Got this remark from a reader after he read the VXLAN and Q-in-Q blog post:
Another area where there is a feature gap with EVPN VXLAN is Private VLANs with VXLAN. They’re not supported on either Nexus or Juniper switches.
I have one word on using private VLANs in 2019: Don’t. They are messy and hard to maintain (not to mention it gets really interesting when you’re combining virtual and physical switches).
Having said that, as EVPN supports Route Distinguishers and Route Targets it should be possible to implement a 2-VRF hub-and-spoke VPN topology (like the one we described in the original MPLS and VPN Architectures book) and even configure inter-VRF routing on the hub device assuming the hardware supports VXLAN-to-VXLAN routing.
Has anyone done that? I hope not. Is anything along these lines supported? I have no idea – if you know more please write a comment.
Nonetheless, as I said it is 2019 and I’d strongly recommend you use microsegmentation (ACLs in front of servers or virtual machines) in data center environments instead of Private VLANs, more so if you’re running a virtualized environment. Hub-and-spoke VPN topologies are obviously a totally different beast.
Want to know more about VXLAN and EVPN? Why don’t you:
- Start with Introduction to Virtual Networking if you’re just starting with network virtualization;
- Watch Networking in Private and Public Clouds to understand the challenges we’re trying to solve and explore various approaches to virtual networking;
- Continue with a deep dive into VXLAN;
- Conclude the journey with EVPN deep dive.