Chapter 8: Modern Data Center Networking: VXLAN EVPN Automation
8.1 Introduction
The demands of modern applications, virtualization, and cloud computing have fundamentally reshaped data center networking. Traditional Layer 2 Spanning Tree Protocol (STP) based networks struggle with scalability, agility, and multi-tenancy requirements. The shift towards highly virtualized, distributed, and software-defined environments necessitates a more robust, flexible, and automated network fabric.
This chapter delves into VXLAN EVPN, the de facto standard for building scalable, resilient, and multi-tenant data center networks. VXLAN (Virtual Extensible LAN) provides the data plane for extending Layer 2 connectivity over a Layer 3 underlay, while EVPN (Ethernet VPN) acts as the control plane, leveraging BGP to distribute MAC and IP reachability information efficiently. Together, they form a powerful solution for modern data centers, enabling high levels of automation.
What this chapter covers:
- Detailed technical understanding of VXLAN and EVPN protocols.
- Architectural designs, focusing on Clos topologies.
- Multi-vendor configuration examples for Cisco, Juniper, and Arista.
- Practical automation examples using Ansible and Python (Nornir).
- Critical security considerations, verification, and troubleshooting techniques.
- Performance optimization strategies.
- A hands-on lab to solidify your understanding.
Why it’s important:
Mastering VXLAN EVPN is essential for network engineers working in contemporary data centers. Its widespread adoption means proficiency in its design, implementation, and — crucially — automation is a non-negotiable skill. A NetDevOps approach to VXLAN EVPN enables rapid deployment, consistent configuration, and agile response to business needs, moving away from error-prone manual CLI processes.
What you’ll be able to do after:
Upon completing this chapter, you will be able to design, configure, verify, and automate VXLAN EVPN fabrics across various vendors, troubleshoot common issues, and implement robust security practices. You’ll gain the foundational knowledge to integrate VXLAN EVPN into your NetDevOps pipelines.
8.2 Technical Concepts: Understanding VXLAN EVPN
VXLAN EVPN combines two powerful technologies: VXLAN for the data plane and EVPN for the control plane. This section breaks down these components and their interplay.
8.2.1 VXLAN Fundamentals: The Data Plane
VXLAN (Virtual Extensible LAN) is an encapsulation protocol that extends Layer 2 segments over a Layer 3 IP network. It addresses the scalability limitations of traditional VLANs (4094 IDs) by introducing a 24-bit VXLAN Network Identifier (VNI), supporting up to 16 million logical networks.
Key Concepts:
- VNI (VXLAN Network Identifier): A 24-bit identifier that uniquely identifies a Layer 2 segment within the VXLAN overlay network. It’s analogous to a VLAN ID but with a much larger scope.
- VTEP (VXLAN Tunnel Endpoint): A device (typically a data center switch or hypervisor) that originates and terminates VXLAN tunnels. VTEPs encapsulate Layer 2 Ethernet frames into VXLAN/UDP/IP packets for transmission across the underlay network and decapsulate them upon reception.
- Overlay Network: The logical network formed by VXLAN tunnels, providing Layer 2 connectivity between VTEPs.
- Underlay Network: The physical IP network that provides connectivity between VTEPs. This is typically a Layer 3 CLOS fabric.
- Inner Ethernet Frame: The original Layer 2 frame from the host.
- Outer Header: The VXLAN, UDP, and IP headers added by the VTEP for transport across the underlay.
VXLAN Encapsulation:
When a VTEP receives an Ethernet frame from a host connected to a specific VNI, it encapsulates the frame as follows:
- Original Ethernet Frame: Source MAC, Destination MAC, VLAN Tag (if present), Payload.
- VXLAN Header: 8-byte header including the 24-bit VNI.
- UDP Header: Standard UDP header (Source Port often derived from inner packet hash for ECMP, Destination Port 4789).
- Outer IP Header: Source IP (VTEP’s IP), Destination IP (remote VTEP’s IP or multicast group IP).
- Outer Ethernet Header: Source MAC (VTEP’s MAC), Destination MAC (next-hop router’s MAC in the underlay).
VXLAN Packet Structure:
packetdiag {
colwidth = 32
0-7: Outer Ethernet Header (DMAC)
8-15: Outer Ethernet Header (SMAC)
16-23: Outer Ethernet Header (Type=0x0800)
24-31: Outer IP Header (Ver, IHL, DSCP, ECN)
32-39: Outer IP Header (Total Length)
40-47: Outer IP Header (Identification)
48-55: Outer IP Header (Flags, Fragment Offset)
56-63: Outer IP Header (TTL, Protocol=UDP)
64-71: Outer IP Header (Header Checksum)
72-79: Outer IP Header (Source IP Address)
80-87: Outer IP Header (Source IP Address)
88-95: Outer IP Header (Destination IP Address)
96-103: Outer IP Header (Destination IP Address)
104-111: UDP Header (Source Port)
112-119: UDP Header (Destination Port=4789)
120-127: UDP Header (Length)
128-135: UDP Header (Checksum)
136-143: VXLAN Header (Flags, Reserved)
144-151: VXLAN Header (VNI)
152-159: VXLAN Header (Reserved)
160-167: Inner Ethernet Header (DMAC)
168-175: Inner Ethernet Header (SMAC)
176-183: Inner Ethernet Header (Type/Length, Optional VLAN Tag)
184-215: Inner Ethernet Payload (e.g., IP packet)
}
Underlay and Overlay Separation:
nwdiag {
// Define a group for the physical underlay
group {
label = "Underlay Network (IP Fabric)"
color = "#E0E0E0"
network spine_links {
address = "10.0.1.0/30"
Spine1 [address = "10.0.1.1"];
Leaf1 [address = "10.0.1.2"];
}
network spine_links_2 {
address = "10.0.2.0/30"
Spine1 [address = "10.0.2.1"];
Leaf2 [address = "10.0.2.2"];
}
network leaf_links_1_2 {
address = "10.0.3.0/30"
Leaf1 [address = "10.0.3.1"];
Spine2 [address = "10.0.3.2"];
}
network leaf_links_2_2 {
address = "10.0.4.0/30"
Leaf2 [address = "10.0.4.1"];
Spine2 [address = "10.0.4.2"];
}
}
// Define a group for the logical overlay
group {
label = "Overlay Network (VXLAN Tunnels)"
color = "#CCFFCC"
network VNI_100 {
description = "Tenant A Network"
Leaf1_VTEP [address = "172.16.1.1"]; // Logical VTEP IP
Leaf2_VTEP [address = "172.16.1.2"]; // Logical VTEP IP
}
network VNI_200 {
description = "Tenant B Network"
Leaf1_VTEP [address = "172.16.2.1"];
Leaf2_VTEP [address = "172.16.2.2"];
}
}
// Define VTEP nodes and map them to their physical location
Spine1 [label = "Spine-1"];
Spine2 [label = "Spine-2"];
Leaf1 [label = "Leaf-1\n(VTEP)"];
Leaf2 [label = "Leaf-2\n(VTEP)"];
// Connections for VTEP (logical addresses are internal to VTEP)
// For clarity, VTEP IPs are represented as belonging to the logical networks
// but they are provisioned on the Leaf physical devices.
}
8.2.2 EVPN: The Control Plane for VXLAN
While VXLAN handles the data plane encapsulation, it needs a control plane to learn MAC addresses, discover VTEPs, and handle ARP resolution. EVPN (Ethernet VPN), standardized in RFC 7432 and subsequent RFCs (7623, 8317, 9135, etc.), provides this intelligence by leveraging MP-BGP (Multiprotocol BGP).
Key Concepts:
- MP-BGP: BGP is extended to carry EVPN route types, which contain MAC addresses, IP addresses, VNIs, and other reachability information.
- Route Types (RTs): EVPN defines several route types, but the most common for data center fabrics are:
- Type-2 (MAC/IP Advertisement): Advertises a host’s MAC address, associated IP address (ARP/ND suppression), and the VNI it belongs to. This is crucial for MAC learning and ARP optimization.
- Type-3 (Inclusive Multicast Ethernet Tag): Advertises VTEP IP addresses for BUM (Broadcast, Unknown Unicast, Multicast) traffic flooding. This replaces the need for IP multicast in the underlay for BUM traffic, allowing for head-end replication.
- Type-5 (IP Prefix Advertisement): Used for advertising IP prefixes from the VXLAN EVPN domain into the external Layer 3 network, enabling routing between VXLAN VNIs and external networks.
- ARP Suppression: VTEPs can learn host MAC-IP bindings via Type-2 routes. When a host sends an ARP request, the local VTEP can often reply directly without flooding the ARP across the entire VXLAN domain, significantly reducing BUM traffic.
- Head-End Replication (HER): For BUM traffic, a VTEP can replicate the frame to all other VTEPs that are interested in that VNI, using unicast tunnels. This is an alternative to using IP multicast in the underlay.
EVPN Control Plane Flow (Simplified for MAC/IP Learning):
digraph evpn_flow {
rankdir=LR;
node [shape=box, style=filled, fillcolor="#ADD8E6"];
subgraph cluster_underlay {
label = "Underlay Network (IP Fabric)";
style=filled;
fillcolor="#E0E0E0";
Spine1 [label="Spine-1 (BGP RR)"];
Spine2 [label="Spine-2 (BGP RR)"];
Leaf1 [label="Leaf-1 (VTEP)"];
Leaf2 [label="Leaf-2 (VTEP)"];
Leaf1 -> Spine1 [label="BGP Peering", color=blue, fontcolor=blue];
Leaf1 -> Spine2 [label="BGP Peering", color=blue, fontcolor=blue];
Leaf2 -> Spine1 [label="BGP Peering", color=blue, fontcolor=blue];
Leaf2 -> Spine2 [label="BGP Peering", color=blue, fontcolor=blue];
}
HostA [label="Host-A\n(VLAN 10)", shape=ellipse, fillcolor="#FFDAB9"];
HostB [label="Host-B\n(VLAN 10)", shape=ellipse, fillcolor="#FFDAB9"];
HostA -> Leaf1 [label="L2 Frame"];
HostB -> Leaf2 [label="L2 Frame"];
// MAC/IP Learning Flow
Leaf1 -> Leaf1_Internal [label="1. Host-A Connects\nLearns MAC-A/IP-A", arrowhead=none, style=dotted, color=grey];
Leaf1_Internal [label="Leaf-1\n(MAC Table)", shape=plaintext];
Leaf1 -> Spine1 [label="2. Advertises Type-2\n(MAC-A/IP-A, VNI 100)", color=darkgreen, fontcolor=darkgreen];
Leaf1 -> Spine2 [label="2. Advertises Type-2\n(MAC-A/IP-A, VNI 100)", color=darkgreen, fontcolor=darkgreen];
Spine1 -> Leaf2 [label="3. Reflects Type-2 to other VTEPs", color=darkgreen, fontcolor=darkgreen];
Spine2 -> Leaf2 [label="3. Reflects Type-2 to other VTEPs", color=darkgreen, fontcolor=darkgreen];
Leaf2 -> Leaf2_Internal [label="4. Learns MAC-A/IP-A\nAdds to MAC Table", arrowhead=none, style=dotted, color=grey];
Leaf2_Internal [label="Leaf-2\n(MAC Table)", shape=plaintext];
// Data Plane Flow (after learning)
HostA -> Leaf1 [label="5. Frame to MAC-B", color=purple, fontcolor=purple];
Leaf1 -> Leaf2 [label="6. VXLAN Encapsulated\n(DMAC-B, VNI 100)", style=dashed, color=purple, fontcolor=purple];
Leaf2 -> HostB [label="7. Decapsulated Frame\nto Host-B", color=purple, fontcolor=purple];
{rank=same; HostA; Leaf1;}
{rank=same; Leaf1_Internal; Leaf2_Internal;}
{rank=same; HostB; Leaf2;}
{rank=same; Spine1; Spine2;}
}
RFC References:
- RFC 7348: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks. (Data Plane)
- RFC 7432: BGP MPLS-Based Ethernet VPN. (Control Plane - foundational)
- RFC 7623: Using P-Multicast Service Interface (PMSI) Tunnels in Ethernet VPN (EVPN) and Provider Backbone Bridging EVPN (PBB-EVPN).
- RFC 8317: Associated Route Table (ART) for EVPN.
- RFC 9135: Integrated Routing and Bridging (IRB) for EVPN.
8.2.3 Architecture and Design: CLOS Fabric
VXLAN EVPN is most commonly deployed on a CLOS network fabric (also known as a Spine-Leaf architecture). This architecture provides predictable latency, high bandwidth, and excellent scalability through redundant, equal-cost paths.
Components of a CLOS Fabric for VXLAN EVPN:
- Leaf Switches (VTEPs): Connect to end hosts, servers, and hypervisors. They are responsible for VXLAN encapsulation/decapsulation and act as VTEPs. They peer with all Spine switches using an IGP (OSPF/EIGRP/IS-IS) for underlay routing and with Spine switches (or dedicated Route Reflectors) for EVPN BGP.
- Spine Switches: Form the backbone of the fabric, interconnecting all Leaf switches. They provide high-speed IP routing for the underlay and typically act as BGP Route Reflectors for the EVPN control plane, simplifying the BGP peering mesh.
- Underlay Network: A simple, high-performance IP network (often using eBGP or an IGP) that provides reachability between all VTEPs. Loopback interfaces on Leaf and Spine switches are typically used as BGP peering points and VTEP source interfaces.
- Overlay Network: The VXLAN EVPN logical network providing Layer 2 and Layer 3 services over the underlay.
Why CLOS?
- Scalability: Easily add more Leaf or Spine switches to increase capacity.
- Redundancy: Multiple paths between any two Leaf switches.
- Performance: All paths are equal-cost (ECMP - Equal-Cost Multipathing), ensuring efficient load balancing.
- Simplicity: The underlay is pure IP, simplifying routing protocols.
Multi-Homing and DCI:
- Multi-Homing: Connecting a server or another device to two or more Leaf switches for redundancy (e.g., using LACP). EVPN provides mechanisms (e.g., Ethernet Segment Identifiers - ESI) to handle this gracefully, ensuring active-active or active-standby operation.
- Data Center Interconnect (DCI): Extending VXLAN EVPN fabrics between data centers for seamless workload mobility and disaster recovery. This often involves specific EVPN DCI solutions, sometimes using VXLAN-to-VXLAN or MPLS-over-IP.
CLOS Fabric Architecture with VXLAN EVPN:
@startuml
skinparam handwritten true
skinparam shadowing false
skinparam class {
BorderColor black
BackgroundColor #ADD8E6
ArrowColor black
}
skinparam component {
BorderColor black
BackgroundColor #DDA0DD
}
skinparam node {
BorderColor black
BackgroundColor #B0C4DE
}
skinparam cloud {
BorderColor black
BackgroundColor #FFD700
}
title VXLAN EVPN CLOS Fabric Architecture
cloud "Internet/External Network" as internet
node "Spine-1" as spine1 <<BGP RR, Underlay>> {
component "Routing Engine" as re1
component "Forwarding ASIC" as fa1
}
node "Spine-2" as spine2 <<BGP RR, Underlay>> {
component "Routing Engine" as re2
component "Forwarding ASIC" as fa2
}
node "Leaf-1" as leaf1 <<VTEP, L2/L3 Gateway>> {
component "Routing Engine" as le_re1
component "Forwarding ASIC" as le_fa1
rectangle "Anycast GW VRF-10" as leaf1_gw1
rectangle "Anycast GW VRF-20" as leaf1_gw2
}
node "Leaf-2" as leaf2 <<VTEP, L2/L3 Gateway>> {
component "Routing Engine" as le_re2
component "Forwarding ASIC" as le_fa2
rectangle "Anycast GW VRF-10" as leaf2_gw1
rectangle "Anycast GW VRF-20" as leaf2_gw2
}
node "Leaf-3" as leaf3 <<VTEP, L2/L3 Gateway>> {
component "Routing Engine" as le_re3
component "Forwarding ASIC" as le_fa3
rectangle "Anycast GW VRF-10" as leaf3_gw1
rectangle "Anycast GW VRF-20" as leaf3_gw2
}
node "Leaf-4" as leaf4 <<VTEP, L2/L3 Gateway>> {
component "Routing Engine" as le_re4
component "Forwarding ASIC" as le_fa4
rectangle "Anycast GW VRF-10" as leaf4_gw1
rectangle "Anycast GW VRF-20" as leaf4_gw2
}
rectangle "Server-1 (VLAN 10)" as server1
rectangle "Server-2 (VLAN 20)" as server2
rectangle "Server-3 (VLAN 10)" as server3
rectangle "Server-4 (VLAN 20)" as server4
internet -- spine1 : "BGP to Edge"
internet -- spine2 : "BGP to Edge"
spine1 -- leaf1 : "Underlay IP Fabric (eBGP/IGP)"
spine1 -- leaf2 : "Underlay IP Fabric (eBGP/IGP)"
spine1 -- leaf3 : "Underlay IP Fabric (eBGP/IGP)"
spine1 -- leaf4 : "Underlay IP Fabric (eBGP/IGP)"
spine2 -- leaf1 : "Underlay IP Fabric (eBGP/IGP)"
spine2 -- leaf2 : "Underlay IP Fabric (eBGP/IGP)"
spine2 -- leaf3 : "Underlay IP Fabric (eBGP/IGP)"
spine2 -- leaf4 : "Underlay IP Fabric (eBGP/IGP)"
leaf1 .u.> leaf1_gw1 : "L2-VNI 100\nVRF-10"
leaf1 .u.> leaf1_gw2 : "L2-VNI 200\nVRF-20"
leaf2 .u.> leaf2_gw1 : "L2-VNI 100\nVRF-10"
leaf2 .u.> leaf2_gw2 : "L2-VNI 200\nVRF-20"
leaf3 .u.> leaf3_gw1 : "L2-VNI 100\nVRF-10"
leaf3 .u.> leaf3_gw2 : "L2-VNI 200\nVRF-20"
leaf4 .u.> leaf4_gw1 : "L2-VNI 100\nVRF-10"
leaf4 .u.> leaf4_gw2 : "L2-VNI 200\nVRF-20"
server1 -- leaf1 : "Access Port VLAN 10"
server2 -- leaf2 : "Access Port VLAN 20"
server3 -- leaf3 : "Access Port VLAN 10"
server4 -- leaf4 : "Access Port VLAN 20"
leaf1 -[hidden]right- leaf2
leaf2 -[hidden]right- leaf3
leaf3 -[hidden]right- leaf4
legend top
**VXLAN EVPN CLOS Fabric**
* Spines: Underlay routing, BGP Route Reflectors
* Leaves: VTEPs, L2/L3 gateways (Anycast GW)
* Underlay: IP reachability (eBGP/IGP)
* Overlay: VXLAN tunnels, EVPN control plane
end legend
@enduml
8.3 Configuration Examples (Multi-Vendor)
This section provides complete working configurations for a simplified VXLAN EVPN fabric using a 2-Spine, 2-Leaf topology with Anycast Gateway on the Leaf switches. We will configure one VNI for Layer 2 extension and demonstrate the Layer 3 integration.
Common Fabric Parameters:
- Underlay IGP: OSPF Area 0
- Overlay BGP AS: 65000 (Internal BGP between Leaves and Route Reflectors)
- VNI: 10010 (mapped to VLAN 10)
- Tenant VRF: VRF-TENANT-A
- Subnet: 10.0.10.0/24 (Layer 3 SVI on Leaf for VNI 10010)
- Anycast Gateway IP: 10.0.10.1 (shared by all VTEPs for a given VNI/SVI)
- Loopback0 IPs:
- Spine1: 192.168.0.1
- Spine2: 192.168.0.2
- Leaf1: 192.168.0.11
- Leaf2: 192.168.0.12
- VTEP Source Interface: Loopback0
8.3.1 Cisco NX-OS Configuration
Cisco NX-OS Spine-1 (Route Reflector)
!
feature bgp
feature ospf
feature interface-vlan
!
router ospf 1
router-id 192.168.0.1
! Underlay interfaces
interface Ethernet1/1
ip address 10.0.1.1/30
ip router ospf 1 area 0.0.0.0
no shutdown
interface Ethernet1/2
ip address 10.0.2.1/30
ip router ospf 1 area 0.0.0.0
no shutdown
! Loopback for BGP peering
interface Loopback0
ip address 192.168.0.1/32
ip router ospf 1 area 0.0.0.0
no shutdown
!
router bgp 65000
router-id 192.168.0.1
address-family l2vpn evpn
retain route-target all
!
neighbor 192.168.0.11 remote-as 65000
update-source Loopback0
address-family l2vpn evpn
send-community extended
!
neighbor 192.168.0.12 remote-as 65000
update-source Loopback0
address-family l2vpn evpn
send-community extended
!
! Configure Route Reflector for EVPN
neighbor 192.168.0.11 route-reflector-client
neighbor 192.168.0.12 route-reflector-client
!
Cisco NX-OS Leaf-1 (VTEP, L2/L3 Gateway)
!
feature bgp
feature ospf
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
!
vrf context VRF-TENANT-A
vni 10010
!
vlan 10
vn-segment 10010
!
interface Ethernet1/1
description To Spine1
ip address 10.0.1.2/30
ip router ospf 1 area 0.0.0.0
no shutdown
!
interface Ethernet1/2
description To Spine2
ip address 10.0.3.1/30
ip router ospf 1 area 0.0.0.0
no shutdown
!
interface Loopback0
ip address 192.168.0.11/32
ip router ospf 1 area 0.0.0.0
no shutdown
!
interface nve1
no shutdown
source-interface Loopback0
host-reachability protocol bgp
member vni 10010 associate-vrf
mcast-group 239.1.1.1 ! Using IP multicast for BUM, can be changed to head-end replication
! For Layer 3 routing between VNIs or external networks
member vni 10010
associate-vrf VRF-TENANT-A
!
interface Vlan10
no shutdown
vrf member VRF-TENANT-A
ip address 10.0.10.1/24 ! Anycast Gateway IP
no ip redirects
fabric forwarding mode anycast-gateway
!
router ospf 1
router-id 192.168.0.11
! Underlay interfaces already configured in interface context
!
router bgp 65000
router-id 192.168.0.11
address-family l2vpn evpn
retain route-target all
!
neighbor 192.168.0.1 remote-as 65000
update-source Loopback0
address-family l2vpn evpn
send-community extended
!
neighbor 192.168.0.2 remote-as 65000
update-source Loopback0
address-family l2vpn evpn
send-community extended
!
! VRF specific configuration for Layer 3 inter-VNI routing
vrf VRF-TENANT-A
address-family ipv4 unicast
advertise l2vpn evpn
!
Verification Commands (Cisco NX-OS):
show ip ospf neighbor
show ip route
show bgp l2vpn evpn summary
show nve interface nve1 detail
show nve peers
show vlan id 10
show mac address-table vlan 10
show ip arp vrf VRF-TENANT-A
8.3.2 Juniper JunOS Configuration
Juniper JunOS Spine-1 (Route Reflector)
#
system {
host-name Spine1;
# ... other system settings
protocols {
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
}
}
bgp {
group EVPN {
type internal;
local-address 192.168.0.1;
family evpn {
signaling;
}
neighbor 192.168.0.11 {
description "Leaf1_Loopback0";
cluster 192.168.0.1;
}
neighbor 192.168.0.12 {
description "Leaf2_Loopback0";
cluster 192.168.0.1;
}
}
}
}
}
interfaces {
lo0 {
unit 0 {
family inet {
address 192.168.0.1/32;
}
}
}
ge-0/0/0 {
unit 0 {
family inet {
address 10.0.1.1/30;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.0.2.1/30;
}
}
}
}
routing-options {
router-id 192.168.0.1;
autonomous-system 65000;
}
#
Juniper JunOS Leaf-1 (VTEP, L2/L3 Gateway)
#
system {
host-name Leaf1;
# ... other system settings
protocols {
ospf {
area 0.0.0.0 {
interface lo0.0;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
}
}
bgp {
group EVPN {
type internal;
local-address 192.168.0.11;
family evpn {
signaling;
}
neighbor 192.168.0.1 {
description "Spine1_Loopback0";
}
neighbor 192.168.0.2 {
description "Spine2_Loopback0";
}
}
}
evpn {
encapsulation vxlan;
extended-vlan-id-list 10;
}
}
}
interfaces {
lo0 {
unit 0 {
family inet {
address 192.168.0.11/32;
}
}
}
ge-0/0/0 {
description "To Spine1";
unit 0 {
family inet {
address 10.0.1.2/30;
}
}
}
ge-0/0/1 {
description "To Spine2";
unit 0 {
family inet {
address 10.0.3.1/30;
}
}
}
irb {
unit 10 {
family inet {
address 10.0.10.1/24; # Anycast Gateway IP
}
}
}
# Access port for hosts (e.g., VLAN 10)
ge-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members VLAN_TENANT_A;
}
}
}
}
}
routing-options {
router-id 192.168.0.11;
autonomous-system 65000;
}
vlans {
VLAN_TENANT_A {
vlan-id 10;
vxlan {
vni 10010;
ingress-node-replication; # Head-end replication for BUM
}
l3-interface irb.10;
}
}
#
Verification Commands (Juniper JunOS):
show ospf neighbor
show route
show bgp summary
show evpn database
show evpn instance
show vxlan instance
show interfaces irb.10
8.3.3 Arista EOS Configuration
Arista EOS Spine-1 (Route Reflector)
!
router ospf 1
router-id 192.168.0.1
passive-interface Loopback0
network 10.0.1.0/30 area 0
network 10.0.2.0/30 area 0
network 192.168.0.1/32 area 0
!
interface Ethernet1
description To Leaf1
no switchport
ip address 10.0.1.1/30
!
interface Ethernet2
description To Leaf2
no switchport
ip address 10.0.2.1/30
!
interface Loopback0
ip address 192.168.0.1/32
!
router bgp 65000
router-id 192.168.0.1
no bgp default ipv4-unicast
!
neighbor LEAF_PEERS peer-group
neighbor LEAF_PEERS remote-as 65000
neighbor LEAF_PEERS update-source Loopback0
neighbor LEAF_PEERS route-reflector-client
neighbor LEAF_PEERS send-community extended
!
neighbor 192.168.0.11 peer-group LEAF_PEERS
neighbor 192.168.0.12 peer-group LEAF_PEERS
!
address-family evpn
neighbor LEAF_PEERS activate
!
Arista EOS Leaf-1 (VTEP, L2/L3 Gateway)
!
vlan 10
name VLAN_TENANT_A
vxlan vni 10010
!
interface Vlan10
vrf forwarding VRF-TENANT-A
ip address 10.0.10.1/24 anycast-gateway ! Anycast Gateway IP
!
interface Ethernet1
description To Spine1
no switchport
ip address 10.0.1.2/30
!
interface Ethernet2
description To Spine2
no switchport
ip address 10.0.3.1/30
!
interface Ethernet3
description To Host-1 (VLAN 10)
switchport mode access
switchport access vlan 10
!
interface Loopback0
ip address 192.168.0.11/32
!
interface Vxlan1
vxlan source-interface Loopback0
vxlan udp-port 4789
vxlan vlan 10 vni 10010
vxlan flood head-end replication
vxlan flood static 192.168.0.12 ! Peers for head-end replication (if not using BGP Type-3)
!
vrf instance VRF-TENANT-A
!
router ospf 1
router-id 192.168.0.11
passive-interface Loopback0
network 10.0.1.0/30 area 0
network 10.0.3.0/30 area 0
network 192.168.0.11/32 area 0
!
router bgp 65000
router-id 192.168.0.11
no bgp default ipv4-unicast
!
neighbor SPINE_PEERS peer-group
neighbor SPINE_PEERS remote-as 65000
neighbor SPINE_PEERS update-source Loopback0
neighbor SPINE_PEERS send-community extended
!
neighbor 192.168.0.1 peer-group SPINE_PEERS
neighbor 192.168.0.2 peer-group SPINE_PEERS
!
address-family evpn
neighbor SPINE_PEERS activate
!
vrf VRF-TENANT-A
rd 192.168.0.11:10010
route-target import 65000:10010
route-target export 65000:10010
redistribute connected
address-family ipv4
neighbor SPINE_PEERS activate
!
Verification Commands (Arista EOS):
show ip ospf neighbor
show ip route
show bgp evpn summary
show vxlan address-table
show vxlan vni
show vlan 10
show ip interface vlan 10
8.4 Automation Examples
Automating VXLAN EVPN deployment and management is critical for operational efficiency. This section demonstrates how to use Ansible and Python (Nornir) for these tasks.
8.4.1 Ansible Playbook for VXLAN EVPN VLAN/VNI Configuration
This Ansible playbook will automate the creation of a new VLAN and VNI mapping on the Leaf switches for Cisco NX-OS, Juniper JunOS, and Arista EOS. It uses Jinja2 templates for configuration generation.
Inventory File (inventory.ini):
[all:vars]
ansible_user=admin
ansible_password=cisco
ansible_become=yes
ansible_become_method=enable
ansible_network_os=nxos # Default, will be overridden by group/host vars
[nxos_leafs]
nxos-leaf1 ansible_host=192.168.0.11 ansible_network_os=nxos
nxos-leaf2 ansible_host=192.168.0.12 ansible_network_os=nxos
[junos_leafs]
junos-leaf1 ansible_host=192.168.0.21 ansible_network_os=junos
junos-leaf2 ansible_host=192.168.0.22 ansible_network_os=junos
[eos_leafs]
eos-leaf1 ansible_host=192.168.0.31 ansible_network_os=eos
eos-leaf2 ansible_host=192.168.0.32 ansible_network_os=eos
Group Variables (group_vars/all.yml):
---
new_vlan_id: 20
new_vlan_name: VLAN_TENANT_B
new_vni: 10020
new_subnet: "10.0.20.1/24"
vrf_name: VRF-TENANT-B
Ansible Playbook (vxlan_evpn_vlan_config.yml):
---
- name: Configure new VXLAN EVPN VLAN/VNI on Multi-Vendor Leaf Switches
hosts: nxos_leafs, junos_leafs, eos_leafs
gather_facts: false
connection: network_cli
tasks:
- name: Ensure the new VLAN/VNI is configured on Cisco NX-OS
when: ansible_network_os == 'nxos'
nxos_config:
lines:
- "vlan "
- " vn-segment "
- "vrf context "
- " vni "
- "interface Vlan"
- " no shutdown"
- " vrf member "
- " ip address anycast-gateway"
- " fabric forwarding mode anycast-gateway"
- "interface nve1"
- " member vni associate-vrf"
- " member vni "
- " associate-vrf "
match: strict
diff_against: running
notify: Save NX-OS config
- name: Ensure the new VLAN/VNI is configured on Juniper JunOS
when: ansible_network_os == 'junos'
junos_config:
lines:
- "set vlans VLAN_ vlan-id "
- "set vlans VLAN_ vxlan vni "
- "set vlans VLAN_ vxlan ingress-node-replication"
- "set vlans VLAN_ l3-interface irb."
- "set interfaces irb unit family inet address "
- "set protocols evpn extended-vlan-id-list "
# Assuming you would map this VLAN to an access port
# - "set interfaces ge-0/0/X unit 0 family ethernet-switching vlan members VLAN_"
diff_against: running
load: set
notify: Save JunOS config
- name: Ensure the new VLAN/VNI is configured on Arista EOS
when: ansible_network_os == 'eos'
eos_config:
lines:
- "vlan "
- " name "
- " vxlan vni "
- "interface Vlan"
- " vrf forwarding "
- " ip address anycast-gateway"
- "interface Vxlan1"
- " vxlan vlan vni "
- "vrf instance "
- "router bgp 65000"
- " vrf "
- " rd 192.168.0.:" # Dynamically generated RD
- " route-target import 65000:"
- " route-target export 65000:"
- " redistribute connected"
- " address-family ipv4"
- " neighbor SPINE_PEERS activate"
# Assuming you would map this VLAN to an access port
# - "interface EthernetX"
# - " switchport mode access"
# - " switchport access vlan "
match: strict
diff_against: running
notify: Save EOS config
handlers:
- name: Save NX-OS config
nxos_config:
save_when: modified
listen: "Save NX-OS config"
- name: Save JunOS config
junos_config:
commit_empty_candidate: true
listen: "Save JunOS config"
- name: Save EOS config
eos_config:
save_when: modified
listen: "Save EOS config"
Explanation:
This playbook uses ansible.netcommon and vendor-specific modules (nxos_config, junos_config, eos_config). It iterates through the hosts, applying configurations based on their ansible_network_os. The diff_against: running allows a dry run to see changes before applying. Handlers are used to save configurations only if changes were made.
8.4.2 Python Script (Nornir) for VXLAN EVPN State Verification
This Python script uses Nornir to connect to multi-vendor devices and gather VXLAN EVPN operational state, specifically focusing on VTEP peer status and learned MAC addresses.
Nornir Inventory (hosts.yaml):
---
nxos-leaf1:
hostname: 192.168.0.11
platform: nxos
groups:
- nxos_leafs
junos-leaf1:
hostname: 192.168.0.21
platform: junos
groups:
- junos_leafs
eos-leaf1:
hostname: 192.168.0.31
platform: eos
groups:
- eos_leafs
Nornir Configuration (config.yaml):
---
inventory:
plugin: SimpleInventory
options:
host_file: hosts.yaml
group_file: groups.yaml
defaults_file: defaults.yaml
runner:
plugin: threaded
options:
num_workers: 20
connection_options:
network_cli:
extras:
global_delay_factor: 2
Nornir Defaults (defaults.yaml):
---
username: admin
password: cisco
# enable password for some devices (e.g., Cisco IOS/NX-OS)
# secret: cisco
Python Script (get_vxlan_evpn_state.py):
from nornir import InitNornir
from nornir_utils.plugins.functions import print_result
from nornir_napalm.plugins.tasks import napalm_get
import logging
# Suppress Nornir logging for cleaner output
logging.getLogger("nornir").setLevel(logging.WARNING)
def get_vxlan_evpn_state(task):
"""
Gathers VXLAN EVPN operational state from network devices.
"""
if task.host.platform == "nxos":
# NX-OS specific commands for VXLAN/EVPN
commands = [
"show nve peers",
"show nve interface nve1 detail",
"show bgp l2vpn evpn summary",
"show mac address-table vlan 10" # Example for a specific VLAN
]
result = task.run(
task=napalm_get,
get_timeout=60,
commands=commands,
name=f"Get VXLAN EVPN state from {task.host.name}"
)
elif task.host.platform == "junos":
# JunOS specific commands for VXLAN/EVPN
commands = [
"show evpn database",
"show evpn instance",
"show vxlan instance",
"show bgp summary"
]
result = task.run(
task=napalm_get,
get_timeout=60,
commands=commands,
name=f"Get VXLAN EVPN state from {task.host.name}"
)
elif task.host.platform == "eos":
# Arista EOS specific commands for VXLAN/EVPN
commands = [
"show vxlan address-table",
"show vxlan vni",
"show bgp evpn summary",
"show ip route vrf VRF-TENANT-A" # Example for specific VRF
]
result = task.run(
task=napalm_get,
get_timeout=60,
commands=commands,
name=f"Get VXLAN EVPN state from {task.host.name}"
)
else:
print(f"Platform {task.host.platform} not supported for VXLAN EVPN state collection.")
return None # Return None if platform is not supported
return result
def main():
# Initialize Nornir
nr = InitNornir(config_file="config.yaml")
# Filter to specific groups if needed
# nr = nr.filter(group="nxos_leafs")
# Run the task
results = nr.run(task=get_vxlan_evpn_state)
# Print results
print_result(results)
# Example of accessing specific data (uncomment to use)
# for host_name, multi_result in results.items():
# for result in multi_result:
# if result.failed:
# print(f"Failed on {host_name}: {result.exception}")
# else:
# print(f"\n--- {host_name} VXLAN EVPN State ---")
# # You would parse result.result here based on the command output
# # For napalm_get with commands, the result.result will be a dictionary
# # where keys are commands and values are their output.
# # For example, for NX-OS: print(result.result["show nve peers"])
if __name__ == "__main__":
main()
Explanation:
This Python script uses the Nornir automation framework along with the nornir_napalm plugin. It defines a task get_vxlan_evpn_state that dynamically selects appropriate show commands based on the device’s platform (defined in the Nornir inventory). The napalm_get task executes these commands and returns their output. print_result is used for a human-readable output, but in a production environment, you would parse result.result to extract structured data for further processing or storage.
8.5 Security Considerations
Securing a VXLAN EVPN fabric is paramount, given its role in handling critical data center traffic. Neglecting security can open up various attack vectors.
8.5.1 Attack Vectors
- Underlay Compromise: If the underlying IP fabric is compromised, an attacker could inject forged VXLAN packets, creating unauthorized Layer 2 segments or interfering with legitimate traffic.
- Control Plane Manipulation (BGP EVPN):
- BGP Route Hijacking: Malicious actors could inject false Type-2 or Type-5 EVPN routes, redirecting traffic to rogue VTEPs or creating blackholes.
- MAC/IP Flooding: Overloading the BGP EVPN control plane with excessive MAC/IP advertisements could destabilize the network.
- Data Plane Exploitation:
- VNI Hopping: If not properly isolated, a tenant could potentially send traffic into another tenant’s VNI.
- Unauthorized VTEP: A rogue device impersonating a VTEP could join the VXLAN EVPN domain and siphon off traffic.
- Management Plane Vulnerabilities:
- Unsecured API/CLI Access: Weak credentials or unencrypted management protocols (Telnet, HTTP) could allow unauthorized configuration changes, including disabling security features or altering VXLAN EVPN parameters.
- Automation Tool Compromise: If your Ansible control node or Nornir host is compromised, an attacker could deploy malicious configurations across the entire fabric.
8.5.2 Mitigation Strategies & Best Practices
- Secure Underlay:
- Robust Routing Protocol Security: Implement MD5 or SHA authentication for OSPF/EIGRP/IS-IS and BGP neighbor relationships.
- Control Plane Policing (CoPP): Protect the routing engine from excessive traffic (e.g., BGP packets) that could lead to DoS attacks.
- ACLs/Firewall Filters: Restrict access to VTEP source interfaces and BGP peering addresses.
- Secure Control Plane (BGP EVPN):
- BGP Authentication: Always use MD5 or stronger authentication (e.g., TCP-AO) for BGP peerings between Leaf and Spine switches (Route Reflectors).
- Route Policy/Filtering: Implement strict import and export route policies for EVPN routes to prevent injection of malicious or malformed routes. Filter on VNIs, MAC addresses, and IP prefixes.
- Max-Prefix Limits: Configure maximum prefix limits on BGP neighbors to prevent route table overflow from a compromised peer.
- Secure Data Plane (VXLAN):
- VNI Isolation: Ensure strict mapping of VLANs to VNIs and VRFs to prevent cross-tenant communication.
- Micro-segmentation: Implement security policies (e.g., ACLs, firewall filters, Security Group Tags) on VTEPs to control traffic flow within VNIs.
- IP Source Guard/DAI: Prevent spoofing of IP and MAC addresses on access ports.
- VXLAN Tunnel Encryption (IPsec): For sensitive traffic or DCI scenarios, consider encrypting VXLAN tunnels using IPsec. This adds overhead but provides confidentiality and integrity.
- Disable Unused BUM Mechanisms: If using head-end replication, ensure IP multicast is disabled or tightly controlled in the underlay to prevent unauthorized BUM flooding.
- Secure Management Plane:
- AAA (Authentication, Authorization, Accounting): Use TACACS+/RADIUS for centralized device access control.
- SSH/HTTPS: Use secure protocols for all management access. Disable Telnet, HTTP, and SNMPv1/v2. Use strong passwords and SSH keys.
- Least Privilege: Ensure automation tools and scripts run with the minimum necessary privileges.
- Automation Tool Hardening: Secure your Ansible control node, Python development environment, and any CI/CD pipelines. This includes OS hardening, firewalls, and regular security patching.
- Version Control: Store all automation code in a secure version control system (e.g., Git with proper access controls).
- Secrets Management: Use an secrets management solution (e.g., HashiCorp Vault, Ansible Vault) to store sensitive credentials securely.
8.5.3 Security Configuration Example (BGP Authentication)
Cisco NX-OS:
! On Spine and Leaf BGP configuration
router bgp 65000
neighbor 192.168.0.11 remote-as 65000
password 7 <hashed_password> ! MD5 password
Warning: Storing plain text passwords in configuration is a major security risk. Always use hashed passwords or a secrets management system.
Juniper JunOS:
# On Spine and Leaf BGP configuration
protocols {
bgp {
group EVPN {
authentication-key "$9$B3I.B2-j75w.B.t9pLh2C3"; # Hashed password
}
}
}
Warning: Storing plain text passwords in configuration is a major security risk. Always use hashed passwords or a secrets management system.
Arista EOS:
! On Spine and Leaf BGP configuration
router bgp 65000
neighbor LEAF_PEERS peer-group
neighbor LEAF_PEERS password 7 <hashed_password> ! MD5 password
Warning: Storing plain text passwords in configuration is a major security risk. Always use hashed passwords or a secrets management system.
8.6 Verification & Troubleshooting
Effective verification and troubleshooting are crucial for maintaining a healthy VXLAN EVPN fabric. Automation can assist in proactive monitoring and initial diagnostics.
8.6.1 Verification Commands and Expected Output
Beyond the individual vendor commands listed in Section 8.3, here are general areas to verify:
Underlay Connectivity: Ensure all VTEPs can reach each other’s Loopback0 (VTEP source) interfaces.
# Command (e.g., Cisco NX-OS) ping 192.168.0.12 source 192.168.0.11# Expected Output Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.0.12, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 msBGP EVPN Peer Status: All Leaf switches should have established BGP EVPN peerings with the Route Reflectors (Spines).
# Command (e.g., Cisco NX-OS) show bgp l2vpn evpn summary# Expected Output (abbreviated) BGP summary information for VRF default, address family L2VPN EVPN BGP router identifier 192.168.0.11, local AS number 65000 BGP table version is 2, main routing table version 2 ... Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.0.1 4 65000 100 102 2 0 0 00:05:30 1 192.168.0.2 4 65000 98 99 2 0 0 00:05:25 1State/PfxRcd should show “Established” or a number of prefixes received.
VNI and VTEP Configuration: Verify that VNIs are mapped to VLANs/VRFs and the NVE/VXLAN interfaces are up.
# Command (e.g., Cisco NX-OS) show nve interface nve1 detail# Expected Output (abbreviated) Interface: nve1, State: Up, Encapsulation: VXLAN VTEP IP Addr: 192.168.0.11, VTEP VRF: default, VTEP State: Up Source-interface: loopback0 ... VNI Mode Type Mcast-group State 10010 CP L2 239.1.1.1 UpMAC Address Table Learning: Verify that hosts connected to a VNI are learning MAC addresses from local and remote VTEPs.
# Command (e.g., Arista EOS) show vxlan address-table# Expected Output (abbreviated) Vlan VNI Mac Address Type Next Hop Peer-IP ---- ---- -------------- ----- -------------------- ---------------- 10 10010 00:50:56:AB:CD:EF Dynamic Ethernet3 - 10 10010 00:50:56:01:23:45 EVPN Vxlan1 192.168.0.12Type“Dynamic” indicates local learning, “EVPN” indicates learning via BGP EVPN from a remote VTEP.ARP/ND Suppression: Verify that VTEPs are responding to ARP requests for remote hosts.
# Command (e.g., Cisco NX-OS) show ip arp vrf VRF-TENANT-A# Expected Output Address Age MAC Address Interface VRF 10.0.10.1 - 0050.56b0.0001 Vlan10 VRF-TENANT-A 10.0.10.10 00:01:05 0050.56b0.1234 nve1(10010) VRF-TENANT-AEntries on
nve1(or equivalent) for remote MACs indicate successful ARP suppression.
8.6.2 Troubleshooting
| Issue | Potential Cause | Troubleshooting Steps | Debug Commands (Example: NX-OS) |
|---|---|---|---|
| No VXLAN EVPN Peering | Underlay routing issue | ping VTEP_IP source Loopback0 to test IP reachability. show ip route to check routing table. | debug ip ospf event, debug bgp l2vpn evpn |
| BGP misconfiguration | Check BGP AS, neighbor IP, update-source, address-family activation, password. | show bgp l2vpn evpn neighbor detail | |
| Route Reflector issue | Verify RR configuration on Spines. | show bgp summary, show bgp l2vpn evpn route-reflector summary | |
| MAC Address Not Learned | Host not sending traffic | Ping host from within its VLAN. | show mac address-table on access port switch. |
| VNI/VLAN mapping incorrect | Verify VLAN to VNI mapping on the Leaf. | show vlan id <VLAN_ID>, show nve interface nve1 | |
| EVPN route not advertised/received | Check BGP EVPN routes on originating Leaf and on Route Reflector. | show bgp l2vpn evpn route type 2, show bgp l2vpn evpn database | |
| No L2 Connectivity Across VTEPs | VTEP NVE interface down | Check show nve interface. | show nve interface nve1 detail |
| BUM traffic not working | If using multicast, check show ip mroute. If HER, ensure HER peer list is correct or BGP Type-3 routes are exchanged. | debug nve event, debug nve packet | |
| Misconfigured VNI in overlay | Ensure VNI is consistent across all VTEPs for the same broadcast domain. | show nve interface nve1, show vlan id <vlan-id> | |
| Inter-VNI Routing Failure | VRF/L3 VNI mapping incorrect | Verify interface VlanX vrf forwarding, nve member vni associate-vrf. | show vrf detail VRF-TENANT-A, show nve interface nve1 detail |
| Missing L3 EVPN routes | Check Type-5 route advertisement from VRF into EVPN. | show bgp l2vpn evpn route type 5 | |
| Anycast Gateway IP issue | Verify consistent Anycast GW IP and fabric forwarding mode anycast-gateway (NX-OS) or equivalent (EOS/JunOS). | show ip interface vlan <VLAN_ID> |
8.7 Performance Optimization
Optimizing VXLAN EVPN performance involves careful design of both the underlay and overlay networks.
- Underlay Design:
- High-Bandwidth Interconnects: Use 100GbE or 400GbE for Spine-Leaf links to handle aggregated traffic.
- ECMP (Equal-Cost Multipathing): Ensure the underlay routing protocol (OSPF, EIGRP, eBGP) uses ECMP to distribute traffic across all available paths, maximizing bandwidth utilization.
- Large MTU (Jumbo Frames): Configure jumbo frames (e.g., 9000 bytes) throughout the entire underlay network to accommodate the additional VXLAN header overhead without fragmentation. This is critical for performance. The minimum MTU must be 1500 + 50 (for VXLAN/UDP/IP headers).
- Control Plane Scaling:
- BGP Route Reflectors: Use dedicated or co-located Spine switches as BGP Route Reflectors to avoid a full mesh of BGP peerings among VTEPs, which can be computationally intensive.
- Route Summarization: Where appropriate, summarize Type-5 IP prefixes advertised into external networks.
- ARP/ND Suppression: Leverage ARP/ND suppression to significantly reduce BUM traffic and control plane load on VTEPs.
- Data Plane Optimization:
- Head-End Replication (HER) vs. IP Multicast:
- HER: Simpler to deploy as it only requires unicast IP routing in the underlay. Scales well for smaller number of VTEPs, but for very large fabrics, it can lead to N-1 replication overhead on the source VTEP.
- IP Multicast: More efficient for large-scale BUM traffic replication as it uses the underlay multicast capabilities, reducing replication burden on VTEPs. Requires configuring IP multicast in the underlay, which adds complexity.
- Hashing for Load Balancing: Ensure the underlay uses robust hashing algorithms (e.g., based on Layer 3/4 information) for ECMP to evenly distribute VXLAN encapsulated traffic.
- Head-End Replication (HER) vs. IP Multicast:
- Capacity Planning:
- Monitor CPU, memory, and ASIC utilization on Leaf and Spine switches.
- Track the number of learned MAC/IP addresses, EVPN routes, and VNI configurations against device capabilities.
- Plan for future growth in terms of hosts, VNIs, and overall traffic volume.
- Monitoring Recommendations:
- Telemetry: Implement streaming telemetry (e.g., gRPC, NETCONF) to gather real-time performance metrics (interface utilization, CPU, memory, packet drops, VTEP statistics, BGP/EVPN state).
- SNMP: For older deployments or supplementary monitoring.
- Network Performance Monitoring (NPM) Tools: Integrate with tools that can visualize VXLAN EVPN tunnel health, traffic flows, and VNI utilization.
8.8 Hands-On Lab: Deploying a Basic VXLAN EVPN Fabric
This lab guides you through deploying a minimal VXLAN EVPN fabric using Cisco NX-OS devices, similar to the configuration examples. You’ll use a virtual lab environment (e.g., EVE-NG, GNS3, or Cisco CML).
8.8.1 Lab Topology
nwdiag {
// Define underlay networks for links between Leaf and Spine
network leaf1_spine1_link {
address = "10.0.1.0/30"
Leaf1 [address = "10.0.1.2"];
Spine1 [address = "10.0.1.1"];
}
network leaf1_spine2_link {
address = "10.0.3.0/30"
Leaf1 [address = "10.0.3.1"];
Spine2 [address = "10.0.3.2"];
}
network leaf2_spine1_link {
address = "10.0.2.0/30"
Leaf2 [address = "10.0.2.2"];
Spine1 [address = "10.0.2.1"];
}
network leaf2_spine2_link {
address = "10.0.4.0/30"
Leaf2 [address = "10.0.4.1"];
Spine2 [address = "10.0.4.2"];
}
// Define host networks
network host1_vlan10 {
address = "10.0.10.0/24"
Leaf1;
Host1 [address = "10.0.10.10"];
}
network host2_vlan10 {
address = "10.0.10.0/24"
Leaf2;
Host2 [address = "10.0.10.20"];
}
// Define devices with their loopback IPs
Spine1 [label = "Spine-1\n(192.168.0.1)", shape = cloud];
Spine2 [label = "Spine-2\n(192.168.0.2)", shape = cloud];
Leaf1 [label = "Leaf-1\n(192.168.0.11)", shape = box];
Leaf2 [label = "Leaf-2\n(192.168.0.12)", shape = box];
Host1 [label = "Host-1\n(VLAN 10)", shape = ellipse];
Host2 [label = "Host-2\n(VLAN 10)", shape = ellipse];
}
8.8.2 Objectives
- Deploy a 2-Spine, 2-Leaf CLOS underlay network using OSPF.
- Configure BGP EVPN on Spines (as Route Reflectors) and Leaves.
- Configure VXLAN with VNI 10010 mapped to VLAN 10 and a shared Anycast Gateway IP (10.0.10.1).
- Connect two hosts to different Leaf switches within the same VXLAN segment (VLAN 10).
- Verify Layer 2 and Layer 3 connectivity between the hosts across the VXLAN fabric.
8.8.3 Step-by-Step Configuration (Cisco NX-OS)
Prerequisites:
- Four Cisco NX-OSv instances (Spine1, Spine2, Leaf1, Leaf2) and two generic hosts (Host1, Host2) connected as per the topology.
- Basic management connectivity to all devices.
1. Initial Setup on All Devices (Spine1, Spine2, Leaf1, Leaf2):
configure terminal
feature bgp
feature ospf
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
!
copy running-config startup-config ! Save config
2. Configure Underlay and Loopback Interfaces:
- Spine1:
interface Ethernet1/1 no switchport ip address 10.0.1.1/30 no shutdown interface Ethernet1/2 no switchport ip address 10.0.2.1/30 no shutdown interface Loopback0 ip address 192.168.0.1/32 no shutdown - Spine2:
interface Ethernet1/1 no switchport ip address 10.0.3.2/30 no shutdown interface Ethernet1/2 no switchport ip address 10.0.4.2/30 no shutdown interface Loopback0 ip address 192.168.0.2/32 no shutdown - Leaf1:
interface Ethernet1/1 no switchport ip address 10.0.1.2/30 no shutdown interface Ethernet1/2 no switchport ip address 10.0.3.1/30 no shutdown interface Loopback0 ip address 192.168.0.11/32 no shutdown - Leaf2:
interface Ethernet1/1 no switchport ip address 10.0.2.2/30 no shutdown interface Ethernet1/2 no switchport ip address 10.0.4.1/30 no shutdown interface Loopback0 ip address 192.168.0.12/32 no shutdown
3. Configure Underlay OSPF on All Devices:
- Spine1:
router ospf 1 router-id 192.168.0.1 network 10.0.1.0/30 area 0.0.0.0 network 10.0.2.0/30 area 0.0.0.0 network 192.168.0.1/32 area 0.0.0.0 - Spine2:
router ospf 1 router-id 192.168.0.2 network 10.0.3.0/30 area 0.0.0.0 network 10.0.4.0/30 area 0.0.0.0 network 192.168.0.2/32 area 0.0.0.0 - Leaf1:
router ospf 1 router-id 192.168.0.11 network 10.0.1.0/30 area 0.0.0.0 network 10.0.3.0/30 area 0.0.0.0 network 192.168.0.11/32 area 0.0.0.0 - Leaf2:
Verification: On any device,router ospf 1 router-id 192.168.0.12 network 10.0.2.0/30 area 0.0.0.0 network 10.0.4.0/30 area 0.0.0.0 network 192.168.0.12/32 area 0.0.0.0show ip ospf neighborandshow ip routeshould show all loopback addresses reachable.
4. Configure BGP EVPN on Spines (Route Reflectors):
- Spine1 & Spine2 (same config):
router bgp 65000 router-id 192.168.0.1 ! Use .1 for Spine1, .2 for Spine2 address-family l2vpn evpn retain route-target all ! neighbor 192.168.0.11 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended route-reflector-client ! neighbor 192.168.0.12 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended route-reflector-client
5. Configure BGP EVPN and VXLAN on Leaf Switches:
- Leaf1:
vrf context VRF-TENANT-A vni 10010 ! vlan 10 vn-segment 10010 ! interface nve1 no shutdown source-interface Loopback0 host-reachability protocol bgp member vni 10010 associate-vrf mcast-group 239.1.1.1 ! Using IP multicast for BUM member vni 10010 associate-vrf VRF-TENANT-A ! interface Vlan10 no shutdown vrf member VRF-TENANT-A ip address 10.0.10.1/24 no ip redirects fabric forwarding mode anycast-gateway ! interface Ethernet1/3 ! Access port for Host1 switchport mode access switchport access vlan 10 no shutdown ! router bgp 65000 router-id 192.168.0.11 address-family l2vpn evpn retain route-target all ! neighbor 192.168.0.1 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended ! neighbor 192.168.0.2 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended ! vrf VRF-TENANT-A rd auto address-family ipv4 unicast advertise l2vpn evpn route-target both auto route-target both auto evpn - Leaf2 (similar to Leaf1, adjust IPs):
vrf context VRF-TENANT-A vni 10010 ! vlan 10 vn-segment 10010 ! interface nve1 no shutdown source-interface Loopback0 host-reachability protocol bgp member vni 10010 associate-vrf mcast-group 239.1.1.1 member vni 10010 associate-vrf VRF-TENANT-A ! interface Vlan10 no shutdown vrf member VRF-TENANT-A ip address 10.0.10.1/24 no ip redirects fabric forwarding mode anycast-gateway ! interface Ethernet1/3 ! Access port for Host2 switchport mode access switchport access vlan 10 no shutdown ! router bgp 65000 router-id 192.168.0.12 address-family l2vpn evpn retain route-target all ! neighbor 192.168.0.1 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended ! neighbor 192.168.0.2 remote-as 65000 update-source Loopback0 address-family l2vpn evpn send-community extended ! vrf VRF-TENANT-A rd auto address-family ipv4 unicast advertise l2vpn evpn route-target both auto route-target both auto evpn
6. Configure Hosts:
- Host1: IP: 10.0.10.10/24, Gateway: 10.0.10.1
- Host2: IP: 10.0.10.20/24, Gateway: 10.0.10.1
8.8.4 Verification Steps
- Verify BGP EVPN Peers: On Leaf1/Leaf2,
show bgp l2vpn evpn summary. Both Spines should be up. - Verify NVE Interface: On Leaf1/Leaf2,
show nve interface nve1 detail. Ensure VTEP state is Up and VNI 10010 is Up. - Verify NVE Peers: On Leaf1/Leaf2,
show nve peers. Ensure the other Leaf’s VTEP IP is listed as a peer. - Ping from Host1 to Gateway: From Host1,
ping 10.0.10.1. This verifies local SVI. - Ping from Host1 to Host2: From Host1,
ping 10.0.10.20. This verifies L2 reachability over VXLAN. - Verify MAC Learning: On Leaf1,
show mac address-table vlan 10andshow nve peers detail. You should see Host1’s MAC locally and Host2’s MAC learned via the remote VTEP. - Verify ARP Suppression: On Leaf1/Leaf2,
show ip arp vrf VRF-TENANT-A. After Host1 pings Host2, Host2’s IP/MAC should appear.
8.8.5 Challenge Exercises
- Add a new VLAN (20) and VNI (10020) to the fabric. Configure it on both Leaf switches with an Anycast Gateway IP (e.g., 10.0.20.1/24).
- Connect a third host to Leaf1 in VLAN 20 (IP: 10.0.20.10/24) and verify its connectivity to its gateway.
- Modify the BUM handling from IP Multicast to Head-End Replication on the Leaf switches and verify functionality (Hint: remove
mcast-groupand configure staticpeer-listor rely on BGP Type-3 routes).
8.9 Best Practices Checklist
When implementing and automating VXLAN EVPN, adhere to these best practices:
- Underlay Simplicity: Keep the underlay as a pure IP fabric with a robust IGP (or eBGP).
- Consistent MTU: Configure jumbo frames (e.g., 9216 bytes) end-to-end across the entire underlay to avoid fragmentation.
- Loopback Interfaces: Use loopback interfaces for VTEP source IPs and BGP peerings for stability.
- BGP Route Reflectors: Utilize Spines as BGP Route Reflectors to simplify the EVPN control plane.
- BGP Authentication: Always implement MD5 or stronger authentication for BGP peerings.
- ARP/ND Suppression: Enable ARP/ND suppression to reduce BUM traffic and improve performance.
- Anycast Gateway: Configure Anycast Gateway on all VTEPs for optimal L3 routing and host mobility.
- VNI-VLAN Mapping: Maintain a clear, consistent, and well-documented mapping between VLANs, VNIs, and VRFs.
- Automation First: Automate the deployment and configuration of VXLAN EVPN using tools like Ansible and Python.
- Idempotency: Ensure automation scripts are idempotent to allow safe re-execution.
- Version Control: Store all configurations and automation code in a version control system (Git).
- Secrets Management: Use secure methods (Ansible Vault, HashiCorp Vault) for handling sensitive credentials.
- Centralized Logging & Monitoring: Implement robust logging, monitoring, and telemetry for the underlay and overlay.
- Control Plane Policing (CoPP): Protect the network devices’ control planes from malicious or excessive traffic.
- Route Filtering: Implement BGP route policies to filter EVPN routes for security and stability.
- Documentation: Thoroughly document the design, configuration, and operational procedures.
- Testing: Implement automated testing for new deployments and changes.
- Disaster Recovery Plan: Have a clear plan for backup and restoration of critical configurations.
8.10 Reference Links
- RFC 7348: Virtual eXtensible Local Area Network (VXLAN) - https://www.rfc-editor.org/info/rfc7348
- RFC 7432: BGP MPLS-Based Ethernet VPN - https://www.rfc-editor.org/info/rfc7432
- Cisco DevNet: Standard Network Devices (NETCONF/RESTCONF/gRPC/YANG) - https://developer.cisco.com/site/standard-network-devices/
- Cisco DevNet: Infrastructure as Code - https://developer.cisco.com/iac/
- Juniper EVPN Documentation: (Search for specific JunOS versions on Juniper TechLibrary)
- Arista EOS VXLAN/EVPN Documentation: (Search on Arista website for latest EOS documentation)
- Ansible Network Automation: (Official Documentation) - https://docs.ansible.com/ansible/latest/network/index.html
- Nornir Documentation: (Official Documentation) - https://nornir.tech/nornir/docs/
- Blockdiag (nwdiag, packetdiag): Official Documentation - http://blockdiag.com/en/index.html
- Graphviz: Official Documentation - https://graphviz.org/documentation/
- PlantUML: Official Documentation - https://plantuml.com/
8.11 What’s Next
This chapter provided a deep dive into VXLAN EVPN, from its core protocols to multi-vendor automation and operational best practices. You should now have a solid understanding of how to leverage this technology for modern data center networking.
Key learnings recap:
- VXLAN provides the scalable Layer 2 data plane over a Layer 3 underlay.
- EVPN acts as the intelligent control plane using BGP for MAC/IP learning and VTEP discovery.
- CLOS fabric architecture is ideal for VXLAN EVPN deployments.
- Automation with Ansible and Python is essential for efficient deployment and management.
- Robust security, verification, and troubleshooting are critical for production fabrics.
In the next chapter, we will shift our focus to Chapter 9: Advanced Network Automation with CI/CD Pipelines. We will explore how to integrate your automation scripts and playbooks into Continuous Integration and Continuous Deployment pipelines, enabling automated testing, validation, and deployment of network changes with confidence and speed. This will build upon the Infrastructure as Code principles introduced throughout this guide, bringing your NetDevOps journey to a higher level of maturity.