Using a RIOT Loopback Port to Route Traffic in an EVPN-VXLAN Network

You can configure a RIOT loopback port on a device that doesn't support native VXLAN routing. With this feature, the device can serve as a Layer 3 VXLAN gateway in an EVPN-VXLAN fabric.

Loopback Port Solution for Routing in and out of VXLAN Tunnels (RIOT) for Layer 3 VXLAN Gateway Support

Some Juniper Networks EVPN-VXLAN fabric devices, such as QFX5210 switches, don't have native support for routing in and out of VXLAN tunnels (RIOT). Starting in Junos OS Release 21.3R1, you can configure a loopback port on supporting devices to perform RIOT operations in a two-pass process. With this solution, you can use the device as a Layer 3 VXLAN gateway device in an EVPN-VXLAN edge-routed bridging overlay (ERB) fabric.

RIOT Loopback Solution Overview

You can configure a Layer 3 VXLAN gateway using a RIOT loopback port in an EVPN-VXLAN ERB fabric with:

The following figure shows an EVPN-VXLAN ERB fabric. The leaf devices route traffic through VXLAN tunnels to the other leaf devices in the fabric. Leaf 1 is a QFX5210 switch that doesn't support native VXLAN routing in and out of the VXLAN tunnel.

Figure 1: EVPN-VXLAN ERB Overlay Fabric with a RIOT Loopback Layer 3 Gateway Leaf Device

For Leaf 1 to serve as Layer 3 VXLAN gateway, you need to configure the RIOT loopback port solution on that device. RIOT loopback routing is transparent to the other leaf devices that connect through VXLAN tunnels in the fabric. You can include Layer 3 gateway leaf devices in the same fabric that use RIOT loopback port routing with devices that use native VXLAN routing.

How RIOT Loopback Processing Works

The following figure shows how the RIOT loopback process routes traffic in or out of a VXLAN tunnel that connects to another leaf device.

Figure 2: RIOT Loopback Two-Pass Processing

You configure the RIOT loopback port as an Ethernet link aggregation group (LAG). Adjust the number of member links depending on the bandwidth of VXLAN traffic that uses the loopback path. You can use any network ports for the LAG that aren't already used for another purpose. The device automatically turns off MAC learning on the RIOT loopback LAG so the port doesn't learn its own MAC address when traffic passes through it.

The traffic flows through the RIOT loopback LAG in the first pass, then loops back into the RIOT loopback LAG for the second pass. What happens during the RIOT loopback process depends on the direction of traffic flow and the type of routes.

The device uses the RIOT loopback process for:

  • Access port to network port routing and VXLAN tunnel initiation with asymmetric or symmetric Type 2 routing and Type 5 routing.

  • Network port to access port VXLAN tunnel termination and routing with symmetric Type 2 routing and Type 5 routing only.

The device doesn't need to use the RIOT loopback LAG in the following cases:

  • Access port to access port with asymmetric Type 2 routing.

    The device routes the traffic locally through the IRB interfaces on the device as usual (no VXLAN bridging needed).

  • Network port to access port with asymmetric Type 2 routing.

    In this case, the ingress VTEP already routed the traffic exiting the VXLAN tunnel to the destination VLAN. The device uses normal Layer 2 VXLAN traffic processing to bridge the traffic on the destination VLAN.

We describe more about the RIOT loopback process with different EVPN route types next. Also, see Configure a RIOT Loopback Port on a Layer 3 VXLAN Gateway Leaf Device for details on what you need to configure for each EVPN route type.

Asymmetric Type 2 Routes with RIOT Loopback Processing

With asymmetric Type 2 routing, all VLANs extend over the EVPN network on all devices. The integrated routing and bridging (IRB) actions on the two VXLAN tunnel endpoints (VTEPs) differ as follows:

  • The ingress VTEP IRB interface routes the traffic from the source VLAN to the destination VLAN. Then the device bridges the traffic on the destination VLAN across the VXLAN tunnel.

    Note:

    With asymmetric routing, you must configure all destination VLANs on the ingress VTEP even if the device doesn't serve hosts on all VLANs.

  • The egress VTEP receives the traffic on the destination VLAN, and then forwards the traffic on the destination VLAN. The egress VTEP doesn't need to route the traffic.

This means that devices don't need the RIOT loopback process with asymmetric Type 2 routes on VXLAN tunnel traffic coming into the device from the EVPN network.

Symmetric Type 2 and Type 5 Routes with RIOT Loopback Processing

For symmetric Type 2 routes and Type 5 routes to work with the RIOT loopback process, the device uses an extra VLAN for each tenant Layer 3 (L3) virtual routing and forwarding (VRF) instance. Each extra VLAN maps to the VXLAN network identifier (VNI) for the corresponding L3 VRF instance.

Note:

Symmetric Type 2 routing requires Layer 3 reachability between the host subnetworks. An L3 VRF in which you have enabled Type 5 IP prefix routes can provide Layer 3 connectivity.

As a result, the RIOT loopback solution uses a VRF with Type 5 routes enabled to support the Layer 3 connectivity for symmetric Type 2 routing across the VXLAN tunnels. You use the same L3 VRF instance for both symmetric Type 2 routing and Type 5 routing.

The extra VLAN enables symmetric Type 2 or Type 5 routing in both directions (to and from the VXLAN tunnel) as follows:

  • Access port to network port traffic:

    In the first pass, the RIOT loopback process routes the traffic out of the RIOT loopback port. In the second pass for tunnel initiation, the RIOT loopback process needs the VNI for the corresponding L3 VRF instance. The RIOT loopback process uses the extra VLAN's VLAN-to-VNI mapping for that purpose.

  • Network port to access port traffic:

    When terminating the VXLAN tunnel, the device needs a VLAN tag with which to send the traffic out of the RIOT loopback port. The RIOT loopback process adds the extra VLAN ID as the VLAN tag in the first pass. In the second pass, the RIOT loopback process uses the VLAN tag to find the corresponding L3 VRF instance to do the route lookup.

IRB Interface Status Dependency on RIOT Loopback Port State

Layer 3 VXLAN gateway devices route traffic between VLANs using IRB interfaces. On devices with RIOT loopback processing, all IRB interfaces you configure for VXLAN routing depend on the RIOT loopback LAG. As a result, the RIOT loopback LAG must be available to process VXLAN traffic before the IRB interfaces are able to route traffic. For this feature to work, the device must consider the RIOT loopback LAG state when determining IRB interface status.

With RIOT loopback configuration, you configure the device to include the state of another local interface when evaluating the status of an IRB interface. In this case, the local interface is the RIOT loopback LAG.

Use the local-interface name statement at the [edit interfaces irb unit unit-number interface-state] hierarchy. Specify name as the logical interface name of the RIOT loopback LAG for the unit.

To make sure that the RIOT loopback LAG is up before the device evaluates the IRB interface as up, also configure the hold-time up seconds option at the [edit interfaces irb unit unit-number interface-state] hierarchy. This value is the time the device waits after the RIOT loopback interface is up before it includes that state when evaluating the IRB interface status.

The RIOT loopback LAG usually remains up unless you change its configuration. As a result, we recommend that you set hold-time up to a higher value based on the scale of routes in your network. A higher value helps prevent the IRB logical interfaces from flapping. We recommend that you try approximately 120 seconds for medium-to-large scale deployments.

Configure a RIOT Loopback Port on a Layer 3 VXLAN Gateway Leaf Device

Follow these steps to configure a device to use the RIOT loopback process so it can operate as a Layer 3 VXLAN gateway using EVPN Type 2 or Type 5 routing. Some configuration steps are common for asymmetric Type 2 routing, symmetric Type 2 routing, and EVPN Type 5 routing, such as:

  • Configure the RIOT loopback LAG and the IRB interfaces for VXLAN routing.

  • Set the RIOT loopback LAG as the interface that handles RIOT loopback processing on the device.

You perform a few extra steps for symmetric Type 2 and Type 5 routing, including:

  • Configure an extra VLAN for each EVPN L3 VRF instance. You don't use this VLAN for any other purpose. The L3 VRF instances provide the Layer 3 connectivity on which the device transfers VXLAN packets for both symmetric Type 2 routing and Type 5 routing.

  • Configure an IRB interface on each extra VLAN.

  • Map the extra VLAN to the VXLAN network identifier (VNI) of the corresponding L3 VRF instance.

See Symmetric Type 2 and Type 5 Routes with RIOT Loopback Processing for more information on the extra VLAN for symmetric Type 2 and Type 5 routing. See How RIOT Loopback Processing Works for more information on the differences in the RIOT loopback process among the supported route types.

Note:

Devices that require the RIOT loopback solution to act as a Layer 3 VXLAN gateway include the following statement in the default configuration:

This statement globally enables the RIOT loopback process on the device. You don't need to configure this statement explicitly.

To configure RIOT loopback processing:

  1. Define an aggregated Ethernet interface for the RIOT loopback port. Use any network ports on the device in the RIOT loopback LAG that you aren't already using for network traffic.
    The sample configuration below first allocates some number of aggregated Ethernet interfaces, and uses an available one (ae0) for the RIOT loopback LAG. For simplicity, this configuration includes one link in the RIOT loopback LAG, which must be up for the interface to be up. You can adjust the number of member links in the RIOT loopback LAG depending on the bandwidth of VXLAN traffic that uses the loopback path.
  2. Configure the RIOT loopback LAG in the enterprise style with:
    • Flexible VLAN tagging.

    • Flexible Ethernet services encapsulation (so the interface can have multiple logical units).

    For example:

  3. Configure the RIOT loopback LAG interface in enterprise style as a member of all VLANs (units) that have IRB interfaces for which the device does Layer 3 VXLAN gateway routing. Also, configure the interface in trunk mode for each unit.

    For example, here the fabric serves three VXLAN VLANs: V100, V110, and V120. Configure the RIOT loopback LAG in each VLAN with interface-mode trunk:

  4. Configure an IRB interface for each VLAN (unit) used for VXLAN routing. This step isn't specific to the RIOT loopback process. However, it is a required part of the EVPN-VXLAN fabric setup. You use these IRB interfaces in subsequent steps.

    For example, configure IRB interfaces for units 100, 110, and 120:

  5. For each IRB interface, set the RIOT loopback LAG as a local interface whose state the device includes in evaluating the IRB interface state (up or down). Use the local-interface name statement at the [edit interfaces irb unit unit-number interface-state] hierarchy. Specify the logical interface name of the RIOT loopback LAG for the local interface name. Also set the hold-time up option to ensure the RIOT loopback LAG is up before the device evaluates the IRB interface as up. See IRB Interface Status Dependency on RIOT Loopback Port State for more information on why we need this step.

    For example, for IRB interfaces configured on units 100, 110, and 120, set the local interface to the RIOT loopback LAG logical interface name. Specify a hold time for each IRB—we recommend 120 seconds in this case for a medium-to-large scale deployment:

  6. Set the RIOT loopback LAG as the interface the device uses for the RIOT loopback process for all VXLAN routing. Use the statement loopback-port loopback-port at the [edit forwarding-options vxlan-routing] hierarchy level. With this statement, specify the physical interface name of the RIOT loopback port.

    For example, in our sample configuration in earlier steps, the RIOT loopback LAG is ae0:

  7. Define each VXLAN VLAN. Set the IRB interfaces as Layer 3 IRB interfaces for each VLAN, and map the VLANs to VNI values. We require this step for VXLAN gateway configuration; it isn't specific to RIOT loopback configuration.

    For example:

  8. (Symmetric Type 2 and Type 5 use cases only) Configure an additional VLAN for each L3 VRF instance. The RIOT loopback process uses this VLAN and its corresponding VNI to support symmetric Type 2 and Type 5 routing. See Symmetric Type 2 and Type 5 Routes with RIOT Loopback Processing and Symmetric Integrated Routing and Bridging with EVPN Type 2 Routes in EVPN-VXLAN Fabrics for details. This VLAN is dedicated to this purpose and must be different from any tenant VLANs or VXLAN VLANs the device hosts.

    This step combines the earlier steps where you configure the RIOT loopback LAG as part of the VXLAN VLANs. You do the same for this extra VLAN, including:

    • Configure the VLAN with an IRB interface.

    • Configure the RIOT loopback LAG logical interface for this unit in trunk mode.

    • Set the RIOT loopback LAG interface as an IRB-enabled member of this VLAN.

    • Set the RIOT loopback LAG as a local interface whose state the device includes in evaluating the IRB interface state (up or down).

    For example, define an IRB-enabled VLAN named V-L3-RIOT1 with VLAN ID 999. Include the RIOT loopback LAG as a part of this VLAN. Also set the other parameters listed above that enable the RIOT loopback process:

    Note:

    Repeat this step to create an extra VLAN for each L3 VRF instance.

  9. (Symmetric Type 2 and Type 5 use cases only) Configure the extra VLAN's IRB logical interface in the L3 VRF instances where you enable Type 5 routing. Both symmetric Type 2 and Type 5 routing require this configuration for the Layer 3 connectivity. Map the additional VLAN to a VNI that matches the EVPN encapsulation VNI you configure in the L3 VRF instance.
    Note:

    To enable Type 5 routing in an EVPN-VXLAN fabric, you set up an L3 VRF instance. In that instance, you configure the ip-prefix-routes vni vni-value statement at the [edit routing-instances type-5-instance-name protocols evpn] hierarchy level. This vni-value is the value you map to the extra VLAN.

    Note that QFX5210 switches don't support asymmetric VNI values on either side of a VXLAN tunnel for a given VRF. To support EVPN Type 5 routing and symmetric IRB routing with EVPN Type 2 routes on QFX5210 switches, you must configure the same L3 VNI value for a given VRF on each of the leaf devices.

    We don't include all of the standard EVPN-VXLAN L3 VRF instance configuration here. See EVPN Type 5 Route with VXLAN Encapsulation for EVPN-VXLAN for more information on Type 5 routes. Also see Configuring EVPN Type 5 for QFX10000 Series Switches: Configuration Example for an example configuration with Type 5 routing between two QFX Series devices in an EVPN network.

    For example, if you configure the L3 VRF instance L3-VRF with an EVPN-VXLAN encapsulation VNI value of 5000 as follows:

    then map the extra VLAN from step 8 (V-L3-RIOT1 with VLAN ID 999) to VNI 5000:

    Note:

    Repeat this step for the extra VLAN and VNI for each L3 VRF instance.

  10. (Symmetric Type 2 use case only) Enable symmetric Type 2 routing in the L3 VRF instances from step 9 if you want to use symmetric routing with EVPN Type 2 routes.

    Type 2 routing is asymmetric by default, so you must explicitly enable symmetric routing using the irb-symmetric-routing vni vni configuration statement at the [edit routing-instances name protocols evpn] hierarchy. You must specify the VNI as the same EVPN-VXLAN encapsulation VNI that you set for EVPN Type 5 routing in step 9.

    For example, following the previous configuration steps, enable symmetric routing with Type 2 routes using VNI 5000:

    Note:

    Repeat this step for the extra VLAN and VNI for each L3 VRF instance.

  11. (Symmetric Type 2 and Type 5 use cases only) Finally, configure the riot-loopback statement at the [edit vlans name vxlan] hierarchy. This statement sets the VLAN from step 8 as the extra RIOT loopback VLAN for symmetric Type 2 and Type 5 routing.

    For example:

    Note:

    Repeat this step for the extra VLAN for each L3 VRF instance.
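
A consistency check for the procedure above, as an added example that is not part of Juniper's documentation: the hypothetical audit function reads a constructed set-format configuration and reports where it departs from steps 5, 6, and 8 through 11. The logical interface names and the two deliberate faults in the sample are assumptions.

```python
import re

# Constructed sample in Junos "set" format. Names and values follow the page's
# examples (ae0, V100, V-L3-RIOT1, L3-VRF, VNI 5000); the logical names ae0.0
# and ae1.0 and the two deliberate faults are assumptions made for this example.
SAMPLE = """\
set forwarding-options vxlan-routing loopback-port ae0
set interfaces irb unit 100 interface-state local-interface ae0.0
set interfaces irb unit 100 interface-state hold-time up 120
set interfaces irb unit 999 interface-state local-interface ae1.0
set interfaces irb unit 999 interface-state hold-time up 120
set vlans V100 l3-interface irb.100
set vlans V100 vxlan vni 100
set vlans V-L3-RIOT1 l3-interface irb.999
set vlans V-L3-RIOT1 vxlan vni 5001
set vlans V-L3-RIOT1 vxlan riot-loopback
set routing-instances L3-VRF protocols evpn ip-prefix-routes vni 5000
set routing-instances L3-VRF protocols evpn irb-symmetric-routing vni 5000
"""

def audit(config):
    """Return findings where a set-style config breaks the page's RIOT rules."""
    def grab(pattern):
        return re.findall(rf"^set {pattern}$", config, re.M)

    findings = []
    lag = grab(r"forwarding-options vxlan-routing loopback-port (\S+)")
    if not lag:
        return ["no loopback-port under forwarding-options vxlan-routing"]
    local = dict(grab(r"interfaces irb unit (\d+) interface-state local-interface (\S+)"))
    hold = dict(grab(r"interfaces irb unit (\d+) interface-state hold-time up (\d+)"))
    # Steps 5 and 8: every routed VXLAN VLAN's IRB must track the RIOT LAG.
    for vlan, unit in grab(r"vlans (\S+) l3-interface irb\.(\d+)"):
        if not local.get(unit, "").startswith(lag[0] + "."):
            findings.append(f"irb.{unit} ({vlan}): local-interface is not a unit of {lag[0]}")
        if unit not in hold:
            findings.append(f"irb.{unit} ({vlan}): no hold-time up")
    # Steps 9 and 11: the extra VLAN's VNI must equal an L3 VRF Type 5 VNI.
    vni = dict(grab(r"vlans (\S+) vxlan vni (\d+)"))
    type5 = dict(grab(r"routing-instances (\S+) protocols evpn ip-prefix-routes vni (\d+)"))
    for vlan in grab(r"vlans (\S+) vxlan riot-loopback"):
        if vni.get(vlan) not in type5.values():
            findings.append(f"{vlan}: VNI {vni.get(vlan)} matches no ip-prefix-routes vni")
    # Step 10: symmetric Type 2 must reuse the same VRF's Type 5 VNI.
    for vrf, v in grab(r"routing-instances (\S+) protocols evpn irb-symmetric-routing vni (\d+)"):
        if type5.get(vrf) != v:
            findings.append(f"{vrf}: irb-symmetric-routing vni {v} differs from Type 5 VNI")
    return findings
```

Run against the sample, audit(SAMPLE) reports the IRB unit that tracks the wrong LAG and the extra VLAN whose VNI does not match the L3 VRF.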

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release    Description
21.4R1     Starting in Junos OS Release 21.3R1-S1 and 21.4R1, you can enable symmetric EVPN Type 2 routing on QFX5210 switches that act as Layer 3 gateways.