4 This is currently not included, because
5 - it requires ifupdown2
6 - routing needs more documentation
11 VXLAN layer2 with vlan unware linux bridges
12 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14 VXLAN is an overlay network to carry Ethernet traffic over an existing IP network
15 while accommodating a very large number of tenants. It is defined in RFC 7348.
16 Each overlay network is known as a VXLAN Segment and identified by a unique
17 24-bit segment ID called a VXLAN Network Identifier (VNI).
19 VXLAN encapsulation add 50bytes overhead, so you need to increase mtu on your host
20 physical interfaces to 1550 at minimum. (or decrease mtu inside your vms to 1450)
22 For BUM traffic (broadcast / unknown unicast traffic, multicast),
23 we have 3 differents vxlan setup modes : multicast, unicast, bgp-evpn
25 image::images/vxlan-l2-vlanunaware.svg["vxlan l2 bridge vlan unaware",align="center"]
30 This scenario relies in head end replication, meaning that end host in case
31 of not having any entry for the destination MAC address will send out an ARP
32 to other devices / VTEPs in the VXLAN network.
33 This is done by sending the request to the VXLAN multicast group,
34 remote VTEPs will get the packet and answer accordingly direct to the originating VTEP.
41 iface eno1 inet manual
45 iface vmbr0 inet static
53 iface vxlan2 inet manual
55 vxlan-svcnodeip 225.20.1.1
59 iface vmbr2 inet manual
65 iface vxlan3 inet manual
67 vxlan-svcnodeip 225.20.1.1
71 iface vmbr3 inet manual
82 iface eno1 inet manual
86 iface vmbr0 inet static
94 iface vxlan2 inet manual
96 vxlan-svcnodeip 225.20.1.1
100 iface vmbr2 inet manual
107 iface vxlan3 inet manual
109 vxlan-svcnodeip 225.20.1.1
113 iface vmbr3 inet manual
124 iface eno1 inet manual
128 iface vmbr0 inet static
130 netmask 255.255.255.0
136 iface vxlan2 inet manual
138 vxlan-svcnodeip 225.20.1.1
142 iface vmbr2 inet manual
149 iface vxlan3 inet manual
151 vxlan-svcnodeip 225.20.1.1
155 iface vmbr3 inet manual
165 We can replace multicast by head-end replication of BUM frames to a statically configured lists of remote VTEPs.
166 The VXLAN is defined without a remote multicast group.
167 Instead, all the remote VTEPs are associated with the all-zero address:
168 a BUM frame will be duplicated to all these destinations.
169 The VXLAN device will still learn remote addresses automatically using source-address learning.
175 iface eno1 inet manual
179 iface vmbr0 inet static
181 netmask 255.255.255.0
188 iface vxlan2 inet manual
190 vxlan_remoteip 192.168.0.2
191 vxlan_remoteip 192.168.0.3
195 iface vmbr2 inet manual
202 iface vxlan2 inet manual
204 vxlan_remoteip 192.168.0.2
205 vxlan_remoteip 192.168.0.3
209 iface vmbr3 inet manual
220 iface eno1 inet manual
224 iface vmbr0 inet static
226 netmask 255.255.255.0
232 iface vxlan2 inet manual
234 vxlan_remoteip 192.168.0.1
235 vxlan_remoteip 192.168.0.3
240 iface vmbr2 inet manual
246 iface vxlan2 inet manual
248 vxlan_remoteip 192.168.0.1
249 vxlan_remoteip 192.168.0.3
253 iface vmbr3 inet manual
264 iface eno1 inet manual
268 iface vmbr0 inet static
270 netmask 255.255.255.0
276 iface vxlan2 inet manual
278 vxlan_remoteip 192.168.0.2
279 vxlan_remoteip 192.168.0.3
284 iface vmbr2 inet manual
290 iface vxlan2 inet manual
292 vxlan_remoteip 192.168.0.2
293 vxlan_remoteip 192.168.0.3
297 iface vmbr3 inet manual
307 VTEPs use control plane learning/distribution via BGP for remote MAC addresses instead of data plane learning.
308 VTEPs have the ability to suppress ARP flooding over VXLAN tunnels.
310 The control plane used here is FRR, a bgp routing software.
311 Each node in the proxmox cluster peer with each others nodes.
312 For bigger networks, or multiple proxmox clusters,
313 it's possible to use external bgp route reflector servers.
319 iface eno1 inet manual
323 iface vmbr0 inet static
325 netmask 255.255.255.0
331 iface vxlan2 inet manual
333 vxlan-local-tunnelip 192.168.0.1
335 bridge-arp-nd-suppress on
336 bridge-unicast-flood off
337 bridge-multicast-flood off
341 iface vmbr2 inet manual
348 iface vxlan3 inet manual
350 vxlan-local-tunnelip 192.168.0.1
352 bridge-arp-nd-suppress on
353 bridge-unicast-flood off
354 bridge-multicast-flood off
358 iface vmbr3 inet manual
369 no bgp default ipv4-unicast
371 neighbor 192.168.0.2 remote-as 1234
372 neighbor 192.168.0.3 remote-as 1234
374 address-family l2vpn evpn
375 neighbor 192.168.0.2 activate
376 neighbor 192.168.0.3 activate
389 iface eno1 inet manual
393 iface vmbr0 inet static
395 netmask 255.255.255.0
401 iface vxlan2 inet manual
403 vxlan-local-tunnelip 192.168.0.2
405 bridge-arp-nd-suppress on
406 bridge-unicast-flood off
407 bridge-multicast-flood off
411 iface vmbr2 inet manual
417 iface vxlan3 inet manual
419 vxlan-local-tunnelip 192.168.0.2
421 bridge-arp-nd-suppress on
422 bridge-unicast-flood off
423 bridge-multicast-flood off
427 iface vmbr3 inet manual
438 no bgp default ipv4-unicast
440 neighbor 192.168.0.1 remote-as 1234
441 neighbor 192.168.0.3 remote-as 1234
443 address-family l2vpn evpn
444 neighbor 192.168.0.1 activate
445 neighbor 192.168.0.3 activate
458 iface eno1 inet manual
462 iface vmbr0 inet static
464 netmask 255.255.255.0
470 iface vxlan2 inet manual
472 vxlan-local-tunnelip 192.168.0.3
474 bridge-arp-nd-suppress on
475 bridge-unicast-flood off
476 bridge-multicast-flood off
480 iface vmbr2 inet manual
486 iface vxlan3 inet manual
488 vxlan-local-tunnelip 192.168.0.3
490 bridge-arp-nd-suppress on
491 bridge-unicast-flood off
492 bridge-multicast-flood off
496 iface vmbr3 inet manual
508 no bgp default ipv4-unicast
510 neighbor 192.168.0.1 remote-as 1234
511 neighbor 192.168.0.2 remote-as 1234
513 address-family l2vpn evpn
514 neighbor 192.168.0.1 activate
515 neighbor 192.168.0.2 activate
523 VXLAN layer3 routing with anycast gateway
524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
526 With this need, each vmbr bridge will be the gateway for the vm.
527 Same vmbr on different node, will have same ip address and same mac address,
528 to have working vm live migration and no network disruption.
530 VXLAN layer3 routing only work with FRR and non-aware bridge.
531 (vlan aware bridge support is buggy currently).
536 This is the simplest mode. To get it work, all vxlan need to be defined on all nodes.
538 The asymmetric model allows routing and bridging on the VXLAN tunnel ingress,
539 but only bridging on the egress.
540 This results in bi-directional VXLAN traffic traveling on different VNIs
541 in each direction (always the destination VNI) across the routed infrastructure.
543 image::images/vxlan-l3-asymmetric.svg["vxlan l3 asymmetric",align="center"]
549 iface eno1 inet manual
553 iface vmbr0 inet static
555 netmask 255.255.255.0
561 iface vxlan2 inet manual
563 vxlan-local-tunnelip 192.168.0.1
565 bridge-arp-nd-suppress on
566 bridge-unicast-flood off
567 bridge-multicast-flood off
571 iface vmbr2 inet static
573 netmask 255.255.255.0
574 hwaddress 44:39:39:FF:40:94
583 iface vxlan3 inet manual
585 vxlan-local-tunnelip 192.168.0.1
587 bridge-arp-nd-suppress on
588 bridge-unicast-flood off
589 bridge-multicast-flood off
593 iface vmbr3 inet static
595 netmask 255.255.255.0
596 hwaddress 44:39:39:FF:40:94
610 bgp router-id 192.168.0.1
611 no bgp default ipv4-unicast
613 neighbor 192.168.0.2 remote-as 1234
614 neighbor 192.168.0.3 remote-as 1234
616 address-family l2vpn evpn
617 neighbor 192.168.0.2 activate
618 neighbor 192.168.0.3 activate
631 iface eno1 inet manual
635 iface vmbr0 inet static
637 netmask 255.255.255.0
643 iface vxlan2 inet manual
645 vxlan-local-tunnelip 192.168.0.2
647 bridge-arp-nd-suppress on
648 bridge-unicast-flood off
649 bridge-multicast-flood off
653 iface vmbr2 inet static
655 netmask 255.255.255.0
656 hwaddress 44:39:39:FF:40:94
666 iface vxlan3 inet manual
668 vxlan-local-tunnelip 192.168.0.2
670 bridge-arp-nd-suppress on
671 bridge-unicast-flood off
672 bridge-multicast-flood off
676 iface vmbr3 inet static
678 netmask 255.255.255.0
679 hwaddress 44:39:39:FF:40:94
693 bgp router-id 192.168.0.2
694 no bgp default ipv4-unicast
696 neighbor 192.168.0.1 remote-as 1234
697 neighbor 192.168.0.3 remote-as 1234
699 address-family l2vpn evpn
700 neighbor 192.168.0.1 activate
701 neighbor 192.168.0.3 activate
714 iface eno1 inet manual
718 iface vmbr0 inet static
720 netmask 255.255.255.0
726 iface vxlan2 inet manual
728 vxlan-local-tunnelip 192.168.0.3
730 bridge-arp-nd-suppress on
731 bridge-unicast-flood off
732 bridge-multicast-flood off
736 iface vmbr2 inet static
738 netmask 255.255.255.0
739 hwaddress 44:39:39:FF:40:94
748 iface vxlan3 inet manual
750 vxlan-local-tunnelip 192.168.0.3
752 bridge-arp-nd-suppress on
753 bridge-unicast-flood off
754 bridge-multicast-flood off
757 iface vmbr3 inet static
759 netmask 255.255.255.0
760 hwaddress 44:39:39:FF:40:94
774 bgp router-id 192.168.0.3
775 no bgp default ipv4-unicast
777 neighbor 192.168.0.1 remote-as 1234
778 neighbor 192.168.0.2 remote-as 1234
780 address-family l2vpn evpn
781 neighbor 192.168.0.1 activate
782 neighbor 192.168.0.2 activate
794 With this model, you don't need to have all vxlan on all nodes.
795 This model will also be needed to route traffic to an external router.
797 The symmetric model routes and bridges on both the ingress and the egress leafs.
798 This results in bi-directional traffic being able to travel on the same VNI, hence the symmetric name.
799 However, a new specialty transit VNI is used for all routed VXLAN traffic, called the L3VNI.
800 All traffic that needs to be routed will be routed onto the L3VNI, tunneled across the layer 3 Infrastructure,
801 routed off the L3VNI to the appropriate VLAN and ultimately bridged to the destination.
803 A vrf is needed for the L3VNI, so all vmbr bridge need to be in the vrf if they want to be able to reach each others.
805 image::images/vxlan-l3-symmetric.svg["vxlan l3 symmetric",align="center"]
815 iface eno1 inet manual
819 iface vmbr0 inet static
821 netmask 255.255.255.0
827 iface vxlan2 inet manual
829 vxlan-local-tunnelip 192.168.0.1
831 bridge-arp-nd-suppress on
832 bridge-unicast-flood off
833 bridge-multicast-flood off
836 iface vmbr2 inet static
841 netmask 255.255.255.0
842 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
849 iface vxlan3 inet manual
851 vxlan-local-tunnelip 192.168.0.1
853 bridge-arp-nd-suppress on
854 bridge-unicast-flood off
855 bridge-multicast-flood off
858 iface vmbr3 inet static
863 netmask 255.255.255.0
864 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
870 #interconnect vxlan-vfr l3vni
872 iface vxlan4000 inet manual
874 vxlan-local-tunnelip 192.168.0.1
876 bridge-arp-nd-suppress on
877 bridge-unicast-flood off
878 bridge-multicast-flood off
882 iface vmbr4000 inet manual
883 bridge_ports vxlan4000
897 bgp router-id 192.168.0.1
898 no bgp default ipv4-unicast
900 neighbor 192.168.0.2 remote-as 1234
901 neighbor 192.168.0.3 remote-as 1234
903 address-family l2vpn evpn
904 neighbor 192.168.0.2 activate
905 neighbor 192.168.0.3 activate
922 iface eno1 inet manual
926 iface vmbr0 inet static
928 netmask 255.255.255.0
934 iface vxlan2 inet manual
936 vxlan-local-tunnelip 192.168.0.2
938 bridge-arp-nd-suppress on
939 bridge-unicast-flood off
940 bridge-multicast-flood off
943 iface vmbr2 inet static
948 netmask 255.255.255.0
949 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
956 iface vxlan3 inet manual
958 vxlan-local-tunnelip 192.168.0.2
960 bridge-arp-nd-suppress on
961 bridge-unicast-flood off
962 bridge-multicast-flood off
965 iface vmbr3 inet static
970 netmask 255.255.255.0
971 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
977 #interconnect vxlan-vfr l3vni
979 iface vxlan4000 inet manual
981 vxlan-local-tunnelip 192.168.0.2
983 bridge-arp-nd-suppress on
984 bridge-unicast-flood off
985 bridge-multicast-flood off
989 iface vmbr4000 inet manual
990 bridge_ports vxlan4000
1005 bgp router-id 192.168.0.2
1006 no bgp default ipv4-unicast
1008 neighbor 192.168.0.1 remote-as 1234
1009 neighbor 192.168.0.3 remote-as 1234
1011 address-family l2vpn evpn
1012 neighbor 192.168.0.1 activate
1013 neighbor 192.168.0.3 activate
1030 iface eno1 inet manual
1034 iface vmbr0 inet static
1036 netmask 255.255.255.0
1042 iface vxlan2 inet manual
1044 vxlan-local-tunnelip 192.168.0.3
1046 bridge-arp-nd-suppress on
1047 bridge-unicast-flood off
1048 bridge-multicast-flood off
1051 iface vmbr2 inet static
1056 netmask 255.255.255.0
1057 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1064 iface vxlan3 inet manual
1066 vxlan-local-tunnelip 192.168.0.3
1068 bridge-arp-nd-suppress on
1069 bridge-unicast-flood off
1070 bridge-multicast-flood off
1073 iface vmbr3 inet static
1078 netmask 255.255.255.0
1079 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1085 #interconnect vxlan-vfr l3vni
1087 iface vxlan4000 inet manual
1089 vxlan-local-tunnelip 192.168.0.3
1091 bridge-arp-nd-suppress on
1092 bridge-unicast-flood off
1093 bridge-multicast-flood off
1097 iface vmbr4000 inet manual
1098 bridge_ports vxlan4000
1113 bgp router-id 192.168.0.3
1114 no bgp default ipv4-unicast
1116 neighbor 192.168.0.1 remote-as 1234
1117 neighbor 192.168.0.2 remote-as 1234
1119 address-family l2vpn evpn
1120 neighbor 192.168.0.1 activate
1121 neighbor 192.168.0.2 activate
1129 VXLAN layer3 routing with anycast gateway + routing to outside with external router
1130 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1131 Routing to outside need the symmetric model.
1135 In this example, we'll use only 1 proxmox node as exit gateway. (node1)
1136 This node announce the default gw in vrf1 (default originate) and forward to his own default gateway (192.168.0.254) (no bgp between router and node1)
1147 iface eno1 inet manual
1151 iface vmbr0 inet static
1153 netmask 255.255.255.0
1154 gateway 192.168.0.254
1162 iface vxlan2 inet manual
1164 vxlan-local-tunnelip 192.168.0.1
1166 bridge-arp-nd-suppress on
1167 bridge-unicast-flood off
1168 bridge-multicast-flood off
1171 iface vmbr2 inet static
1176 netmask 255.255.255.0
1177 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1184 iface vxlan3 inet manual
1186 vxlan-local-tunnelip 192.168.0.1
1188 bridge-arp-nd-suppress on
1189 bridge-unicast-flood off
1190 bridge-multicast-flood off
1193 iface vmbr3 inet static
1198 netmask 255.255.255.0
1199 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1205 #interconnect vxlan-vfr l3vni
1207 iface vxlan4000 inet manual
1209 vxlan-local-tunnelip 192.168.0.1
1211 bridge-arp-nd-suppress on
1212 bridge-unicast-flood off
1213 bridge-multicast-flood off
1216 iface vmbr4000 inet manual
1217 bridge_ports vxlan4000
1227 ip prefix-list deny seq 10 deny any
1234 bgp router-id 192.168.0.1
1235 no bgp default ipv4-unicast
1237 neighbor 192.168.0.2 remote-as 1234
1238 neighbor 192.168.0.3 remote-as 1234
1240 address-family ipv4 unicast
1242 neighbor 192.168.0.2 prefix-list deny out
1243 neighbor 192.168.0.3 prefix-list deny out
1246 address-family l2vpn evpn
1247 neighbor 192.168.0.2 activate
1248 neighbor 192.168.0.3 activate
1252 router bgp 1234 vrf vrf1
1254 address-family ipv4 unicast
1255 redistribute connected
1258 address-family l2vpn evpn
1259 default-originate ipv4
1275 iface eno1 inet manual
1279 iface vmbr0 inet static
1281 netmask 255.255.255.0
1287 iface vxlan2 inet manual
1289 vxlan-local-tunnelip 192.168.0.2
1291 bridge-arp-nd-suppress on
1292 bridge-unicast-flood off
1293 bridge-multicast-flood off
1296 iface vmbr2 inet static
1301 netmask 255.255.255.0
1302 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1309 iface vxlan3 inet manual
1311 vxlan-local-tunnelip 192.168.0.2
1313 bridge-arp-nd-suppress on
1314 bridge-unicast-flood off
1315 bridge-multicast-flood off
1318 iface vmbr3 inet static
1323 netmask 255.255.255.0
1324 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1330 #interconnect vxlan-vfr l3vni
1332 iface vxlan4000 inet manual
1334 vxlan-local-tunnelip 192.168.0.2
1336 bridge-arp-nd-suppress on
1337 bridge-unicast-flood off
1338 bridge-multicast-flood off
1342 iface vmbr4000 inet manual
1343 bridge_ports vxlan4000
1358 bgp router-id 192.168.0.2
1359 no bgp default ipv4-unicast
1361 neighbor 192.168.0.1 remote-as 1234
1362 neighbor 192.168.0.3 remote-as 1234
1364 address-family l2vpn evpn
1365 neighbor 192.168.0.1 activate
1366 neighbor 192.168.0.3 activate
1383 iface eno1 inet manual
1387 iface vmbr0 inet static
1389 netmask 255.255.255.0
1395 iface vxlan2 inet manual
1397 vxlan-local-tunnelip 192.168.0.3
1399 bridge-arp-nd-suppress on
1400 bridge-unicast-flood off
1401 bridge-multicast-flood off
1404 iface vmbr2 inet static
1409 netmask 255.255.255.0
1410 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1417 iface vxlan3 inet manual
1419 vxlan-local-tunnelip 192.168.0.3
1421 bridge-arp-nd-suppress on
1422 bridge-unicast-flood off
1423 bridge-multicast-flood off
1426 iface vmbr3 inet static
1431 netmask 255.255.255.0
1432 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1438 #interconnect vxlan-vfr l3vni
1440 iface vxlan4000 inet manual
1442 vxlan-local-tunnelip 192.168.0.3
1444 bridge-arp-nd-suppress on
1445 bridge-unicast-flood off
1446 bridge-multicast-flood off
1450 iface vmbr4000 inet manual
1451 bridge_ports vxlan4000
1466 bgp router-id 192.168.0.3
1467 no bgp default ipv4-unicast
1469 neighbor 192.168.0.1 remote-as 1234
1470 neighbor 192.168.0.2 remote-as 1234
1472 address-family l2vpn evpn
1473 neighbor 192.168.0.1 activate
1474 neighbor 192.168.0.2 activate
1482 multiple gateway nodes
1483 ^^^^^^^^^^^^^^^^^^^^^^
1484 In this example, all nodes will be used as exit gateway. (But you can use only 2 nodes if you want)
1485 All nodes have a a default gw to the external router (192.168.0.254) (no bgp between router and node1)
1486 and announce this default gw in the vrf (default originate)
1487 The external router have ecmp routes to all proxmox nodes.(balancing).
1488 If the router send the packet to a wrong node (vm is not on this node), this node will route through
1489 vxlan the packet to final destination.
1499 iface eno1 inet manual
1503 iface vmbr0 inet static
1505 netmask 255.255.255.0
1506 gateway 192.168.0.254
1514 iface vxlan2 inet manual
1516 vxlan-local-tunnelip 192.168.0.1
1518 bridge-arp-nd-suppress on
1519 bridge-unicast-flood off
1520 bridge-multicast-flood off
1523 iface vmbr2 inet static
1528 netmask 255.255.255.0
1529 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1536 iface vxlan3 inet manual
1538 vxlan-local-tunnelip 192.168.0.1
1540 bridge-arp-nd-suppress on
1541 bridge-unicast-flood off
1542 bridge-multicast-flood off
1545 iface vmbr3 inet static
1550 netmask 255.255.255.0
1551 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1557 #interconnect vxlan-vfr l3vni
1559 iface vxlan4000 inet manual
1561 vxlan-local-tunnelip 192.168.0.1
1563 bridge-arp-nd-suppress on
1564 bridge-unicast-flood off
1565 bridge-multicast-flood off
1568 iface vmbr4000 inet manual
1569 bridge_ports vxlan4000
1579 ip prefix-list deny seq 10 deny any
1586 bgp router-id 192.168.0.1
1587 no bgp default ipv4-unicast
1589 neighbor 192.168.0.2 remote-as 1234
1590 neighbor 192.168.0.3 remote-as 1234
1592 address-family ipv4 unicast
1594 neighbor 192.168.0.2 prefix-list deny out
1595 neighbor 192.168.0.3 prefix-list deny out
1598 address-family l2vpn evpn
1599 neighbor 192.168.0.2 activate
1600 neighbor 192.168.0.3 activate
1604 router bgp 1234 vrf vrf1
1606 address-family ipv4 unicast
1607 redistribute connected
1610 address-family l2vpn evpn
1611 default-originate ipv4
1627 iface eno1 inet manual
1631 iface vmbr0 inet static
1633 netmask 255.255.255.0
1634 gateway 192.168.0.254
1642 iface vxlan2 inet manual
1644 vxlan-local-tunnelip 192.168.0.2
1646 bridge-arp-nd-suppress on
1647 bridge-unicast-flood off
1648 bridge-multicast-flood off
1651 iface vmbr2 inet static
1656 netmask 255.255.255.0
1657 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1664 iface vxlan3 inet manual
1666 vxlan-local-tunnelip 192.168.0.2
1668 bridge-arp-nd-suppress on
1669 bridge-unicast-flood off
1670 bridge-multicast-flood off
1673 iface vmbr3 inet static
1678 netmask 255.255.255.0
1679 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1685 #interconnect vxlan-vfr l3vni
1687 iface vxlan4000 inet manual
1689 vxlan-local-tunnelip 192.168.0.2
1691 bridge-arp-nd-suppress on
1692 bridge-unicast-flood off
1693 bridge-multicast-flood off
1697 iface vmbr4000 inet manual
1698 bridge_ports vxlan4000
1708 ip prefix-list deny seq 10 deny any
1715 bgp router-id 192.168.0.2
1716 no bgp default ipv4-unicast
1718 neighbor 192.168.0.1 remote-as 1234
1719 neighbor 192.168.0.3 remote-as 1234
1721 address-family ipv4 unicast
1723 neighbor 192.168.0.1 prefix-list deny out
1724 neighbor 192.168.0.3 prefix-list deny out
1727 address-family l2vpn evpn
1728 neighbor 192.168.0.1 activate
1729 neighbor 192.168.0.3 activate
1733 address-family ipv4 unicast
1734 redistribute connected
1737 address-family l2vpn evpn
1738 default-originate ipv4
1754 iface eno1 inet manual
1758 iface vmbr0 inet static
1760 netmask 255.255.255.0
1761 gateway 192.168.0.254
1769 iface vxlan2 inet manual
1771 vxlan-local-tunnelip 192.168.0.3
1773 bridge-arp-nd-suppress on
1774 bridge-unicast-flood off
1775 bridge-multicast-flood off
1778 iface vmbr2 inet static
1783 netmask 255.255.255.0
1784 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr2
1791 iface vxlan3 inet manual
1793 vxlan-local-tunnelip 192.168.0.3
1795 bridge-arp-nd-suppress on
1796 bridge-unicast-flood off
1797 bridge-multicast-flood off
1800 iface vmbr3 inet static
1805 netmask 255.255.255.0
1806 hwaddress 44:39:39:FF:40:94 #must be same on each node vmbr3
1812 #interconnect vxlan-vfr l3vni
1814 iface vxlan4000 inet manual
1816 vxlan-local-tunnelip 192.168.0.3
1818 bridge-arp-nd-suppress on
1819 bridge-unicast-flood off
1820 bridge-multicast-flood off
1824 iface vmbr4000 inet manual
1825 bridge_ports vxlan4000
1835 ip prefix-list deny seq 10 deny any
1842 bgp router-id 192.168.0.3
1843 no bgp default ipv4-unicast
1845 neighbor 192.168.0.1 remote-as 1234
1846 neighbor 192.168.0.2 remote-as 1234
1848 address-family ipv4 unicast
1850 neighbor 192.168.0.1 prefix-list deny out
1851 neighbor 192.168.0.2 prefix-list deny out
1854 address-family l2vpn evpn
1855 neighbor 192.168.0.1 activate
1856 neighbor 192.168.0.2 activate
1860 router bgp 1234 vrf vrf1
1862 address-family ipv4 unicast
1863 redistribute connected
1866 address-family l2vpn evpn
1867 default-originate ipv4
1877 If your external router doesn't support 'ECMP static routes' to reach multiple
1878 {pve} nodes, you can setup an HA floating vip on proxmox nodes by using the
1879 Virtual Router Redundancy Protocol (VRRP).
1881 In this example, we will setup an floating 192.168.0.10 IP on node1 and node2.
1882 Node1 is the primary with failover to node2 in case of outage.
1884 This setup currently needs 'vrrpd' package (`apt install vrrpd`).
1885 #TODO : It should be possible to do it with frr directly with last version.
1891 iface vmbr0 inet static
1893 netmask 255.255.255.0
1894 gateway 192.168.0.254
1900 vrrp-virtual-ip 192.168.0.10
1907 iface vmbr0 inet static
1909 netmask 255.255.255.0
1910 gateway 192.168.0.254
1916 vrrp-virtual-ip 192.168.0.10
1922 If you have a lot of proxmox nodes, or multiple proxmox clusters, you may want
1923 to avoid that all node peers with each others nodes.
1924 For this, you can create dedicated route reflectors (RR) servers. As a RR is a
1925 single point of failure, a minimum of two servers acting as an RR is highly
1926 recommended for redundancy.
1928 Below is an example of configuration with 'frr', with `rrserver1
1929 (192.168.0.200)' and `rrserver2 (192.168.0.201)`.
1934 bgp router-id 192.168.0.200
1935 bgp cluster-id 1.1.1.1 #cluster-id must be the same on each route reflector
1936 bgp log-neighbor-changes
1937 no bgp default ipv4-unicast
1938 neighbor fabric peer-group
1939 neighbor fabric remote-as 1234
1940 neighbor fabric capability extended-nexthop
1941 neighbor fabric update-source 192.168.0.200
1942 bgp listen range 192.168.0.0/24 peer-group fabric #allow any proxmoxnode client in the network range
1944 address-family l2vpn evpn
1945 neighbor fabric activate
1946 neighbor fabric route-reflector-client
1947 neighbor fabric allowas-in
1957 bgp router-id 192.168.0.201
1958 bgp cluster-id 1.1.1.1
1959 bgp log-neighbor-changes
1960 no bgp default ipv4-unicast
1961 neighbor fabric peer-group
1962 neighbor fabric remote-as 1234
1963 neighbor fabric capability extended-nexthop
1964 neighbor fabric update-source 192.168.0.201
1965 bgp listen range 192.168.0.0/24 peer-group fabric
1967 address-family l2vpn evpn
1968 neighbor fabric activate
1969 neighbor fabric route-reflector-client
1970 neighbor fabric allowas-in
1980 bgp router-id 192.168.0.x
1981 no bgp default ipv4-unicast
1983 neighbor 192.168.0.200 remote-as 1234
1984 neighbor 192.168.0.201 remote-as 1234
1986 address-family l2vpn evpn
1987 neighbor 192.168.0.200 activate
1988 neighbor 192.168.0.201 activate
1994 #TODO : Documentation with bgp upstream router.
projects / pve-docs.git / blob