Understanding the MAC Addresses For a Default Virtual Gateway in an EVPN-VXLAN or EVPN-MPLS Overlay Network

In an Ethernet VPN (EVPN) centrally-routed bridging overlay, a device can function as a Layer 3 gateway on which you can configure integrated routing and bridging (IRB) interfaces. When you configure an IRB interface with a virtual gateway address (VGA), the device creates a default Layer 3 virtual gateway with the specified IP address. Through its IRB interface, the default virtual gateway enables communication between non-virtualized hosts, virtual machines (VMs), and servers in different VXLANs, MPLS networks, or IP subnetworks.

When you configure a VGA for an IRB interface, the Layer 3 gateway automatically generates the IPv4 media access control (MAC) address 00:00:5E:00:01:01 or the IPv6 MAC address 00:00:5E:00:02:01 for that particular virtual gateway. In this topic, we refer to the virtual gateway MAC address as a virtual MAC. We refer to the MAC address for the IRB interface as the IRB MAC.

The Layer 3 gateway doesn't include the automatically generated virtual MAC as the source MAC address in the packets it generates. Instead, the device includes the IRB MAC in:

  • Data packets

  • The source MAC address field in the outer Ethernet header of:

    • Address Resolution Protocol (ARP) replies

    • Neighbor advertisement packets

When an ARP reply includes the IRB MAC as the source MAC address instead of the virtual MAC, in centrally-routed bridging (CRB) overlays you might see unknown unicast packet flooding throughout the domain.

For example, consider the EVPN-VXLAN overlay network in Figure 1. In this network, an MX Series router and a QFX10000 switch function as Layer 3 VXLAN gateways, and four QFX5100 switches function as Layer 2 VXLAN gateways. The overlay network also includes three intermediary Layer 2 switches, in this case, EX4300 switches, with connected hosts.

Figure 1: EVPN-VXLAN Centrally-Routed Bridging Overlay

On the MX Series router, an IRB interface named irb.1 has MAC address 00:05:85:00:53:01 and VGA 10.2.1.254. The MX Series router automatically generates the MAC address 00:00:5e:00:01:01 for the default virtual gateway.

In this overlay network, irb.1 on the MX Series router receives an ARP request from host 1. In its ARP reply, the MX Series router includes the following:

  • Source MAC address in outer Ethernet header: 00:05:85:00:53:01 (IRB MAC) → intermediary Layer 2 switch EX1 learns this MAC address.

  • Sender MAC address within ARP reply packet: 00:00:5e:00:01:01 (virtual MAC) → intermediary Layer 2 switch EX1 cannot see this MAC address, and therefore, does not learn it.

When intermediary Layer 2 switch EX1 receives the ARP reply, it learns only the source MAC address (IRB MAC). As a result, if Host 1 sends packets that include the virtual MAC in the header, EX1 is unable to find the virtual MAC in its MAC table. Therefore, EX1 floods the domain with unknown unicast packets.

Note:

Unknown unicast packet flooding isn't an issue in EVPN edge-routed bridging (ERB) overlays, where a single layer of QFX10000 switches functions as both Layer 3 and Layer 2 gateways. In the ERB overlay, hosts are directly connected to the Layer 3 and Layer 2 gateways. Also, each IRB interface is typically configured with an IP address and a static MAC address. You repeat each IRB interface configuration on each gateway in the edge-routed bridging overlay. With the same MAC address configured for each IRB interface on each gateway, each host uses the same MAC address when sending inter-subnet traffic regardless of where the host is located or which gateway receives the traffic. As a result, you don't need to configure a default virtual gateway. For more information about ERB overlays, see Example: Configuring an EVPN-VXLAN Edge-Routed Bridging Fabric with an Anycast Gateway.

Starting with Junos OS Release 14.2R5 for MX Series routers and Junos OS Release 15.1X53-D63 for the QFX10000 line of switches, you can explicitly configure an IPv4 or IPv6 MAC address for a default virtual gateway in EVPN-VXLAN networks. Starting with Junos OS Release 22.1R1 on MX Series routers, you can similarly configure a default virtual gateway IPv4 or IPv6 address in an EVPN-MPLS network. Use the virtual-gateway-v4-mac or virtual-gateway-v6-mac configuration statement at the [edit interfaces name irb unit logical-unit-number] hierarchy level.

When you configure these statements, the configured virtual MAC overrides the automatically generated virtual MAC. For example, refer again to Figure 1. When the Layer 3 gateway MX1 sends data packets, ARP replies, and neighbor advertisement packets, it uses the configured virtual MAC in the outer Ethernet header of these packets. As a result, the intermediary Layer 2 switch EX1 also learns the configured virtual MAC, which eliminates the possibility that the switch floods the domain with unknown unicast packets.
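The following Python sketch is an added example, not Juniper code. It models EX1 as a plain learning bridge and replays the Figure 1 exchange twice: once with the default behavior (IRB MAC in the outer header, automatically generated virtual MAC as ARP sender) and once with a configured virtual MAC in both places. The configured virtual MAC, the host 1 MAC and IP address, and the port names are constructed values.

```python
import socket
import struct

IRB_MAC = "00:05:85:00:53:01"    # irb.1 MAC from the page
AUTO_VMAC = "00:00:5e:00:01:01"  # automatically generated IPv4 virtual MAC from the page
CFG_VMAC = "00:00:5e:00:53:fe"   # constructed stand-in for a configured virtual MAC
HOST1_MAC = "00:00:5e:00:53:10"  # constructed host 1 MAC
VGA, HOST1_IP = "10.2.1.254", "10.2.1.10"  # VGA from the page; host IP constructed

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def arp_reply(eth_src, sender_mac):
    """Ethernet II header plus an IPv4-over-Ethernet ARP reply (opcode 2) to host 1."""
    eth = mac_bytes(HOST1_MAC) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + socket.inet_aton(VGA)
    arp += mac_bytes(HOST1_MAC) + socket.inet_aton(HOST1_IP)
    return eth + arp

def src_sender_mismatch(frame):
    """Return (outer source MAC, ARP sender MAC) when they differ, else None."""
    if frame[12:14] != b"\x08\x06":
        return None
    eth_src, sender = mac_str(frame[6:12]), mac_str(frame[22:28])
    return (eth_src, sender) if eth_src != sender else None

class LearningSwitch:
    """Transparent bridge: learns the outer source MAC only, floods unknown destinations."""
    def __init__(self):
        self.table = {}
    def receive(self, frame, port):
        self.table[mac_str(frame[6:12])] = port
        out = self.table.get(mac_str(frame[0:6]))
        return "flood" if out is None else f"forward:{out}"

def host1_traffic_fate(eth_src, sender_mac):
    """EX1 sees the gateway's ARP reply, then host 1's first routed frame."""
    ex1 = LearningSwitch()
    reply = arp_reply(eth_src, sender_mac)
    ex1.receive(reply, "uplink")
    gw_mac = reply[22:28]  # host 1 caches the ARP sender MAC for 10.2.1.254
    data = gw_mac + mac_bytes(HOST1_MAC) + struct.pack("!H", 0x0800) + b"payload"
    return ex1.receive(data, "host1")

if __name__ == "__main__":
    print(host1_traffic_fate(IRB_MAC, AUTO_VMAC))  # default behavior
    print(host1_traffic_fate(CFG_VMAC, CFG_VMAC))  # configured virtual MAC
```

Running `src_sender_mismatch` over ARP replies captured on an intermediary switch port is a quick way to confirm whether a gateway is still sending the IRB MAC in the outer header.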

Note:

The MAC address range 02:00:00:00:00:00:xy is used for internal communication. Don't use addresses in this range if you explicitly configure a virtual MAC address.

Release History Table

Release | Description
22.1R1 | Starting with Junos OS Release 22.1R1 on MX Series routers, you can explicitly configure an IPv4 or IPv6 MAC address for a default virtual gateway in an EVPN-MPLS network with a CRB overlay.
14.2R5 | Starting with Junos OS Release 14.2R5 for MX Series routers and Junos OS Release 15.1X53-D63 for QFX10000 switches, you can explicitly configure an IPv4 or IPv6 MAC address for a default virtual gateway in an EVPN-VXLAN network. Use the virtual-gateway-v4-mac or virtual-gateway-v6-mac configuration statement at the [edit interfaces name irb unit logical-unit-number] hierarchy level.