This is currently not included, because

- it requires ifupdown2
- routing needs more documentation

VXLAN layer2 with vlan unaware linux bridges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VXLAN is an overlay network to carry Ethernet traffic over an existing IP network
while accommodating a very large number of tenants. It is defined in RFC 7348.
Each overlay network is known as a VXLAN Segment and identified by a unique
24-bit segment ID called a VXLAN Network Identifier (VNI).

VXLAN encapsulation adds 50 bytes of overhead, so you need to increase the MTU on your hosts'
physical interfaces to at least 1550 (or decrease the MTU inside your VMs to 1450).
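
The header layout and the 50-byte figure above, worked through as an added example (not part of the original documentation): it builds and parses the 8-byte VXLAN header of RFC 7348 with its 24-bit VNI and derives the underlay and guest MTUs. The function names and the IPv6-underlay case are assumptions added here.

```python
import struct

VXLAN_FLAG_VNI_VALID = 0x08   # "I" flag of RFC 7348: the VNI field is valid
MAX_VNI = (1 << 24) - 1       # the VNI is a 24-bit segment ID

# Bytes placed in front of the guest's IP packet on the underlay:
# inner Ethernet header + VXLAN header + outer UDP header + outer IP header.
INNER_ETH, VXLAN_HDR, UDP_HDR = 14, 8, 8
OUTER_IP = {4: 20, 6: 40}     # IPv6 underlay is an added case, not on the page


def build_header(vni):
    """Return the 8-byte VXLAN header for a VNI."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # word 0: flags(8) + reserved(24); word 1: VNI(24) + reserved(8)
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def parse_header(data):
    """Return the VNI from a VXLAN header, rejecting malformed input."""
    if len(data) < VXLAN_HDR:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", data[:VXLAN_HDR])
    if not (word0 >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("I flag not set: VNI is not valid")
    return word1 >> 8


def overhead(underlay_ip_version=4):
    """Encapsulation overhead in bytes, relative to the guest MTU."""
    return INNER_ETH + VXLAN_HDR + UDP_HDR + OUTER_IP[underlay_ip_version]


def required_underlay_mtu(guest_mtu, underlay_ip_version=4):
    """MTU the physical interfaces need so guests can keep guest_mtu."""
    return guest_mtu + overhead(underlay_ip_version)


def max_guest_mtu(underlay_mtu, underlay_ip_version=4):
    """Largest guest MTU that fits when the underlay MTU cannot be raised."""
    return underlay_mtu - overhead(underlay_ip_version)


if __name__ == "__main__":
    print(build_header(2).hex())
    print(required_underlay_mtu(1500), max_guest_mtu(1500))
```
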

For BUM traffic (broadcast, unknown unicast, and multicast traffic),
there are three different VXLAN setup modes: multicast, unicast, and bgp-evpn.

image::images/vxlan-l2-vlanunaware.svg["vxlan l2 bridge vlan unaware",align="center"]

This scenario relies on head-end replication: when an end host has no entry
for the destination MAC address, it sends out an ARP request
to the other devices / VTEPs in the VXLAN network.
The request is sent to the VXLAN multicast group;
remote VTEPs receive the packet and answer directly to the originating VTEP.

----
iface eno1 inet manual

iface vmbr0 inet static

iface vxlan2 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr3 inet manual
----

----
iface eno1 inet manual

iface vmbr0 inet static

iface vxlan2 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr3 inet manual
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-svcnodeip 225.20.1.1

iface vmbr3 inet manual
----

We can replace multicast with head-end replication of BUM frames to a statically configured list of remote VTEPs.
The VXLAN is defined without a remote multicast group.
Instead, all the remote VTEPs are associated with the all-zero address:
a BUM frame will be duplicated to all these destinations.
The VXLAN device will still learn remote addresses automatically using source-address learning.

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan_remoteip 192.168.0.2
        vxlan_remoteip 192.168.0.3

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan_remoteip 192.168.0.2
        vxlan_remoteip 192.168.0.3

iface vmbr3 inet manual
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan_remoteip 192.168.0.1
        vxlan_remoteip 192.168.0.3

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan_remoteip 192.168.0.1
        vxlan_remoteip 192.168.0.3

iface vmbr3 inet manual
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan_remoteip 192.168.0.1
        vxlan_remoteip 192.168.0.2

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan_remoteip 192.168.0.1
        vxlan_remoteip 192.168.0.2

iface vmbr3 inet manual
----

VTEPs use control plane learning/distribution via BGP for remote MAC addresses instead of data plane learning.
VTEPs have the ability to suppress ARP flooding over VXLAN tunnels.

The control plane used here is FRR, a BGP routing software.
Each node in the Proxmox cluster peers with every other node.
For bigger networks, or multiple Proxmox clusters,
it's possible to use external BGP route reflector servers.

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet manual
----

----
 no bgp default ipv4-unicast
 neighbor 192.168.0.2 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.3 activate
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet manual
----

----
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.3 activate
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet manual

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet manual
----

----
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.2 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.2 activate
----

VXLAN layer3 routing with anycast gateway
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With this setup, each vmbr bridge is the gateway for its VMs.
The same vmbr on different nodes has the same IP address and the same MAC address,
so that VM live migration works without network disruption.

VXLAN layer3 routing only works with FRR and vlan-unaware bridges
(vlan-aware bridge support is currently buggy).
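
An added example, not part of the original documentation: a small linter for the invariants stated so far, namely that every node's static VTEP list or BGP neighbor list covers all other nodes and not itself, and that an anycast gateway bridge has the same IP and MAC on every node. The node names, the explicit local VTEP argument, the gateway address 10.0.2.254 and the sample configs (with two deliberate mistakes) are constructed; the full-mesh rule assumes no route reflectors are used.

```python
import re
from collections import defaultdict

def parse_interfaces(text):
    """Parse ifupdown2-style text into {iface: {option: [values]}}."""
    stanzas, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] == "auto":
            continue
        if words[0] == "iface":
            cur = stanzas.setdefault(words[1], defaultdict(list))
        elif cur is not None:
            # the page mixes vxlan_remoteip / bridge_ports with hyphenated keys
            cur[words[0].replace("_", "-")].append(" ".join(words[1:]))
    return stanzas

def lint(nodes):
    """nodes: {name: (local_vtep_ip, interfaces_text, frr_text)} -> findings."""
    findings = []
    vteps = {ip for ip, _, _ in nodes.values()}
    gateways = defaultdict(dict)  # bridge -> {node: (address, hwaddress)}
    for name, (ip, ifaces, frr) in sorted(nodes.items()):
        stanzas = parse_interfaces(ifaces)
        neigh = re.findall(r"^\s*neighbor (\S+) remote-as", frr, re.M)
        peer_lists = {"frr neighbors": set(neigh)}
        for iface, opts in stanzas.items():
            peer_lists[f"{iface} vxlan-remoteip"] = set(opts.get("vxlan-remoteip", []))
            ports = " ".join(opts.get("bridge-ports", [])).split()
            on_vxlan = any("vxlan-id" in stanzas.get(p, {}) for p in ports)
            if on_vxlan and opts.get("address"):  # L3VNI bridges have no address
                mac = opts.get("hwaddress", ["unset"])[0].lower()
                gateways[iface][name] = (opts["address"][0], mac)
        for label, peers in peer_lists.items():
            if not peers:
                continue  # this replication mode is not configured here
            if ip in peers:
                findings.append(f"{name}: {label} lists the node's own VTEP {ip}")
            for missing in sorted(vteps - {ip} - peers):
                findings.append(f"{name}: {label} is missing peer {missing}")
    for bridge, per_node in sorted(gateways.items()):
        if len(set(per_node.values())) > 1:
            findings.append(f"{bridge}: anycast address/MAC differs: {sorted(per_node.items())}")
    return findings

def sample_node(ip, neighbors, gw_mac):
    """Constructed sample: one EVPN VNI with an anycast gateway bridge."""
    ifaces = f"""
auto vxlan2
iface vxlan2 inet manual
        vxlan-id 2
        vxlan-local-tunnelip {ip}
auto vmbr2
iface vmbr2 inet static
        address 10.0.2.254
        hwaddress {gw_mac} #must be same on each node vmbr2
        bridge-ports vxlan2
"""
    frr = "router bgp 1234\n" + "".join(f" neighbor {n} remote-as 1234\n" for n in neighbors)
    return ip, ifaces, frr

# Constructed cluster: node2 has a different gateway MAC, node3 peers with itself.
NODES = {
    "node1": sample_node("192.168.0.1", ["192.168.0.2", "192.168.0.3"], "44:39:39:FF:40:94"),
    "node2": sample_node("192.168.0.2", ["192.168.0.1", "192.168.0.3"], "44:39:39:FF:40:95"),
    "node3": sample_node("192.168.0.3", ["192.168.0.2", "192.168.0.3"], "44:39:39:FF:40:94"),
}

if __name__ == "__main__":
    for finding in lint(NODES):
        print(finding)
```
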

This is the simplest mode. For it to work, all VXLANs need to be defined on all nodes.

The asymmetric model allows routing and bridging on the VXLAN tunnel ingress,
but only bridging on the egress.
This results in bi-directional VXLAN traffic traveling on different VNIs
in each direction (always the destination VNI) across the routed infrastructure.

image::images/vxlan-l3-asymmetric.svg["vxlan l3 asymmetric",align="center"]

----
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94
----

----
 bgp router-id 192.168.0.1
 no bgp default ipv4-unicast
 neighbor 192.168.0.2 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.3 activate
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94
----

----
 bgp router-id 192.168.0.2
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.3 activate
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94
----

----
 bgp router-id 192.168.0.3
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.2 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.2 activate
----

With this model, you don't need to have all VXLANs on all nodes.
This model is also needed to route traffic to an external router.

The symmetric model routes and bridges on both the ingress and the egress leafs.
This results in bi-directional traffic being able to travel on the same VNI, hence the symmetric name.
However, a new special transit VNI, called the L3VNI, is used for all routed VXLAN traffic.
All traffic that needs to be routed is routed onto the L3VNI, tunneled across the layer 3 infrastructure,
routed off the L3VNI to the appropriate VLAN and ultimately bridged to the destination.

A VRF is needed for the L3VNI, so all vmbr bridges need to be in the VRF if they are to reach each other.

image::images/vxlan-l3-symmetric.svg["vxlan l3 symmetric",align="center"]

----
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:90 #must be different on each node
----

----
 bgp router-id 192.168.0.1
 no bgp default ipv4-unicast
 neighbor 192.168.0.2 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 192.168.0.1

 address-family ipv4 unicast
  redistribute connected

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:91 #must be different on each node
----

----
 bgp router-id 192.168.0.2
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 192.168.0.2

 address-family ipv4 unicast
  redistribute connected

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:92 #must be different on each node
----

----
 bgp router-id 192.168.0.3
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.2 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.2 activate

router bgp 1234 vrf vrf1
 bgp router-id 192.168.0.3

 address-family ipv4 unicast
  redistribute connected

 address-family l2vpn evpn
  advertise ipv4 unicast
----

VXLAN layer3 routing with anycast gateway + routing to outside with external router
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Routing to the outside requires the symmetric model.

In this example, we'll use only one Proxmox node (node1) as the exit gateway.
This node has a simple default gateway in the VRF pointing to the external router (no BGP between the router and node1)
and announces this default gateway to the other Proxmox nodes.

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        #if you have multiple external routers, you can use ecmp balancing
        #post-up ip route add default vrf vrf1 nexthop via 172.16.0.253 dev eno2 nexthop via 172.16.0.254 dev eno2

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:90 #must be different on each node
----

----
 bgp router-id 192.168.0.1
 no bgp default ipv4-unicast
 neighbor 192.168.0.2 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 172.16.0.1

 address-family ipv4 unicast
  redistribute connected
  ! announce your default gw to all nodes
  redistribute kernel

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:91 #must be different on each node
----

----
 bgp router-id 192.168.0.2
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 192.168.0.2

 address-family ipv4 unicast
  redistribute connected

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:92 #must be different on each node
----

----
 bgp router-id 192.168.0.3
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.2 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.2 activate

router bgp 1234 vrf vrf1
 bgp router-id 192.168.0.3

 address-family ipv4 unicast
  redistribute connected

 address-family l2vpn evpn
  advertise ipv4 unicast
----

multiple gateway nodes
^^^^^^^^^^^^^^^^^^^^^^
In this example, all nodes are used as exit gateways (but you can use only 2 nodes if you want).
All nodes have a simple default gateway in the VRF pointing to the external router (no BGP between the router and node1)
and announce this default gateway.
The external router has ECMP routes to all Proxmox nodes (load balancing).
If the router sends a packet to the wrong node (the VM is not on this node), that node routes
the packet through VXLAN to its final destination.

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        #if you have multiple external routers, you can use ecmp balancing
        #post-up ip route add default vrf vrf1 nexthop via 172.16.0.253 dev eno2 nexthop via 172.16.0.254 dev eno2

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.1
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:90 #must be different on each node
----

----
 bgp router-id 192.168.0.1
 no bgp default ipv4-unicast
 neighbor 192.168.0.2 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.2 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 172.16.0.1

 address-family ipv4 unicast
  redistribute connected
  ! announce your default gw to all nodes
  redistribute kernel

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        #if you have multiple external routers, you can use ecmp balancing
        #post-up ip route add default vrf vrf1 nexthop via 172.16.0.253 dev eno2 nexthop via 172.16.0.254 dev eno2

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.2
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:91 #must be different on each node
----

----
 bgp router-id 192.168.0.2
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.3 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.3 activate

router bgp 1234 vrf vrf1
 bgp router-id 172.16.0.2

 address-family ipv4 unicast
  redistribute connected
  ! announce your default gw to all nodes
  redistribute kernel

 address-family l2vpn evpn
  advertise ipv4 unicast
----

----
iface eno1 inet manual

iface vmbr0 inet static
        netmask 255.255.255.0

        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        #if you have multiple external routers, you can use ecmp balancing
        #post-up ip route add default vrf vrf1 nexthop via 172.16.0.253 dev eno2 nexthop via 172.16.0.254 dev eno2

iface vxlan2 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr2 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2

iface vxlan3 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr3 inet static
        netmask 255.255.255.0
        hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3

#interconnect vxlan-vrf l3vni
iface vxlan4000 inet manual
        vxlan-local-tunnelip 192.168.0.3
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

iface vmbr4000 inet manual
        bridge_ports vxlan4000
        hwaddress 44:39:39:FF:40:92 #must be different on each node
----

----
 bgp router-id 192.168.0.3
 no bgp default ipv4-unicast
 neighbor 192.168.0.1 remote-as 1234
 neighbor 192.168.0.2 remote-as 1234

 address-family l2vpn evpn
  neighbor 192.168.0.1 activate
  neighbor 192.168.0.2 activate

router bgp 1234 vrf vrf1
 bgp router-id 172.16.0.3

 address-family ipv4 unicast
  redistribute connected
  ! announce your default gw to all nodes
  redistribute kernel

 address-family l2vpn evpn
  advertise ipv4 unicast
----

If your external router doesn't support ECMP to reach multiple Proxmox nodes,
you can set up an HA floating VIP on the Proxmox nodes with VRRP.

In this example, we will set up a floating IP, 172.16.0.10, on node1 and node2.
Node1 is the primary and fails over to node2 in case of failure.

----
        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        vrrp-virtual-ip 172.16.0.10
----

----
        netmask 255.255.255.0
        post-up ip route add default via 172.16.0.254 dev eno2 vrf vrf1
        vrrp-virtual-ip 172.16.0.10
----