Traffic Forwarding Model Design
Traffic on the VXLAN network is classified into the following types:
- North-south traffic: access traffic between servers on the VXLAN network and external network
- East-west traffic: access traffic between servers on the VXLAN network
Traffic Forwarding Model of Hardware Distributed VXLAN Using the Spine/Leaf Two-Layer Architecture
Figure 1 shows how some of this traffic is forwarded in hardware distributed VXLAN using the spine/leaf two-layer architecture.
North-south traffic is classified into the following types based on the service model:
- Traffic passes through a firewall and an LB, and is forwarded to a router through a gateway.
- Traffic is directly transmitted to the external network without passing through a firewall or an LB.
- Traffic passes through a firewall but not an LB, and is forwarded to a router through a gateway.
East-west traffic is classified into the following types based on the service model:
- Traffic in the same subnet and VRF: Traffic is directly forwarded on the leaf node, or is encapsulated on the leaf node and decapsulated on the other leaf node after traversing the spine node.
- Traffic across subnets and in the same VRF: After traffic is encapsulated with the VXLAN header on the leaf node, the leaf node searches for the 32-bit host route and sends it to the destination leaf node. Then the spine node forwards traffic at Layer 3 based on routes.
- Traffic across subnets and in different VRFs: When security control by a firewall is required, traffic is forwarded as described in a. When security control by a firewall is not required, traffic is forwarded as described in b.
  a. After traffic is encapsulated with the VXLAN header on the leaf node, the leaf node searches for the default route and sends the traffic to the border leaf node. The border leaf node decapsulates the traffic and imports it to the firewall. The firewall controls inter-VRF traffic using security policies.
  b. Inter-VRF traffic is forwarded based on routes that are imported in EVPN processes according to VPN targets on each leaf node, and is then forwarded to the destination leaf node based on the queried 32-bit host route.
Traffic Forwarding Model of Hardware Distributed VXLAN Using the Gateway/Spine/Leaf Three-Layer Architecture
Figure 2 shows how some of this traffic is forwarded in hardware distributed VXLAN using the gateway/spine/leaf three-layer architecture.
North-south traffic is classified into the following types based on the service model:
- Traffic passes through a firewall and an LB, and is forwarded to a router through a gateway.
- Traffic is directly transmitted to the external network without passing through a firewall or an LB.
- Traffic passes through a firewall but not an LB, and is forwarded to a router through a gateway.
East-west traffic is classified into the following types based on the service model:
- Traffic in the same subnet and VRF: Traffic is directly forwarded on the leaf node, or is encapsulated on the leaf node and decapsulated on the other leaf node after traversing the spine node.
- Traffic across subnets and in the same VRF: After traffic is encapsulated with the VXLAN header on the leaf node, the leaf node searches for the 32-bit host route and sends it to the destination leaf node. Then the spine node forwards traffic at Layer 3 based on routes.
- Traffic across subnets and in different VRFs: When security control by a firewall is required, traffic is forwarded as described in a. When security control by a firewall is not required, traffic is forwarded as described in b.
  a. After traffic is encapsulated with the VXLAN header on the leaf node, the leaf node searches for the default route and sends the traffic to the border leaf node. The border leaf node decapsulates the traffic and imports it to the firewall. The firewall controls inter-VRF traffic using security policies.
  b. Inter-VRF traffic is forwarded based on routes that are imported in EVPN processes according to VPN targets on each leaf node, and is then forwarded to the destination leaf node based on the queried 32-bit host route.
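The east-west classification rules above (identical for the two-layer and three-layer architectures) can be expressed as a small decision model. The following is an added example, not code from the original document or from any vendor product; the host records, node names ("spine", "border-leaf", "firewall") and the return leg from the firewall to the destination leaf are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    ip: str
    subnet: str   # prefix the host belongs to, e.g. "10.1.1.0/24"
    vrf: str
    leaf: str     # leaf node the host is attached to

@dataclass
class Decision:
    kind: str             # which east-west case of the model applies
    vxlan_encap: bool     # does the ingress leaf add a VXLAN header?
    route_lookup: str     # what the ingress leaf looks up
    path: list            # nodes traversed, in order

def classify_east_west(src: Host, dst: Host, firewall_required: bool = False) -> Decision:
    """Map a src/dst host pair to the east-west forwarding case of the model."""
    for h in (src, dst):
        if ipaddress.ip_address(h.ip) not in ipaddress.ip_network(h.subnet):
            raise ValueError(f"{h.ip} is not inside its subnet {h.subnet}")
    same_subnet = ipaddress.ip_network(src.subnet) == ipaddress.ip_network(dst.subnet)
    same_vrf = src.vrf == dst.vrf
    if same_subnet and same_vrf:
        if src.leaf == dst.leaf:
            # Same subnet, same VRF, same leaf: forwarded locally, no tunnel.
            return Decision("same-subnet-same-vrf", False, "local MAC", [src.leaf])
        # Encapsulated on the ingress leaf, decapsulated on the egress leaf via the spine.
        return Decision("same-subnet-same-vrf", True, "MAC/VTEP", [src.leaf, "spine", dst.leaf])
    if same_vrf:
        # Cross-subnet, same VRF: ingress leaf looks up the 32-bit host route.
        return Decision("cross-subnet-same-vrf", True, "32-bit host route", [src.leaf, "spine", dst.leaf])
    if firewall_required:
        # Case a: default route to the border leaf, which decapsulates and hands the
        # traffic to the firewall. The leg after the firewall is an assumption.
        return Decision("cross-vrf-firewall", True, "default route",
                        [src.leaf, "spine", "border-leaf", "firewall", "border-leaf", "spine", dst.leaf])
    # Case b: routes imported between VRFs via EVPN VPN targets, then the
    # 32-bit host route to the destination leaf.
    return Decision("cross-vrf-evpn-import", True, "EVPN-imported 32-bit host route",
                    [src.leaf, "spine", dst.leaf])

# Constructed sample hosts (not from the original document).
SAMPLE_HOSTS = {
    "web1": Host("10.1.1.10", "10.1.1.0/24", "vrf-prod", "leaf1"),
    "web2": Host("10.1.1.20", "10.1.1.0/24", "vrf-prod", "leaf2"),
    "db1": Host("10.1.2.30", "10.1.2.0/24", "vrf-prod", "leaf2"),
    "mon1": Host("10.9.0.5", "10.9.0.0/24", "vrf-mgmt", "leaf1"),
}
```

Calling `classify_east_west(SAMPLE_HOSTS["web1"], SAMPLE_HOSTS["mon1"], firewall_required=True)` shows the cross-VRF flow being steered to the border leaf and firewall, while the same pair without the flag takes the EVPN-imported route path.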