The Mystery of the Anycast VTEP

Many vendors of networking equipment have introduced the combination of Multi-Chassis Link Aggregation (MLAG) in combination with an Anycast Virtual Tunnel Endpoint (VTEP) configured on both MLAG peers as a dual-homing solution for Virtual eXtensible Local Area Network (VXLAN) overlay networks. Some vendors provide a simple implementation requiring little configuration, without explicit connection between MLAG and Anycast VTEP. How can this work and why is the combination of both features needed for VXLAN dual-homing?

Leaving VXLAN

VXLAN encapsulated packets sent to the Anycast VTEP reach only one of the MLAG peers, not both. This follows from the use of Anycast. If the decapsulated frame is Broadcast, Unknown Unicast, or Multicast (often abbreviated as BUM traffic), it is flooded normally (i.e., not to remote VTEPs).

Entering VXLAN

Frames ingressing an MLAG peer switch via local MLAG port or via orphan port destined to a remote VTEP are encapsulated on that MLAG peer. BUM traffic is flooded to all remote VTEPs and via peer link to the MLAG peer.

Frames ingressing an MLAG peer via peer link are not sent to any remote VTEP, because the other MLAG peer has already done that. This is the secret sauce needed for dual-homing to a Layer-2 VPN (such as VXLAN) via MLAG.

Anycast VTEP as MLAG Port

If the Anycast VTEP is treated as an MLAG port, i.e., frames received via the MLAG peer link are not encapsulated and sent to remote VTEPs unless the MLAG peer's Anycast VTEP is down, the combination of MLAG with an Anycast VTEP can provide simple and thus robust dual-homing for VXLAN overlays.

back to my homepage.