In this scenario, L2-aware NAT is performed. Traffic is subjected to the VAS filtering associated with the host. Based on the match entry, the output of the action contains an SF IP address, an EVPN service instance, an optional ESI, and optional NSH parameters (service-path-id, service-index, and optional metadata). The SF IP address and optional ESI are resolved in the indicated EVPN service according to the configured import-mode of the EVPN service (described in the previous sections). The resolution yields the SF MAC address, the VXLAN VTEP, and the VNI. The upstream packet is encapsulated as shown below:
With an optional NSH insertion, the encapsulation used is VXLAN, where the Ethernet header following the VXLAN header carries Ether-Type NSH, as shown below. VXLAN-GPE is not supported.
IP => UDP (port 4789) => VXLAN => Ethernet => NSH => IP
Outer IP source address: Local VTEP (ISA’s local IP address)
Outer IP destination address: Remote VTEP (from EVPN route, as described in previous sections)
Destination MAC in Ethernet header: SF MAC address or NVE’s MAC address (depending on bridging or routing on NVE).
Source MAC in Ethernet header: MAC address of ISA (generated based on configured MAC prefix)
VNI in VXLAN: VNI from EVPN route resolution (as defined in previous sections)
Inner IP (payload) source address: NAT outside IP address
Inner IP (payload) destination address: original destination on the Internet
Without NSH, the encapsulation is standard VXLAN, for example, IP => UDP => VXLAN => Ethernet => IP. The parameters in the outer IP, inner Ethernet, and inner IP headers are as defined above (in other words, the same as for the encapsulation with NSH).
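The following added example (not taken from the product documentation) decodes the UDP port 4789 payload of a captured upstream packet, so that the VNI, MAC addresses, NSH service-path-id and service-index, and inner addresses can be checked against what the VAS filter action and EVPN resolution should have produced. It assumes the NSH EtherType 0x894F and header layout from RFC 8300 and an IPv4 inner packet; `parse_vxlan_payload`, `build_sample`, and all addresses, the VNI and the NSH values in the sample frame are constructed for illustration.

```python
import socket
import struct

ETH_NSH, ETH_IPV4 = 0x894F, 0x0800  # EtherTypes; NSH value per RFC 8300 (assumption)

def parse_vxlan_payload(udp_payload: bytes) -> dict:
    """Decode VXLAN => Ethernet => [NSH] => IPv4 from a UDP port 4789 payload."""
    if len(udp_payload) < 22:
        raise ValueError("too short for VXLAN + Ethernet")
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:8])
    if flags != 0x08:  # only the I (valid VNI) bit; other bits suggest VXLAN-GPE
        raise ValueError(f"unexpected VXLAN flags 0x{flags:02x}")
    dst, src, ethertype = struct.unpack("!6s6sH", udp_payload[8:22])
    out = {"vni": vni_word >> 8, "dst_mac": dst.hex(":"),
           "src_mac": src.hex(":"), "nsh": None}
    rest = udp_payload[22:]
    if ethertype == ETH_NSH:
        if len(rest) < 8:
            raise ValueError("truncated NSH header")
        base, path = struct.unpack("!II", rest[:8])
        words = (base >> 16) & 0x3F  # total NSH length in 4-byte words
        if words < 2 or len(rest) < words * 4:
            raise ValueError("bad NSH length")
        out["nsh"] = {"service_path_id": path >> 8, "service_index": path & 0xFF,
                      "md_type": (base >> 8) & 0xF, "next_proto": base & 0xFF}
        rest = rest[words * 4:]  # skips any metadata as well
    elif ethertype != ETH_IPV4:
        raise ValueError(f"unexpected EtherType 0x{ethertype:04x}")
    if len(rest) < 20 or rest[0] >> 4 != 4:
        raise ValueError("inner payload is not IPv4")
    out["inner_src"] = socket.inet_ntoa(rest[12:16])  # NAT outside address
    out["inner_dst"] = socket.inet_ntoa(rest[16:20])  # original Internet destination
    return out

def build_sample(with_nsh: bool) -> bytes:
    """Constructed frame; every address, VNI and NSH value is made up."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton("203.0.113.10"),
                     socket.inet_aton("198.51.100.20"))
    eth = bytes.fromhex("02000000aa01" "02000000bb02")
    eth += struct.pack("!H", ETH_NSH if with_nsh else ETH_IPV4)
    # NSH: TTL 63, length 2 words, MD type 2 (no metadata), next protocol 1 = IPv4
    nsh = struct.pack("!II", (63 << 22) | (2 << 16) | (2 << 8) | 1, (42 << 8) | 255)
    return struct.pack("!B3xI", 0x08, 5000 << 8) + eth + (nsh if with_nsh else b"") + ip

if __name__ == "__main__":
    for flag in (True, False):
        print(parse_vxlan_payload(build_sample(flag)))
```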