EVPN/VXLAN with Juniper QFX switches provides a scalable and efficient network solution. EVPN uses BGP to share MAC and IP info, while VXLAN enables Layer 2 connectivity over Layer 3. Juniper QFX switches, like the QFX5120 and QFX5220, support VXLAN in hardware for high performance and smooth multi-tenancy. This setup improves flexibility, simplifies management, and supports data center interconnects.

JunOS versions
For EVPN/VXLAN on Juniper QFX, the JunOS version “21.4R3-S3.4” has proven to be very stable and works perfectly for me. Any further releases of the version 21.4 in the JunOS SR branch can probably be used.
Chosen topology
Provided you use external type BGP for UNDERLAY and internal type MP-BGP for OVERLAY routing:
Contrary to popular belief at Juniper, EVPN/VXLAN can be configured as a mesh or ring. Besides the core/spine/leaf topology, the devices can be configured and interconnected in virtually any way (but optimized for availability and path redundancy). The used topology may be a full mesh, but also a big ring, or many interconnected rings. – My own insight
Do not use multipath, neither for UNDERLAY nor for OVERLAY routing.
EVPN route types
Route Type 1 – Ethernet Auto-Discovery (EAD)
Route Type 2 – MAC/IP Advertisement
Route Type 3 – Inclusive Multicast Ethernet Tag (IMET)
Route Type 4 – Ethernet Segment (ES) Advertisement
Route Type 5 – IP Prefix Advertisement (L3 routing)
Constraints on QFX series
“When configuring a VLAN ID for a VXLAN, we strongly recommend using a VLAN ID of 3 or higher. If you use a VLAN ID of 1 or 2, replicated broadcast, multicast, and unknown unicast (BUM) packets for these VXLANs might be untagged, which in turn might result in the packets being dropped by a device that receives the packets.” – Juniper Networks
Mutually exclusive options
The following two options are mutually exclusive, as shared-tunnels already handles the BUM traffic replication efficiently. So use only the second:
set vlans NAME vxlan ingress-node-replication
set forwarding-options evpn-vxlan shared-tunnels
ARP Problems and solution
Sometimes ARP may not work properly on connected devices (approx. 1% of all cases). Use the following config to fix it:
set vlans NAME no-arp-suppression
Forwarding problem and fix
Sometimes, due to duplicate-mac-detection, forwarding may be disturbed, for example working in only one direction. To fix this, use:
set protocols evpn duplicate-mac-detection detection-threshold 5
set protocols evpn duplicate-mac-detection detection-window 180
set protocols evpn duplicate-mac-detection auto-recovery-time 15
Storm-Control for protection
Use storm-control to protect your network from customers:
set forwarding-options storm-control-profiles default all
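The recommendations above (VLAN ID of 3 or higher for VXLAN, no ingress-node-replication alongside shared-tunnels, no multipath, a storm-control profile) can be checked before a commit. The following Python script is an added example, not part of the original post or any Juniper tool; it audits Junos set-style configuration lines, and the VLAN names, VNIs and BGP group name in the sample are constructed.

```python
# Constructed sample of Junos "set" lines; names, IDs and VNIs are made up.
SAMPLE_CONFIG = """\
set vlans CUST-A vlan-id 2
set vlans CUST-A vxlan vni 10002
set vlans CUST-A vxlan ingress-node-replication
set vlans CUST-B vlan-id 100
set vlans CUST-B vxlan vni 10100
set vlans MGMT vlan-id 1
set forwarding-options evpn-vxlan shared-tunnels
set protocols bgp group UNDERLAY type external
set protocols bgp group UNDERLAY multipath multiple-as
"""

def audit(config):
    """Return a list of findings for the recommendations on this page."""
    vlan_ids, vxlan_vlans, inr_vlans, multipath_groups = {}, set(), set(), set()
    shared_tunnels = storm_profile = False
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] != ["set"]:
            continue  # skip blank lines and anything that is not a set command
        if tok[1:2] == ["vlans"] and len(tok) >= 4:
            name = tok[2]
            if tok[3] == "vlan-id" and len(tok) >= 5 and tok[4].isdigit():
                vlan_ids[name] = int(tok[4])
            elif tok[3] == "vxlan":
                vxlan_vlans.add(name)
                if tok[4:5] == ["ingress-node-replication"]:
                    inr_vlans.add(name)
        elif tok[1:4] == ["forwarding-options", "evpn-vxlan", "shared-tunnels"]:
            shared_tunnels = True
        elif tok[1:3] == ["forwarding-options", "storm-control-profiles"]:
            storm_profile = True
        elif tok[1:4] == ["protocols", "bgp", "group"] and "multipath" in tok[5:]:
            multipath_groups.add(tok[4])
    findings = []
    for name in sorted(vxlan_vlans):  # only VLANs mapped to a VXLAN are affected
        if vlan_ids.get(name, 3) < 3:
            findings.append(f"vlan {name}: VXLAN on vlan-id {vlan_ids[name]} (use 3 or higher)")
    if shared_tunnels:
        findings += [f"vlan {n}: ingress-node-replication set together with shared-tunnels"
                     for n in sorted(inr_vlans)]
    findings += [f"bgp group {g}: multipath configured" for g in sorted(multipath_groups)]
    if not storm_profile:
        findings.append("no storm-control profile defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The input format matches the output of `show configuration | display set`; VLAN 1 on MGMT is not flagged because it carries no VXLAN mapping.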
Further resources
Switches in the images: QFX5200 Data Center Switch Specs
Constraints on QFX: VXLAN Constraints on QFX Series
Last updated on 2025-03-28 at 21:23 UTC