
EVPN-VXLAN L2VNI Configuration with MP-BGP Control Plane

2024 Dec 26

What is EVPN-VXLAN?

EVPN is a Multiprotocol BGP address-family that can be deployed as the control plane for VXLAN. VXLAN also works without EVPN; however, EVPN provides several benefits, such as dynamic MAC address learning and dynamically built ingress replication flood lists. The following packet capture shows the EVPN MP-BGP capability advertised in an OPEN message exchanged between a VXLAN VTEP device and a BGP route reflector.

EVPN-VXLAN control plane Multiprotocol BGP OPEN message packet capture

EVPN-VXLAN uses Route Type 3 (Inclusive Multicast Ethernet Tag, IMET) for dynamic ingress replication: it carries the PMSI tunnel attribute for a specific VNI. In other words, the VTEP informs the other VTEPs that it can accept broadcast, unknown-unicast, and multicast (BUM) traffic at a specific IP address. This is not unique to VXLAN; Route Type 3 is also used in EVPN-MPLS. The following capture shows a Route Type 3 used with VXLAN.

EVPN Route Type 3 IMET BGP Update PMSI Tunnel for VXLAN Ingress Replication

Each Route Type is summarized in a separate EVPN introduction blog post. For example, Route Type 2, also called the MAC advertisement route, is used with both VXLAN and MPLS to advertise MAC addresses in BGP Update messages. The following capture shows a MAC advertisement route that is specific to VXLAN: the VNI is carried in the BGP NLRI (in place of an MPLS label), and the "VXLAN Encapsulation" Extended Community is attached.

EVPN Route Type 2 MAC advertisement route

While EVPN is used in the control plane, the data plane is a Layer-2 tunneling mechanism over UDP transport. Between VTEP devices, frames are encapsulated in UDP with a VXLAN header; this method is also called MAC-in-UDP. The VXLAN header includes the VNI to identify the virtual (overlay) network. Encryption is not natively supported: by default, traffic is sent in cleartext, as shown in the following capture.

VXLAN encapsulation MAC-in-UDP
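To make the MAC-in-UDP point concrete, the following Python script (an added example, not code from this post) builds a VXLAN UDP payload for VNI 5000 around a constructed Ethernet frame from Host1 to Host2 and decodes it again. The 8-byte VXLAN header layout (flags, reserved, 24-bit VNI, reserved) follows RFC 7348; the sample frame and its placeholder IPv4 payload are constructed. Because nothing in the header is protected, the decoder recovers the inner MAC addresses and payload from any capture taken on the underlay, which is exactly why the capture above shows them in cleartext.

```python
import struct

VXLAN_FLAG_I = 0x08      # "I" bit: the VNI field is valid (RFC 7348)
VXLAN_UDP_PORT = 4789    # IANA-assigned VXLAN destination port, for reference


def mac_from_cisco(text):
    """'0000.0000.0001' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(".", ""))


def fmt_mac(raw):
    """6 raw bytes -> Cisco dotted notation, e.g. 0000.0000.0001."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def build_vxlan_payload(vni, inner_frame):
    """Prepend the 8-byte VXLAN header to an Ethernet frame (this is the UDP payload)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) reserved(3) vni(3) reserved(1)
    header = bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    return header + inner_frame


def decode_vxlan_payload(payload):
    """Return the VNI and the inner (cleartext) Ethernet header fields.

    Raises ValueError on a malformed header; a capture tool or IDS parser
    should treat that as 'not VXLAN' rather than guessing a VNI.
    """
    if len(payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    if not payload[0] & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(payload[4:7], "big")
    inner = payload[8:]
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "vni": vni,
        "inner_dst_mac": fmt_mac(dst_mac),
        "inner_src_mac": fmt_mac(src_mac),
        "ethertype": ethertype,
        "inner_payload": inner[14:],
    }


# Constructed sample: Host1 (0000.0000.0001) -> Host2 (0000.0000.0002), EtherType IPv4,
# with a placeholder instead of a real IPv4 packet.
SAMPLE_FRAME = (mac_from_cisco("0000.0000.0002") + mac_from_cisco("0000.0000.0001")
                + struct.pack("!H", 0x0800) + b"IPV4-PACKET-PLACEHOLDER")
SAMPLE_PAYLOAD = build_vxlan_payload(5000, SAMPLE_FRAME)

if __name__ == "__main__":
    print(decode_vxlan_payload(SAMPLE_PAYLOAD))
```

The decoder deliberately refuses payloads without the I flag instead of returning a VNI of 0, so that a detection rule keyed on the VNI does not silently attribute traffic to the wrong overlay.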

Design options for EVPN-VXLAN L2VNI

A VXLAN L2VNI forwards frames within one Layer-2 broadcast domain that is stretched between VTEP devices. When deploying an L2VNI with the EVPN control plane, the following design and configuration choices can be considered, among others.

Deployment options for an EVPN-VXLAN L2VNI:

Option: Use of a Route Reflector (BGP RR)
Description: For improved scalability of the EVPN control plane, Route Reflectors can be deployed. This means iBGP neighborships (same BGP ASN) are configured between each VTEP and the RR.

Option: Use of iBGP or eBGP
Description: BGP can be configured in the VXLAN underlay network (instead of OSPF or IS-IS), and BGP can be configured in the VXLAN overlay (the EVPN control plane uses MP-BGP). Focusing on the EVPN control plane, auto-RD and auto-RT can be used to automatically derive the Route Distinguisher and Route Target values. This feature is described in RFC 8365 and is available on the NX-OS and IOS XR platforms. However, if the EVPN-VXLAN overlay is deployed with eBGP, auto-RT cannot be used, because the import/export RT values derived on VTEPs in different BGP ASNs would not match, so no prefix would be imported. RD and RT values can be configured manually, as shown later in this blog post.

Option: Ingress replication or multicast core
Description: This relates to how BUM (broadcast, unknown-unicast and multicast) traffic is handled, and is relevant to VXLAN with or without the EVPN control plane. A multicast core (PIM) is more scalable; in that case an L2VNI with EVPN only advertises Route Type 2 containing MAC addresses. With ingress replication (also called head-end replication), the EVPN Route Type 3 (IMET route) is used alongside Route Type 2.
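The RT mismatch mentioned under the eBGP option is easy to catch before deployment. The following Python script (an added example, not code from this post) parses the NX-OS evpn blocks of two VTEPs and checks that, for every shared VNI, at least one RT exported by each VTEP is imported by the other. The input blocks are the SW1/SW2 configuration from this post; the expansion of route-target ... auto to ASN:VNI is a simplification assumed for this example (RFC 8365 encodes the VNI in the RT local-administrator field, which NX-OS displays in that form), and that is enough to reproduce the eBGP failure: two ASNs derive two different RTs and nothing is imported.

```python
import re
from itertools import permutations

# Copied from the two VTEPs in this post (ingress replication scenario).
SW1_EVPN = """
evpn
  vni 5000 l2
    rd 65001:1
    route-target import 65001:2
    route-target export 65001:1
"""
SW2_EVPN = """
evpn
  vni 5000 l2
    rd 65001:2
    route-target import 65001:1
    route-target export 65001:2
"""


def parse_evpn_block(text, local_asn):
    """NX-OS 'evpn' config -> {vni: {"rd": str|None, "import": set, "export": set}}.

    'route-target import|export|both auto' is expanded to ASN:VNI (assumption for
    this example) so that auto-derived RTs can be compared across devices.
    """
    vnis, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"vni (\d+) l2$", line)
        if m:
            current = int(m.group(1))
            vnis[current] = {"rd": None, "import": set(), "export": set()}
            continue
        if current is None:
            continue
        m = re.match(r"rd (\S+)$", line)
        if m:
            vnis[current]["rd"] = m.group(1)
            continue
        m = re.match(r"route-target (import|export|both) (\S+)$", line)
        if m:
            direction, value = m.groups()
            if value == "auto":
                value = f"{local_asn}:{current}"
            for d in (["import", "export"] if direction == "both" else [direction]):
                vnis[current][d].add(value)
    return vnis


def check_rt_consistency(vteps):
    """vteps: {name: parsed evpn config}. Returns a list of problems; empty means OK.

    For every ordered pair (A, B) and every VNI configured on both, B must import
    at least one RT that A exports, otherwise B never installs A's Type-2/Type-3
    routes for that VNI.
    """
    problems = []
    for (a, cfg_a), (b, cfg_b) in permutations(vteps.items(), 2):
        for vni in sorted(cfg_a.keys() & cfg_b.keys()):
            if not cfg_a[vni]["export"] & cfg_b[vni]["import"]:
                problems.append(
                    f"VNI {vni}: {b} imports {sorted(cfg_b[vni]['import'])} "
                    f"but {a} exports {sorted(cfg_a[vni]['export'])}")
    return problems


if __name__ == "__main__":
    lab = {"SW1": parse_evpn_block(SW1_EVPN, 65001),
           "SW2": parse_evpn_block(SW2_EVPN, 65001)}
    print(check_rt_consistency(lab) or "RT import/export consistent")
```

Run against the post's mirrored 65001:1 / 65001:2 scheme the check passes; feed it two auto-RT VTEPs in ASNs 65001 and 65002 and it reports the missing import in both directions.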

EVPN-VXLAN L2VNI with ingress replication (NX-OS)

In the following scenario, an EVPN-VXLAN L2VNI is configured together with two BGP Route Reflectors (RR). MP-BGP is enabled on the VTEP devices SW1 and SW2, as well as on the RRs R4 (IOS) and SW5 (NX-OS). The two hosts are connected in VLAN 100 over the VXLAN tunnel using VNI 5000. The VTEP devices use ingress replication for BUM traffic.

EVPN adds several benefits to VXLAN. For example, the VTEP devices no longer have a static flood list configured for ingress replication, but instead the EVPN Route Type 3 (IMET route) is used to dynamically advertise VTEP peer PMSI tunnel identifiers. The PMSI tunnel endpoints are used (for ingress replication) as the destination of BUM traffic which is transported across the VXLAN overlay network.

Another benefit is that EVPN advertises MAC addresses to remote VTEP devices. This means VTEP SW1 learns the MAC address from a locally originated frame (traffic sent from Host1) and advertises it to the remote VTEP SW2 using EVPN Route Type 2. This is called dynamic MAC learning, and is an improvement over the flood-and-learn approach used without EVPN.

EVPN-VXLAN L2VNI configuration

Configuration:

SW1 (VTEP)
    SW1# show run | sec ^nv
    nv overlay evpn
    
    SW1# show run | sec feature
    feature ospf
    feature bgp
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW1# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW1# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:1
        route-target import 65001:2
        route-target export 65001:1
    
    SW1# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to SW3 **
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 100
      no shutdown
    
    SW1# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to R1 **
      ip address 10.1.0.1/30
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW1# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.1.1.1/32
      ip router ospf 10 area 0.0.0.0
    
    SW1# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        ingress-replication protocol bgp
    
    SW1# show run bgp | sec ^router
    router bgp 65001
      neighbor 4.4.4.4
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 5.5.5.5
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
    
    SW1# show run ospf | sec ^router
    router ospf 10
      router-id 10.1.1.1
    
SW2 (VTEP)
    SW2# show run | sec ^nv
    nv overlay evpn
    
    SW2# show run | sec feature
    feature ospf
    feature bgp
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW2# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW2# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:2
        route-target import 65001:1
        route-target export 65001:2
    
    SW2# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to SW4 **
      switchport
      switchport mode trunk
      switchport trunk allowed vlan 100
      no shutdown
    
    SW2# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to R3 **
      ip address 10.5.0.1/30
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW2# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.2.2.2/32
      ip router ospf 10 area 0.0.0.0
    
    SW2# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        ingress-replication protocol bgp
    
    SW2# show run bgp | sec ^router
    router bgp 65001
      neighbor 4.4.4.4
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 5.5.5.5
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
    
    SW2# show run ospf | sec ^router
    router ospf 10
      router-id 10.2.2.2
    
R1
    R1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to VTEP SW1 **
     ip address 10.1.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to R2 **
     ip address 10.2.0.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run | sec ^router    
    router ospf 10
     router-id 1.1.1.1
     network 10.1.0.0 0.0.0.3 area 0
     network 10.2.0.0 0.0.0.3 area 0
    
R2
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to R1 **
     ip address 10.2.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to R3 **
     ip address 10.4.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/2 | sec int
    interface GigabitEthernet0/2
     description ** to BGP RR devices **
     ip address 10.3.0.1 255.255.255.248
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router ospf 10
     router-id 2.2.2.2
     network 10.2.0.0 0.0.0.3 area 0
     network 10.3.0.0 0.0.0.7 area 0
     network 10.4.0.0 0.0.0.3 area 0
    
R4 (IOS RR)
    R4#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     ip address 10.3.0.2 255.255.255.248
     duplex auto
     speed auto
     media-type rj45
    
    R4#show run int Lo10 | sec int 
    interface Loopback10
     ip address 4.4.4.4 255.255.255.255
    
    R4#show run | sec ^router ospf
    router ospf 10
     router-id 4.4.4.4
     network 4.4.4.4 0.0.0.0 area 0
     network 10.3.0.0 0.0.0.7 area 0
    
    R4#show run | sec ^router bgp
    router bgp 65001
     bgp router-id 4.4.4.4
     bgp log-neighbor-changes
     neighbor 10.1.1.1 remote-as 65001
     neighbor 10.1.1.1 update-source Loopback10
     neighbor 10.2.2.2 remote-as 65001
     neighbor 10.2.2.2 update-source Loopback10
     !
     address-family l2vpn evpn
      neighbor 10.1.1.1 activate
      neighbor 10.1.1.1 send-community both
      neighbor 10.1.1.1 route-reflector-client
      neighbor 10.2.2.2 activate
      neighbor 10.2.2.2 send-community both
      neighbor 10.2.2.2 route-reflector-client
     exit-address-family
    
SW5 (NX-OS RR)
    SW5# show run | sec ^nv
    nv overlay evpn
    
    SW5# show run | sec feature
    feature ospf
    feature bgp
    
    SW5# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      ip address 10.3.0.3/29
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW5# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 5.5.5.5/32
      ip router ospf 10 area 0.0.0.0
    
    SW5# show run bgp | sec ^router
    router bgp 65001
      neighbor 10.1.1.1
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
          route-reflector-client
      neighbor 10.2.2.2
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
          route-reflector-client
    
    SW5# show run ospf | sec ^router
    router ospf 10
      router-id 5.5.5.5
    
SW3
    SW3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host1 **
     switchport access vlan 100
     switchport mode access
     negotiation auto
    
    SW3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to VTEP SW1 **
     switchport trunk allowed vlan 100
     switchport trunk encapsulation dot1q
     switchport mode trunk
     negotiation auto
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to SW3 **
     mac-address 0000.0000.0001
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
SW1# show nve peers
Interface Peer-IP                                 State LearnType Uptime   Router-Mac
--------- --------------------------------------  ----- --------- -------- -----------------
nve1      10.2.2.2                                Up    CP        00:02:21 n/a        « VTEP peer IP address learned with EVPN Control Plane (CP)

SW1# show nve vni 5000
Codes: CP - Control Plane        DP - Data Plane          
       UC - Unconfigured         SA - Suppress ARP        
       SU - Suppress Unknown Unicast 
       Xconn - Crossconnect      
       MS-IR - Multisite Ingress Replication
 
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5000     UnicastBGP        Up    CP   L2 [100]                              « EVPN Control Plane uses BGP

SW1# show nve interface nve1
Interface: nve1, State: Up, encapsulation: VXLAN
 VPC Capability: VPC-VIP-Only [not-notified]
 Local Router MAC: 5204.bacd.1b08
 Host Learning Mode: Control-Plane
 Source-Interface: loopback10 (primary: 10.1.1.1, secondary: 0.0.0.0)
 
SW1# show mac address-table
Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*  100     0000.0000.0001   dynamic  0         F      F    Eth1/1
C  100     0000.0000.0002   dynamic  0         F      F    nve1(10.2.2.2)        « Remote MAC address dynamically learnt with EVPN Control Plane
G    -     5204.bacd.1b08   static   -         F      F    sup-eth1(R)

SW1# show nve peers detail
Details of nve Peers:
----------------------------------------
Peer-Ip: 10.2.2.2                              « Remote VTEP SW2 IP address
    NVE Interface       : nve1
    Peer State          : Up                   « VTEP remote peer state is Up
    Peer Uptime         : 00:02:08
    Router-Mac          : n/a
    Peer First VNI      : 5000
    Time since Create   : 00:02:08
    Configured VNIs     : 5000                 « L2VNI 5000 is configured between VTEP SW1 and SW2
    Provision State     : peer-add-complete
    Learnt CP VNIs      : 5000
    vni assignment mode : SYMMETRIC
    Peer Location       : N/A

SW1# show bgp l2vpn evpn summary | beg Ne
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4 65001      82      74       20    0    0 01:07:59 2               « EVPN BGP neighborship with Route Reflector R4
5.5.5.5         4 65001      18      15       20    0    0 00:08:46 2

SW1# show bgp l2vpn evpn | beg Ne
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1    (L2VNI 5000)
*>l[2]:[0]:[0]:[48]:[0000.0000.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i

Route Distinguisher: 65001:2                                                  « EVPN routes advertised by SW2 have RD 65001:2 assigned
* i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216                        « This is an EVPN Route Type 2 (MAC advertisement route)
                      10.2.2.2                          100          0 i
*>i                   10.2.2.2                          100          0 i
* i[3]:[0]:[32]:[10.2.2.2]/88                                                 « This is an EVPN Route Type 3 (IMET route for ingress replication)
                      10.2.2.2                          100          0 i
*>i                   10.2.2.2                          100          0 i

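The table above is the raw material for the two EVPN benefits described earlier in this post: the Type-2 routes give SW1 its MAC-to-VTEP mapping, and the Type-3 routes give it the dynamically built ingress-replication flood list. The following Python script (an added example, not code from this post or from Cisco) parses the NX-OS show bgp l2vpn evpn output into structured entries and derives both views. The field names for the bracketed prefix notation follow the route-type definitions in RFC 7432; the sample output is the table from this post, embedded as constructed input.

```python
import re

# Field names of the NX-OS prefix notation per EVPN route type (RFC 7432, MAC/IP and IMET routes)
NLRI_FIELDS = {
    "2": ["esi", "eth_tag", "mac_len", "mac", "ip_len", "ip"],
    "3": ["eth_tag", "ip_len", "originator_ip"],
}

# Constructed sample: the 'show bgp l2vpn evpn' table SW1 printed in this post.
SAMPLE_OUTPUT = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1    (L2VNI 5000)
*>l[2]:[0]:[0]:[48]:[0000.0000.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i

Route Distinguisher: 65001:2
* i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>i                   10.2.2.2                          100          0 i
* i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i
*>i                   10.2.2.2                          100          0 i
"""


def parse_nlri(text):
    """Split '[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216' into named fields."""
    prefix, _, plen = text.partition("/")
    parts = re.findall(r"\[([^\]]*)\]", prefix)
    if not parts:
        raise ValueError(f"not an EVPN NLRI: {text!r}")
    rtype, values = parts[0], parts[1:]
    names = NLRI_FIELDS.get(rtype)
    if names is None or len(names) != len(values):
        raise ValueError(f"unsupported or malformed EVPN NLRI: {text!r}")
    entry = {"route_type": int(rtype), "prefix_len": int(plen)}
    entry.update(zip(names, values))
    return entry


def _path(status, columns):
    """One BGP path: the 3-char status flags (e.g. '*>i') plus the remaining columns."""
    tokens = columns.split()
    return {
        "next_hop": tokens[0],
        "best": status[1] == ">",
        "source": {"l": "local", "i": "internal", "e": "external"}.get(status[2], status[2]),
        "weight": int(tokens[-2]),
        "origin": tokens[-1],
    }


def parse_bgp_evpn_table(output):
    """NX-OS 'show bgp l2vpn evpn' -> list of {rd, nlri, route_type, ..., paths}."""
    entries, rd, current, pending = [], None, None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        m = re.match(r"Route Distinguisher: (\S+)", line)
        if m:
            rd = m.group(1)
            continue
        if not line or line.lstrip().startswith("Network"):
            continue
        if line[0] in "*sd":
            # status column present: a new prefix, or an extra path for the last prefix
            status, rest = line[:3], line[3:].strip()
            if rest.startswith("["):
                current = {"rd": rd, "nlri": rest, **parse_nlri(rest), "paths": []}
                entries.append(current)
                pending = status  # NX-OS prints this path's columns on the following line
            else:
                current["paths"].append(_path(status, rest))
        elif current is not None and pending is not None:
            current["paths"].append(_path(pending, line.strip()))
            pending = None
    return entries


def mac_to_vtep(entries, local_rd):
    """Best-path Type-2 routes under the local RD: the VTEP each MAC is reachable through."""
    return {e["mac"]: p["next_hop"]
            for e in entries if e["rd"] == local_rd and e["route_type"] == 2
            for p in e["paths"] if p["best"]}


def imet_flood_list(entries, local_rd):
    """Originator IPs of best-path Type-3 routes: the dynamic ingress-replication flood list."""
    return {e["originator_ip"]
            for e in entries if e["rd"] == local_rd and e["route_type"] == 3
            for p in e["paths"] if p["best"]}


if __name__ == "__main__":
    table = parse_bgp_evpn_table(SAMPLE_OUTPUT)
    print("MAC -> VTEP:", mac_to_vtep(table, "65001:1"))
    print("flood list :", sorted(imet_flood_list(table, "65001:1")))
```

Only best paths are counted, so the duplicate reflected copies under RD 65001:2 (one from each RR) do not produce a second flood-list entry; a sudden growth of either view on a VTEP is a useful thing to alert on, since every entry there is a remote endpoint the VTEP will send frames to.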
SW1# show bgp l2vpn evpn 0000.0000.0002
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 65001:1    (L2VNI 5000)                                         « SW1 uses the RD 65001:1 for local routes
BGP routing table entry for [2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216,     « MAC address of the remote Host2, received with EVPN
 version 19
Paths: (1 available, best #1)
Flags: (0x000212) (high32 00000000) on xmit-list, is in l2rib/evpn, is not in HW

  Advertised path-id 1
  Path type: internal, path is valid, is best path, no labeled nexthop, in rib
             Imported from 65001:2:[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216     « Host2 MAC route has RD 65001:2, it was received from SW2
  AS-Path: NONE, path sourced internal to AS
    10.2.2.2 (metric 44) from 4.4.4.4 (4.4.4.4)          « Next-hop to reach Host2 MAC address is through VTEP SW2
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 5000
      Extcommunity: RT:65001:2 ENCAP:8
      Originator: 10.2.2.2 Cluster list: 4.4.4.4         « Route Reflector adds this information, EVPN route originator is SW2, Cluster list shows RR R4

  Path-id 1 not advertised to any peer

Route Distinguisher: 65001:2                             « RD assigned by SW2, two routes are visible to Host2 MAC, before best route selected on SW1
BGP routing table entry for [2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216,
 version 20
Paths: (2 available, best #2)
Flags: (0x000202) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

  Path type: internal, path is valid, not best reason: Neighbor Address, no labeled nexthop
  AS-Path: NONE, path sourced internal to AS
    10.2.2.2 (metric 44) from 5.5.5.5 (5.5.5.5)           « MAC advertisement route received from RR SW5 (not best path)
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 5000
      Extcommunity: RT:65001:2 ENCAP:8
      Originator: 10.2.2.2 Cluster list: 5.5.5.5 

  Advertised path-id 1
  Path type: internal, path is valid, is best path, no labeled nexthop
             Imported to 1 destination(s)
             Imported paths list: L2-5000
  AS-Path: NONE, path sourced internal to AS
    10.2.2.2 (metric 44) from 4.4.4.4 (4.4.4.4)           « MAC advertisement route received from RR R4 (selected best path)
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 5000
      Extcommunity: RT:65001:2 ENCAP:8
      Originator: 10.2.2.2 Cluster list: 4.4.4.4 

  Path-id 1 not advertised to any peer

Host1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/12 ms            « Host1 can ping Host2 through VXLAN tunnel

Host1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   0000.0000.0001  ARPA   GigabitEthernet0/0
Internet  192.168.1.2             5   0000.0000.0002  ARPA   GigabitEthernet0/0    « Host1 learns MAC address of Host2 through EVPN

EVPN-VXLAN L2VNI with multicast core (NX-OS)

In the following example scenario, an EVPN-VXLAN L2VNI is configured with a multicast core for BUM traffic. Under the NVE (Network Virtual Interface) of each VTEP device, the host-reachability protocol is still set to BGP (the EVPN address-family), which enables EVPN MAC advertisement routes (Route Type 2) for dynamic MAC learning.

However, in the same NVE interface configuration on each VTEP, a multicast group is added under the VNI instead of ingress replication. In other words, instead of EVPN IMET routes (Route Type 3) for ingress replication, a multicast core with PIM Sparse Mode is enabled between the VTEP devices.

SW1# 
SW1# configure
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)# 
SW1(config)# interface nve1
SW1(config-if-nve)# host-reachability protocol bgp
SW1(config-if-nve)# source-interface loopback10
SW1(config-if-nve)# member vni 5000
SW1(config-if-nve-vni)# mcast-group 239.1.1.1
SW1(config-if-nve-vni)# exit
SW1(config-if-nve)# 
SW1(config-if-nve)# no shutdown
SW1(config-if-nve)# 
SW1(config-if-nve)# exit
SW1(config)# exit
SW1# 

VXLAN with EVPN using BGP peer template and multicast core

Configuration:

SW1 (VTEP)
    SW1# show run | sec ^nv
    nv overlay evpn
    
    SW1# show run | sec feature
    feature ospf
    feature bgp
    feature pim
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW1# show run | grep rp-address
    ip pim rp-address 2.2.2.2 group-list 224.0.0.0/4
    
    SW1# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW1# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:1
        route-target import 65001:2
        route-target export 65001:1
    
    SW1# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to Host1 **
      switchport
      switchport access vlan 100
      no shutdown
    
    SW1# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to SW2 **
      ip address 10.1.0.1/30
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
      no shutdown
    
    SW1# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 1.1.1.1/32
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
    
    SW1# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        mcast-group 239.1.1.1
    
    SW1# show run bgp | sec ^router
    router bgp 65001
      template peer EXAMPLE-TEMPLATE
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 3.3.3.3
        inherit peer EXAMPLE-TEMPLATE
    
    SW1# show run ospf | sec ^router
    router ospf 10
      router-id 1.1.1.1
    
SW2 (PIM RP)
    SW2# show run | sec feature
    feature ospf
    feature pim
    
    SW2# show run | grep rp-address
    ip pim rp-address 2.2.2.2 group-list 224.0.0.0/4
    
    SW2# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to VTEP SW1 **
      ip address 10.1.0.2/30
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
      no shutdown
    
    SW2# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to VTEP SW3 **
      ip address 10.2.0.2/30
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
      no shutdown
    
    SW2# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 2.2.2.2/32
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
    
    SW2# show run ospf | sec ^router
    router ospf 10
      router-id 2.2.2.2
    
SW3 (VTEP)
    SW3# show run | sec ^nv
    nv overlay evpn
    
    SW3# show run | sec feature
    feature ospf
    feature bgp
    feature pim
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW3# show run | grep rp-address
    ip pim rp-address 2.2.2.2 group-list 224.0.0.0/4
    
    SW3# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW3# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:2
        route-target import 65001:1
        route-target export 65001:2
    
    SW3# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to Host2 **
      switchport
      switchport access vlan 100
      no shutdown
    
    SW3# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to SW2 **
      ip address 10.2.0.1/30
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
      no shutdown
    
    SW3# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 3.3.3.3/32
      ip router ospf 10 area 0.0.0.0
      ip pim sparse-mode
    
    SW3# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        mcast-group 239.1.1.1
    
    SW3# show run bgp | sec ^router
    router bgp 65001
      template peer EXAMPLE-TEMPLATE
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 1.1.1.1
        inherit peer EXAMPLE-TEMPLATE
    
    SW3# show run ospf | sec ^router
    router ospf 10
      router-id 3.3.3.3
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to SW1 **
     mac-address 0000.0000.0001
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
SW1# show nve vni 5000
Codes: CP - Control Plane        DP - Data Plane          
       UC - Unconfigured         SA - Suppress ARP        
       SU - Suppress Unknown Unicast 
       Xconn - Crossconnect      
       MS-IR - Multisite Ingress Replication
 
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5000     239.1.1.1         Up    CP   L2 [100]                        « Control Plane (EVPN) enabled with multicast core

SW1# show ip mroute
IP Multicast Routing Table for VRF "default"

(*, 232.0.0.0/8), uptime: 04:07:36, pim ip 
  Incoming interface: Null, RPF nbr: 0.0.0.0
  Outgoing interface list: (count: 0)


(*, 239.1.1.1/32), uptime: 04:07:34, nve pim ip 
  Incoming interface: Ethernet1/2, RPF nbr: 10.1.0.2
  Outgoing interface list: (count: 1)
    nve1, uptime: 04:07:34, nve                                                 « VXLAN NVE is in the multicast OIL (Outgoing Interface List)


(1.1.1.1/32, 239.1.1.1/32), uptime: 04:07:34, nve mrib pim ip 
  Incoming interface: loopback10, RPF nbr: 1.1.1.1
  Outgoing interface list: (count: 1)
    Ethernet1/2, uptime: 03:34:37, pim
SW1# show bgp l2vpn evpn | beg Ne
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1    (L2VNI 5000)
*>l[2]:[0]:[0]:[48]:[0000.0000.0001]:[0]:[0.0.0.0]/216                         « Only EVPN Route Type 2 (MAC advertisements) are exchanged
                      1.1.1.1                           100      32768 i
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      3.3.3.3                           100          0 i

Route Distinguisher: 65001:2
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      3.3.3.3                           100          0 i

EVPN-VXLAN L2VNI with IS-IS underlay routing

In the following example scenario, an EVPN-VXLAN L2VNI is configured with IS-IS as the underlay routing protocol, using IS-IS Level-2 in area 10. This means the loopback IP addresses of the VTEP tunnel endpoints on SW1 and SW3 are advertised by IS-IS. Once there is end-to-end reachability between the VTEP loopback addresses, the MP-BGP neighborship with the EVPN address-family is established.

The L2VNI 5000 is configured, and the VXLAN tunnel encapsulates traffic between Host1 and Host2 in VLAN 100. For BUM traffic between the VTEP devices, ingress replication is used, which relies on EVPN Route Type 3 (IMET route).

Two ways of enabling IS-IS on a loopback in NX-OS are shown in this topology. VTEP SW1 uses the ip router isis EXAMPLE-ISIS command under the loopback interface, while VTEP SW3 has advertise interface loopback10 under the address-family in IS-IS router configuration mode.
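Because the VTEP loopbacks only become reachable once the IS-IS adjacencies are up, a quick sanity check on the NET values of all underlay routers is worthwhile before looking at BGP. The following Python script (an added example, not code from this post) splits each NX-OS net into area, system ID and NSEL, and reports duplicate system IDs and non-zero NSELs; it flags differing areas only when asked, since Level-2-only routers (as in this post) form adjacencies across areas while Level-1 routers need a common area. The three NETs are copied from the configuration below.

```python
import re

# NX-OS 'net' values of the three IS-IS routers in this post.
LAB_NETS = {
    "SW1": "49.0010.0000.0000.0001.00",
    "SW2": "49.0010.0000.0000.0002.00",
    "SW3": "49.0010.0000.0000.0003.00",
}

# area = AFI byte plus zero or more 4-hex-digit groups; system ID = three groups; NSEL = one byte
NET_RE = re.compile(
    r"^(?P<area>[0-9a-f]{2}(?:\.[0-9a-f]{4})*)"
    r"\.(?P<sysid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\.(?P<nsel>[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_net(net):
    """'49.0010.0000.0000.0001.00' -> {'area': '49.0010', 'system_id': '0000.0000.0001', 'nsel': '00'}"""
    m = NET_RE.match(net.strip())
    if not m:
        raise ValueError(f"not a valid IS-IS NET: {net!r}")
    return {"area": m["area"].lower(), "system_id": m["sysid"].lower(), "nsel": m["nsel"]}


def check_isis_nets(nets, require_same_area=False):
    """Return a list of problems across routers; empty means the NETs are consistent.

    require_same_area=True models a Level-1 (or Level-1-2) deployment, where
    adjacencies only form inside one area; Level-2-only routers do not need it.
    """
    parsed = {name: parse_net(net) for name, net in nets.items()}
    problems = []
    areas = {p["area"] for p in parsed.values()}
    if require_same_area and len(areas) > 1:
        problems.append(f"routers are in different areas: {sorted(areas)}")
    seen = {}
    for name, p in parsed.items():
        if p["nsel"] != "00":
            problems.append(f"{name}: NSEL must be 00 for a router NET, got {p['nsel']}")
        if p["system_id"] in seen:
            problems.append(f"{name} and {seen[p['system_id']]} share system ID {p['system_id']}")
        seen.setdefault(p["system_id"], name)
    return problems


if __name__ == "__main__":
    print(check_isis_nets(LAB_NETS) or "IS-IS NETs consistent")
```

A duplicated system ID is the classic copy-and-paste mistake when a third VTEP is cloned from an existing one, and it breaks the link-state database in ways that look like an EVPN problem (loopbacks flapping in and out of the underlay routing table) rather than an IS-IS one.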

EVPN-VXLAN configuration with IS-IS underlay routing protocol

Configuration:

SW1 (VTEP)
    SW1# show run | sec ^nv
    nv overlay evpn
    
    SW1# show run | sec ^feature
    feature bgp
    feature isis
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW1# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW1# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:1
        route-target import 65001:2
        route-target export 65001:1
    
    SW1# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to Host1 **
      switchport
      switchport access vlan 100
      no shutdown
    
    SW1# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to SW2 **
      ip address 10.1.0.1/30
      isis network point-to-point
      ip router isis EXAMPLE-ISIS
      no shutdown
    
    SW1# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.1.1.1/32
      ip router isis EXAMPLE-ISIS
    
    SW1# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        ingress-replication protocol bgp
    
    SW1# show run isis | sec ^router
    router isis EXAMPLE-ISIS
      net 49.0010.0000.0000.0001.00
      is-type level-2
      log-adjacency-changes
    
    SW1# show run bgp | sec ^router
    router bgp 65001
      neighbor 10.2.2.2
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
    
SW2
    SW2# show run | sec ^feature
    feature isis
    
    SW2# show run int eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to SW1 **
      ip address 10.1.0.2/30
      isis network point-to-point
      ip router isis EXAMPLE-ISIS
      no shutdown
     
    SW2# show run int eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to SW3 **
      ip address 10.2.0.2/30
      isis network point-to-point
      ip router isis EXAMPLE-ISIS
      no shutdown
    
    SW2# show run isis | sec ^router
    router isis EXAMPLE-ISIS
      net 49.0010.0000.0000.0002.00
      is-type level-2
      log-adjacency-changes
    
SW3 (VTEP)
    SW3# show run | sec ^nv
    nv overlay evpn
    
    SW3# show run | sec ^feature
    feature bgp
    feature isis
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW3# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100
    vlan 100
      name VLAN100
      vn-segment 5000
    
    SW3# show run | sec ^evpn
    evpn
      vni 5000 l2
        rd 65001:2
        route-target import 65001:1
        route-target export 65001:2
    
    SW3# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to Host2 **
      switchport
      switchport access vlan 100
      no shutdown
    
    SW3# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to SW2 **
      ip address 10.2.0.1/30
      isis network point-to-point
      ip router isis EXAMPLE-ISIS
      no shutdown
    
    SW3# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.2.2.2/32
    
    SW3# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        ingress-replication protocol bgp
    
    SW3# show run isis | sec ^router
    router isis EXAMPLE-ISIS
      net 49.0010.0000.0000.0003.00
      is-type level-2
      log-adjacency-changes
      address-family ipv4 unicast
        advertise interface loopback10
    
    SW3# show run bgp | sec ^router
    router bgp 65001
      address-family l2vpn evpn
      neighbor 10.1.1.1
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to VTEP SW1 **
     mac-address 0000.0000.0001
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
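
Before moving to the verification output, it is worth checking the two VTEP configurations against each other: the L2VNI only comes up if the VLAN-to-VNI mapping, the route-target import/export pairs, the nve1 member VNI with BGP ingress replication, and the BGP session between the NVE source loopbacks all line up. The following Python script is an added example and not part of the original post or of NX-OS: it parses the SW1 fragment above (SW3 is derived from it with the RD, route-targets, loopback and neighbor values of its own output) and reports every mismatch it finds. The dictionary keys, the parsing rules and the list of checks are this example's own assumptions.

```python
# Added example (not from the original post or NX-OS): parse the running-config
# fragments above and check that the two VTEPs can exchange EVPN routes for the
# L2VNI. Keys, parsing rules and the checks below are this example's assumptions.
import re
import textwrap

SW1_CONFIG = textwrap.dedent("""\
    vlan 100
      vn-segment 5000
    evpn
      vni 5000 l2
        rd 65001:1
        route-target import 65001:2
        route-target export 65001:1
    interface loopback10
      ip address 10.1.1.1/32
    interface nve1
      host-reachability protocol bgp
      source-interface loopback10
      member vni 5000
        ingress-replication protocol bgp
    router bgp 65001
      neighbor 10.2.2.2
        update-source loopback10
""")
SW3_CONFIG = SW1_CONFIG                        # SW3 mirrors SW1 with its own values (see its output above)
for old, new in (("rd 65001:1", "rd 65001:2"), ("import 65001:2", "import 65001:1"),
                 ("export 65001:1", "export 65001:2"), ("10.1.1.1/32", "10.2.2.2/32"),
                 ("neighbor 10.2.2.2", "neighbor 10.1.1.1")):
    SW3_CONFIG = SW3_CONFIG.replace(old, new)

def parse_vtep(name, text):
    """Pull the L2VNI-relevant settings out of an NX-OS running-config."""
    c = {"name": name, "vlan_vni": {}, "rd": {}, "rt_in": {}, "rt_out": {},
         "nve_src": None, "nve_vni": {}, "lo": {}, "bgp_nbr": {}}
    ctx = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):                       # start of a top-level block
            ctx = key = None
            if m := re.fullmatch(r"vlan (\d+)", line):
                ctx, key = "vlan", int(m[1])
            elif line == "evpn":
                ctx = "evpn"
            elif m := re.fullmatch(r"interface (\S+)", line):
                ctx, key = ("nve", None) if m[1].lower() == "nve1" else ("if", m[1].lower())
            elif re.fullmatch(r"router bgp \d+", line):
                ctx = "bgp"
        elif ctx == "vlan" and (m := re.fullmatch(r"vn-segment (\d+)", line)):
            c["vlan_vni"][key] = int(m[1])                # VLAN -> VNI mapping
        elif ctx == "evpn":
            if m := re.fullmatch(r"vni (\d+) l2", line):
                key = int(m[1]); c["rt_in"][key] = set(); c["rt_out"][key] = set()
            elif m := re.fullmatch(r"rd (\S+)", line):
                c["rd"][key] = m[1]
            elif m := re.fullmatch(r"route-target (import|export) (\S+)", line):
                c["rt_in" if m[1] == "import" else "rt_out"][key].add(m[2])
        elif ctx == "nve":
            if m := re.fullmatch(r"source-interface (\S+)", line):
                c["nve_src"] = m[1].lower()
            elif m := re.fullmatch(r"member vni (\d+)", line):
                key = int(m[1]); c["nve_vni"][key] = None  # replication mode not yet seen
            elif m := re.fullmatch(r"ingress-replication protocol (\S+)", line):
                c["nve_vni"][key] = m[1]
        elif ctx == "if" and (m := re.fullmatch(r"ip address (\S+)/32", line)):
            c["lo"][key] = m[1]                           # /32 loopback addresses
        elif ctx == "bgp":
            if m := re.fullmatch(r"neighbor (\S+)", line):
                key = m[1]; c["bgp_nbr"][key] = None
            elif m := re.fullmatch(r"update-source (\S+)", line):
                c["bgp_nbr"][key] = m[1].lower()
    return c

def check_pair(a, b):
    """Return findings for a VTEP pair; an empty list means the L2VNI is consistent."""
    out = []
    shared = set(a["nve_vni"]) & set(b["nve_vni"])
    if not shared:
        out.append("no VNI is a member of nve1 on both VTEPs")
    for vni in sorted(shared):
        if a["rd"].get(vni) == b["rd"].get(vni):          # a route reflector would merge same-RD paths
            out.append(f"VNI {vni}: RD {a['rd'].get(vni)} is reused on both VTEPs")
        for x, y in ((a, b), (b, a)):
            if vni not in x["vlan_vni"].values():
                out.append(f"{x['name']}: VNI {vni} has no vn-segment VLAN mapping")
            if x["nve_vni"][vni] != "bgp":
                out.append(f"{x['name']}: VNI {vni} lacks 'ingress-replication protocol bgp'")
            if not (x["rt_out"].get(vni, set()) & y["rt_in"].get(vni, set())):
                out.append(f"{y['name']}: imports none of {x['name']}'s export RTs for VNI {vni}")
    for x, y in ((a, b), (b, a)):        # the EVPN session must run between the NVE source loopbacks
        peer_ip = y["lo"].get(y["nve_src"])
        if x["bgp_nbr"].get(peer_ip) != x["nve_src"]:
            out.append(f"{x['name']}: no BGP neighbor {peer_ip} with update-source {x['nve_src']}")
    return out

def audit_lab():
    """Run the check on the two VTEP fragments above (expected: no findings)."""
    return check_pair(parse_vtep("SW1", SW1_CONFIG), parse_vtep("SW3", SW3_CONFIG))
```

audit_lab() returns an empty list for the lab above. Pointing SW3's import route-target at a value SW1 does not export, or removing ingress-replication protocol bgp from one VTEP, each yields exactly one finding. The RD check is included because two VTEPs sharing one RD would have their Type 2 routes for the same MAC treated as a single prefix by a route reflector, so only one of them would be reflected.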
    
SW1# show isis interface Loopback10
IS-IS process: EXAMPLE-ISIS VRF: default
loopback10, Interface status: protocol-up/link-up/admin-up
  IP address: 10.1.1.1, IP subnet: 10.1.1.1/32
  IPv6 routing is disabled
  Level1
    No auth type and keychain 
    Auth check set
  Level2
    No auth type and keychain                                                   « no IS-IS authentication in this lab; configure a key chain in production
    Auth check set
  Index: 0x0002, Local Circuit ID: 0x01, Circuit Type: L2         « Level-2-only circuit, matching "is-type level-2"
  BFD IPv4 is locally disabled for Interface loopback10
  BFD does not support AF IPv4
  BFD IPv6 is locally disabled for Interface loopback10
  BFD does not support AF IPv6
  MTR is disabled
  Passive level: level-1
  Level      Metric
  1               1
  2               1
  Topologies enabled:
    L  MT  Metric  MetricCfg  Fwdng IPV4-MT  IPV4Cfg  IPV6-MT  IPV6Cfg 
    1  0        1       no   DN    DN       no       DN       no      
    2  0        1       no   UP    UP       yes      DN       no

SW3# show isis interface Loopback10
IS-IS process: EXAMPLE-ISIS VRF: default
loopback10, Interface status: protocol-up/link-up/admin-up
  IP address: 10.2.2.2, IP subnet: 10.2.2.2/32
  IPv6 routing is disabled
  Advertise command AF IPv4 L1-2, IPv6 NONE, combined L1-2                    « The "Advertise" command is used on SW3
  Level1
    No auth type and keychain 
    Auth check set
  Level2
    No auth type and keychain 
    Auth check set
  Index: 0x0001, Local Circuit ID: 0x01, Circuit Type: L2
  BFD IPv4 is locally disabled for Interface loopback10
  BFD does not support AF IPv4
  BFD IPv6 is locally disabled for Interface loopback10
  BFD does not support AF IPv6
  MTR is disabled
  Passive level: level-1
  Level      Metric
  1               1
  2               1
  Topologies enabled:
    L  MT  Metric  MetricCfg  Fwdng IPV4-MT  IPV4Cfg  IPV6-MT  IPV6Cfg 
    1  0        1       no   DN    DN       no       DN       no      
    2  0        1       no   UP    UP       yes      DN       no              « IS-IS Level-2 topology for IPv4 is enabled

SW3# show isis topology 
IS-IS process: EXAMPLE-ISIS
VRF: default
Topology ID: 0

IS-IS Level-1 IS routing table

IS-IS Level-2 IS routing table           « being a link-state protocol, IS-IS on SW3 knows SW1 and SW2 in the same Level-2 topology
SW1.00, Instance 0x0000001F
   *via SW2, Ethernet1/2, metric 80
SW2.00, Instance 0x0000001F
   *via SW2, Ethernet1/2, metric 40

SW1# show ip route isis
IP Route Table for VRF "default"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
'%' in via output denotes VRF 

10.2.0.0/30, ubest/mbest: 1/0
    *via 10.1.0.2, Eth1/2, [115/80], 01:20:57, isis-EXAMPLE-ISIS, L2
10.2.2.2/32, ubest/mbest: 1/0                                                « SW1 receives Loopback IP address of SW3 through IS-IS
    *via 10.1.0.2, Eth1/2, [115/81], 01:20:50, isis-EXAMPLE-ISIS, L2         « Next-hop is SW2

SW2# show isis adjacency
IS-IS process: EXAMPLE-ISIS VRF: default
IS-IS adjacency database:
Legend: '!': No AF level connectivity in given topology
System ID       SNPA            Level  State  Hold Time  Interface
SW1             N/A             2      UP     00:00:27   Ethernet1/1          « Level-2 IS-IS adjacencies with SW1 and SW3 are up
SW3             N/A             2      UP     00:00:26   Ethernet1/2

SW1# show bgp l2vpn evpn summary | beg Ne
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.2.2.2        4 65001      85      83        9    0    0 01:17:58 2         « iBGP EVPN session to SW3 is established; the two prefixes received are SW3's RT2 and RT3 routes

SW1# show bgp l2vpn evpn | beg Ne
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1    (L2VNI 5000)
*>l[2]:[0]:[0]:[48]:[0000.0000.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i

Route Distinguisher: 65001:2
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216                       « SW1 receives MAC address from remote VTEP through EVPN RT 2
                      10.2.2.2                          100          0 i
*>i[3]:[0]:[32]:[10.2.2.2]/88                                                « SW1 receives VTEP PMSI tunnel endpoint IP for ingress replication
                      10.2.2.2                          100          0 i

SW1# show nve vni 5000
Codes: CP - Control Plane        DP - Data Plane          
       UC - Unconfigured         SA - Suppress ARP        
       SU - Suppress Unknown Unicast 
       Xconn - Crossconnect      
       MS-IR - Multisite Ingress Replication
 
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5000     UnicastBGP        Up    CP   L2 [100]                      « VNI 5000 is Up in control-plane (CP) mode: MAC reachability and BUM replication (UnicastBGP) come from BGP EVPN rather than from flooding or multicast
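
One security point these outputs make visible: a VTEP installs whatever MAC and IMET routes its BGP peer sends, the lab peering above carries no neighbor password, and the IS-IS output reports no authentication either. The VXLAN data plane does not authenticate a remote VTEP, so the control-plane table is the place to check that the learned MACs and flood-list members belong to VTEPs you actually operate. The script below is an added example, not part of the original post or of NX-OS: it parses the SW1 show bgp l2vpn evpn output above, rebuilds the MAC table and the ingress-replication flood list of VNI 5000 from the Type 2 and Type 3 routes, and flags a MAC reachable through more than one VTEP, a VTEP missing from the expected list, and a VTEP that advertises MACs without sending an RT3 route. The KNOWN_VTEPS allow-list, the record layout and the wording of the findings are this example's own assumptions.

```python
# Added example (not from the original post or NX-OS): rebuild the MAC table and
# the ingress-replication flood list of one L2VNI from "show bgp l2vpn evpn"
# output and flag anything that does not fit the VTEPs we expect. The table is
# SW1's output above; the allow-list, record layout and findings are assumptions.
import re

KNOWN_VTEPS = {"10.1.1.1", "10.2.2.2"}          # NVE source loopbacks of SW1 and SW3

SW1_TABLE = """\
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1    (L2VNI 5000)
*>l[2]:[0]:[0]:[48]:[0000.0000.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i

Route Distinguisher: 65001:2
*>i[2]:[0]:[0]:[48]:[0000.0000.0002]:[0]:[0.0.0.0]/216
                      10.2.2.2                          100          0 i
*>i[3]:[0]:[32]:[10.2.2.2]/88
                      10.2.2.2                          100          0 i
"""

RD_RE = re.compile(r"Route Distinguisher: (\S+)(?:\s+\(L2VNI (\d+)\))?")
NLRI_RE = re.compile(r"^(?P<status>[ *>a-z]*)\[(?P<type>\d)\]:(?P<rest>\S*)/\d+(?P<tail>.*)$")

def parse_evpn_table(text):
    """Return one dict per path: rd, vni, type, fields, next_hop, best."""
    routes, rd, vni, pending = [], None, None, None
    for line in text.splitlines():
        if m := RD_RE.match(line):                      # new RD section; "(L2VNI n)" marks the local one
            rd, vni, pending = m[1], (int(m[2]) if m[2] else None), None
        elif pending is not None and line.strip():      # wrapped line carrying the next hop
            pending["next_hop"], pending = line.split()[0], None
        elif m := NLRI_RE.match(line):
            r = {"rd": rd, "vni": vni, "type": int(m["type"]), "best": ">" in m["status"],
                 "fields": re.findall(r"\[([^\]]*)\]", m["rest"]), "next_hop": None}
            routes.append(r)
            tail = m["tail"].split()                    # next hop on the same line, if it fits
            if tail:
                r["next_hop"] = tail[0]
            else:
                pending = r
    return routes

def audit_l2vni(text, vni, known_vteps):
    """Build MAC table and flood list for one VNI and return findings against the allow-list."""
    mac_table, flood_list, findings = {}, set(), []
    for r in parse_evpn_table(text):
        if r["vni"] != vni or not r["best"]:
            continue                                    # only installed paths of this L2VNI
        if r["type"] == 2:                              # [2]:[ESI]:[EthTag]:[MAClen]:[MAC]:[IPlen]:[IP]
            mac_table.setdefault(r["fields"][3], set()).add(r["next_hop"])
        elif r["type"] == 3:                            # [3]:[EthTag]:[IPlen]:[originating VTEP]
            flood_list.add(r["fields"][2])
    for mac, vteps in sorted(mac_table.items()):
        if len(vteps) > 1:
            findings.append(f"MAC {mac} reachable via several VTEPs {sorted(vteps)}: mobility or spoofing")
    advertisers = set().union(*mac_table.values())
    for v in sorted((advertisers | flood_list) - known_vteps):
        findings.append(f"VTEP {v} is not an expected VTEP")
    for v in sorted(advertisers - flood_list):
        findings.append(f"VTEP {v} advertises MACs but no RT3 (IMET) route: BUM traffic cannot reach it")
    return {"mac_table": {m: sorted(v) for m, v in mac_table.items()},
            "flood_list": sorted(flood_list), "findings": findings}

def audit_lab():
    """Audit VNI 5000 of the SW1 table above (expected: two MACs, two VTEPs, no findings)."""
    return audit_l2vni(SW1_TABLE, 5000, KNOWN_VTEPS)
```

For the table above audit_lab() returns both MACs, both VTEPs in the flood list and no findings. Adding a constructed Type 2 route for 0000.0000.0002 with next hop 10.9.9.9 under the L2VNI 5000 section produces three findings: the duplicate MAC, the unexpected VTEP and the missing IMET route for it.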

Download section

Disclaimer: You download and use files from networkstudysite.com at your own risk.

Lab YAML file:

  • EVPN VXLAN L2VNI with BGP Route Reflectors: after loading the lab you can test ping between Host1 and Host2 and verify EVPN VXLAN operation with show commands — evpn-vxlan-l2vni-bgp-control-plane.yaml


You can find more information at the following external links:

Cisco - Chapter: Information About Layer 2 EVPN VXLAN

Cisco - Chapter: Configuring EVPN VXLAN Layer 2 Overlay Network

Cisco - A Modern, Open, and Scalable Fabric: VXLAN EVPN

Cisco Community - VXLAN EVPN Just with L2VNI

RFC 8365 - A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)
