Dynamic Routing Configuration Examples

Introduction

This document provides configuration examples for OVN’s dynamic routing feature. For the underlying architecture, data flow, and full description of each option, see Dynamic Routing Integration and ovn-nb(5).

Configuration Examples

The following examples demonstrate complete configurations for common deployment scenarios.

Example: Gateway Router with BGP

A centralized gateway router pinned to a specific chassis, peering with an external BGP speaker to advertise connected and static routes.

External BGP Peer
          |
          | BGP peering
          |
+---------+---------+
| LS-Fabric         |
| 192.168.1.0/24    |
+---------+---------+
          |
+---------+---------+
| Gateway Router    |  (lr-gw, pinned to chassis-1)
| 10.0.0.1/24       |  dynamic-routing = true
+---------+---------+
          |
+---------+---------+
| Logical Switch    |  (ls-internal)
| 10.0.0.0/24       |
+---------+---------+
          |
    VM1  VM2  VM3

Create the logical topology.

$ ovn-nbctl lr-add lr-gw
$ ovn-nbctl ls-add ls-internal
$ ovn-nbctl ls-add ls-fabric

# Router port toward the internal network.
$ ovn-nbctl lrp-add lr-gw lrp-internal \
    00:00:00:00:00:01 10.0.0.1/24
$ ovn-nbctl lsp-add-router-port ls-internal \
    lsp-internal-to-gw lrp-internal

# Router port toward the fabric.
$ ovn-nbctl lrp-add lr-gw lrp-fabric \
    00:00:00:00:00:02 192.168.1.1/24
$ ovn-nbctl lsp-add-router-port ls-fabric \
    lsp-fabric-to-gw lrp-fabric

# Localnet port for physical connectivity.
$ ovn-nbctl lsp-add-localnet-port ls-fabric \
    lsp-fabric-ln physnet-fabric

Pin the router to a chassis and enable dynamic routing.

Enable IP route exchange on this logical router with dynamic-routing=true. The dynamic-routing-redistribute option controls which route types are advertised to external peers — connected advertises the subnet prefixes of the router’s ports and static advertises all configured static routes. Set an explicit dynamic-routing-vrf-id so the VRF table ID is predictable in FRR configuration.

$ ovn-nbctl set Logical_Router lr-gw \
    options:chassis=chassis-1 \
    options:dynamic-routing=true \
    options:dynamic-routing-redistribute=connected,static \
    options:dynamic-routing-vrf-id=100

Configure VRF management and routing protocol redirect.

Setting dynamic-routing-maintain-vrf=true on the fabric-facing port lets ovn-controller create and delete the VRF automatically when the port is bound or unbound.

A dedicated logical switch port (lsp-bgp) is added for the BGP daemon. The routing-protocols and routing-protocol-redirect options on the router port tell OVN to forward BGP (TCP 179) and BFD (UDP 3784) control plane traffic to that switch port, so FRR can peer using the router port’s IP addresses.

Periodic IPv6 Router Advertisements are enabled to support BGP unnumbered (RFC 5549), where the link-local nexthop is discovered automatically.

# Let ovn-controller create/delete the VRF automatically.
$ ovn-nbctl set Logical_Router_Port lrp-fabric \
    options:dynamic-routing-maintain-vrf=true

# Add a logical switch port for the BGP daemon.
$ ovn-nbctl lsp-add ls-fabric lsp-bgp
$ ovn-nbctl lsp-set-addresses lsp-bgp unknown

# Redirect BGP and BFD control plane traffic to lsp-bgp.
$ ovn-nbctl set Logical_Router_Port lrp-fabric \
    options:routing-protocols=BGP,BFD \
    options:routing-protocol-redirect=lsp-bgp

# Enable periodic RAs for BGP unnumbered peer discovery.
$ ovn-nbctl set Logical_Router_Port lrp-fabric \
    ipv6_ra_configs:send_periodic=true \
    ipv6_ra_configs:address_mode=slaac \
    ipv6_ra_configs:max_interval=10 \
    ipv6_ra_configs:min_interval=5

Bind the BGP interface on the chassis.

# Create an OVS internal port bound to the BGP LSP.
$ ovs-vsctl add-port br-int ext0-bgp -- \
    set Interface ext0-bgp type=internal \
    external-ids:iface-id=lsp-bgp

# Place the interface into the VRF.
$ ip link set dev ext0-bgp master ovnvrf100
$ ip link set dev ext0-bgp up

Configure FRR on the chassis.

configure terminal

vrf ovnvrf100
exit-vrf

router bgp 65000 vrf ovnvrf100
  bgp router-id 192.168.1.1
  neighbor ext0-bgp interface remote-as external
  address-family ipv4 unicast
    redistribute kernel
  exit-address-family
  address-family ipv6 unicast
    redistribute kernel
    neighbor ext0-bgp activate
  exit-address-family

Example: Distributed Router with Gateway Ports

A distributed logical router with a distributed gateway port, advertising connected, NAT, and load balancer routes. The local-only option ensures host routes are announced only from the chassis hosting the workload.

        External BGP Peer
              |
              | BGP peering
              |
    +---------+---------+
    | LS-Fabric         |
    | 172.16.0.0/24     |
    +---------+---------+
              |
+-------------+-------------------+
|   Distributed LR                |
|   (lr-dist)                     |
|   dynamic-routing = true        |
|   NAT: 172.16.0.10 -> 10.0.1.10 |
|   LB VIP: 172.16.0.100          |
+--------+----------+-------------+
         |          |
   +-----+------+ +-+---------+
   | LS-A       | | LS-B      |
   | 10.0.1/24  | | 10.0.2/24 |
   +-----+------+ +-----+-----+
         |               |
       VM-A1           VM-B1
    (chassis-1)     (chassis-2)

Create the distributed router with a gateway port.

$ ovn-nbctl lr-add lr-dist
$ ovn-nbctl ls-add ls-a
$ ovn-nbctl ls-add ls-b
$ ovn-nbctl ls-add ls-fabric

# Internal ports.
$ ovn-nbctl lrp-add lr-dist lrp-a \
    00:00:00:00:01:01 10.0.1.1/24
$ ovn-nbctl lsp-add-router-port ls-a lsp-a-to-lr lrp-a

$ ovn-nbctl lrp-add lr-dist lrp-b \
    00:00:00:00:01:02 10.0.2.1/24
$ ovn-nbctl lsp-add-router-port ls-b lsp-b-to-lr lrp-b

# Distributed gateway port.
$ ovn-nbctl lrp-add lr-dist lrp-gw \
    00:00:00:00:02:01 172.16.0.1/24
$ ovn-nbctl lsp-add-router-port ls-fabric \
    lsp-fabric-to-lr lrp-gw

# Configure HA chassis group for the gateway port.
$ ovn-nbctl ha-chassis-group-add ha-gw
$ ovn-nbctl ha-chassis-group-add-chassis ha-gw \
    chassis-1 10
$ ovn-nbctl ha-chassis-group-add-chassis ha-gw \
    chassis-2 5
$ GRP=$(ovn-nbctl --bare --columns=_uuid \
    find HA_Chassis_Group name=ha-gw)
$ ovn-nbctl set Logical_Router_Port lrp-gw \
    ha_chassis_group=$GRP

Add NAT and load balancer.

$ ovn-nbctl lr-nat-add lr-dist dnat_and_snat \
    172.16.0.10 10.0.1.10
$ ovn-nbctl lb-add lb-web 172.16.0.100:80 \
    10.0.1.10:8080,10.0.2.10:8080
$ ovn-nbctl lr-lb-add lr-dist lb-web

Enable dynamic routing with NAT and LB redistribution.

Here dynamic-routing-redistribute includes nat (NAT external IPs) and lb (load balancer VIPs) in addition to connected subnets. Setting dynamic-routing-redistribute-local-only=true on the gateway port ensures these host routes are only advertised from the chassis where the tracked workload port is locally bound, avoiding unnecessary traffic tromboning.

$ ovn-nbctl set Logical_Router lr-dist \
    options:dynamic-routing=true \
    options:dynamic-routing-redistribute=connected,nat,lb \
    options:dynamic-routing-vrf-id=200

$ ovn-nbctl set Logical_Router_Port lrp-gw \
    options:dynamic-routing-maintain-vrf=true \
    options:dynamic-routing-redistribute-local-only=true

With local-only enabled, NAT and LB host routes are only advertised on the chassis where their traffic is processed, ensuring optimal traffic forwarding.

Set up routing protocol redirect and FRR (same pattern as the gateway router example above).

Verification

Checking OVN State

Verify that ovn-northd has populated the Advertised_Route table:

$ ovn-sbctl list Advertised_Route

Check for learned routes from external peers:

$ ovn-sbctl list Learned_Route

Checking the VRF and Kernel Routes

Verify the VRF exists and is up:

$ ip link show type vrf

List routes in the VRF table. Routes marked proto ovn were installed by ovn-controller; routes with other protocol values (e.g., proto bgp) were learned from the routing daemon:

$ ip route show table 100

Checking FRR State

Verify BGP peering is established:

$ vtysh -c "show bgp summary"

Check received and advertised routes:

$ vtysh -c "show bgp ipv4 unicast"
$ vtysh -c "show bgp ipv6 unicast"

Best Practices

Use explicit VRF IDs. Set dynamic-routing-vrf-id rather than relying on the datapath tunnel key. Explicit IDs make the VRF configuration predictable and easier to reference in FRR configurations and monitoring.

Use local-only for host routes. When using connected-as-host redistribution, combine it with dynamic-routing-redistribute-local-only=true to ensure host routes are only announced from the chassis that owns the workload. This provides optimal traffic forwarding and avoids unnecessary traffic tromboning.

Let ovn-controller manage VRFs when possible. Set dynamic-routing-maintain-vrf=true on the logical router port to let ovn-controller handle VRF creation and deletion. This simplifies chassis provisioning and ensures VRF lifecycle matches port binding.

Configure BFD for fast failure detection. Include BFD in the routing-protocols option and enable BFD in FRR for sub-second failure detection. This significantly improves convergence time compared to relying on BGP hold timers alone.

Use per-port redistribution for multi-homed setups. When a chassis has multiple fabric links, use per-port dynamic-routing-redistribute and dynamic-routing-port-name to control exactly which routes are advertised and learned on each link.

See Also

  • Dynamic Routing Integration — Architecture and internal design of the dynamic routing feature.

  • ovn-nb(5) — Full reference for all Logical_Router and Logical_Router_Port dynamic routing options.

  • ovn-sb(5) — Documentation of the Advertised_Route and Learned_Route tables.

  • ovn-controller(8) — Controller-side configuration options including dynamic-routing-port-mapping.