> >>What about other bridges in the system which do not use vxlan at all
> >>(firewall bridges)?
>
> mmm, good question. I think you can put it in the vrf or not.
> as they don't have any ip address, and it's only layer2, it's not a problem.
See: https://vincent.bernat.im/en/blog/2017-linu
ge with symmetric routing, because they are the router
for the bridge,
and they need to have their routing table from the vrf.
- Original message -
From: "dietmar"
To: "aderumier"
Cc: "pve-devel"
Sent: Sunday 12 August 2018 13:53:27
Subject: Re: [pve-devel] [PATC
> On August 12, 2018 at 1:28 PM Alexandre DERUMIER wrote:
>
>
> >>But I think we cannot simply turn off rp_filter, see
> >>
> >>https://vincent.bernat.im/en/blog/2017-linux-bridge-isolation
> >>
> >>Maybe we can use vrf (instead of rp_filter) to isolate our bridges??
>
> with symmetric routin
ilter=0 on all interfaces is maybe a little bit too large, I
think it could be done only on
specific interfaces, but I need to do tests again to verify which interfaces
really need it)
- Original message -
From: "dietmar"
To: "aderumier"
Cc: "pve-devel"
Sent:
> >>I wonder if it is necessary to use three nodes for your examples.
> >>Wouldn't it be enough to use two nodes? That would make configuration
> >>files smaller.
>
> This was mainly for l2 unicast mode and also frr, to show multiple peers
> configuration.
OK
___
> >>rp_filter is essential for security. Why do we
> >>need to turn this off?
>
> For example, I had a problem with live migration and the symmetric model, a timeout
> of 30-60s.
> https://github.com/FRRouting/frr/issues/2129
But I think we cannot simply turn off rp_filter, see
https://vincent.bernat
From: "dietmar"
To: "pve-devel" , "aderumier"
Sent: Saturday 11 August 2018 10:08:28
Subject: Re: [pve-devel] [PATCH pve-docs 1/1] add vxlan l3 routing
I wonder if it is necessary to use three nodes for your examples.
Wouldn't it be enough to u
evel" , "aderumier"
Sent: Saturday 11 August 2018 10:01:37
Subject: Re: [pve-devel] [PATCH pve-docs 1/1] add vxlan l3 routing
some questions about sysctl setup:
> +sysctl.conf tuning
> +
> +
> +#enable routing
> +net.ipv4.ip_forward=1
> +net.ipv6.conf.all.f
I wonder if it is necessary to use three nodes for your examples.
Wouldn't it be enough to use two nodes? That would make configuration
files smaller.
some questions about sysctl setup:
> +sysctl.conf tuning
> +
> +
> +#enable routing
> +net.ipv4.ip_forward=1
> +net.ipv6.conf.all.forwarding=1
> +#disable reverse path filtering
> +net.ipv4.conf.default.rp_filter=0
> +net.ipv4.conf.all.rp_filter=0
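Review bot: The last two lines of this hunk set rp_filter=0 through the net.ipv4.conf.default and net.ipv4.conf.all keys rather than on named interfaces, so the change is not limited to the interfaces that take part in vxlan routing. The comment "#disable reverse path filtering" says what the setting does but not why the setup needs it. Please document the reason in the text next to the block and, where the setup allows it, apply rp_filter=0 only to the specific interfaces that require it, leaving the other interfaces at their current value.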
rp_filter is essential for security. Why do w
This adds documentation for inter vxlan routing, with frr and anycast gateway.
---
vxlan-and-evpn.adoc | 604
1 file changed, 604 insertions(+)
diff --git a/vxlan-and-evpn.adoc b/vxlan-and-evpn.adoc
index 73ae4a6..703cd8b 100644
--- a/vxlan-and-