAN. That'd
require creating VLAN subinterfaces inside a VRF as well via our stack
and adding them to a VNet (might be done automatically) / VRF. At that
point we're building essentially what is VRF-lite though, so that's a
bit more involved.

> A proposed name would be "Routed".
> Do you have better Ideas?
> 
> A roadmap I'd have in my head then would look the following way:
> 
> - implement zone "Routed"
>    ensuring that all routing between guests and host works and that
> default routes get put in the vrf as well

I'd not necessarily put in the default route unconditionally, either as
a config option, or - if we skip VRF support for now - we'd get this for
free via implementing the VRF feature afterwards.

> - implement possibility to export host routes of routed zones via BGP

see below

> - implement possibility to add static routes per Routed zone, like
> different default routes or others

we would get that via VRF support as well

> - implement dynamic routing updates into routed zones vrf tables
> 
> Where I'm still not sure is how to get routing in a cluster running
> between the same zone.
> It could be implemented via IBGP Sessions between the hosts, but i don't
> know if that is the preffered way and it needs to be clear to the user
> which path will be taken and how it works.

One option would be to utilize e.g. the fabrics where we plan to add
initial support for route redistribution soon. This should get
integrated with a future VRF feature as well. That would decouple the
zone from the redistribution / announcing itself and give users
flexibility in choosing their routing protocol. Users can create
fabrics, then select which VRFs to announce via them (and apply filters
via route-maps).