GRE over EVPN-VXLAN
GRE over EVPN-VXLAN enables encapsulation and de-encapsulation of GRE packets within VXLAN tunnels. This protects inner traffic from exposure to intermediate devices during traversal across network segments.
The integration of Generic Routing Encapsulation (GRE) over EVPN-VXLAN Type 2 tunnels on Junos OS Evolved leverages the forwarding ASIC to encapsulate and de-encapsulate GRE packets. This functionality ensures that GRE frames from remote locations can be efficiently transported through data center networks utilizing EVPN-VXLAN. Support for GRE encapsulation and de-encapsulation, along with configurations such as the "tunnel-loopback" option under Integrated Routing and Bridging (IRB) in the VXLAN bridge domain, enhances the flexibility and performance of complex tunneling setups. Additionally, it includes specific operational parameters and limitations, such as the support for IPv4 underlay only and a maximum throughput of 400 Gbps per DLB (Dynamic Load Balancing) port due to the loopback requirements.
Benefits of GRE over EVPN-VXLAN Support
- Enhances network flexibility by supporting complex tunneling scenarios, accommodating diverse customer use cases and improving overall data traffic management.
- Enhances security by encapsulating GRE traffic within VXLAN tunnels. This provides an additional layer of security by isolating customer traffic from external devices and potential threats.
- Improves traffic handling efficiency by utilizing the forwarding ASIC for GRE encapsulation and de-encapsulation, ensuring high performance in data center network environments.
- Simplifies configuration and implementation with the use of existing EVPN-VXLAN and GRE settings, minimizing the need for new commands or extensive reconfiguration.
Overview
When you implement GRE over EVPN-VXLAN on the Junos OS Evolved platform, you leverage the forwarding ASIC to encapsulate and de-encapsulate GRE packets within VXLAN tunnels. This functionality is essential for ensuring secure and efficient traversal of customer traffic across different network segments. To configure this feature, you will primarily use the tunnel-loopback option under IRB interfaces. This configuration allows GRE packets to be looped back for encapsulation within VXLAN, and upon reaching the destination, VXLAN headers are de-encapsulated first, followed by the GRE headers. This ensures that the internal traffic remains hidden from intermediate devices, maintaining its integrity and preventing double-billing issues for ISP customers.
To configure GRE over EVPN-VXLAN, you will use existing Junos OS Evolved CLI commands for EVPN-VXLAN and GRE, ensuring a streamlined configuration process. Key configuration steps include setting up the IRB interfaces with the tunnel-loopback statement.
For example, you would use commands like set interfaces irb unit name family inet tunnel-loopback to enable the tunnel-loopback functionality. Additionally, you need to configure the appropriate routing instances and protocol settings to ensure proper encapsulation and de-encapsulation of traffic. This setup is critical for maintaining the operational efficiency and security of network traffic across multiple segments.
While this feature offers significant benefits, it is crucial to understand its limitations. GRE over EVPN-VXLAN requires a loopback pass for both encapsulation and de-encapsulation, which limits the overall throughput per DLB port. Additionally, it does not support VXLAN Type 5 tunnels, bypass-loopback options configured under the flexible tunnel interface for GRE, or filter-based de-encapsulation for GRE. GRE over EVPN-VXLAN support is also limited to an IPv4 underlay only. Despite these limitations, this feature enhances the flexibility and scalability of network designs, ensuring secure and efficient traffic traversal.
Please refer to Feature Explorer for a complete list of the products that support this feature.
Configuration Example
This example illustrates an ISP using GRE over VXLAN.
set interfaces et-0/0/0 description TO_QFX5K_VXLAN
set interfaces et-0/0/0 speed 40g
set interfaces et-0/0/0 ether-options 802.3ad ae1
set interfaces et-0/0/4 description TO_MX_GRE
set interfaces et-0/0/4 flexible-vlan-tagging
set interfaces et-0/0/4 encapsulation flexible-ethernet-services
set interfaces et-0/0/4 unit 100 vlan-id 100
set interfaces et-0/0/4 unit 100 family inet address 10.100.0.1/24
set interfaces ae1 mtu 9192
set interfaces ae1 aggregated-ether-options lacp active
set interfaces ae1 aggregated-ether-options lacp periodic fast
set interfaces ae1 unit 0 family inet address 10.0.0.2/24
set interfaces fti0 unit 1 tunnel encapsulation gre source address 172.16.128.1
set interfaces fti0 unit 1 tunnel encapsulation gre destination address 172.16.128.128
set interfaces fti0 unit 1 family inet address 10.255.57.0/31
set interfaces irb mtu 9000
set interfaces irb unit 1024 family inet tunnel-loopback
set interfaces irb unit 1024 family inet address 172.16.129.77/31
set interfaces irb unit 1088 family inet address 172.16.129.76/31
set interfaces lo0 unit 0 family inet address 172.16.128.1/32 primary
set interfaces lo0 unit 0 family inet address 192.168.200.100/32
set forwarding-options tunnel-termination
set routing-instances isp instance-type virtual-router
set routing-instances isp routing-options autonomous-system 65001
set routing-instances isp protocols bgp group ext type external
set routing-instances isp protocols bgp group ext neighbor 10.100.0.2 peer-as 65002
set routing-instances isp protocols bgp group int type internal
set routing-instances isp protocols bgp group int local-address 172.16.129.76
set routing-instances isp protocols bgp group int neighbor 172.16.129.77 family inet unicast
set routing-instances isp protocols ospf area 0.0.0.0 interface irb.1088
set routing-instances isp interface et-0/0/4.100
set routing-instances isp interface irb.1088
set routing-instances l2-vrf instance-type mac-vrf
set routing-instances l2-vrf protocols evpn encapsulation vxlan
set routing-instances l2-vrf vtep-source-interface lo0.0
set routing-instances l2-vrf service-type vlan-aware
set routing-instances l2-vrf route-distinguisher 172.16.128.1:2
set routing-instances l2-vrf vrf-target target:64657:1
set routing-instances l2-vrf vlans vlan-1024 vlan-id 1024
set routing-instances l2-vrf vlans vlan-1024 l3-interface irb.1024
set routing-instances l2-vrf vlans vlan-1024 vxlan vni 101024
set routing-instances l2-vrf vlans vlan-1088 vlan-id 1088
set routing-instances l2-vrf vlans vlan-1088 l3-interface irb.1088
set routing-instances l2-vrf vlans vlan-1088 vxlan vni 101088
set routing-options router-id 172.16.128.1
set routing-options autonomous-system 65001
set protocols bgp group evpn type internal
set protocols bgp group evpn local-address 172.16.128.1
set protocols bgp group evpn family evpn signaling
set protocols bgp group evpn neighbor 172.16.128.11
set protocols bgp group isp1 type internal
set protocols bgp group isp1 local-address 172.16.129.77
set protocols bgp group isp1 tcp-mss 1400
set protocols bgp group isp1 neighbor 172.16.129.76 family inet unicast
set protocols bgp group BGP-GRE type external
set protocols bgp group BGP-GRE peer-as 65534
set protocols bgp group BGP-GRE local-as 65001
set protocols bgp group BGP-GRE neighbor 10.255.57.1
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface ae1.0 interface-type p2p
set protocols ospf area 0.0.0.0 interface irb.1024
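The following is an added example, not Juniper code and not part of the original page: a Python check that audits 'set'-format statements against the requirements and limitations described in the Overview (a tunnel-loopback IRB bound to a VXLAN VLAN, no bypass-loopback on the FTI, an IPv4 VTEP source). The function name, the finding messages and the BAD sample are constructed for illustration, and the position of bypass-loopback within the fti hierarchy is an assumption.

```python
import re

def audit_gre_over_vxlan(config: str) -> list[str]:
    """Audit Junos 'set' statements (newline- or ';'-separated) for the limits above."""
    findings = []
    gre_units, loop_irbs, vteps, inet_ifls = set(), set(), set(), set()
    vlan_irb, vlan_vni = {}, {}  # (instance, vlan) -> IRB unit / VNI
    for s in (x.strip() for x in re.split(r"[;\n]", config) if x.strip()):
        if m := re.match(r"set interfaces (fti\d+) unit (\d+) tunnel encapsulation gre\b", s):
            gre_units.add(f"{m[1]}.{m[2]}")
        if re.match(r"set interfaces fti\d+ ", s) and "bypass-loopback" in s.split():
            findings.append(f"unsupported bypass-loopback on FTI: {s}")
        if m := re.match(r"set interfaces irb unit (\d+) family inet tunnel-loopback$", s):
            loop_irbs.add(m[1])
        if m := re.match(r"set routing-instances (\S+) vlans (\S+) l3-interface irb\.(\d+)$", s):
            vlan_irb[(m[1], m[2])] = m[3]
        if m := re.match(r"set routing-instances (\S+) vlans (\S+) vxlan vni (\d+)$", s):
            vlan_vni[(m[1], m[2])] = m[3]
        if m := re.match(r"set routing-instances \S+ vtep-source-interface (\S+)$", s):
            vteps.add(m[1])
        if m := re.match(r"set interfaces (\S+) unit (\d+) family inet address ", s):
            inet_ifls.add(f"{m[1]}.{m[2]}")
    if gre_units and not loop_irbs:
        findings.append("GRE tunnel present but no IRB unit has tunnel-loopback")
    # A tunnel-loopback IRB must be the l3-interface of a VLAN that carries a VNI.
    bridged = {irb for key, irb in vlan_irb.items() if key in vlan_vni}
    for unit in sorted(loop_irbs - bridged):
        findings.append(f"irb.{unit}: tunnel-loopback but not bound to a VXLAN VLAN")
    for ifl in sorted(vteps - inet_ifls):
        findings.append(f"{ifl}: VTEP source has no IPv4 address (IPv4 underlay only)")
    return findings

# Constructed sample built from statements in the page's configuration example.
GOOD = """
set interfaces fti0 unit 1 tunnel encapsulation gre source address 172.16.128.1
set interfaces irb unit 1024 family inet tunnel-loopback
set interfaces lo0 unit 0 family inet address 172.16.128.1/32 primary
set routing-instances l2-vrf vtep-source-interface lo0.0
set routing-instances l2-vrf vlans vlan-1024 l3-interface irb.1024
set routing-instances l2-vrf vlans vlan-1024 vxlan vni 101024
"""
# Constructed sample with three violations; bypass-loopback placement is assumed.
BAD = """
set interfaces fti0 unit 1 tunnel encapsulation gre bypass-loopback
set interfaces irb unit 1024 family inet tunnel-loopback
set interfaces lo0 unit 0 family inet6 address 2001:db8::1/128
set routing-instances l2-vrf vtep-source-interface lo0.0
set routing-instances l2-vrf vlans vlan-1024 l3-interface irb.1024
"""
```

Calling audit_gre_over_vxlan(GOOD) returns an empty list, while BAD yields one finding each for the bypass-loopback statement, the IRB whose VLAN has no VNI, and the IPv6-only VTEP source.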