VXLAN IRB: symmetric vs asymmetric, when to use which

VXLAN IRB (Integrated Routing and Bridging) is how leaf switches route between VNIs. There are two flavors — choose wrong and you scale badly.

What IRB actually is

• Every leaf hosts an anycast gateway: same IP/MAC on every VTEP for a given VLAN.
• Hosts always have a local default gateway — no hairpinning to a centralized router.
• Inter-VNI routing happens at the ingress leaf when possible.

Asymmetric IRB

• Ingress leaf: route from source VNI directly into destination VNI, then bridge over VXLAN.
• Egress leaf: bridge only — no route lookup.
• Problem: every leaf must have every VNI configured, even VNIs with no local hosts.
• Does not scale beyond small fabrics.

Symmetric IRB

• Ingress leaf: route into a special L3 VNI (one per VRF).
• Egress leaf: route out of the L3 VNI into the destination VNI locally.
• Same VNI used in both directions — hence "symmetric".
• Win: leaves only need the VNIs they actually serve. Massively scalable.

Why symmetric won

• Smaller MAC/ARP tables per leaf.
• Cleaner multi-tenancy via L3 VNI = VRF mapping.
• Required by EVPN Type 5 (IP Prefix) routes.

Vendor defaults

• Cisco NX-OS, Arista EOS, Juniper Junos, Aruba CX — all default to symmetric.
• If you see asymmetric in production, it is either legacy or a deliberate corner case.

Practice IRB design choices in a TechLeague tournament.

Related reading

• Evpn Vxlan Explained
• How EVPN works: control plane, route types and forwarding
• VTEP and VNI explained: the building blocks of VXLAN
• Cisco NX-OS EVPN-VXLAN: configuration walkthrough (Nexus 9000)
• Bum Traffic Evpn