VXLAN Routing In and Out of Tunnels



Note: The VXLAN tunnel loopback infrastructure, identified by the trunk object named "vxlan-loopback-trunk", is used for bridging multicast or broadcast traffic in the extended VLAN and for routing traffic before VXLAN encapsulation or after VXLAN decapsulation. Non-routed unicast traffic is bridged and encapsulated, or decapsulated and bridged, without using the VXLAN tunnel loopback.



This feature provides centralized routing for VXLAN VLANs. For hosts on different VXLAN VLANs to communicate with each other, the SVIs for those VXLAN VLANs are configured on one cluster pair in the fabric. Any VXLAN VLAN packet that must be routed between two hosts is sent to the centralized overlay vRouter and then VXLAN encapsulated or decapsulated, depending on the location of the source or destination host.


Because the E68-M and E28Q cannot perform VXLAN routing in and out of tunnels in a single pass, loopback support exists: Netvisor One uses vxlan-loopback-trunk to recirculate the packets. Be sure to add ports to vxlan-loopback-trunk so that VXLAN routing in and out of tunnels works correctly. After VXLAN decapsulation, if a packet is to be routed, its inner DMAC is either the vRouter MAC address or the VRRP MAC address, and the packet must recirculate after decapsulation as part of the routing operation. To accomplish this, the Layer 2 entries for the router MAC address or VRRP MAC address on the VXLAN VLAN are programmed in hardware to point to the vxlan-loopback-trunk ports. The output of the l2-table-show command carries a vxlan-loopback flag in the state field to indicate this hardware state.


CLI (network-admin@switch) > l2-table-show vlan 200

mac:                       00:0e:94:b9:ae:b0
vlan:                      200
vxlan                      10000
ip:                        2.2.2.2
ports:                     69
state:                     active,static,vxlan-loopback,router
hostname:                  Spine1
peer-intf:                 host-1
peer-state:
peer-owner-state:
status:
migrate:
mac:                       00:0e:94:b9:ae:b0
vlan:                      200
vxlan                      10000
ip:                        2.2.2.2
ports:                     69
state:                     active,static,vxlan-loopback,router
hostname:                  Spine1
peer-intf:                 host-1
peer-state:                active,vrrp,vxlan-loopback active,vrrp
peer-owner-state:
status:
migrate:

CLI (network-admin@switch) > l2-table-show vlan 100

mac:                       00:0e:94:b9:ae:b0
vlan:                      100
vxlan                      20000
ip:                        1.1.1.1
ports:                     69
state:                     active,static,vxlan-loopback,router
hostname:                  Spine1
status:
migrate:
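A quick operational check for the state described above, added here as an example rather than taken from Netvisor One itself: it parses the vertical l2-table-show layout shown on this page (including the "vxlan" field, which the raw output prints without a colon) and reports router-MAC entries whose hardware state lacks the vxlan-loopback flag, which is what you would see if vxlan-loopback-trunk has no ports. The sample output is constructed; its first entry mirrors the page and its second is a made-up failing entry.

```python
import re

# Constructed sample in the layout of the page's l2-table-show output.
# Entry 1 mirrors the page; entry 2 is a constructed router-MAC entry
# that was NOT programmed to vxlan-loopback-trunk (the failure case).
SAMPLE_L2_TABLE = """\
mac:                       00:0e:94:b9:ae:b0
vlan:                      200
vxlan                      10000
ip:                        2.2.2.2
ports:                     69
state:                     active,static,vxlan-loopback,router
hostname:                  Spine1
mac:                       00:0e:94:b9:ae:b1
vlan:                      300
vxlan                      30000
ip:                        3.3.3.3
ports:                     0
state:                     active,static,router
hostname:                  Spine1
"""

# Key, optional colon (the 'vxlan' line has none), then the value.
FIELD_RE = re.compile(r"^(?P<key>[\w-]+):?\s*(?P<value>.*)$")


def parse_l2_table(text):
    """Split vertical 'key: value' output into a list of entry dicts.
    A new entry starts at each 'mac:' line."""
    entries, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        if key == "mac":
            current = {}
            entries.append(current)
        if current is not None:
            current[key] = value
    return entries


def routed_entries_missing_loopback(text):
    """Return (mac, vlan) for router-MAC entries whose state lacks the
    vxlan-loopback flag, i.e. routed VXLAN traffic on that VLAN has no
    recirculation path through vxlan-loopback-trunk."""
    missing = []
    for e in parse_l2_table(text):
        flags = set(e.get("state", "").split(","))
        if "router" in flags and "vxlan-loopback" not in flags:
            missing.append((e["mac"], e["vlan"]))
    return missing
```

Feed it the live output of l2-table-show for the VXLAN VLANs after adding ports to vxlan-loopback-trunk; an empty result means every router MAC entry is programmed for recirculation.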

Layer 3 entries behind VXLAN tunnels likewise require two passes for the routing and encapsulation operations.


For such Layer 3 entries, the hardware points to vxlan-loopback-trunk. The output of l3-table-show displays this hardware state with a vxlan-loopback flag.


CLI (network-admin@Spine1) > l3-table-show ip 2.2.2.3 format all

mac:                  00:12:c0:88:07:75
ip:                   2.2.2.3
vlan:                 200
public-vlan:          200
vxlan:                10000
rt-if:                eth5.200
state:                active,vxlan-loopback
egress-id:            100030
create-time:          16:46:20
last-seen:            17:25:09
hit:                  22
tunnel:               Spine1_Spine4