EVPN provides an extensible and flexible multihoming VPN solution over an MPLS/IP network for intra-subnet connectivity among Tenant Systems (TSs) and end devices that can be physical or virtual, where an IP subnet is represented by an EVPN instance (EVI) for a VLAN-based service or by an (EVI, VLAN) association for a VLAN-aware bundle service. However, there are scenarios for which there is a need for a dynamic and efficient inter-subnet connectivity among these Tenant Systems and end devices while maintaining the multihoming capabilities of EVPN. This document describes an Integrated Routing and Bridging (IRB) solution based on EVPN to address such requirements

Integrated Routing and Bridging combines switching of tenant data with routing into different VNID of the same tenant. This is accomplished by having a unique per-tenant layer 3 IP-VRF across all PEs hosting tenant systems for that tenant and the layer-2 MAC VRFs (mapping to one or more bridged domains (VNIDS)) belonging to that tenant on different PEs being mapped to the common IP-VRF through logical interfaces called IRB interfaces. The MAC-VRF tables are used for switching intra-subnet communication whereas the IP-VRF tables are used for routing inter-subnet traffic.

IRB has two modes of working.

In asymmetric IRB, the lookup operation is asymmetric and the ingress PE performs three lookups, whereas the egress PE performs a single lookup -- i.e., the ingress PE performs a MAC lookup, followed by an IP lookup, followed by a MAC lookup again. The egress PE performs just a single MAC lookup as depicted in following figure:

In other words, each PE participating in asymmetric IRB MUST maintain ARP entries for remote hosts (hosts connected

to other PEs) as well as maintain MAC-VRFs/BTs and IRB interfaces for ALL subnets in an IP-VRF, including subnets that may not be locally attached.

In symmetric IRB, as its name implies, the lookup operation is symmetric at both the ingress and egress PEs -- i.e., both ingress and egress PEs perform lookups on both MAC and IP addresses. The ingress PE performs a MAC lookup followed by an IP lookup, and the egress PE performs an IP lookup followed by a MAC lookup, as depicted in the following figure:

Therefore, in symmetric IRB, there is no need for the ingress PE to maintain ARP entries for the association of the destination TS2's IP and MAC addresses in its ARP table. Each PE participating in symmetric IRB only maintains ARP entries for locally connected hosts and MAC-VRFs/BTs for only locally configured subnets.