I'm working on the script for a video on migration and Ceph networks, and one on Proxmox SDN (which includes VM-traffic over a setup like this). So it's coming eventually.

Glad you enjoyed it!

Glad it was helpful!

Thanks a bunch!

The ULA range (fd00::/8) is supposed to be followed by 40 random bits, with the intent to avoid the issues with everyone using 10/8 and stepping on each other when networks merge or you VPN across them. In reality, for isolated networks, it's fine to do whatever you want.

I should have been more specific, it's only a feature when forwarding is enabled via sysctl (it's disabled by default, but enabled by FRR).

It's still a great protocol for many deployments of this scale

Those are all on my list, so I'll get to them eventually!

My background is with Linux and not Cisco, so the config-file option is most familiar to me

@@apalrdsadventures fair. But to use the cli you don't need any prior knowledge really. And to learn some of the cisco CLI is never bad for the job. Most switches copy the cisco style or just use frr. So it's never bad to get a bit familiar. Especially good for debugging. But still you did do an excellent job! ^^

Glad you enjoyed it!

@@apalrdsadventures Thanks for replying! This can also be used for ceph right? Or is this redundant?

Glad you liked it!

For the 3-node setup, spanning tree would disable one link, so all traffic would flow over only 2 out of 3 links, and traffic between those two nodes would have an extra hop / more load on the middle node to do packet forwarding / more packets on the links which stay up. In a larger setup, some number of links would be broken due to spanning tree, there is no guarantee that the routes are optimal, and packets could potentially take a much worse path through the system, but it depends on the physical topology and which links get disabled due to STP. So when you get to more complicated systems, going to L3 is really required so that loops can intentionally be created for redundancy and load balancing.

It's really just a single Proxmox system that I use to its fullest

​@@apalrdsadventures I thought so and maybe it's not that interesting, but if you ever plan on doing a guide on how to build such a virtual lab (for instance how you implemented having multiple virtual NICs), I'd personally find it very interesting. I'll definitely start looking for options once I got some proper hardware to run such a server. Currently I'm running my "production homelab" on 3 nodes with Ceph where I don't want to run such extensive experiments. I have to say Proxmox is running so smoothly (even upgrading to 8.0 was a breeze last week) and your videos have helped me tremendously so far. So thanks again and I hope you keep it up. Definitely one of the best Proxmox channels on KZbin!

Nothing special about thunderbolt networking vs normal Ethernet, packets still flow through netfilter in Linux. So it’s similar to a software router, it’s quite good at packet forwarding but it will use some cpu. It’s more a function of Gbit/s going through each node rather than then number of nodes.

You have to use the console version instead of the gui version, and type out a subnet that encapsulates all of the addresses (i.e. /64 instead of /128)

BGP-EVPN is a bit of a different use case. OSPF is used to route the cluster network at layer 3. If the cluster network is not a layer 2 domain, a routing protocol is required to route all of the lo addresses. With the routed cluster network, Proxmox itself can now use the lo addresses without anything else for all of its business (migration, Ceph, backups). This does not extend to user-plane VM traffic. VXLAN is used to pass user-plane data across any (routed or not) layer 3 network and create multiple layer 2 tunnel(s) for user traffic. Like a normal layer 2 network it works by flooding packets across the network to discover the MAC addresses at each port, but since VXLAN itself is unicast this can lead to packet multiplication across the network which limits scalability. VXLAN (alone, not with BGP) could easily be added to this setup to pass user plane traffic over the OSPF routed cluster network. BGP EVPN solves the scalability problem of regular VXLAN by adding routing to the VXLAN tunnel, using BGP's multiprotocol abilities to route MAC addresses within the tunnel and improve MAC learning. So it's forming MAC tunnels but routing MACs using BGP for efficiency, with the appearance of L2 for the benefit of the VMs using them to pass data. BGP still requires that every node can connect with every other node via its lo address, so we still need a protocol to route those, or they need to be on-link on the L2 domain. So this setup is to route the cluster traffic, not user plane traffic, and BGP-EVPN (and VXLAN) is for user plane traffic. They are not mutually exclusive.

Basically you just have to run `pveceph init` from the command line, and set the ceph network (public and private) to a /64 subnet which contains all of the /128 loopback addresses (fe69:beef:cafe::/64 in my example). Then you can install Ceph as you normally would. The local nodes will find their address which falls within the subnet, and will use the ring network. VM traffic is a bit more complex. But Ceph is easy.

On the 'host' hypervisor? I have a Linux bridge with no hardware assigned and assigned a different vlan id to each point to point bridge. In general you shouldn't need to use OVS networking with modern kernel features (bridges can now be vlan-aware, etc.)

You should be able to get a small unmanaged 2.5G switch for the cluster network, it doesn't need to connect to a router or anything

When you create the Proxmox cluster, choose the other interface and let it set itself up. Then, add a second 'ring' network manually in corosync.conf with the addresses of each node, so it will use either one for corosync pve.proxmox.com/wiki/Separate_Cluster_Network#Redundant_Ring_Protocol has a guide on this. You can use the fd69 IPs in ring1_addr. For Proxmox migration / replication, there's an option in /etc/pve/datacenter.cfg to force a specific subnet for migration - `migration: secure,network=fd69:beef:cafe::/64`. For Ceph, use `pveceph init` and specify the subnet there (instead of the Proxmox ceph configuration GUI).

In general, no, since the public network isn't participating in the route exchange. However, if you just need to handle traffic between the two nodes, that can be done via the direct link (including VXLAN tunneling for VM traffic). In your example, with two nodes (X and Y) connected via Thunderbolt using OSPF, if X loses its connection to the public network, a few issues will all happen at once which will cause routing to break: - X's IP is attached to a network interface which is down, so that address does not exist in the system (hence putting addresses on loopback for fully routed networks) -X can route to the public network via Y (assuming it has an address), and Y can use its routing table to send to the final destination (the default router or the on-link hosts via ARP / NDP), so packets can go in one direction -The public network has no knowledge of this arrangement, so it will be unable to find X on-link (via ARP / NDP) and won't be able to return packets to X Depending on what switches you have, another option is to bridge the networks and rely on spanning tree to disable one of the links, but this will leave one of the three links disabled at any given time (the dual 1G and the thunderbolt), and spanning tree isn't smart enough to do it based on an optimal routing algorithm as it's just designed to break loops into a tree.

There are some quirks and interactions between SDN (especially BGP EVPN) and the ring setup, since both will try to write / edit frr.conf and step on each other. Using regular unicast VXLAN shouldn't interfere with the frr config, but the Cumulus Networks ifupdown2 that Proxmox uses has problems with IPv6 peers due to an oversight in their input validation that they still haven't fixed because they don't exist as a company anymore to develop it well. So I'm working through all of those issues before making a video on VXLAN.

@@apalrdsadventures Thanks for the info! Can't wait for the video :)

Is the area assigned for ospf or ospf6?

Is FRR up and configured for the right interfaces? Individual interfaces up (even though no IPs are configured other than IPv6 link-locals)? Can you ping across the link-locals?

I also cannot ping the link-locals. Followed the instructions and replicated the environment, have the same nested 3 pve nodes in a cluster with the same three nics, even the names are the same. The only difference is the vmbr0 is an ipv4. I get root@pve-lab-01:~# ping fd69:beef:cafe::552 ping: connect: Network is unreachable Please someone help me!. I´m going crazy here! (Yes FRR up, right interfaces all up but no ping across the link-locals :(

Oh wow looks like ifupdown2 development ground to a halt when nvidia acquired Cumulus Networks (who developed ifupdown2), so that's why support is lacking. In addition to that issue, ifupdown2 removes the extra lo addresses that FRR added when reloading interfaces to apply SDN changes.

@@apalrdsadventures yeah I noticed that issue too, so i have to copy the frr.conf to notepad and paste it back every time I change the SDN module in proxmox and restart it so that I can have back the IP. I tried to follow the examples in SDN document but stuck at the step when they say add vNIC to the virtual machine. If I skip that and add directly the Vnet through proxmox GUI then the VM can't communicate with the VM on the other node.

Doing unicast VXLAN instead of BGP EVPN (VXLAN) means SDN shouldn't touch the FRR config, and VXLAN without BGP EVPN is scalable for small to medium sized networks. That means the frr.conf isn't touched at least.

It's a bit more work in v6 since you need to actually set addresses on all of the point to point links, all of which need to be matched to the same subnet for each end of the link. In v6, we use the link-locals which are automatic. But other than that, the process will work similarly (using ip ospf instead of ip6 ospf6)

The addresses are on two different subnets. The vmbr0 address is what we use for the web UI and to communicate outside of the cluster. The lo address is what is used across the ring net but is not accessible from anywhere else.

@@apalrdsadventures Hi! Thanks for your answer! If I can ask another one, how hard could it be to make ipv4 variant of the setup? Is there anything I should be aware of? Thanks 🙏

To use v4, you'd need to assign addresses out of a unique /30 subnet on each point-to-point pair (in v6 you can use the link-locals), other than that you the commands are fairly similar (ip ospf instead of ipv6 ospf6).

Yes. Equal cost is across the entire path to the destination , not just a single link.

You still need a switch on the 1G backup network, but not in the high bandwidth path

@@apalrdsadventures yes, that right, I meant if you have a hyperconverged cluster using ceph, the replication network can be the point to point one.

Yes, you can also use the ring net for ZFS replication and live migration traffic

There's a migration setting to force a subnet to use if it isn't picking the right one, in /etc/pve/datacenter.cfg: migration: secure,network=fd69:beef:cafe::/64

@@apalrdsadventures Thanks for the feedback, my gut feeling is issue with routing rather than overriding config, 10gbe link is up confirmed with iperf, but neither replication nor PBS go through it. This is all new to me. I have dug around and found 2 suspects My loop back has "noprefixroute", but not in your video. It's in loop back line "inet6 ::1/128 scope host noprefixroute", learned it mean no auto routing, but didn't find how to get rid of it. Then I have my Gbe on DHCP (all value blank on that NIC in PVE), vmbr0 manually set to the same ip, and this seems like the only way PVE GUI lets you config it. In my search I come across a post @Nov 2023 saying there's a bug if static IPv4 + dynamic IPv6. We have the opposite following your guide, not sure if this is related here

Adding a replication network is a perfectly normal thing to do. As for PBS, you can specify the IPv6 of the PBS server in the storage config and it will use it as well. In my case, I only setup IPv6 on the test system, so the only options were v6 over the public network or v6 over the ring network.

You can mix ipv4 and ipv6 subnets in Proxmox. Since the ptp links don’t have manually assigned IPs in this example (just fe80 link local), they can’t pass ipv4 traffic, but having an ipv4 public network and ipv6 cluster is fine as long as all of the software on the cluster network supports ipv6. In general that’s just Proxmox itself and ceph, so it’s fine unless you want to carry vm traffic.

As to the ipv4 way, you’d need addresses on all interfaces and a small subnet (/30) on each ptp link, all unique. Then use ospf2 instead of ospf3. So ip ospf instead of ipv6 ospf6 in frr.

I'll have to try this out. So on top of adding the node address to the loopback interface I'd have to assign a unique address to each of the ipv4 interfaces?

@@apalrdsadventures I would definitely want VM traffic to carry. A use case for that would be direct access to a NFS volume on a NAS in one node to another.

If the node itself is doing NFS, that shouldn't be a problem (the Proxmox nodes route across the cluster network). Since it's an L3 network instead of L2, we can't just bridge the VMs directly to it and expect them to route properly, but we can use vxlan to tunnel VM network traffic across our cluster network.

Loopback will take both. ::1 still exists, but the other one is also on the lo interface

​@@apalrdsadventureson vmbr0 inet6gateway same for all nodes? Your tutorial is good, but for persons like me, need some preparation video, how to setup ipv6 adresses for networks. Now I go to network and adding ipv6 to devices, linux bridge

It doesn't actually matter if you are using ipv6 on the 'public' network or not, since the ring is a separate subnet. You can continue to use your vmbr0 address (IPv4 or IPv6 or both) for the web UI and management, and the new IPv6 cluster address for migration, Ceph, storage, ... simultaneously. No need to move vmbr0 to IPv6.

It doesn't need to know about them, but you'll have to do a little config in /etc/network/interfaces on your own. Basically, just add an `auto yyy` and `iface yyy inet6 manual` line for each one, the interfaces will come up with an IPv6 link-local, and you can add them to the FRR config. OSPF will figure the topology out, you don't need to have specific ports in specific places (at least with IPv6). Proxmox itself just needs to know to use the loopback address, which it also won't be aware of in the GUI, so you'll need to set the replication / migration network and Ceph network through the command line as well, but once that's done it will use it for any gui commands that rely on the storage / datacenter / ceph configs.

trying the same thing as you. did you succeed?

1G and higher don't require it ever, so unless you're using 100M Fast Ethernet you're fine.

You're welcome!

I just copied it there to copy it to the other cluster nodes, since /etc/pve is synchronized across the cluster.

This will do equal-cost multipath automatically if the topology has paths which are equal cost (such as a 4-node cluster going left or right around the ring).

Answers: -All of this was tested in a virtual environment, so 16G is what the virtual links get without any limits. I did also run a setup like this on the mini cluster, although it's a lot harder to film. -You can use this for Corosync (although that should have redundant networks), Migration, ZFS replication, and Ceph as-is, and doing user-plane traffic is also possible with some more work using vxlan. -You can add PBS to the ring as well, or as a branch, or whatever your hardware allows, and OSPF will 'figure it out' when routing to the PBS server. -You can also add routers like RouterOS and maybe OPNSense to the ring also, and both of those can do vxlan for user plane traffic.

Thanks!