VXLAN Constraints on QFX Series and EX Series Switches

 

When configuring Virtual Extensible LANs (VXLANs) on QFX Series and EX Series switches, be aware of the constraints described in the following sections. In these sections, “Layer 3 side” refers to a network-facing interface that performs VXLAN encapsulation and de-encapsulation, and “Layer 2 side” refers to a server-facing interface that is a member of a VLAN that is mapped to a VXLAN.

VXLAN Constraints on QFX5100, QFX5110, QFX5200, QFX5210, EX4300-48MP, and EX4600 Switches

  • (QFX5100 switches only) You can use VXLANs on a Virtual Chassis or Virtual Chassis Fabric (VCF) if all of the members are supported QFX5100 switches. You cannot use VXLANs if any of the members is not a supported QFX5100 switch.

  • (EX4600 switches only) You can use VXLANs on a Virtual Chassis if all of the members are supported EX4600 switches. You cannot use VXLANs if any of the members is not a supported EX4600 switch.

  • EVPN-VXLAN is not supported on QFX5110 or EX4300-48MP Virtual Chassis and VCF.

  • (QFX5100, QFX5110, QFX5200, QFX5210, EX4300-48MP, and EX4600 switches) VXLAN configuration is supported only in the default-switch routing instance.

  • (QFX5100, QFX5200, QFX5210, EX4300-48MP, and EX4600 switches) Routing traffic between different VXLANs is not supported.

  • (QFX5110 switches only) By default, routing traffic between a VXLAN and a Layer 3 logical interface—for example, an interface configured with the set interfaces interface-name unit logical-unit-number family inet address ip-address/prefix-length command—is disabled. If this routing functionality is required in your EVPN-VXLAN network, you can perform some additional configuration to make it work. For more information, see Understanding How to Configure VXLANs on QFX5110 Switches and Layer 3 Logical Interfaces to Interoperate.

  • Integrated routing and bridging (IRB) interfaces used in EVPN-VXLAN overlay networks do not support the IS-IS routing protocol.

  • (EX4300-48MP and EX4600 switches) A physical interface cannot be a member of a VLAN and a VXLAN. That is, an interface that performs VXLAN encapsulation and de-encapsulation cannot also be a member of a VLAN. For example, if a VLAN that is mapped to a VXLAN is a member of trunk port xe-0/0/0, any other VLAN that is a member of xe-0/0/0 must also be assigned to a VXLAN.

  • Multichassis link aggregation groups (MC-LAGs) are not supported with VXLAN.

    Note

    In an EVPN-VXLAN environment, EVPN multihoming active-active mode is used instead of MC-LAG for redundant connectivity between hosts and leaf devices.

  • IP fragmentation and defragmentation are not supported on the Layer 3 side.

  • The following features are not supported on the Layer 2 side:

    • (QFX5100, QFX5200, QFX5210, EX4300-48MP, and EX4600 switches) IGMP snooping with EVPN-VXLAN.

    • Redundant trunk groups (RTGs).

    • The ability to shut down a Layer 2 interface or temporarily disable the interface when a storm control level is exceeded.

    • STP (any variant).

  • Access port security features are not supported with VXLAN. For example, the following features are not supported:

    • DHCP snooping.

    • Dynamic ARP inspection.

    • MAC limiting and MAC move limiting.

      Note

      An exception to this constraint is that MAC limiting is supported on OVSDB-managed interfaces in an OVSDB-VXLAN environment with Contrail controllers. For more information, see Features Supported on OVSDB-Managed Interfaces.

  • Ingress node replication is not supported in the following cases:

    • When PIM is used for the control plane (manual VXLAN).

    • When an SDN controller is used for the control plane (OVSDB-VXLAN).

    Ingress node replication is supported with EVPN-VXLAN.

  • PIM-BIDIR and PIM-SSM are not supported with VXLANs.

  • If you configure a port-mirroring instance to mirror traffic exiting from an interface that performs VXLAN encapsulation, the source and destination MAC addresses of the mirrored packets are invalid. The original VXLAN traffic is not affected.

  • When configuring a VLAN ID for a VXLAN, we strongly recommend using a VLAN ID of 3 or higher. If you use a VLAN ID of 1 or 2, replicated broadcast, multicast, and unknown unicast (BUM) packets for these VXLANs might be untagged, which in turn might result in the packets being dropped by a device that receives the packets.

  • (QFX5110 switches only) VLAN firewall filters are not supported on IRB interfaces on which EVPN-VXLAN is enabled.

  • (QFX5100, QFX5100 Virtual Chassis, and QFX5110 switches) Firewall filters and policers are not supported on transit traffic on which EVPN-VXLAN is enabled. They are supported only in the ingress direction on CE-facing interfaces.

  • (QFX5100, QFX5100 Virtual Chassis, and QFX5110 switches) For IRB interfaces in an EVPN-VXLAN one-layer IP fabric, firewall filtering and policing are supported only at the ingress point of non-encapsulated frames routed through the IRB interface.

  • (EX4300-48MP switches only) The following styles of interface configuration are not supported:

    • Service provider style, where a physical interface is divided into multiple logical interfaces, each of which is dedicated to a particular customer VLAN. The extended-vlan-bridge encapsulation type is configured on the physical interface.

    • Flexible Ethernet services, which is an encapsulation type that enables a physical interface to support both service provider and enterprise styles of interface configuration.

    For more information about these styles of interface configuration, see Flexible Ethernet Services Encapsulation.

  • (EX4300-48MP switches only) Access control features including but not limited to 802.1X authentication and MAC RADIUS authentication are not supported with VXLAN.
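Several of the constraints above can be checked mechanically before a commit. The following added example (not Juniper code) lints a set-format configuration for three of them: a VXLAN-mapped VLAN with ID 1 or 2, DHCP snooping or dynamic ARP inspection on a VXLAN-mapped VLAN, and, on EX4300-48MP and EX4600, a port that carries both VXLAN-mapped and unmapped VLANs. It assumes ELS-style statements, VLAN members referenced by name, and a constructed sample configuration; the function and rule names are hypothetical.

```python
import re
from collections import defaultdict

# Platforms where a port cannot mix VXLAN-mapped and plain VLANs (per the page).
MIXED_PORT_PLATFORMS = {"EX4300-48MP", "EX4600"}

# Constructed sample configuration in Junos "set" format (not from the page).
SAMPLE = """\
set vlans v-web vlan-id 2
set vlans v-web vxlan vni 10002
set vlans v-app vlan-id 100
set vlans v-app vxlan vni 10100
set vlans v-app forwarding-options dhcp-security arp-inspection
set vlans v-mgmt vlan-id 200
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members v-app
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members v-mgmt
"""

def lint_vxlan(config, platform):
    """Return a sorted list of (rule, subject) findings for a set-format config."""
    vlan_id, vni, dhcp_sec = {}, {}, set()
    port_vlans = defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"set vlans (\S+) vlan-id (\d+)$", line):
            vlan_id[m[1]] = int(m[2])
        elif m := re.match(r"set vlans (\S+) vxlan vni (\d+)$", line):
            vni[m[1]] = int(m[2])
        elif m := re.match(r"set vlans (\S+) forwarding-options dhcp-security\b", line):
            dhcp_sec.add(m[1])  # DHCP snooping / DAI enabled on this VLAN
        elif m := re.match(r"set interfaces (\S+) unit \d+ family "
                           r"ethernet-switching vlan members (\S+)$", line):
            port_vlans[m[1]].add(m[2])
    findings = []
    for name in vni:
        if vlan_id.get(name) in (1, 2):
            findings.append(("vlan-id-below-3", name))
        if name in dhcp_sec:
            findings.append(("port-security-on-vxlan-vlan", name))
    if platform in MIXED_PORT_PLATFORMS:
        for port, members in port_vlans.items():
            mapped = members & set(vni)
            if mapped and members - mapped:
                findings.append(("mixed-vlan-vxlan-port", port))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in lint_vxlan(SAMPLE, "EX4600"):
        print(f"{rule}: {subject}")
```

Because access port security is unavailable on VXLAN-mapped VLANs, a finding from the second rule marks a control that has to be enforced elsewhere rather than a statement to fix in place.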

VXLAN Constraints on QFX10000 Switches

  • MC-LAGs are not supported with VXLAN.

    Note

    In an EVPN-VXLAN environment, EVPN multihoming active-active mode is used instead of MC-LAG for redundant connectivity between hosts and leaf devices.

  • IP fragmentation is not supported on the Layer 3 side.

  • The following features are not supported on the Layer 2 side:

    • IGMP snooping with EVPN-VXLAN in Junos OS Releases before Junos OS Release 17.2R1.

    • STP (any variant).

  • Access port security features are not supported with VXLAN. For example, the following features are not supported:

    • DHCP snooping.

    • Dynamic ARP inspection.

    • MAC limiting and MAC move limiting.

  • Ingress node replication is not supported when an SDN controller is used for the control plane (OVSDB-VXLAN). Ingress node replication is supported for EVPN-VXLAN.

  • QFX10000 switches that are deployed in an EVPN-VXLAN environment do not support an IPv6 physical underlay network.

  • When the next-hop database on a QFX10000 switch includes next hops for both the underlay network and the EVPN-VXLAN overlay network, the next hop to a VXLAN peer cannot be an Ethernet segment identifier (ESI) or a virtual tunnel endpoint (VTEP) interface.

  • IRB interfaces used in EVPN-VXLAN overlay networks do not support the IS-IS routing protocol.

  • VLAN firewall filters are not supported on IRB interfaces on which EVPN-VXLAN is enabled.

  • Filter-based forwarding (FBF) is not supported on IRB interfaces used in an EVPN-VXLAN environment.