EVPN-VXLAN L3VNI Configuration & Inter-VNI Routing

2025 Jan 4

What is EVPN-VXLAN L3VNI?

EVPN-VXLAN L3VNI connects two different subnets over a dedicated, VRF-aware transit VNI by exchanging EVPN IP Prefix routes. L3VNI relies on IP routing on the VTEP devices to provide inter-VLAN connectivity. This is the main difference from L2VNI, which connects remote hosts at Layer 2 only (the VTEPs do not route traffic).

EVPN-VXLAN L3VNI explained

The following capture shows an EVPN Route Type 5, which advertises an IP Prefix route originating from an L3VNI VTEP device and sent to a BGP Route Reflector. The transit VNI number is included in the NLRI, and the VXLAN Encapsulation extended community identifies the tunnel type. This distinction matters because EVPN Route Type 5 is also used with MPLS Layer-3 VPN.

EVPN IP Prefix route used with VXLAN L3VNI
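
The fields described above can be decoded by hand. The following is an added example, not part of the original post: it parses an IPv4 Route Type 5 NLRI and its extended communities, then reads the 3-octet label field as a VNI or as an MPLS label depending on the Encapsulation community. The sample bytes are constructed from the values shown on this page, and the function names are illustrative.

```python
import ipaddress
import struct

# Constructed sample: the route for 192.168.2.0/24 shown on this page,
# re-encoded by hand in the RFC 9136 IPv4 layout (not bytes from the capture).
SAMPLE_NLRI = bytes.fromhex(
    "0522"                  # route type 5, length 34
    "0000fde900000002"      # RD type 0, 65001:2
    "00000000000000000000"  # ESI, all zero
    "00000000"              # Ethernet tag 0
    "18c0a80200"            # prefix length 24, 192.168.2.0
    "00000000"              # gateway IP 0.0.0.0
    "001388"                # 3-octet label field = 5000
)
SAMPLE_EXTCOMM = bytes.fromhex(
    "0002fde900000002"      # Route Target 65001:2
    "030c000000000008"      # Encapsulation, tunnel type 8 (VXLAN)
    "060352127a731b08"      # EVPN Router's MAC 5212.7a73.1b08
)

def parse_rt5_nlri(nlri: bytes) -> dict:
    """Decode one IPv4 EVPN IP Prefix route (Route Type 5) NLRI."""
    if len(nlri) != 36 or nlri[0] != 5 or nlri[1] != 34:
        raise ValueError("not an IPv4 EVPN Route Type 5 NLRI")
    body = nlri[2:]
    rd_type, asn, number = struct.unpack("!HHI", body[0:8])
    if rd_type != 0:
        raise ValueError("only RD type 0 (ASN:number) is handled")
    return {
        "rd": f"{asn}:{number}",
        "eth_tag": int.from_bytes(body[18:22], "big"),
        "prefix": f"{ipaddress.IPv4Address(body[23:27])}/{body[22]}",
        "gateway": str(ipaddress.IPv4Address(body[27:31])),
        "label_field": int.from_bytes(body[31:34], "big"),
    }

def parse_ext_communities(blob: bytes) -> dict:
    """Pick out the three communities this route carries (8 octets each)."""
    if len(blob) % 8:
        raise ValueError("extended communities must be a multiple of 8 octets")
    out = {"rt": [], "tunnel_type": None, "router_mac": None}
    for off in range(0, len(blob), 8):
        ec = blob[off:off + 8]
        if ec[:2] == b"\x00\x02":                      # RT, 2-octet AS form
            out["rt"].append("%d:%d" % struct.unpack("!HI", ec[2:]))
        elif ec[:2] == b"\x03\x0c":                    # Encapsulation
            out["tunnel_type"] = int.from_bytes(ec[6:], "big")
        elif ec[:2] == b"\x06\x03":                    # EVPN Router's MAC
            out["router_mac"] = ":".join(f"{b:02x}" for b in ec[2:])
    return out

def transit_id(route: dict, comms: dict) -> tuple:
    """Read the label field the way the tunnel type says it must be read."""
    tunnel = comms["tunnel_type"]
    if tunnel == 8:                       # VXLAN: all 24 bits are the VNI
        return ("VNI", route["label_field"])
    if tunnel in (None, 10):              # MPLS (also the default when absent)
        return ("MPLS label", route["label_field"] >> 4)
    raise ValueError(f"unhandled tunnel type {tunnel}")
```

The same three octets decode to VNI 5000 with the VXLAN community and to a different 20-bit value without it, which is why a receiver must not interpret the label field before checking the tunnel type.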

How to configure EVPN-VXLAN L3VNI?

In the following scenario, Host1 and Host2 are in different subnets and need to communicate with each other. This means packets need to be routed from subnet 192.168.1.0/24 (VLAN 100) to subnet 192.168.2.0/24 (VLAN 200). EVPN-VXLAN Layer-3 VNI is used as the solution.

  • VTEP SW1 and SW2 route packets from the locally configured VLANs onto transit VLAN 500, which is associated with VNI 5000. The transit VNI spans between VTEP SW1 and SW2 and is assigned to VRF Blue.
  • BGP Route Reflectors (RR) are deployed for scalability. The VTEP devices only have BGP peering configured with the RR devices; this is how they exchange EVPN Route Type 5 (IP Prefixes).
  • Each VTEP has two Switch Virtual Interfaces (SVI) configured. VTEP SW1 has an SVI in VLAN 100, which is the default gateway for Host1. VTEP SW1 also has an SVI in VLAN 500, the transit VLAN that carries traffic between the VTEPs.
  • Neither multicast nor ingress replication is configured for pure L3VNI routing between the VTEPs. No devices have multicast routing enabled.
  • Only the VTEPs have VRF Blue configured. This is also called the tenant VRF, and it uniquely identifies the Layer-3 virtual network that includes VLAN 100 and VLAN 200. No other devices have a VRF configured (no VRF on the RRs, no VRF on the transport network devices R1, R2, R3).

EVPN-VXLAN L3VNI inter-VNI routing configuration

Configuration:

SW1 (VTEP)
    SW1# show run | sec ^nv
    nv overlay evpn
    
    SW1# show run | sec ^feature
    feature ospf
    feature bgp
    feature interface-vlan
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW1# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,100,500
    vlan 100
      vn-segment 100
    vlan 500
      vn-segment 5000
    
    SW1# show run vrf Blue | sec ^vrf
    vrf context Blue
      vni 5000
      rd 65001:1
      address-family ipv4 unicast
        route-target import 65001:2 evpn
        route-target export 65001:1 evpn
    
    SW1# show run int vlan 100 | sec int
    !Command: show running-config interface Vlan100
    interface Vlan100
      description ** SVI for Host1 in local VLAN 100 **
      no shutdown
      vrf member Blue
      ip address 192.168.1.2/24
    
    SW1# show run int vlan 500 | sec int
    !Command: show running-config interface Vlan500
    interface Vlan500
      description ** SVI for L3VNI transit **
      no shutdown
      vrf member Blue
      ip forward
    
    SW1# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to SW3 **
      switchport mode trunk
      switchport trunk allowed vlan 100
    
    SW1# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to R1 **
      no switchport
      ip address 10.1.0.1/30
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW1# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.1.1.1/32
      ip router ospf 10 area 0.0.0.0
    
    SW1# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 100
      member vni 5000 associate-vrf
    
    SW1# show run | sec ^router
    router ospf 10
      router-id 10.1.1.1
    router bgp 65001
      neighbor 4.4.4.4
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 5.5.5.5
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      vrf Blue
        address-family ipv4 unicast
          network 192.168.1.0/24
    
SW2 (VTEP)
    SW2# show run | sec ^nv
    nv overlay evpn
    
    SW2# show run | sec ^feature
    feature ospf
    feature bgp
    feature interface-vlan
    feature vn-segment-vlan-based
    feature nv overlay
    
    SW2# show run vlan | sec vlan
    !Command: show running-config vlan
    vlan 1,200,500
    vlan 200
      vn-segment 200
    vlan 500
      vn-segment 5000
    
    SW2# show run vrf Blue | sec ^vrf
    vrf context Blue
      vni 5000
      rd 65001:2
      address-family ipv4 unicast
        route-target import 65001:1 evpn
        route-target export 65001:2 evpn
    
    SW2# show run int vlan 200 | sec int
    !Command: show running-config interface Vlan200
    interface Vlan200
      description ** SVI for Host2 in local VLAN 200 **
      no shutdown
      vrf member Blue
      ip address 192.168.2.2/24
    
    SW2# show run int vlan 500 | sec int
    !Command: show running-config interface Vlan500
    interface Vlan500
      description ** SVI for L3VNI transit **
      no shutdown
      vrf member Blue
      ip forward
    
    SW2# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      description ** to SW4 **
      switchport mode trunk
      switchport trunk allowed vlan 200
    
    SW2# show run int Eth1/2 | sec int
    !Command: show running-config interface Ethernet1/2
    interface Ethernet1/2
      description ** to R3 **
      no switchport
      ip address 10.5.0.1/30
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW2# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 10.2.2.2/32
      ip router ospf 10 area 0.0.0.0
    
    SW2# show run int nve1 | sec int
    !Command: show running-config interface nve1
    interface nve1
      no shutdown
      host-reachability protocol bgp
      source-interface loopback10
      member vni 200
      member vni 5000 associate-vrf
    
    SW2# show run | sec ^router
    router ospf 10
      router-id 10.2.2.2
    router bgp 65001
      neighbor 4.4.4.4
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      neighbor 5.5.5.5
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
      vrf Blue
        address-family ipv4 unicast
          network 192.168.2.0/24
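
The two VTEP configurations above only work together if the transit VNI is plumbed the same way on both sides and each VTEP imports the route-target the other exports. Import route-targets also decide which prefixes are allowed into VRF Blue. The following added example (not part of the original post) checks exactly that; the sample text is a constructed excerpt of the SW1 and SW2 settings, and `l3vni_facts` and `audit` are illustrative names.

```python
import re

# Constructed excerpt: only the L3VNI-related lines of the SW1/SW2 configs
# on this page, filled in per VTEP.
TEMPLATE = """\
vlan 500
  vn-segment 5000
vrf context Blue
  vni 5000
  rd {rd}
  address-family ipv4 unicast
    route-target import {imp} evpn
    route-target export {exp} evpn
interface nve1
  member vni {l2vni}
  member vni 5000 associate-vrf
"""
SW1 = TEMPLATE.format(rd="65001:1", imp="65001:2", exp="65001:1", l2vni=100)
SW2 = TEMPLATE.format(rd="65001:2", imp="65001:1", exp="65001:2", l2vni=200)

def l3vni_facts(cfg: str) -> dict:
    """Collect the L3VNI settings of one VTEP from its running-config text."""
    vrf = re.search(r"^vrf context (\S+)\n((?: +.*\n)+)", cfg, re.M)
    if vrf is None:
        raise ValueError("no vrf context found")
    body = vrf.group(2)
    return {
        "vrf": vrf.group(1),
        "vni": int(re.search(r"^ +vni (\d+)", body, re.M).group(1)),
        "import": set(re.findall(r"route-target import (\S+) evpn", body)),
        "export": set(re.findall(r"route-target export (\S+) evpn", body)),
        "segments": {int(v) for v in re.findall(r"^ +vn-segment (\d+)", cfg, re.M)},
        "nve_l3": {int(v) for v in re.findall(r"member vni (\d+) associate-vrf", cfg)},
    }

def audit(vteps: dict) -> list:
    """Return findings for VTEPs (name -> facts) that share one tenant VRF."""
    findings = []
    if len({f["vni"] for f in vteps.values()}) > 1:
        findings.append("transit VNI differs between VTEPs")
    for name, f in vteps.items():
        if f["vni"] not in f["segments"]:
            findings.append(f"{name}: no VLAN has vn-segment {f['vni']}")
        if f["vni"] not in f["nve_l3"]:
            findings.append(f"{name}: VNI {f['vni']} lacks associate-vrf on nve")
        peers = set().union(*(p["export"] for n, p in vteps.items() if n != name))
        for rt in sorted(f["import"] - peers):
            findings.append(f"{name}: imports {rt}, which no peer exports")
        for rt in sorted(peers - f["import"]):
            findings.append(f"{name}: does not import {rt} exported by a peer")
    return findings
```

Calling `audit({"SW1": l3vni_facts(SW1), "SW2": l3vni_facts(SW2)})` returns an empty list for the settings on this page; a mistyped import route-target on either side shows up as two findings for that VTEP.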
    
R4 (IOS RR)
    R4#show run int Lo10 | sec int
    interface Loopback10
     ip address 4.4.4.4 255.255.255.255
    
    R4#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     ip address 10.3.0.2 255.255.255.248
     duplex auto
     speed auto
     media-type rj45
    
    R4#show run | sec ^router
    router ospf 10
     router-id 4.4.4.4
     network 4.4.4.4 0.0.0.0 area 0
     network 10.3.0.0 0.0.0.7 area 0
    router bgp 65001
     bgp router-id 4.4.4.4
     bgp log-neighbor-changes
     neighbor 10.1.1.1 remote-as 65001
     neighbor 10.1.1.1 update-source Loopback10
     neighbor 10.2.2.2 remote-as 65001
     neighbor 10.2.2.2 update-source Loopback10
     !
     address-family l2vpn evpn
      neighbor 10.1.1.1 activate
      neighbor 10.1.1.1 send-community both
      neighbor 10.1.1.1 route-reflector-client
      neighbor 10.2.2.2 activate
      neighbor 10.2.2.2 send-community both
      neighbor 10.2.2.2 route-reflector-client
     exit-address-family
    
SW5 (NX-OS RR)
    SW5# show run | sec ^feature
    feature ospf
    feature bgp
    
    SW5# show run int Lo10 | sec int
    !Command: show running-config interface loopback10
    interface loopback10
      ip address 5.5.5.5/32
      ip router ospf 10 area 0.0.0.0
    
    SW5# show run int Eth1/1 | sec int
    !Command: show running-config interface Ethernet1/1
    interface Ethernet1/1
      no switchport
      ip address 10.3.0.3/29
      ip router ospf 10 area 0.0.0.0
      no shutdown
    
    SW5# show run | sec ^router
    router ospf 10
      router-id 5.5.5.5
    router bgp 65001
      neighbor 10.1.1.1
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
          route-reflector-client
      neighbor 10.2.2.2
        remote-as 65001
        update-source loopback10
        address-family l2vpn evpn
          send-community
          send-community extended
          route-reflector-client
    
R1
    R1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to VTEP SW1 **
     ip address 10.1.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to R2 **
     ip address 10.2.0.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R1#show run | sec ^router
    router ospf 10
     router-id 1.1.1.1
     network 10.1.0.0 0.0.0.3 area 0
     network 10.2.0.0 0.0.0.3 area 0
    
R2
    R2#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to R1 **
     ip address 10.2.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to R3 **
     ip address 10.4.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run int Gi0/2 | sec int
    interface GigabitEthernet0/2
     description ** to BGP RR devices **
     ip address 10.3.0.1 255.255.255.248
     duplex auto
     speed auto
     media-type rj45
    
    R2#show run | sec ^router
    router ospf 10
     router-id 2.2.2.2
     network 10.2.0.0 0.0.0.3 area 0
     network 10.3.0.0 0.0.0.7 area 0
     network 10.4.0.0 0.0.0.3 area 0
    
R3
    R3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to VTEP SW2 **
     ip address 10.5.0.2 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to R2 **
     ip address 10.4.0.1 255.255.255.252
     duplex auto
     speed auto
     media-type rj45
    
    R3#show run | sec ^router
    router ospf 10
     router-id 3.3.3.3
     network 10.4.0.0 0.0.0.3 area 0
     network 10.5.0.0 0.0.0.3 area 0
    
SW3
    SW3#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host1 **
     switchport access vlan 100
     switchport mode access
     negotiation auto
     no cdp enable
    
    SW3#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to VTEP SW1 **
     switchport trunk allowed vlan 100
     switchport trunk encapsulation dot1q
     switchport mode trunk
     negotiation auto
     no cdp enable
    
SW4
    SW4#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to Host2 **
     switchport access vlan 200
     switchport mode access
     negotiation auto
     no cdp enable
    
    SW4#show run int Gi0/1 | sec int
    interface GigabitEthernet0/1
     description ** to VTEP SW2 **
     switchport trunk allowed vlan 200
     switchport trunk encapsulation dot1q
     switchport mode trunk
     negotiation auto
     no cdp enable
    
Host1
    Host1#show run int Gi0/0 | sec int
    interface GigabitEthernet0/0
     description ** to SW3 **
     mac-address 0000.0000.0001
     ip address 192.168.1.1 255.255.255.0
     duplex auto
     speed auto
     media-type rj45
    
    Host1#show run | sec ^ip route
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.1.2
    
SW1# show nve peers detail
Details of nve Peers:
----------------------------------------
Peer-Ip: 10.2.2.2                            « NVE Peer-IP is that of the remote VTEP SW2
    NVE Interface       : nve1
    Peer State          : Up
    Peer Uptime         : 00:25:20
    Router-Mac          : 5212.7a73.1b08
    Peer First VNI      : 5000               « Transit VNI used between VTEP SW1 and SW2
    Time since Create   : 00:25:21
    Configured VNIs     : 100,5000
    Provision State     : peer-add-complete
    Learnt CP VNIs      : 5000
    vni assignment mode : SYMMETRIC
    Peer Location       : N/A
    Group policy capable: no
----------------------------------------

SW1# show nve interface nve1
Interface: nve1, State: Up, encapsulation: VXLAN
 VPC Capability: VPC-VIP-Only [not-notified]
 Local Router MAC: 521c.58d4.1b08
 Host Learning Mode: Control-Plane
 Source-Interface: loopback10 (primary: 10.1.1.1, secondary: 0.0.0.0)      « NVE peering uses IP configured on Loopback interface

SW1# show nve vni 5000
Codes: CP - Control Plane        DP - Data Plane          
       UC - Unconfigured         SA - Suppress ARP        
       S-ND - Suppress ND        
       SU - Suppress Unknown Unicast 
       Xconn - Crossconnect      
       MS-IR - Multisite Ingress Replication 
       HYB - Hybrid IRB mode
    
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      5000     n/a               Up    CP   L3 [Blue]                     « Layer-3 transit VNI is configured in VRF Blue

SW1# show nve vni 100
Codes: CP - Control Plane        DP - Data Plane          
       UC - Unconfigured         SA - Suppress ARP        
       S-ND - Suppress ND        
       SU - Suppress Unknown Unicast 
       Xconn - Crossconnect      
       MS-IR - Multisite Ingress Replication 
       HYB - Hybrid IRB mode
    
Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
--------- -------- ----------------- ----- ---- ------------------ -----
nve1      100      Unconfigured      Down  CP   L2 [100]                      « Layer-2 VNI is only configured locally, no peers, state is Down

SW1# show mac address-table
Legend: 
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link,
        (T) - True, (F) - False, C - ControlPlane MAC, ~ - vsan,
        (NA)- Not Applicable A – ESI Active Path, S – ESI Standby Path
   VLAN     MAC Address      Type      age     Secure NTFY Ports
---------+-----------------+--------+---------+------+----+------------------
*  100     0000.0000.0001   dynamic  NA         F      F    Eth1/1            « MAC address of locally attached device, remote MAC not learned, only IP
*  500     5212.7a73.1b08   static   -         F      F    nve1(10.2.2.2)
*  500     521c.58d4.1b08   static   -         F      F    Vlan500
G    -     521c.58d4.1b08   static   -         F      F    sup-eth1(R)
G  100     521c.58d4.1b08   static   -         F      F    sup-eth1(R)
G  500     521c.58d4.1b08   static   -         F      F    sup-eth1(R)

As the outputs above show, no L2VNI is established between the VTEPs in this example scenario. Therefore, MAC advertisement routes (EVPN Route Type 2) are not exchanged, and the MAC addresses of remote hosts are not learned. Instead, only IP prefixes are exchanged, which can be viewed with the BGP show commands below.

SW1# show bgp l2vpn evpn summary | beg Ne
Neighbor        V    AS    MsgRcvd    MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
4.4.4.4         4 65001         55         49        8    0    0 00:45:46 1          « BGP L2VPN EVPN neighborship with Route Reflector
5.5.5.5         4 65001         52         51        8    0    0 00:45:48 1

Neighbor        T    AS PfxRcd     Type-2     Type-3     Type-4     Type-5     Type-12
4.4.4.4         I 65001 1          0          0          0          1          0          « Only single EVPN IP Prefix route (type 5) received from RR
5.5.5.5         I 65001 1          0          0          0          1          0

SW1# show bgp l2vpn evpn | beg Ne
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:2
* i[5]:[0]:[0]:[24]:[192.168.2.0]/224                                          « IP Prefix route received from RR on VTEP SW1
                      10.2.2.2                          100          0 i
*>i                   10.2.2.2                          100          0 i

Route Distinguisher: 65001:1    (L3VNI 5000)                                   « Routes that are imported locally to VRF Blue (VNI 5000)
*>l[5]:[0]:[0]:[24]:[192.168.1.0]/224
                      10.1.1.1                          100      32768 i
*>i[5]:[0]:[0]:[24]:[192.168.2.0]/224
                      10.2.2.2                          100          0 i

SW1# show bgp l2vpn evpn 192.168.2.0 vrf Blue
BGP routing table information for VRF default, address family L2VPN EVPN
Route Distinguisher: 65001:1    (L3VNI 5000)
BGP routing table entry for [5]:[0]:[0]:[24]:[192.168.2.0]/224, version 7
Paths: (1 available, best #1)
Flags: (0x000002) (high32 00000000) on xmit-list, is not in l2rib/evpn, is not in HW

  Advertised path-id 1
  Path type: internal, path is valid, is best path, no labeled nexthop        
             Imported from 65001:2:[5]:[0]:[0]:[24]:[192.168.2.0]/224         « IP Prefix with Route Distinguisher 65001:2 received from RR is imported
  Gateway IP: 0.0.0.0
  AS-Path: NONE, path sourced internal to AS
    10.2.2.2 (metric 44) from 4.4.4.4 (4.4.4.4)                               « Next-hop is remote VTEP SW2
      Origin IGP, MED not set, localpref 100, weight 0
      Received label 5000                                                     « Transit VNI connecting VTEP SW1 with SW2
      Extcommunity: RT:65001:2 ENCAP:8 Router MAC:5212.7a73.1b08
      Originator: 10.2.2.2 Cluster list: 4.4.4.4                              « Attributes added by the BGP Route Reflector R4

  Path-id 1 not advertised to any peer

SW5# show bgp l2vpn evpn | beg Ne
   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 65001:1
*>i[5]:[0]:[0]:[24]:[192.168.1.0]/224                                         « IP Prefixes on the RR received from the VTEP device
                      10.1.1.1                          100          0 i

Route Distinguisher: 65001:2
*>i[5]:[0]:[0]:[24]:[192.168.2.0]/224
                      10.2.2.2                          100          0 i
