Multihoming does not work on tagged interfaces

[albert-a]

FRR VERSION: 8.2.2-1+pve1
OPERATING SYSTEM VERSION: Debian 11 Bullseye (Proxmox 7.2)
KERNEL VERSION: 5.15.35-1-pve

Hello, my goal is to allow several VNIs to be accessible as VLANs to multihomed server.
Before attempting to do that I tried doing multihoming with single VLAN.
I use these config statements in frr.conf on the nodes:

interface mhbond2
 evpn mh es-df-pref 101
 evpn mh es-id 2
 evpn mh es-sys-mac aa:aa:39:00:00:02

es-df-pref is different between nodes.
I tried setting up multihoming and it works when it is configured on physical interface ens22:

auto mhbond2
iface mhbond2
        bond-slaves ens22
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        es-sys-mac aa:aa:39:00:00:02

But as soon as I change ens22 to ens22.2 on the nodes and appropriate bond on the server, it does not work, although I can access server via this VLAN (when taking it out of the bond and assigning the IP)

/etc/frr/frr.conf (node 1)

log syslog informational
ip forwarding
ipv6 forwarding
frr defaults datacenter
service integrated-vtysh-config
hostname at1
!
vrf vrf1
 vni 4000
 exit-vrf
interface mhbond2
 evpn mh es-df-pref 101
 evpn mh es-id 2
 evpn mh es-sys-mac aa:aa:39:00:00:02
!
router bgp 65000
 bgp router-id 172.22.255.1
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor 172.22.255.2 peer-group VTEP
 neighbor 172.22.255.3 peer-group VTEP
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
!
router bgp 65000 vrf vrf1
!
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
 exit-address-family
!
line vty
!

/etc/network/interfaces (node 1)

auto lo
iface lo inet loopback

auto ens18
iface ens18
       address 172.22.255.1/24

auto ens22
iface ens22

auto mhbond2
iface mhbond2
        bond-slaves ens22
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        es-sys-mac aa:aa:39:00:00:02

auto vrf1
iface vrf1
    vrf-table auto

auto lan2
iface lan2
        link-type veth
        address 10.0.2.1/24
        veth-peer-name lan2_peer

auto lan2_peer
iface lan2_peer
        link-type veth
        veth-peer-name lan2

auto vxlan2
iface vxlan2 inet manual
        vxlan-id 2
        vxlan-local-tunnelip 172.22.255.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mstpctl-portbpdufilter yes
        mstpctl-bpduguard yes

auto vmbr2
iface vmbr2 inet static
        bridge-ports vxlan2 lan2_peer mhbond2
        bridge-stp off
        bridge-fd 0
        address 10.0.2.254/24
        hwaddress 44:39:39:FF:20:94
        vrf vrf1
        ip-forward on
        ip6-forward on
        arp-accept on

auto vxlan4000
iface vxlan4000 inet manual
        vxlan-id 4000
        vxlan-local-tunnelip 172.22.255.1
        bridge-learning off
        bridge-arp-nd-suppress on
        bridge-unicast-flood off
        bridge-multicast-flood off

auto vmbr4000
iface vmbr4000 inet manual
        bridge-ports vxlan4000
        bridge-stp off
        bridge-fd 0
        vrf vrf1

The other nodes have similar configurations.

Steps To Reproduce

1. Set up working EVPN/VXLAN network on 3 nodes with multihomed server (You can use my configs). Make sure you can ping multihomed server from the nodes.
2. Then try to replace physical interfaces in multihoming bonds with the VLANs (ex. ens22 -> ens22.2) on the nodes and on the multihoming server.
3. Try to ping the address of the the server from the nodes, and see that the server is not accessible.

Expected behavior
I expect server to be accessible on step 3

Versions

# pveversion
pve-manager/7.2-4/ca9d43cc (running kernel: 5.15.35-1-pve)
# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# dpkg -l |grep frr
ii  frr                                  8.2.2-1+pve1                   amd64        FRRouting suite of internet protocols (BGP, OSPF, IS-IS, ...)
ii  frr-pythontools                      8.2.2-1+pve1                   all          FRRouting suite - Python tools

[taspelund]

Can you please share the "broken" config? I see references to moving from ens22 -> ens22.2, but it doesn't state explicitly where in the config that change is made.

[albert-a]

I change it in the bond definition on the nodes:

auto mhbond2
iface mhbond2
        bond-slaves ens22.2
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        es-sys-mac aa:aa:39:00:00:02

so that the tagged interface gets enslaved to multihoming bond. (I also do in on the multihomed server)

vmbr2 -> mhbond2 ( ens22.2 enslaved ) -> ens22 ------> server

But unfortunately it does not work.

I also found out that if I create veth pair, put one end to mhbond0 the other end to a vlan aware bridge with pvid 2, and add the ens22 to that bridge - It works:

vmbr2 -> mhbond2 ( mhveth2 enslaved ) -> mhpeer2 bridged with pvid 2 -> mhbr2 -> ens22 ------> server

It's strange that it works with veth interface but does not with the vlan interface.

[taspelund]

Try leaving the bond config alone - just add a separate vlan subinterface and put that vlan in the bridge.
e.g.

auto ens22
iface ens22

auto mhbond2
iface mhbond2
        bond-slaves ens22
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        es-sys-mac aa:aa:39:00:00:02

auto mhbond2.2
iface mhbond2.2
        vlan-id 2
        vlan-raw-device mhbond2

auto vmbr2
iface vmbr2 inet static
        bridge-ports vxlan2 lan2_peer mhbond2.2
        bridge-stp off
        bridge-fd 0
        address 10.0.2.254/24
        hwaddress 44:39:39:FF:20:94
        vrf vrf1
        ip-forward on
        ip6-forward on
        arp-accept on

[albert-a]

Thank you for the suggestion. I suppose I leave frr.conf as is.
It works, but I don't understand how to expose several segments in this case.
When I add mhbond2.3, mhbond2.4, ... to vmbr3 (VNI 3), vmbr4 (VNI 4), ... then will they be joined to one ethernet segment?
Is it ok?

[taspelund]

An Ethernet Segment represents an attachment circuit - in this case an LACP LAG. Multiple vlans can be carried over the same AC without needing a separate ES-ID.

To bring that back to the config, that means they'd all just be different vlans carried over the same bond interface. So you'd only need 1 ES-ID per MH bond regardless of how many vlans you configure on each MH bond.

[albert-a]

Thank you for the clarification!
I tested this. It (almost) works,

1. I can ping everything within EVPN network from within EVPN network,
2. I can ping everything outside EVPN network, from outside EVPN network (in all VLANs)
3. I can ping everything within one L2 domain (EVPN VNI and ES VLAN)
4. But when I ping

• any host outside EVPN network from the other L2 domain within EVPN network
• any host within EVPN network from the other L2 domain outside EVPN network
  Strange thing happen: I observe periodical blackouts (packet loss) with random duration from 1s to 20s or sometimes more.

[taspelund]

There's not enough info here to help isolate what's going on. Right now all we know about your network is that you've configured EVPN-MH.

At the very least you should provide a network diagram showing where the test hosts are, an idea of what you've deployed (e.g. EVPN Symmetric vs Centralized, who is the GW, what VRFs exist and whether/where they're being leaked, etc.) and specific details around working/non-working flows (SMAC/DMAC/SIP/DIP).

[albert-a]

Thanks for the response. I'm sorry that I missed it somehow. Sure. Here is the info.
In my testing environment I have:

• 3 hypervisors at1, at2, at3, which is directly connected to each other (underlay network)
• VXLAN/EVPN network on top of the underlay network with the Symmetric IRB and anycast MAC/IP gateway for each VNI (1001,1002)
• Several VM that is running on these hypervisors, each one is connected one of the VNI.
• A multihomed switch that has a bonding connection to the hypervisors. Each VLAN on this connection (1000,1002) has untagged port.
• Several hosts connected to untagged ports of the switch.

Here is the scheme:

Inter-subnet routing occurs in VRF 'vrflan', there is an anycast default gateway on each hypervisor:

• with the address 10.0.0.254/24 for VNI 1000 on the interface vmbr0.1000
• with the address 10.0.1.254/24 for VNI 1001 on the interface vmbr0.1001

Each of the hypervisors is connected to each VNI via veth pair. No leaking is configured.
I have also have set net.ipv4.conf.default.rp_filter and net.ipv4.conf.all.rp_filter to 0:

When more than one multihoming links connected I see random packet loss and TCP connection freezes/drops when accessing hosts/VMs across the multihoming bond from different VLAN/VNI. For example host0 <-> vm101

My current config:

at1:/etc/network/interfaces

# #
# #  UNDERLAY NETWORK (simple routing)
# #

auto lo
iface lo inet loopback
    address 172.22.211.1/32

auto int0
iface int0
    mtu 9710
    post-up ip route add 172.22.211.2/32 dev int0 src 172.22.211.1

auto int1
iface int1
    mtu 9710
    post-up ip route add 172.22.211.3/32 dev int1 src 172.22.211.1

# #
# #  MULTIHOMING
# #

auto ens21
iface ens21

auto mhbond0
iface mhbond0
        bond-slaves ens21
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        bond-lacp-bypass-allow yes
        es-sys-mac aa:aa:39:00:00:01

auto mhbond0sub1000
iface mhbond0sub1000
        vlan-raw-device mhbond0
        vlan-id 1000
        bridge-access 1000

auto mhbond0sub1001
iface mhbond0sub1001
        vlan-raw-device mhbond0
        vlan-id 1001
        bridge-access 1001

# #
# #  OVERLAY NETWORK
# #

auto vrflan
iface vrflan
        vrf-table auto

auto lan1000
iface lan1000
        link-type veth
        veth-peer-name lanpeer1000
        address 10.0.0.1/24

auto lanpeer1000
iface lanpeer1000
        link-type veth
        veth-peer-name lan1000
        bridge-access 1000

auto lan1001
iface lan1001
        link-type veth
        veth-peer-name lanpeer1001
        address 10.0.1.1/24

auto lanpeer1001
iface lanpeer1001
        link-type veth
        veth-peer-name lan1001
        bridge-access 1001

auto vxlan1000
iface vxlan1000
        vxlan-id 1000
        vxlan-local-tunnelip 172.22.211.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mstpctl-portbpdufilter yes
        mstpctl-bpduguard yes
        bridge-access 1000

auto vxlan1001
iface vxlan1001
        vxlan-id 1001
        vxlan-local-tunnelip 172.22.211.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mstpctl-portbpdufilter yes
        mstpctl-bpduguard yes
        bridge-access 1001

auto vxlan4000
iface vxlan4000
        vxlan-id 4000
        vxlan-local-tunnelip 172.22.211.1
        bridge-learning off
        bridge-arp-nd-suppress on
        mstpctl-portbpdufilter yes
        mstpctl-bpduguard yes
        bridge-access 4000

auto vmbr0
iface vmbr0
        bridge-ports vxlan4000 glob vxlan1000-1001 glob mhbond0sub1000-1001 glob lanpeer1000-1001
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 4000 1000-1001

auto vmbr0.1000
iface vmbr0.1000
        hwaddress 44:39:39:EF:94:00
        address 10.0.0.254/24
        vrf vrflan
        ip-forward on
        ip6-forward on
        arp-accept on

auto vmbr0.1001
iface vmbr0.1001
        hwaddress 44:39:39:EF:94:01
        address 10.0.1.254/24
        vrf vrflan
        ip-forward on
        ip6-forward on
        arp-accept on

auto vmbr0.4000
iface vmbr0.4000
        vrf vrflan

at1:/etc/frr/frr.conf

log syslog informational
ip forwarding
ipv6 forwarding
frr defaults datacenter
service integrated-vtysh-config
hostname at1
!
vrf vrflan
 vni 4000
exit-vrf
!
interface mhbond0
 evpn mh es-df-pref 101
 evpn mh es-id 1
 evpn mh es-sys-mac aa:aa:39:00:00:01
!
router bgp 65000
 bgp router-id 172.22.211.1
 no bgp default ipv4-unicast
 coalesce-time 1000
 neighbor VTEP peer-group
 neighbor VTEP remote-as 65000
 neighbor 172.22.211.2 peer-group VTEP
 neighbor 172.22.211.3 peer-group VTEP
 !
 address-family l2vpn evpn
  neighbor VTEP activate
  advertise-all-vni
 exit-address-family
!
router bgp 65000 vrf vrflan
!
 address-family ipv4 unicast
  redistribute connected
 exit-address-family
 !
 address-family l2vpn evpn
  default-originate ipv4
 exit-address-family
line vty
!

The configuration on the other hypervisors (at2, at3) are identical (except IP addresses .1 -> .2, .3, etc)

switch:/etc/network/interfaces

auto lo
iface lo inet loopback

# MULTIHOMED BOND

auto eth1
iface eth1

auto eth2
iface eth2

auto eth3
iface eth3

auto bond0
iface bond0
        bond-slaves glob eth1-3
        bond-mode 802.3ad
        bond-min-links 1
        bond-lacp-rate 1
        bridge-vids 1000-1005

# UNTAGGED INTERFACES

auto eth4
iface eth4
    bridge-access 1000

auto eth5
iface eth5
    bridge-access 1001

auto br0
iface br0
        bridge-ports bond0 glob eth4-5
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 1000-1001

[albert-a]

Unfortunately this also does not work on the real hardware. I tried couple of switches: Mikrotik CRS326-24S+2Q+ (RouterOS 7.4) and Mikrotik CSS326-24G-2S+ (SwitchOS 2.3).
Result is the same:

• When only one of multihomed links connected, everything is OK.
• When more than one links of multihoming bond connected, I see random ICMP packet loss and TCP connection drops.

The situation even worse here. These drops occur within one VLAN/VNI unlike in testing environment when it was observed only across VNI/VLAN.

[albert-a]

UPDATE, I edited the previous post to note that the problem is still persist in the testing environment, though occurs little less frequently.

[taspelund]

I suspect the issue here is likely related to the SPH (split-horizon) filter on the ES...

I'm guessing that when the "random" loss happens, there is actually a BUM frame ingressing the MH bond, flooding over VXLAN to the ES-Peers, and not getting TX dropped towards the MH bond, and the Multihomed switch will actually observe the SMAC (from the BUM frame) flap towards the MH bond.

As I understand it, the SPH filters are applied as ingress TC rules to any interface configured in FRR with evpn mh uplink - which I don't see in this config. Can you please try adding these to any interface where you expect the VTEP to receive + decap VXLAN packets? (from the diagram this would appear to be int0 / int1)

[albert-a]

Thanks you very much for the answer! I had a chance to test it today and this really did the trick. Except for DHCP.

interface int0
 evpn mh uplink
!
interface int1
 evpn mh uplink
!

It seems it working now for IP protocol, but I found out that DHCP does not work. If there's only one multihoming link (no matter which one), DHCP woks as expected. But if there are more than one mh link - DHCP doesn't work. To be precise it partially working. I use dnsmasq as DHCP server on the one of the nodes, for example on at1, on the interface lan1000:

dhcp-range=10.0.0.128,10.0.0.191,255.255.255.0,24h
dhcp-option=option:router,10.0.0.254
dhcp-option=option:dns-server,10.0.0.1
dhcp-boot=tag:ltsp,ltsp/ltsp.ipxe,,10.0.0.100

Half of my diskless stations on this subnet doesn't boot, although there are records in the log file of the obtained addresses. The other half boots up to the stage of IP address configuration by DHCP, which fails. My laptop also fails to get the address by DHCP.

I set up 2 multihoming links to at1 and at2 for testing and tried running dhcrelay with different options on at2, while dnsmasq was running on at1. But it did not improve the situation.

[taspelund]

It would be good to understand functionally what is failing, that way we can try to understand why it's failing.

e.g.

When DHCP fails, is it due to missing packets or something else? When DHCP succeeds but the boot fails, is there a corresponding network failure?

The DHCP failure for your laptop seems like it would be easiest to diagnose (since you can get a packet capture + DHCP client logs), so I'd probably recommend starting from there first. If you can narrow down specifically what is causing the failure, we can help look at why those failures are occurring.

[albert-a]

Thank you for the suggestion, I'll try to debug it somehow, I will compare DHCP process with 1 mh link when it works with the process with 2 mh links when it does not. Probably I'll install some DHCP debugging or general packet capture software and write you back when I have some results.

[albert-a]

Logs via dhcpdump -i lan1000 shows that the request in both cases reaches the DHCP server, but response gets lost
Server logs: on the left - working, on the right not working (repetitive responses)
NOTE: addresses are different than on the scheme

  TIME: 2022-08-11 21:21:25.663                                                TIME: 2022-08-11 21:24:27.699
    IP: 0.0.0.0 (8:0:27:9b:e5:f3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)          IP: 0.0.0.0 (8:0:27:9b:e5:f3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)                                                         OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)                                                          HTYPE: 1 (Ethernet)
  HLEN: 6                                                                      HLEN: 6
  HOPS: 0                                                                      HOPS: 0
   XID: b457d143                                                                XID: 1ddc5875
  SECS: 0                                                                      SECS: 0
 FLAGS: 0                                                                     FLAGS: 0
CIADDR: 0.0.0.0                                                              CIADDR: 0.0.0.0
YIADDR: 0.0.0.0                                                              YIADDR: 0.0.0.0
SIADDR: 0.0.0.0                                                              SIADDR: 0.0.0.0
GIADDR: 0.0.0.0                                                              GIADDR: 0.0.0.0
CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00                      CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00
 SNAME: .                                                                     SNAME: .
 FNAME: .                                                                     FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)                  OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  50 (  4) Request IP address        10.0.0.43                        OPTION:  50 (  4) Request IP address        10.0.0.43    
OPTION:  12 (  6) Host name                 debian                           OPTION:  12 (  6) Host name                 debian
OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)                OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
                                             28 (Broadcast address)                                                       28 (Broadcast address)
                                              2 (Time offset)                                                              2 (Time offset)
                                              3 (Routers)                                                                  3 (Routers)
                                             15 (Domainname)                                                              15 (Domainname)
                                              6 (DNS server)                                                               6 (DNS server)
                                            119 (Domain Search)                                                          119 (Domain Search)
                                             12 (Host name)                                                               12 (Host name)
                                             44 (NetBIOS name server)                                                     44 (NetBIOS name server)
                                             47 (NetBIOS scope)                                                           47 (NetBIOS scope)
                                             26 (Interface MTU)                                                           26 (Interface MTU)
                                            121 (Classless Static Route)                                                 121 (Classless Static Route)
                                             42 (NTP servers)                                                             42 (NTP servers)
---------------------------------------------------------------------------  ---------------------------------------------------------------------------
  TIME: 2022-08-11 21:21:25.663                                                TIME: 2022-08-11 21:24:27.699
    IP: 10.0.0.1 (ce:9a:e5:81:4b:d2) > 10.0.0.43 (8:0:27:9b:e5:f3)               IP: 10.0.0.1 (ce:9a:e5:81:4b:d2) > 10.0.0.43 (8:0:27:9b:e5:f3)
    OP: 2 (BOOTPREPLY)                                                           OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)                                                          HTYPE: 1 (Ethernet)
  HLEN: 6                                                                      HLEN: 6
  HOPS: 0                                                                      HOPS: 0
   XID: b457d143                                                                XID: 1ddc5875
  SECS: 0                                                                      SECS: 0
 FLAGS: 0                                                                     FLAGS: 0
CIADDR: 0.0.0.0                                                              CIADDR: 0.0.0.0
YIADDR: 10.0.0.43                                                            YIADDR: 10.0.0.43    
SIADDR: 10.0.0.252                                                           SIADDR: 10.0.0.252   
GIADDR: 0.0.0.0                                                              GIADDR: 0.0.0.0
CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00                      CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00
 SNAME: .                                                                     SNAME: .
 FNAME: .                                                                     FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)                      OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         10.0.0.252                       OPTION:  54 (  4) Server identifier         10.0.0.252   
OPTION:  51 (  4) IP address leasetime      86400 (24h)                      OPTION:  51 (  4) IP address leasetime      86400 (24h)
OPTION:  58 (  4) T1                        43200 (12h)                      OPTION:  58 (  4) T1                        43200 (12h)
OPTION:  59 (  4) T2                        75600 (21h)                      OPTION:  59 (  4) T2                        75600 (21h)
OPTION:   1 (  4) Subnet mask               255.255.255.0                    OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:  28 (  4) Broadcast address         10.0.0.255                       OPTION:  28 (  4) Broadcast address         10.0.0.255   
OPTION:  12 (  6) Host name                 debian                           OPTION:  12 (  6) Host name                 debian
OPTION:  42 (  4) NTP servers               10.0.0.253                       OPTION:  42 (  4) NTP servers               10.0.0.253   
OPTION: 119 ( 19) Domain Search             066578616d706c65 .example        OPTION: 119 ( 19) Domain Search             066578616d706c65 .example
                                            617269730567726f .mydom.c                                                    617269730567726f .mydom.c
                                            6f6d00           om.                                                         6f6d00           om.
OPTION:  15 ( 17) Domainname               .example.mydom.com.               OPTION:  15 ( 17) Domainname               .example.mydom.cup
OPTION:   6 (  4) DNS server                10.0.0.252                       OPTION:   6 (  4) DNS server                10.0.0.252   
OPTION:   3 (  4) Routers                   10.0.0.254                       OPTION:   3 (  4) Routers                   10.0.0.254  
---------------------------------------------------------------------------  ---------------------------------------------------------------------------
                                                                               TIME: 2022-08-11 21:24:31.575
                                                                                 IP: 0.0.0.0 (8:0:27:9b:e5:f3) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
                                                                                 OP: 1 (BOOTPREQUEST)
                                                                              HTYPE: 1 (Ethernet)
                                                                               HLEN: 6
                                                                               HOPS: 0
                                                                                XID: 1ddc5875
                                                                               SECS: 4
                                                                              FLAGS: 0
                                                                             CIADDR: 0.0.0.0
                                                                             YIADDR: 0.0.0.0
                                                                             SIADDR: 0.0.0.0
                                                                             GIADDR: 0.0.0.0
                                                                             CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00
                                                                              SNAME: .
                                                                              FNAME: .
                                                                             OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
                                                                             OPTION:  50 (  4) Request IP address        10.0.0.43    
                                                                             OPTION:  12 (  6) Host name                 debian
                                                                             OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
                                                                                                                          28 (Broadcast address)
                                                                                                                           2 (Time offset)
                                                                                                                           3 (Routers)
                                                                                                                          15 (Domainname)
                                                                                                                           6 (DNS server)
                                                                                                                         119 (Domain Search)
                                                                                                                          12 (Host name)
                                                                                                                          44 (NetBIOS name server)
                                                                                                                          47 (NetBIOS scope)
                                                                                                                          26 (Interface MTU)
                                                                                                                         121 (Classless Static Route)
                                                                                                                          42 (NTP servers)
                                                                             ---------------------------------------------------------------------------
                                                                               TIME: 2022-08-11 21:24:31.575
                                                                                 IP: 10.0.0.1 (ce:9a:e5:81:4b:d2) > 10.0.0.43 (8:0:27:9b:e5:f3)
                                                                                 OP: 2 (BOOTPREPLY)
                                                                              HTYPE: 1 (Ethernet)
                                                                               HLEN: 6
                                                                               HOPS: 0
                                                                                XID: 1ddc5875
                                                                               SECS: 4
                                                                              FLAGS: 0
                                                                             CIADDR: 0.0.0.0
                                                                             YIADDR: 10.0.0.43    
                                                                             SIADDR: 10.0.0.252   
                                                                             GIADDR: 0.0.0.0
                                                                             CHADDR: 08:00:27:9b:e5:f3:00:00:00:00:00:00:00:00:00:00
                                                                              SNAME: .
                                                                              FNAME: .
                                                                             OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
                                                                             OPTION:  54 (  4) Server identifier         10.0.0.252   
                                                                             OPTION:  51 (  4) IP address leasetime      86400 (24h)
                                                                             OPTION:  58 (  4) T1                        43200 (12h)
                                                                             OPTION:  59 (  4) T2                        75600 (21h)
                                                                             OPTION:   1 (  4) Subnet mask               255.255.255.0
                                                                             OPTION:  28 (  4) Broadcast address         10.0.0.255   
                                                                             OPTION:  12 (  6) Host name                 debian
                                                                             OPTION:  42 (  4) NTP servers               10.0.0.253   
                                                                             OPTION: 119 ( 19) Domain Search             066578616d706c65 .example
                                                                                                                         617269730567726f .mydom.c
                                                                                                                         6f6d00           om.
                                                                             OPTION:  15 ( 17) Domainname               .example.mydom.cup
                                                                             OPTION:   6 (  4) DNS server                10.0.0.252   
                                                                             OPTION:   3 (  4) Routers                   10.0.0.254  
                                                                             ---------------------------------------------------------------------------
                                                                             ...

Client logs via dhclient -v enp0s3
on the left - working, on the right not working (repetitive failure to receive response)

Internet Systems Consortium DHCP Client 4.4.1                       Internet Systems Consortium DHCP Client 4.4.1
Copyright 2004-2018 Internet Systems Consortium.                    Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.                                                All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/           For info, please visit https://www.isc.org/software/dhcp/
Listening on LPF/enp0s3/08:00:27:9b:e5:f3                           Listening on LPF/enp0s3/08:00:27:9b:e5:f3
Sending on   LPF/enp0s3/08:00:27:9b:e5:f3                           Sending on   LPF/enp0s3/08:00:27:9b:e5:f3
Sending on   Socket/fallback                                        Sending on   Socket/fallback
DHCPREQUEST for 10.0.0.43 on enp0s3 to 255.255.255.255 port 67      DHCPREQUEST for 10.0.0.43 on enp0s3 to 255.255.255.255 port 67
DHCPACK of 10.0.0.43 from 10.0.0.1                                  DHCPREQUEST for 10.0.0.43 on enp0s3 to 255.255.255.255 port 67
bound to 10.0.0.43 -- renewal in 41084 seconds.                     DHCPREQUEST for 10.0.0.43 on enp0s3 to 255.255.255.255 port 67
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 3
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 8
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 10
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 17
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 12
                                                                    DHCPDISCOVER on enp0s3 to 255.255.255.255 port 67 interval 11
                                                                    ^C

I also sniffed the packets on the switch and found out that in the good situation communication goes in both directions, and in bad situation I only see request packets from DHCP client. So it seems to me that DHCP responses get filtered out on the host where dnsmasq is running (i. e. on at1). There is no firewall configured. All I do is enable second multihoming link on the switch, which is enough to break DHCP.

[albert-a]

I installed DHCP server in my testing environment and found out that DHCP works there with any number of mh links. Probably there is some issue with the real hardware. In my testing environment switch is the debian VM, and in production environment switch is MikroTik CRS326 switch. Probably I should debug it a little further.

[taspelund]

Yeah, sounds like that might be good to debug further. I'll be interested to hear what you find out.

[zzachattack2]

Did you ever get past this? I have run into pretty much the exact same problem with dhcp on a MH setup.

From my tracing of the traffic, split horizon filters are not actually being applied on the tagged interfaces of the multi-homed bonds.

This is especially problematic with DHCP when the multi-homed bond comes from a switch...

1. Discover packet is broadcast from host, to switch, towards a PE, and then flooded to all other PEs
2. Without split horizon filters, discover packet at other PE is flooded back down the bond on the same segment.
3. On the switch, a MAC move is registered, with the host's MAC now pointing to the bond interface back towards the PE
4. Reply packet is sent from DHCP server, to PE, to the switch, and would either be discarded or bounce back, depending on how the switch functions.

[albert-a]

Unfortunately no, the company head decided to switch to a simpler setup. I was hoping to get back to this issue, but haven't done so yet. If I have any updates on this in the future, I'll post it here. Please let me know If you manage to resolve this issue.

[zzachattack2]

Thanks. I created issue #15400 regarding this, but I think it’s a dead end. Unless I missed something while digging through the code-base and commit history, I don’t believe this functionality was ever added natively in FRR.

It appears that in cumulus VX, SPH / non-DF filtering is implemented with TC filters handled by a separate cumulus daemon.

If this is indeed the case, the FRR documentation is definitely misleading regarding its EVPN-MH support. At a minimum I think a big asterisk belongs in a few places. Hopefully the maintainers can address or clear it up.

[albert-a]

Thanks for creating the issue, hopefully the maintainers will clear this up.