NVE routing to SF

In this situation, the NVE acts as a router for both upstream traffic (subscriber edge to SF) and downstream traffic (SF to the subscriber edge). The SF must be configured with the NVE as its default router.

The service-chain (EVPN) service on the subscriber edge is configured with import-mode routed. NAT pools are advertised in EVPN type-5 routes. The ISA’s gateway IP address is sent in a type-5 route (Figure: EVPN route type-5).

Figure: EVPN route type-5

A type-2 route advertising the ISA’s MAC address and gateway IP address is generated (Figure: EVPN route type-2).

Figure: EVPN route type-2

This EVPN service (called a backbone EVPN) is configured on the NVE as an R-VPLS that ties to a VPRN as described in NVE routing to SF. The NVE adds the received type-5 prefixes to the FIB in the VPRN.

The controller in the data-center also generates type-5 routes carrying the IP address or subnet for the SF. The MAC address in a type-5 route must be the R-VPLS interface MAC or the NVE’s system MAC address (because the NVE is routing traffic). The NVE should also generate an EVPN route type-2 to advertise the MAC of the R-VPLS interface (or the single MAC address of the NVE), and optionally the IP address of the R-VPLS interface. This is shown in Figure: NVE routing traffic to and from the SF.

On the subscriber edge, the SF’s IP address in the filter action is resolved, in the service configured in the filter action, by a best-match IP lookup against EVPN route type-5. If the resolved route type-5 has a nonzero GW-IP, a recursive lookup (exact match) is done in the service. If it is resolved by an EVPN route type-2, the next-hop MAC (the DA MAC used in the inner Ethernet header) and the VXLAN VNI/VTEP are taken from the route type-2. If the GW-IP in the route type-5 is zero, the destination MAC and next hop (VTEP) are taken from the route type-5.

Figure: NVE routing traffic to and from the SF
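
The subscriber-edge resolution of the SF address described above can be modelled as follows. This is an added example, not the vendor's implementation. The `Type5`/`Type2` classes, `resolve_sf`, and all sample routes are hypothetical names and constructed values; returning the VNI from the type-5 route and not falling back to a shorter prefix are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Type5:  # EVPN IP-prefix route, reduced to the fields the lookup uses
    prefix: str
    gw_ip: str  # "0.0.0.0" = zero GW-IP
    mac: Optional[str] = None
    vtep: Optional[str] = None
    vni: Optional[int] = None

@dataclass(frozen=True)
class Type2:  # EVPN MAC/IP route
    ip: str
    mac: str
    vtep: str
    vni: int

def resolve_sf(sf_ip, type5_routes, type2_routes):
    """Return (inner DA MAC, VTEP, VNI) for the SF address, or None."""
    addr = ipaddress.ip_address(sf_ip)
    # Best-match (longest-prefix) lookup against the type-5 routes.
    hits = [r for r in type5_routes if addr in ipaddress.ip_network(r.prefix)]
    if not hits:
        return None
    best = max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    gw = ipaddress.ip_address(best.gw_ip)
    if int(gw) == 0:
        # Zero GW-IP: MAC and VTEP come from the type-5 route itself
        # (returning its VNI as well is an assumption of this example).
        return (best.mac, best.vtep, best.vni)
    # Nonzero GW-IP: recursive exact-match lookup, resolved by a type-2 route.
    for r in type2_routes:
        if ipaddress.ip_address(r.ip) == gw:
            return (r.mac, r.vtep, r.vni)
    return None  # assumption: no fallback to a shorter prefix

# Constructed sample routes (documentation address ranges, not from the page).
TYPE5 = [
    Type5("192.0.2.0/24", "0.0.0.0", "00:00:5e:00:53:01", "198.51.100.1", 100),
    Type5("192.0.2.128/25", "203.0.113.10"),
    Type5("192.0.2.64/26", "203.0.113.99"),  # GW-IP with no type-2 route
]
TYPE2 = [Type2("203.0.113.10", "00:00:5e:00:53:02", "198.51.100.2", 200)]

if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.2.200", "192.0.2.70", "10.0.0.1"):
        print(ip, "->", resolve_sf(ip, TYPE5, TYPE2))
```
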