Chapter 18: Building a Secure Multi-Tenant Data Center with VXLAN/EVPN

18.1 Introduction

The demands of modern cloud computing, virtualization, and containerization have pushed traditional VLAN-based data center architectures to their limits. The explosion of applications and services requires network infrastructure that is highly scalable, agile, and capable of securely isolating multiple tenants or business units on a shared physical network.

This chapter delves into Virtual Extensible LAN (VXLAN) with EVPN (Ethernet VPN) as the control plane, a transformative technology stack for building next-generation multi-tenant data centers. We will explore how VXLAN extends Layer 2 segmentation beyond the limitations of VLANs, and how EVPN provides an intelligent, scalable control plane for discovering and distributing Layer 2 (MAC) and Layer 3 (IP) reachability information across the data center fabric.

What this chapter covers:

The fundamental limitations of traditional VLANs in large-scale data centers.
In-depth technical concepts of VXLAN encapsulation and VXLAN Tunnel Endpoints (VTEPs).
The role of EVPN as a BGP-based control plane for VXLAN, including route types and functions.
Designing and implementing a secure, multi-tenant Spine-Leaf data center architecture using VXLAN/EVPN.
Multi-vendor configuration examples for Cisco NX-OS, Juniper JunOS, and Arista EOS.
Automating VXLAN/EVPN deployments with Ansible and Python.
Critical security considerations, attack vectors, and mitigation strategies.
Verification, troubleshooting, and performance optimization techniques.

Why it’s important:

Understanding and implementing VXLAN/EVPN is crucial for network engineers responsible for designing, deploying, and operating modern data centers. It enables:

Massive Scalability: Overcoming the 4094 VLAN ID limit with 16 million VXLAN Network Identifiers (VNIs).
Multi-Tenancy: Securely isolating numerous tenants or applications on a shared physical infrastructure.
Workload Mobility: Seamless VM and container migration across the data center without IP re-addressing.
Layer 2 and Layer 3 Services: Integrated routing and bridging capabilities for optimal traffic flow.
Operational Simplicity: A centralized, distributed control plane simplifies MAC/IP learning and distribution.

What you’ll be able to do after this chapter:

Upon completion of this chapter, you will be equipped to design, configure, and troubleshoot VXLAN/EVPN solutions in a multi-tenant data center environment, preparing you for the challenges of modern network infrastructure.

18.2 Technical Concepts

18.2.1 The Need for VXLAN: Beyond VLAN Limitations

Traditional VLANs (IEEE 802.1Q) have served networks well for decades, providing Layer 2 segmentation and broadcast domain reduction. However, in the context of modern data centers with high-density virtualization and cloud requirements, VLANs exhibit significant limitations:

Limited Scale: The 12-bit VLAN ID field allows for only 4094 unique VLANs (excluding reserved IDs). This becomes a bottleneck for large enterprises, service providers, and multi-tenant cloud environments requiring thousands of isolated networks.
Spanning Tree Protocol (STP) Issues: STP operates on a per-VLAN basis, consuming significant CPU resources on switches and often leading to complex, suboptimal topologies that block redundant paths.
Lack of Workload Mobility: Extending Layer 2 networks across physical boundaries (e.g., between racks or data centers) to enable seamless VM migration is complex and often inefficient with traditional VLANs.
Inefficient Resource Utilization: Active-standby forwarding paths and static trunk configurations can lead to underutilized network resources.

VXLAN addresses these challenges by introducing an overlay networking scheme that runs on top of an existing Layer 3 underlay network.

18.2.2 VXLAN Fundamentals (RFC 7348)

VXLAN (Virtual Extensible LAN) is an encapsulation protocol that extends Layer 2 segments over an IP network. It essentially tunnels Ethernet frames within UDP packets. This allows logical Layer 2 networks to span across Layer 3 boundaries, overcoming the 4094 VLAN ID limit and enabling greater scalability and flexibility.

Key VXLAN Components:

VXLAN Network Identifier (VNI): A 24-bit identifier that uniquely identifies a Layer 2 segment within the VXLAN overlay. This provides approximately 16 million unique segments, far exceeding VLAN limits. Each VNI maps to a specific tenant’s Layer 2 network.
VXLAN Tunnel Endpoint (VTEP): A network device (physical or virtual switch, router, server) that originates and terminates VXLAN tunnels. VTEPs encapsulate Ethernet frames into VXLAN/UDP/IP packets for transmission across the IP underlay and decapsulate them upon reception. Each VTEP has an IP address reachable within the underlay network.
Overlay Network: The logical Layer 2 network created by VXLAN, providing connectivity between end hosts.
Underlay Network: The physical Layer 3 IP network that provides connectivity between VTEPs. It typically uses standard IP routing protocols (OSPF, ISIS, BGP) for reachability.

VXLAN Encapsulation Process:

When an end host (e.g., a VM) sends an Ethernet frame within a VXLAN-enabled network:

The frame arrives at the local VTEP.
The VTEP identifies the VNI associated with the incoming frame’s VLAN.
The VTEP encapsulates the original Ethernet frame with a VXLAN header, followed by a UDP header (default destination port 4789), and an outer IP header (source: VTEP’s IP, destination: remote VTEP’s IP or a multicast group address).
This new IP packet is then transmitted across the underlay network to the destination VTEP.
The destination VTEP decapsulates the packet, removes the outer headers, and forwards the original Ethernet frame to the destination end host within the corresponding VNI.

packetdiag {
  colwidth = 32
  // Original Ethernet Frame
  0-7: Destination MAC
  8-15: Source MAC
  16-17: EtherType (e.g., 0x8100 for VLAN, 0x0800 for IP)
  18-21: VLAN Tag (optional)
  22-n: Original Payload (IP Packet)
  n-m: FCS

  // VXLAN Encapsulation
  blank;
  label {
    0: Outer Ethernet Header
    1: Outer IP Header
    2: UDP Header
    3: VXLAN Header
    4: Inner Ethernet Frame (original)
  }
  blank;

  // Outer Ethernet Header
  0-7: Outer Destination MAC
  8-15: Outer Source MAC
  16-17: Outer EtherType (0x0800 for IPv4)

  // Outer IP Header
  0-3: Version/IHL
  4-7: DSCP/ECN
  8-15: Total Length
  16-19: Identification
  20-23: Flags/Fragment Offset
  24-27: TTL
  28-29: Protocol (17 for UDP)
  30-31: Header Checksum
  32-39: Outer Source IP (VTEP IP)
  40-47: Outer Destination IP (Remote VTEP IP or Multicast)

  // UDP Header
  0-3: Source Port (VTEP ephemeral)
  4-7: Destination Port (4789)
  8-11: Length
  12-15: Checksum

  // VXLAN Header (8 bytes)
  0-3: Flags (8 bits, I-flag set for valid VNI) / Reserved (24 bits)
  4-7: VXLAN Network Identifier (VNI) (24 bits) / Reserved (8 bits)

  // Inner (Original) Ethernet Frame
  blank;
  label {
    0: Original Destination MAC
    1: Original Source MAC
    2: Original EtherType
    3: Original Payload (IP Packet)
    4: FCS (removed by VTEP before re-encapsulation)
  }
  blank;

  0-7: Original Destination MAC
  8-15: Original Source MAC
  16-17: Original EtherType
  18-n: Original Payload (IP Packet)
  n-m: FCS (optional, often discarded by VTEP after validation)
}

Initial VXLAN Data Plane (Flood-and-Learn):

In early VXLAN deployments, MAC address learning for remote VTEPs relied on flood-and-learn mechanisms, similar to traditional Ethernet. Unknown unicast, broadcast, and multicast (BUM) traffic would be sent to a multicast group IP address in the underlay, which all VTEPs for that VNI would join. This approach is inefficient and places a burden on the underlay network.

This is where EVPN steps in as a superior control plane.

18.2.3 EVPN as a VXLAN Control Plane (RFC 7432)

EVPN (Ethernet VPN) uses BGP (Border Gateway Protocol) as a control plane for exchanging MAC address reachability information among VTEPs. This eliminates the need for multicast/broadcast flooding for unknown unicast traffic and provides a much more scalable and robust solution.

Key EVPN Concepts:

BGP EVPN Address Family: EVPN uses a dedicated BGP address family (l2vpn evpn) to advertise MAC and IP address reachability information.
EVPN Route Types: EVPN defines several BGP route types, each serving a specific purpose:
- Type 1 - Ethernet A-D Route per ESI: Advertises a host or a group of hosts’ MAC addresses associated with an Ethernet Segment Identifier (ESI) for multi-homing.
- Type 2 - MAC/IP Advertisement Route: Advertises a host’s MAC address, IP address (if known), and its associated VNI and originating VTEP IP. This is the primary route type for unicast MAC/IP learning.
- Type 3 - Inclusive Multicast Ethernet Tag Route: Advertises a VTEP’s readiness to receive BUM (Broadcast, Unknown Unicast, Multicast) traffic for a specific VNI. This allows VTEPs to build efficient ingress replication lists for BUM traffic, replacing multicast trees.
- Type 4 - Ethernet A-D Route per ES: Advertises the ESI and its capabilities for multi-homing redundancy.
- Type 5 - IP Prefix Route: Advertises IP prefixes belonging to a VNI, enabling Layer 3 routing between VNIs or to external networks within the EVPN domain. This is critical for Symmetric Integrated Routing and Bridging (IRB) and inter-VNI routing.
Ethernet Segment Identifier (ESI): A 10-byte identifier assigned to a group of links connecting a multi-homed device (e.g., a server, firewall) to two or more EVPN-capable provider edge (PE) devices (VTEPs). ESIs enable active-active or active-standby multi-homing and Designated Forwarder (DF) election for BUM traffic.
Route Targets (RTs) and Route Distinguishers (RDs): Used for VRF (Virtual Routing and Forwarding) and VNI separation, similar to MPLS VPNs.
- RD: Makes a prefix globally unique within the BGP domain.
- RT: Controls the import and export of routes between different VRFs/VNIs.

18.2.4 Control Plane vs. Data Plane

In a VXLAN/EVPN architecture:

Control Plane (EVPN BGP): Responsible for learning and distributing MAC and IP addresses of end hosts within different VNIs. When a host comes online or sends traffic, its MAC/IP is learned by the local VTEP, which then advertises this information via BGP EVPN routes to other VTEPs in the fabric. This builds a centralized, distributed forwarding table.
Data Plane (VXLAN Encapsulation): Responsible for the actual forwarding of traffic. Once the control plane has learned the destination MAC/IP and the corresponding remote VTEP, the local VTEP encapsulates the traffic in a VXLAN header and sends it directly to the remote VTEP over the IP underlay. This is a “lookup-and-forward” mechanism for known unicast traffic. For BUM traffic, ingress replication based on Type 3 routes is used.

This separation provides significant advantages:

Scalability: BGP is highly scalable for distributing reachability information.
Efficiency: Eliminates inefficient flooding for known unicast traffic.
Intelligence: Enables advanced features like multi-homing, optimal ingress replication, and seamless Layer 3 routing.

digraph EVPN_Control_Plane {
    rankdir=LR;
    graph [
        fontname="Arial",
        fontsize=10,
        labelloc="t",
        label="EVPN BGP Control Plane Exchange for MAC/IP Learning"
    ];
    node [
        shape=box,
        style="rounded,filled",
        fillcolor="#F0F4FF",
        fontname="Arial",
        fontsize=10
    ];
    edge [
        color="#555555",
        arrowsize=0.8,
        fontname="Arial",
        fontsize=9
    ];

    subgraph cluster_leaf1 {
        label = "Leaf 1 (VTEP_A)";
        fillcolor="#E6F2FF";
        style=filled;
        SW1 [label="Spine1"];
        SW2 [label="Spine2"];
        HostA [label="Host A\n(VLAN 10, VNI 1001)"];
        Leaf1_VTEP [label="Leaf1 VTEP"];
    }

    subgraph cluster_leaf2 {
        label = "Leaf 2 (VTEP_B)";
        fillcolor="#E6F2FF";
        style=filled;
        SW3 [label="Spine3"];
        SW4 [label="Spine4"];
        HostB [label="Host B\n(VLAN 10, VNI 1001)"];
        Leaf2_VTEP [label="Leaf2 VTEP"];
    }

    HostA -> Leaf1_VTEP [label="ARP/Data (MAC A)"];
    HostB -> Leaf2_VTEP [label="ARP/Data (MAC B)"];

    Leaf1_VTEP -> SW1 [label="eBGP EVPN Peer"];
    Leaf1_VTEP -> SW2 [label="eBGP EVPN Peer"];
    Leaf2_VTEP -> SW3 [label="eBGP EVPN Peer"];
    Leaf2_VTEP -> SW4 [label="eBGP EVPN Peer"];

    SW1 -> SW2 [label="iBGP/eBGP (Spine to Spine)"]; // Although spines usually don't peer directly in eBGP fabric, this depicts the full mesh
    SW3 -> SW4 [label="iBGP/eBGP (Spine to Spine)"]; // Representing path through spines

    Leaf1_VTEP -> Leaf2_VTEP [style=dotted, label="VXLAN Tunnel (Data Plane)"]; // Dotted line for data path abstraction

    subgraph cluster_control_flow {
        label = "EVPN Control Plane Flow";
        style=filled;
        fillcolor="#FFFFE0";
        fontcolor="#000000";

        Leaf1_VTEP -> {SW1, SW2} [label="1. Learns MAC A locally\n2. Advertises BGP EVPN Type 2 Route\n(MAC A, VNI 1001, Next-Hop VTEP_A IP)"];
        {SW1, SW2} -> {Leaf2_VTEP} [label="3. Spines reflect Type 2 Route to Leaf 2"];
        Leaf2_VTEP -> Leaf1_VTEP [label="4. Leaf 2 updates forwarding table\n(MAC A -> VTEP_A IP)"];

        Leaf2_VTEP -> {SW3, SW4} [label="1. Learns MAC B locally\n2. Advertises BGP EVPN Type 2 Route\n(MAC B, VNI 1001, Next-Hop VTEP_B IP)"];
        {SW3, SW4} -> {Leaf1_VTEP} [label="3. Spines reflect Type 2 Route to Leaf 1"];
        Leaf1_VTEP -> Leaf2_VTEP [label="4. Leaf 1 updates forwarding table\n(MAC B -> VTEP_B IP)"];
    }
}

18.2.5 Data Center Architecture with VXLAN/EVPN

The most common and robust architecture for VXLAN/EVPN is the Spine-Leaf topology.

@startuml
!theme mars

' Step 1: Define ALL elements first
cloud "External Network" as CLOUD

rectangle "Border Leaf" as BL1
rectangle "Border Leaf" as BL2

rectangle "Spine 1" as SP1
rectangle "Spine 2" as SP2
rectangle "Spine 3" as SP3

rectangle "Leaf 1 (VTEP)" as L1 {
    component "Tenant 1 VRF" as T1_L1
    component "Tenant 2 VRF" as T2_L1
}
rectangle "Leaf 2 (VTEP)" as L2 {
    component "Tenant 1 VRF" as T1_L2
    component "Tenant 2 VRF" as T2_L2
}
rectangle "Leaf 3 (VTEP)" as L3 {
    component "Tenant 1 VRF" as T1_L3
    component "Tenant 2 VRF" as T2_L3
}
rectangle "Leaf 4 (VTEP)" as L4 {
    component "Tenant 1 VRF" as T1_L4
    component "Tenant 2 VRF" as T2_L4
}

rectangle "Host Group A" as HGA
rectangle "Host Group B" as HGB

' Step 2: Then connect them
CLOUD -- BL1
CLOUD -- BL2

BL1 -u- SP1
BL1 -u- SP2
BL2 -u- SP2
BL2 -u- SP3

SP1 -d- L1
SP1 -d- L2
SP1 -d- L3
SP1 -d- L4

SP2 -d- L1
SP2 -d- L2
SP2 -d- L3
SP2 -d- L4

SP3 -d- L1
SP3 -d- L2
SP3 -d- L3
SP3 -d- L4

L1 -- HGA
L2 -- HGA
L3 -- HGB
L4 -- HGB

note right of SP1 : Underlay: iBGP/eBGP with ECMP
note right of L1 : Overlay: VXLAN/EVPN Tunnels
note right of L1 : VTEP IP: loopback address

@enduml

Spine-Leaf Topology Characteristics:

Underlay Network:
- A simple, robust Layer 3 IP network forms the underlay.
- Typically uses eBGP between leaves and spines (or OSPF/ISIS with iBGP for route reflection).
- Every device is a Layer 3 router, routing IP packets between VTEPs.
- Leverages Equal-Cost Multi-Path (ECMP) for active-active forwarding, maximizing bandwidth and resilience.
- VTEPs are typically loopback interfaces for stability and multi-pathing.
Overlay Network (VXLAN/EVPN):
- The logical network built on top of the underlay.
- VTEPs (usually on Leaf switches) encapsulate and decapsulate VXLAN traffic.
- EVPN BGP sessions run between leaves and spines (spines act as BGP route reflectors) to distribute MAC/IP reachability information.
- Multi-Tenancy with VRFs: Each tenant typically gets its own Virtual Routing and Forwarding (VRF) instance on the Leaf switches. This provides complete Layer 3 isolation between tenants, with separate routing tables. VXLAN VNIs are then mapped to these VRFs (for Layer 3 routing) and to VLANs (for Layer 2 segments within a VRF).
- Integrated Routing and Bridging (IRB): Allows a VTEP to perform both Layer 2 bridging (within a VNI) and Layer 3 routing (between VNIs or VRFs). Symmetric IRB is generally preferred for optimal forwarding paths.
- Border Leaves (Optional but Recommended): Dedicated leaves that connect the data center fabric to external networks (e.g., WAN, Internet). They perform external routing and policy enforcement.

nwdiag {
  // Define global settings
  graph_fontname = "Arial"
  graph_fontsize = 11
  span_fontsize = 9
  default_node_color = "#F0F4FF"
  default_network_color = "#E6F2FF"

  // Define network groups (VRFs)
  group {
    color = "#FFCCCC";
    label = "Tenant A VRF";

    network tenant_a_vlan10 {
      address = "10.0.10.0/24";
      description = "VNI 10010";

      L1_A [label = "Leaf1 (VTEP: 192.168.0.1)", address = "10.0.10.1"];
      L2_A [label = "Leaf2 (VTEP: 192.168.0.2)", address = "10.0.10.2"];
      ServerA1 [label = "Server A1", address = "10.0.10.10"];
      ServerA2 [label = "Server A2", address = "10.0.10.11"];
    }
    network tenant_a_vlan20 {
      address = "10.0.20.0/24";
      description = "VNI 10020";

      L1_A; // Part of same VRF
      L2_A; // Part of same VRF
      ServerA3 [label = "Server A3", address = "10.0.20.10"];
    }
  }

  group {
    color = "#CCFFCC";
    label = "Tenant B VRF";

    network tenant_b_vlan10 {
      address = "10.0.10.0/24"; // Same subnet, different VRF
      description = "VNI 20010";

      L3_B [label = "Leaf3 (VTEP: 192.168.0.3)", address = "10.0.10.1"];
      L4_B [label = "Leaf4 (VTEP: 192.168.0.4)", address = "10.0.10.2"];
      ServerB1 [label = "Server B1", address = "10.0.10.10"];
    }
  }

  // Underlay Network (connecting VTEPs)
  network underlay_core {
    address = "192.168.0.0/24";
    label = "VXLAN Underlay (IP Routing)";
    color = "#FFEEEE";

    L1_A;
    L2_A;
    L3_B;
    L4_B;

    Spine1 [address = "192.168.0.250", label="Spine 1"];
    Spine2 [address = "192.168.0.251", label="Spine 2"];
  }

  // Connect devices to their respective networks
  ServerA1 -- tenant_a_vlan10;
  ServerA2 -- tenant_a_vlan10;
  ServerA3 -- tenant_a_vlan20;
  ServerB1 -- tenant_b_vlan10;

  // Connect VTEPs to their tenant networks (implied by membership in VRF groups)
  L1_A -- tenant_a_vlan10;
  L1_A -- tenant_a_vlan20;
  L2_A -- tenant_a_vlan10;
  L3_B -- tenant_b_vlan10;
  L4_B -- tenant_b_vlan10;

  // Spines connect to the underlay and act as BGP Route Reflectors
  Spine1 -- underlay_core;
  Spine2 -- underlay_core;

  // Annotations
  L1_A -- ServerA1 [label = "VLAN 10"];
  L1_A -- ServerA3 [label = "VLAN 20"];
  L3_B -- ServerB1 [label = "VLAN 10"];

  // VXLAN tunnels are implicitly formed over the underlay
  L1_A -- L2_A [label = "VXLAN Overlay\n(VNI 10010, 10020)\nEVPN BGP Peering via Spines"];
  L1_A -- L3_B [label = "VXLAN Overlay\n(Inter-VRF routing on Leafs)"];
}

18.3 Configuration Examples

This section provides multi-vendor configuration examples for setting up a basic VXLAN/EVPN fabric. We will assume a simple Spine-Leaf setup where Leaf switches act as VTEPs and Spines act as BGP Route Reflectors. Each example will demonstrate configuring a single tenant with one Layer 2 VNI and one Layer 3 VNI (for IRB).

Common Topology Assumption:

Underlay: eBGP peering between Leafs and Spines. Loopback interfaces for VTEPs and BGP router-IDs.
Overlay: VXLAN/EVPN.
Leaf 1 VTEP IP: 192.168.0.1/32
Leaf 2 VTEP IP: 192.168.0.2/32
Tenant VRF: TENANT_A
Layer 2 VNI: 10010 mapped to VLAN 10 (subnet 10.0.10.0/24)
Layer 3 VNI: 10000 mapped to VLAN 1000 (used for IRB, typically no host interfaces directly on it)

18.3.1 Cisco NX-OS Configuration (Nexus Switches)

We will configure Leaf1 (192.168.0.1) and a Spine (192.168.0.250). Leaf2 would be similar to Leaf1.

Cisco NX-OS - Spine Configuration (Spine1 - 192.168.0.250)

The spine acts as a simple IP router and BGP route reflector for EVPN routes.

! Spine1 Configuration
!
feature bgp
feature nv overlay
!
! Underlay Interface Configuration
interface loopback0
  ip address 192.168.0.250/32
!
interface Ethernet1/1
  no switchport
  ip address 10.0.0.1/30
  no shutdown
!
interface Ethernet1/2
  no switchport
  ip address 10.0.0.5/30
  no shutdown
!
! BGP Configuration
router bgp 65001
  router-id 192.168.0.250
  address-family ipv4 unicast
    redistribute direct route-map ALLOW_LO0_ROUTES
  !
  neighbor 10.0.0.2 remote-as 65002 ! Leaf1
    update-source Ethernet1/1
    address-family l2vpn evpn
      send-community both
      route-reflector-client
  !
  neighbor 10.0.0.6 remote-as 65003 ! Leaf2
    update-source Ethernet1/2
    address-family l2vpn evpn
      send-community both
      route-reflector-client
!
! Route-map to advertise loopback IP to underlay
ip prefix-list LOOPBACK_LO0 seq 5 permit 192.168.0.250/32
!
route-map ALLOW_LO0_ROUTES permit 10
  match ip address prefix-list LOOPBACK_LO0
!
! Verification Commands
! show ip route
! show bgp l2vpn evpn summary
! show bgp l2vpn evpn route-type all
! show nve peers

Cisco NX-OS - Leaf Configuration (Leaf1 - 192.168.0.1)

Leaf1 acts as a VTEP, connecting to the underlay, hosting tenant interfaces, and performing IRB.

! Leaf1 Configuration
!
feature bgp
feature vn-segment-vlan-based
feature interface-vlan
feature nv overlay
feature vrf
!
! Create VRF for Tenant A
vrf context TENANT_A
  vni 10000 ! Layer 3 VNI for this VRF
!
! Underlay Interface Configuration
interface loopback0
  ip address 192.168.0.1/32
!
interface Ethernet1/1
  no switchport
  ip address 10.0.0.2/30
  no shutdown
!
! VLANs for VXLAN and IRB
vlan 10
  vn-segment 10010
vlan 1000
  vn-segment 10000
!
! Configure NVE (Network Virtualization Edge) Interface - the VTEP
interface nve1
  no shutdown
  source-interface loopback0
  host-reachability protocl bgp
  member vni 10010 associate-vrf ! BUM traffic for L2 VNI uses L3 VNI
    mcast-group 239.0.0.1 ! WARNING: Using multicast here. For Production, use Ingress Replication.
  member vni 10000 associate-vrf
    vrf member TENANT_A
!
! Tenant A - Layer 2 SVIs and bridge domain
interface Vlan10
  no shutdown
  vrf member TENANT_A
  ip address 10.0.10.1/24
  ipv6 address 2001:db8:a:10::1/64
  fabric forwarding mode anycast-gateway ! Enable Anycast Gateway
!
! BGP Configuration
router bgp 65002
  router-id 192.168.0.1
  address-family ipv4 unicast
    redistribute direct route-map ALLOW_LO0_ROUTES
    redistribute vrf TENANT_A route-map ALLOW_TENANT_A_ROUTES ! Advertise Tenant A routes
  !
  address-family l2vpn evpn
    retain route-target all
    advertise-svi-ip
    advertise-l2vpn evpn
  !
  neighbor 10.0.0.1 remote-as 65001 ! Spine1
    update-source Ethernet1/1
    address-family l2vpn evpn
      send-community both
!
! Route-map for underlay loopback
ip prefix-list LOOPBACK_LO0 seq 5 permit 192.168.0.1/32
route-map ALLOW_LO0_ROUTES permit 10
  match ip address prefix-list LOOPBACK_LO0
!
! Route-map for Tenant A VRF (example, adjust as needed)
ip prefix-list TENANT_A_ROUTES seq 5 permit 10.0.10.0/24
route-map ALLOW_TENANT_A_ROUTES permit 10
  match ip address prefix-list TENANT_A_ROUTES
!
! Access port for a host in VLAN 10
interface Ethernet1/2
  switchport
  switchport mode access
  switchport access vlan 10
  no shutdown
!
! Verification Commands
! show vrf TENANT_A
! show vlan brief
! show nve interface nve1 detail
! show nve peers
! show nve vni
! show bgp l2vpn evpn summary
! show bgp l2vpn evpn route-type all
! show ip route vrf TENANT_A
! show mac address-table vlan 10

WARNING: The use of mcast-group for BUM traffic is shown for illustration. In production, it is highly recommended to use ingress-replication protocol bgp for efficiency and to avoid complex multicast configurations in the underlay. This is configured under member vni in interface nve1.

18.3.2 Juniper JunOS Configuration

Juniper JunOS - Spine Configuration (Spine1 - 192.168.0.250)

# Spine1 Configuration
#
set system host-name Spine1
set interfaces lo0 unit 0 family inet address 192.168.0.250/32
set interfaces et-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces et-0/0/1 unit 0 family inet address 10.0.0.5/30
#
set protocols bgp group LEAVES type external
set protocols bgp group LEAVES local-address 192.168.0.250
set protocols bgp group LEAVES family inet unicast
set protocols bgp group LEAVES family evpn signaling
set protocols bgp group LEAVES neighbor 10.0.0.2 peer-as 65002
set protocols bgp group LEAVES neighbor 10.0.0.2 description "To Leaf1"
set protocols bgp group LEAVES neighbor 10.0.0.6 peer-as 65003
set protocols bgp group LEAVES neighbor 10.0.0.6 description "To Leaf2"
set protocols bgp group LEAVES route-reflector-client
#
set policy-options policy-statement ADVERTISE_LO0 term 1 from protocol direct
set policy-options policy-statement ADVERTISE_LO0 term 1 from interface lo0.0
set policy-options policy-statement ADVERTISE_LO0 term 1 then accept
#
set protocols bgp group LEAVES export ADVERTISE_LO0
#
# Verification Commands
# show route
# show bgp summary
# show bgp group LEAVES
# show evpn database

Juniper JunOS - Leaf Configuration (Leaf1 - 192.168.0.1)

# Leaf1 Configuration
#
set system host-name Leaf1
set interfaces lo0 unit 0 family inet address 192.168.0.1/32
set interfaces et-0/0/0 unit 0 family inet address 10.0.0.2/30
#
# Configure integrated routing and bridging (IRB) interface
set interfaces irb unit 10 family inet address 10.0.10.1/24
#
# Ethernet Switching Options for VXLAN
set vlans VLAN_TENANT_A_L2 vlan-id 10
set vlans VLAN_TENANT_A_L2 vxlan vni 10010
set vlans VLAN_TENANT_A_L2 l3-interface irb.10
#
# Configure VXLAN tunnel endpoint (VTEP)
set interfaces esi es-0/0/0/0 ethernet-segment-identifier 00:00:00:00:00:00:00:00:00:01 # Example ESI, use unique for multi-homing
set interfaces esi es-0/0/0/0 type all-active
set interfaces vxlan.0 local-gateway-ip 192.168.0.1 # VTEP source IP
set interfaces vxlan.0 vni 10010
set interfaces vxlan.0 vni 10010 multihome-designated-forwarder-election
set interfaces vxlan.0 vni 10010 vrf-target target:65002:10010 # Route-Target for VNI 10010

# VRF configuration for Tenant A
set routing-instances TENANT_A instance-type evpn
set routing-instances TENANT_A route-distinguisher 192.168.0.1:10000
set routing-instances TENANT_A vrf-target target:65002:10000 # Route-Target for VRF
set routing-instances TENANT_A protocols evpn encapsulation vxlan
set routing-instances TENANT_A protocols evpn default-gateway no-mac-address
set routing-instances TENANT_A interface irb.10
#
set protocols bgp group SPINE type external
set protocols bgp group SPINE local-address 192.168.0.1
set protocols bgp group SPINE family inet unicast
set protocols bgp group SPINE family evpn signaling
set protocols bgp group SPINE neighbor 10.0.0.1 peer-as 65001
set protocols bgp group SPINE neighbor 10.0.0.1 description "To Spine1"
#
set policy-options policy-statement ADVERTISE_LO0 term 1 from protocol direct
set policy-options policy-statement ADVERTISE_LO0 term 1 from interface lo0.0
set policy-options policy-statement ADVERTISE_LO0 term 1 then accept
#
set protocols bgp group SPINE export ADVERTISE_LO0
#
# Access port for a host in VLAN 10
set interfaces et-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces et-0/0/1 unit 0 family ethernet-switching vlan members VLAN_TENANT_A_L2
#
# Verification Commands
# show interfaces terse
# show vlans
# show evpn database
# show route instance TENANT_A
# show bgp summary
# show bgp group SPINE
# show evpn instance extensive
# show bridge domain

WARNING: Juniper’s EVPN configuration is quite complex. set interfaces vxlan.0 local-gateway-ip is the VTEP source. set interfaces vxlan.0 vni 10010 makes the VNI active. l3-interface irb.10 links the Layer 2 VNI to the Layer 3 IRB interface for routing. The vrf-target must match on all VTEPs for a given VNI/VRF.

18.3.3 Arista EOS Configuration

Arista EOS - Spine Configuration (Spine1 - 192.168.0.250)

! Spine1 Configuration
!
hostname Spine1
!
ip routing
!
interface Loopback0
   ip address 192.168.0.250/32
!
interface Ethernet1
   no switchport
   ip address 10.0.0.1/30
!
interface Ethernet2
   no switchport
   ip address 10.0.0.5/30
!
router bgp 65001
   router-id 192.168.0.250
   neighbor 10.0.0.2 remote-as 65002
      description Leaf1
      update-source Ethernet1
      ebgp-multihop 255
      address-family evpn
         send-community
         route-reflector-client
   neighbor 10.0.0.6 remote-as 65003
      description Leaf2
      update-source Ethernet2
      ebgp-multihop 255
      address-family evpn
         send-community
         route-reflector-client
   !
   address-family ipv4 unicast
      redistribute connected
!
! Verification Commands
! show ip route
! show bgp evpn summary
! show bgp evpn route-type all

Arista EOS - Leaf Configuration (Leaf1 - 192.168.0.1)

! Leaf1 Configuration
!
hostname Leaf1
!
ip routing
!
vlan 10
   name TENANT_A_L2
   vxlan vni 10010
!
vlan 1000
   name TENANT_A_L3_IRB
   vxlan vni 10000
!
vrf instance TENANT_A
   rd 192.168.0.1:10000
   route-target both 65002:10000
!
interface Loopback0
   ip address 192.168.0.1/32
!
interface Loopback1000 ! Loopback for IRB in VRF
   vrf forwarding TENANT_A
   ip address 10.0.10.1/24
   ip virtual-router address 10.0.10.1 ! Anycast Gateway
!
interface Ethernet1
   no switchport
   ip address 10.0.0.2/30
!
interface Ethernet2
   switchport mode access
   switchport access vlan 10
!
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 10 vni 10010
   vxlan vlan 1000 vni 10000
   vxlan routing-for-vrf TENANT_A vni 10000
!
router bgp 65002
   router-id 192.168.0.1
   neighbor 10.0.0.1 remote-as 65001
      description Spine1
      update-source Ethernet1
      ebgp-multihop 255
      address-family evpn
         send-community
   !
   address-family evpn
      vni 10010 advertise l2vpn evpn
      vni 10000 advertise l2vpn evpn
   !
   vrf TENANT_A
      address-family ipv4 unicast
         redistribute connected
!
! Verification Commands
! show vrf
! show vlan
! show ip interface brief vrf TENANT_A
! show ip route vrf TENANT_A
! show interface vxlan 1
! show vxlan vni
! show vxlan address-table
! show bgp evpn summary
! show bgp evpn route-type all

18.4 Automation Examples

Automating VXLAN/EVPN deployments is crucial for agility and reducing human error in large-scale data centers. Ansible is an excellent choice for this, leveraging its declarative nature and network modules.

18.4.1 Ansible Playbook for VXLAN/EVPN Configuration

This Ansible playbook demonstrates how to configure a new tenant (VRF, VLAN, VNI, IRB interface) on Cisco NX-OS leaf switches. It assumes the underlay BGP peering is already established.

inventory.yml

all:
  children:
    leaves:
      hosts:
        leaf1.dc.local:
          ansible_host: 192.168.1.101
          vtep_ip: 192.168.0.1
        leaf2.dc.local:
          ansible_host: 192.168.1.102
          vtep_ip: 192.168.0.2
      vars:
        ansible_network_os: nxos
        ansible_user: admin
        ansible_password: "" # Use Ansible Vault

configure_tenant_vxlan.yml

---
- name: Configure VXLAN/EVPN for a New Tenant on NX-OS Leafs
  hosts: leaves
  gather_facts: false
  connection: network_cli

  vars:
    tenant_name: TENANT_SALES
    tenant_vrf_vni: 30000 # L3 VNI for the VRF
    tenant_l2_vlan_id: 30
    tenant_l2_vni: 30030
    tenant_l2_subnet: 10.0.30.0/24
    tenant_l2_gateway_ip: 10.0.30.1 # Anycast Gateway IP

  tasks:
    - name: Ensure VXLAN features are enabled
      nxos_feature:
        feature: ""
        state: enabled
      loop:
        - bgp
        - vn-segment-vlan-based
        - interface-vlan
        - nv overlay
        - vrf
      tags: features

    - name: Create Tenant VRF
      nxos_vrf_interface:
        vrf: ""
        vni: ""
        state: present
      tags: vrf

    - name: Create Layer 2 VLAN and map to VNI
      nxos_vlan:
        vlan_id: ""
        name: "_L2_VLAN_"
        state: present
        vni: ""
      tags: vlan_vni_mapping

    - name: Configure NVE interface for Layer 2 VNI
      nxos_config:
        lines:
          - "member vni  associate-vrf"
          - "  ingress-replication protocol bgp" # Recommended for production
        parents: "interface nve1"
      tags: nve_l2_vni

    - name: Configure NVE interface for Layer 3 VRF VNI
      nxos_config:
        lines:
          - "member vni  associate-vrf"
          - "  vrf member "
        parents: "interface nve1"
      tags: nve_l3_vni

    - name: Configure SVI for Layer 2 VNI with Anycast Gateway
      nxos_interface:
        interface: "Vlan"
        description: " L2 SVI"
        state: present
        mode: L3
        enabled: true
      tags: svi_config

    - name: Assign IP address and VRF to SVI
      nxos_config:
        lines:
          - "vrf member "
          - "ip address /"
          - "fabric forwarding mode anycast-gateway"
        parents: "interface Vlan"
      tags: svi_ip_vrf

    - name: Configure BGP EVPN for new VNI in the VRF
      nxos_bgp:
        asn: 65002 # Replace with your fabric's AS number
        router_id: ""
        address_family: evpn
        config:
          - name: "vni  advertise l2vpn evpn"
          - name: "vni  advertise l2vpn evpn"
        state: merged
      tags: bgp_evpn_vni

    - name: Configure BGP for VRF
      nxos_config:
        lines:
          - "address-family ipv4 unicast"
          - "redistribute connected"
        parents: "router bgp 65002\nvrf " # Replace with your fabric's AS number
      tags: bgp_vrf

    - name: Verify NVE VNI status
      nxos_command:
        commands: "show nve vni "
      register: nve_vni_output
      tags: verify
    - name: Print NVE VNI status
      debug:
        var: nve_vni_output.stdout_lines
      tags: verify

    - name: Verify BGP EVPN routes for new VNI
      nxos_command:
        commands: "show bgp l2vpn evpn route-type all vni "
      register: bgp_evpn_output
      tags: verify
    - name: Print BGP EVPN routes
      debug:
        var: bgp_evpn_output.stdout_lines
      tags: verify

How to run this playbook:

ansible-playbook -i inventory.yml configure_tenant_vxlan.yml --ask-vault-pass

18.4.2 Python Script for Verification

This Python script uses Netmiko to connect to a Cisco NX-OS device and verify the operational status of a specific VXLAN VNI.

import os
from netmiko import ConnectHandler
import getpass
import json

# Device connection details (replace with your inventory or secrets management)
devices = [
    {
        "device_type": "cisco_nxos",
        "host": "192.168.1.101",
        "username": "admin",
        "password": os.environ.get("NETMIKO_PASSWORD", getpass.getpass("Enter password for NX-OS: ")),
    },
    # Add more devices as needed
]

def verify_vxlan_vni(device_info, vni_id):
    """Connects to an NX-OS device and verifies VXLAN VNI status."""
    print(f"\n--- Connecting to {device_info['host']} ---")
    try:
        with ConnectHandler(**device_info) as net_connect:
            # Verify NVE VNI status
            command_nve_vni = f"show nve vni {vni_id}"
            output_nve_vni = net_connect.send_command(command_nve_vni, use_textfsm=True)
            print(f"\nVerification for VNI {vni_id} on {device_info['host']}:")
            if output_nve_vni:
                for vni_entry in output_nve_vni:
                    if vni_entry['vni'] == str(vni_id):
                        print(f"  VNI {vni_id} State: {vni_entry['state']}")
                        print(f"  VNI {vni_id} Type: {vni_entry['type']}")
                        print(f"  VNI {vni_id} Mapped VLAN: {vni_entry['vlan']}")
                        print(f"  VNI {vni_id} BUM Traversal: {vni_entry['bum_traffic_type']}")
                        if vni_entry['state'] == 'Up':
                            print(f"  VNI {vni_id} is UP. Status: PASS")
                            return True
                        else:
                            print(f"  VNI {vni_id} is DOWN. Status: FAIL")
                            return False
                print(f"  VNI {vni_id} not found in 'show nve vni' output. Status: FAIL")
                return False
            else:
                print(f"  Failed to get 'show nve vni' output. Status: FAIL")
                return False

    except Exception as e:
        print(f"  Error connecting to {device_info['host']}: {e}. Status: FAIL")
        return False

if __name__ == "__main__":
    target_vni = input("Enter the VNI to verify (e.g., 30030): ")
    if not target_vni.isdigit():
        print("Invalid VNI. Please enter a number.")
    else:
        all_passed = True
        for device in devices:
            if not verify_vxlan_vni(device, int(target_vni)):
                all_passed = False
        if all_passed:
            print("\n--- All VXLAN VNI verifications passed successfully! ---")
        else:
            print("\n--- Some VXLAN VNI verifications failed. Review logs. ---")

18.5 Security Considerations

Securing a VXLAN/EVPN multi-tenant data center is paramount. While the architecture provides strong logical isolation, specific attack vectors exist that require careful mitigation.

18.5.1 Attack Vectors

VNI Spoofing: An attacker could attempt to encapsulate traffic with a spoofed VNI, potentially gaining access to an unauthorized tenant’s network segment.
EVPN Control Plane Hijacking: Compromise of BGP peering sessions (e.g., through weak authentication or router compromise) could lead to:
- MAC/IP Address Spoofing: Advertising false MAC-to-VTEP mappings, causing traffic intended for legitimate hosts to be redirected to an attacker.
- Route Hijacking: Advertising illegitimate IP prefixes (Type 5 routes), diverting inter-VNI or external traffic.
- BUM Traffic Redirection: Manipulating Type 3 routes to receive BUM traffic for unauthorized VNIs.
VTEP Compromise: If a VTEP itself is compromised, an attacker can directly encapsulate and decapsulate traffic, bypassing VXLAN security.
Underlay Network Attacks: Standard IP network attacks (DDoS, man-in-the-middle, IP spoofing) can impact the VXLAN overlay by disrupting VTEP reachability or traffic forwarding.
Multi-Tenancy Breaches: Misconfiguration of VRFs, VNI-to-VLAN mappings, or route targets can unintentionally leak traffic or routes between tenants.
Lack of Data Plane Encryption: Standard VXLAN does not inherently encrypt the encapsulated payload. Traffic traversing the underlay is in plain text unless additional measures are taken.

18.5.2 Mitigation Strategies and Best Practices

Secure the Underlay Network:
- Strong Authentication for Routing Protocols: Use MD5 or SHA authentication for BGP peerings between leaves and spines.
- Control Plane Policing (CoPP): Protect the CPU of network devices from malicious traffic (e.g., excessive BGP updates, NVE traffic).
- Access Control Lists (ACLs): Filter unauthorized traffic to VTEP IP addresses.
- Network Time Protocol (NTP) Synchronization: Crucial for logging and forensic analysis.
- Out-of-Band Management: Isolate management network traffic.
Harden BGP EVPN Control Plane:
- BGP Peer Authentication: Essential for all EVPN peerings.
- BGP Max-Prefix Limits: Prevent route table exhaustion due to malicious advertisements.
- Route Filtering: Implement strict ingress and egress route filtering for EVPN routes, especially for Type 5 (IP Prefix) routes between VRFs or to external networks.
- Loopback Protection: Secure loopback interfaces used as VTEP source IPs and BGP router-IDs.
Isolate Tenants with VRFs and VNIs:
- Strict VRF Separation: Ensure each tenant has its own dedicated VRF for Layer 3 isolation.
- Unique VNIs: Use globally unique VNIs for each Layer 2 segment and Layer 3 VRF.
- Proper Route Target/Distinguisher Configuration: Mismatched RTs/RDs are a common cause of tenant leakage.
Secure VTEPs and Host Access:
- Physical Security: Secure VTEP-capable switches.
- Port Security: Use 802.1X or MAC security on access ports to prevent unauthorized devices from connecting to a tenant’s VLAN/VNI.
- Micro-segmentation: Implement firewalls or security groups (e.g., Cisco ACI/DNA, VMware NSX) at the host or virtual machine level to enforce granular policy within and between VNIs.
Data Plane Security:
- IPsec Encapsulation: For sensitive traffic, deploy IPsec over the underlay to encrypt VXLAN packets between VTEPs. This adds overhead but provides confidentiality and integrity.
- MACsec (802.1AE): If supported, implement MACsec on physical links between VTEPs for Layer 2 encryption.
Regular Audits and Monitoring:
- Configuration Audits: Regularly review VXLAN/EVPN configurations for compliance and misconfigurations.
- Fabric Monitoring: Utilize network monitoring tools to detect unusual traffic patterns, unauthorized VNI activity, or BGP anomalies.
- Logging: Centralize logs for correlation and incident response.

18.6 Verification & Troubleshooting

Troubleshooting VXLAN/EVPN can be complex due to the overlay-underlay separation and the interplay of multiple protocols (BGP, OSPF/ISIS, VXLAN). A systematic approach is essential.

18.6.1 Common Issues

Issue Category	Specific Problem	Description
Underlay Connectivity	VTEP Reachability Issues	VTEPs cannot ping each other’s loopback (source-interface).
	Underlay MTU Mismatch	VXLAN encapsulation adds 50 bytes. Underlay needs to support jumbo frames (e.g., 9100 bytes).
Control Plane (EVPN)	BGP Peering Down	BGP sessions between leaves/spines are not established or flapping.
	Missing or Incorrect EVPN Address Family	BGP is up, but EVPN routes are not being exchanged.
	Route Target/Distinguisher Mismatch	VNIs/VRFs are not being correctly imported/exported between VTEPs, leading to tenant isolation failure.
	Missing MAC/IP Routes	Specific host MAC/IP addresses are not learned or advertised by EVPN.
	Designated Forwarder (DF) Election Issues	In multi-homed scenarios, BUM traffic forwarding might be inconsistent due to DF problems.
Data Plane (VXLAN)	VNI to VLAN Mapping Incorrect	The local VLAN is not correctly mapped to the VXLAN VNI.
	NVE (VTEP) Interface Down/Misconfigured	The VXLAN tunnel endpoint interface is not active or missing key configurations (source-interface).
	Ingress Replication/Multicast Issues	BUM traffic is not reaching all VTEPs in a VNI due to problems with ingress replication lists or underlay multicast.
	Fabric Forwarding Mode (Anycast Gateway)	Anycast Gateway not configured or misconfigured, leading to asymmetric routing or ARP issues.
Host Connectivity	ARP/MAC Address Learning	Host cannot resolve ARP for a remote host or its MAC is not learned.
	IP Routing between VNIs/VRFs	Hosts in different VNIs/VRFs cannot communicate due to incorrect IRB or VRF routing configuration.

18.6.2 Troubleshooting Methodology

Start from the Bottom (Underlay First):
- Verify physical connectivity.
- Verify IP reachability between VTEP loopback interfaces (ping <remote_vtep_ip>).
- Check underlay routing protocol (OSPF/ISIS/BGP) status and routing tables. Ensure all VTEP loopbacks are reachable.
- Verify MTU settings across the entire underlay path (ping <remote_vtep_ip> size <jumbo_frame_size> df-bit).
Move to the Control Plane (EVPN BGP):
- Verify BGP peering status (show bgp summary, show bgp evpn summary).
- Check BGP EVPN address family activation (show run | section "router bgp").
- Examine EVPN routes exchanged (show bgp l2vpn evpn route-type all). Look for Type 2 (MAC/IP), Type 3 (BUM), and Type 5 (IP Prefix) routes. Ensure correct RDs and RTs are present.
- Check EVPN database (show evpn database).
Verify the Data Plane (VXLAN):
- Check NVE interface status (show nve interface nve1 detail). Ensure state is ‘Up’ and source-interface is correctly configured.
- Verify VNI to VLAN mappings (show nve vni, show vlan brief).
- Inspect VXLAN tunnels and learned MAC addresses (show vxlan address-table, show nve peers).
- Confirm ingress replication lists (or multicast group membership if using IP multicast).
Check Tenant-Specific Configuration:
- Verify VRF configuration (show vrf).
- Check SVI/IRB interfaces and their IP addresses (show ip interface brief vrf <vrf_name>).
- Verify Anycast Gateway status (show ip interface Vlan<vlan_id> | grep "Anycast", show virtual-router).
- Check host-facing access port configuration (access VLAN, port security).

18.6.3 Verification Commands (Cisco NX-OS)

# 1. Underlay Connectivity
show ip route 192.168.0.250/32         # Check reachability to spine loopback
ping 192.168.0.2                       # Ping remote VTEP loopback
ping 192.168.0.2 size 9000 df-bit      # Check jumbo frame support

# 2. Control Plane (EVPN BGP)
show bgp l2vpn evpn summary            # BGP EVPN peer status
show bgp l2vpn evpn route-type all     # All EVPN routes (MAC/IP, BUM, IP Prefix)
show bgp l2vpn evpn route-type 2 mac 0000.abcd.0001 # Specific MAC address lookup
show evpn database                     # EVPN learned information

# 3. Data Plane (VXLAN)
show nve interface nve1 detail         # VTEP (NVE) interface status
show nve peers                         # VXLAN tunnel peer status
show nve vni                           # VNI to VLAN mappings and status
show vxlan address-table               # MAC addresses learned over VXLAN

# 4. Tenant Specific
show vrf TENANT_A                      # VRF details
show ip interface brief vrf TENANT_A   # Tenant interface IPs
show ip route vrf TENANT_A             # Tenant routing table
show virtual-router mac                # Anycast Gateway MAC
show mac address-table vlan 10         # Local MACs on VLAN 10

18.6.4 Debug Commands (Cisco NX-OS)

WARNING: Debug commands can be CPU-intensive and impact performance. Use with caution in production.

terminal monitor                      # Enable console output for debug messages
debug bgp l2vpn evpn all              # Extensive BGP EVPN debugging
debug nve all                         # VXLAN NVE interface debugging
debug vlan all                        # VLAN-related debugging
debug ip packet interface Vlan10      # Debug IP packets on a specific SVI

18.7 Performance Optimization

Optimizing VXLAN/EVPN performance ensures efficient data transfer and control plane stability in high-demand data center environments.

Jumbo Frames:
- Crucial: VXLAN encapsulation adds approximately 50 bytes (VXLAN, UDP, IP, outer Ethernet). Ensure the entire underlay network supports Jumbo Frames (e.g., MTU of 9100 bytes) to avoid fragmentation, which severely impacts performance. Configure mtu on all physical and logical interfaces in the underlay.
ECMP in Underlay:
- Leverage Equal-Cost Multi-Path (ECMP) routing in the underlay. Since VXLAN traffic is encapsulated in UDP/IP, it can naturally utilize multiple paths between VTEPs, effectively increasing bandwidth and resilience. Configure BGP (or OSPF/ISIS) with maximum ECMP paths.
Hardware Offloading:
- Modern network adapters (NICs) and switches support VXLAN hardware offloading. This means the CPU isn’t burdened with encapsulation/decapsulation, improving performance for both data plane and host applications. Verify hardware capabilities and ensure offloading is enabled.
Optimal BUM Traffic Handling:
- Ingress Replication: For BUM (Broadcast, Unknown Unicast, Multicast) traffic, always prefer BGP-signaled ingress replication over IP multicast in the underlay. Ingress replication is simpler to configure, avoids complex multicast routing, and is more scalable for a large number of VNIs.
- ARP Suppression: VTEPs can learn and cache ARP entries (MAC-IP bindings) and respond to ARP requests locally without flooding them across the VXLAN overlay. This significantly reduces BUM traffic.
Control Plane Scaling:
- BGP Route Reflectors: Use dedicated BGP route reflectors (typically on Spine switches) to simplify the BGP peering mesh and reduce the number of BGP sessions on each leaf. This scales the EVPN control plane efficiently.
- Route Summarization: Where appropriate, summarize IP prefixes (Type 5 routes) to reduce the number of routes in the BGP table.
QoS and Congestion Management:
- Implement QoS policies to prioritize critical VXLAN traffic (e.g., management, storage, vMotion) over less critical traffic within the underlay network.
- Use Explicit Congestion Notification (ECN) to help prevent packet loss due to congestion.
Monitoring and Capacity Planning:
- Monitor key performance indicators (KPIs) such as link utilization, packet drops, CPU utilization on VTEPs, BGP session status, and VNI health.
- Regularly review network design and capacities to ensure they can meet current and future demands.

18.8 Hands-On Lab

This lab guides you through configuring a basic VXLAN/EVPN fabric with two leaves and one spine. You will create a single tenant with a Layer 2 VNI and an IRB interface.

@startuml
!theme mars

' Define elements
rectangle "Spine1" as Spine {
  component "Loopback0\n(192.168.0.250/32)" as SP_LO
  component "Eth1\n(10.0.0.1/30)" as SP_ET1
  component "Eth2\n(10.0.0.5/30)" as SP_ET2
}

rectangle "Leaf1 (VTEP)" as Leaf1 {
  component "Loopback0\n(192.168.0.1/32)" as L1_LO
  component "Eth1\n(10.0.0.2/30)" as L1_ET1
  component "Eth2\n(Access Port)" as L1_ET2
  component "VRF TENANT_A" as L1_VRF
  component "VLAN 10 / VNI 10010" as L1_VLAN10
  component "NVE1 (VTEP)" as L1_NVE
}

rectangle "Leaf2 (VTEP)" as Leaf2 {
  component "Loopback0\n(192.168.0.2/32)" as L2_LO
  component "Eth1\n(10.0.0.6/30)" as L2_ET1
  component "Eth2\n(Access Port)" as L2_ET2
  component "VRF TENANT_A" as L2_VRF
  component "VLAN 10 / VNI 10010" as L2_VLAN10
  component "NVE1 (VTEP)" as L2_NVE
}

rectangle "Host A" as HostA {
  component "IP: 10.0.10.10" as HA_IP
}

rectangle "Host B" as HostB {
  component "IP: 10.0.10.11" as HB_IP
}

' Connect elements
L1_ET1 -- SP_ET1 : Underlay IP
L2_ET1 -- SP_ET2 : Underlay IP

L1_LO -[hidden]- L1_VRF
L1_NVE -[hidden]- L1_VRF
L1_NVE -[hidden]- L1_VLAN10

L2_LO -[hidden]- L2_VRF
L2_NVE -[hidden]- L2_VRF
L2_NVE -[hidden]- L2_VLAN10

L1_ET2 -- HostA : Access VLAN 10
L2_ET2 -- HostB : Access VLAN 10

' Add abstract connections
L1_NVE .. L2_NVE : VXLAN Tunnel over Underlay
Spine .u.| L1_NVE : BGP EVPN Route Reflector
Spine .u.| L2_NVE : BGP EVPN Route Reflector
L1_VLAN10 .u.| L1_VRF : IRB (Anycast Gateway 10.0.10.1)
L2_VLAN10 .u.| L2_VRF : IRB (Anycast Gateway 10.0.10.1)

@enduml

Lab Objectives:

Configure the underlay network (eBGP) on Spine and Leaf switches.
Configure VXLAN features, VNIs, and VTEPs on Leaf switches.
Configure EVPN BGP peering between Leaves and Spines.
Configure a tenant VRF, SVI, and Anycast Gateway.
Connect Hosts and verify Layer 2 and Layer 3 connectivity.

Assumptions:

Devices are running Cisco NX-OS (or a supported platform with similar commands).
Basic device configuration (hostname, management IP) is done.
Spine ASN: 65001, Leaf ASNs: 65002 (Leaf1), 65003 (Leaf2).
Tenant VRF: TENANT_GREEN
Tenant Layer 2 VNI: 20000 (mapped to VLAN 20)
Tenant Layer 3 VNI: 20001 (for VRF)
Tenant Subnet: 10.0.20.0/24 with Anycast Gateway 10.0.20.1.

Step-by-Step Configuration (Cisco NX-OS - as per previous section):

Spine1 (192.168.0.250):
- Configure loopback0 and Ethernet1/1 (to Leaf1), Ethernet1/2 (to Leaf2) with IP addresses.
- Configure BGP AS 65001 with neighbors 10.0.0.2 (Leaf1) and 10.0.0.6 (Leaf2).
- Enable address-family l2vpn evpn for neighbors and set them as route-reflector-client.
- Ensure loopback0 is advertised via BGP.
- Refer to section 18.3.1 for exact commands.
Leaf1 (192.168.0.1):
- Enable feature bgp, feature vn-segment-vlan-based, feature interface-vlan, feature nv overlay, feature vrf.
- Configure loopback0 and Ethernet1/1 (to Spine1) with IP addresses.
- Create vrf context TENANT_GREEN, set vni 20001.
- Create vlan 20, map to vn-segment 20000. Create vlan 2001 (for IRB L3 VNI) and map to vn-segment 20001.
- Configure interface nve1: source-interface loopback0, host-reachability protocol bgp.
- Add member vni 20000 associate-vrf and ingress-replication protocol bgp.
- Add member vni 20001 associate-vrf, vrf member TENANT_GREEN.
- Configure interface Vlan20: vrf member TENANT_GREEN, ip address 10.0.20.1/24, fabric forwarding mode anycast-gateway.
- Configure BGP AS 65002 with neighbor 10.0.0.1 (Spine1).
- Enable address-family l2vpn evpn, advertise-svi-ip.
- Advertise vni 20000 and vni 20001 in the EVPN address-family.
- Configure router bgp 65002, vrf TENANT_GREEN, address-family ipv4 unicast, redistribute connected.
- Configure interface Ethernet1/2 as switchport mode access, switchport access vlan 20.
- Refer to section 18.3.1 for exact commands (adjusting for TENANT_GREEN VRF and VNI/VLAN IDs).
Leaf2 (192.168.0.2):
- Repeat Leaf1 configuration, adjusting ASN (65003), VTEP IP, and neighbor IP to connect to Spine1 (10.0.0.5 to Spine1’s 10.0.0.6).
- Ensure all tenant details (VRF name, VNIs, VLANs, Anycast Gateway IP) are identical to Leaf1.
- Configure interface Ethernet1/2 as switchport mode access, switchport access vlan 20.
Host A & Host B:
- Configure Host A with IP: 10.0.20.10/24, Gateway: 10.0.20.1.
- Configure Host B with IP: 10.0.20.11/24, Gateway: 10.0.20.1.

Verification Steps:

Verify Underlay:
- From Leaf1: ping 192.168.0.250, ping 192.168.0.2
- From Spine1: ping 192.168.0.1, ping 192.168.0.2
- Ensure show ip route on all devices shows routes to all loopbacks.
Verify EVPN BGP:
- On Leaf1/Leaf2/Spine1: show bgp l2vpn evpn summary (all peers should be Established).
- On Leaf1: show bgp l2vpn evpn route-type all (should see Type 2 routes from Leaf2, Type 3 routes from all VTEPs, Type 5 routes from Leaf2 for 10.0.20.0/24).
Verify VXLAN VTEP/VNI:
- On Leaf1/Leaf2: show nve interface nve1 detail (state should be Up).
- On Leaf1/Leaf2: show nve vni (VNI 20000 and 20001 should be Up and mapped correctly).
- On Leaf1/Leaf2: show nve peers (should see the other Leaf as a peer).
Verify Tenant Configuration:
- On Leaf1/Leaf2: show vrf TENANT_GREEN
- On Leaf1/Leaf2: show ip interface brief vrf TENANT_GREEN (Vlan20 should have 10.0.20.1/24).
- On Leaf1/Leaf2: show ip route vrf TENANT_GREEN (should see connected routes and potentially routes to other VNIs via Type 5).
Verify Host Connectivity:
- From Host A: ping 10.0.20.1 (Anycast Gateway).
- From Host A: ping 10.0.20.11 (Host B).
- From Leaf1: show vxlan address-table vni 20000 (should see Host A’s MAC locally, Host B’s MAC via Leaf2’s VTEP IP).
- From Host B: ping 10.0.20.10 (Host A).

Challenge Exercises:

Add a second Layer 2 VNI (e.g., VLAN 30 / VNI 20030, subnet 10.0.30.0/24) to TENANT_GREEN and verify inter-VNI routing through the Anycast Gateway.
Introduce a new tenant, TENANT_BLUE, with its own VRF, VLAN, VNI, and subnet, ensuring complete isolation from TENANT_GREEN.
Simulate a link failure between a Leaf and a Spine. Verify that traffic continues to flow via ECMP.
Remove ingress-replication protocol bgp and configure mcast-group 239.0.0.10 on Leaf1’s VNI 20000. Try to get multicast working for BUM traffic in the underlay (requires PIM on underlay devices). Observe the complexity vs. ingress replication.

18.9 Best Practices Checklist

Adhering to these best practices ensures a robust, secure, and scalable VXLAN/EVPN deployment.

[ ] Design & Architecture

Spine-Leaf Underlay: Implement a full Layer 3 Spine-Leaf underlay with eBGP between leaves and spines.
ECMP Everywhere: Leverage ECMP for all paths in the underlay for maximal bandwidth and resilience.
Loopbacks for VTEPs: Use loopback interfaces for VTEP source IP addresses and BGP router-IDs.
Dedicated Route Reflectors: Designate spines as BGP route reflectors for EVPN address families.
Symmetric IRB: Prefer symmetric Integrated Routing and Bridging for optimal traffic flows and consistent forwarding.
Unique VNIs: Ensure unique VNIs across the entire data center fabric for each Layer 2 segment and Layer 3 VRF.
Multi-homing Design: Plan for Ethernet Segment Identifier (ESI) and Designated Forwarder (DF) election if connecting hosts/devices to multiple leaves.
Border Leaf Integration: Design clear points of egress for external connectivity (WAN, Internet) using dedicated border leaves with VRF-Lite or MPLS VPN integration.

[ ] Configuration

Jumbo Frames: Configure MTU of 9100 bytes (or appropriate size for encapsulation overhead) on ALL underlay interfaces.
BGP Authentication: Implement MD5 or SHA authentication for all BGP peerings (underlay and EVPN).
BGP Max-Prefix: Configure max-prefix limits on BGP peers to prevent route table overflow from misconfigurations or attacks.
Route Filtering: Apply strict ingress and egress route policies on BGP peers for both IPv4 unicast and EVPN address families.
Ingress Replication: Always use BGP-signaled ingress replication for BUM traffic; avoid IP multicast in the underlay unless specifically required and well-managed.
ARP Suppression: Enable ARP suppression on VTEPs to reduce ARP flooding in the overlay.
Anycast Gateway: Configure Anycast Gateway on SVIs for each VNI/VRF for distributed Layer 3 default gateway functionality.
Control Plane Policing (CoPP): Protect network device CPUs from excessive control plane traffic.

[ ] Security

VRF Isolation: Use VRFs for strict Layer 3 tenant isolation.
Route Target/Distinguisher: Carefully manage and apply RDs and RTs to prevent tenant leakage.
Access Port Security: Implement 802.1X or MAC security on host-facing access ports.
Micro-segmentation: Deploy a micro-segmentation strategy (e.g., using firewalls, DCNM/ACI/NSX policies) for granular traffic control within and between VNIs/VRFs.
Underlay Security: Secure the underlay with ACLs, control plane hardening, and dedicated management networks.
Data Plane Encryption (Optional): Consider IPsec or MACsec for sensitive traffic if data plane encryption is a requirement.

[ ] Operations & Automation

NetDevOps Practices: Embrace Infrastructure-as-Code (IaC) principles for all network configurations using tools like Ansible, Terraform, or Python.
Centralized Management: Utilize a network management solution (e.g., Cisco DCNM, Juniper Contrail, Arista CloudVision) for centralized orchestration, provisioning, and monitoring.
Comprehensive Monitoring: Monitor underlay link states, BGP sessions, VTEP health, VNI status, and fabric performance metrics.
Centralized Logging: Aggregate logs from all devices to a central SIEM for security analysis and troubleshooting.
Regular Audits: Conduct periodic security and configuration audits.
Documentation: Maintain thorough and up-to-date documentation of the underlay and overlay networks.

18.10 Reference Links

RFC 7348: Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Layer Two over Layer Three Communities
- https://datatracker.ietf.org/doc/html/rfc7348
RFC 7432: BGP MPLS-Based Ethernet VPN
- https://datatracker.ietf.org/doc/html/rfc7432
Cisco VXLAN EVPN Documentation (NX-OS):
- Refer to the latest Cisco Nexus 9000 Series NX-OS Configuration Guides for BGP EVPN and VXLAN.
Juniper EVPN VXLAN Documentation (JunOS):
- Refer to the latest Juniper MX/QFX Series documentation for EVPN-VXLAN.
Arista VXLAN EVPN Documentation (EOS):
- Refer to the latest Arista EOS Configuration Guides for VXLAN and EVPN.
Ansible Network Automation:
- https://docs.ansible.com/ansible/latest/network/index.html
Netmiko Documentation:
- https://github.com/ktbyers/netmiko
PlantUML Documentation:
- https://plantuml.com/
PacketDiag Documentation:
- http://blockdiag.com/en/nwdiag/packetdiag-examples.html
Graphviz DOT Language:
- https://graphviz.org/doc/info/lang.html

18.11 What’s Next

This chapter has provided a comprehensive overview of building secure, multi-tenant data centers using VXLAN/EVPN. You’ve learned about the underlying protocols, architectural considerations, configuration across multiple vendors, automation techniques, critical security aspects, and troubleshooting methodologies.

Key Learnings Recap:

VXLAN provides highly scalable Layer 2 segments over an IP underlay, overcoming VLAN limitations.
EVPN leverages BGP to offer an intelligent, distributed control plane for MAC/IP learning and BUM traffic optimization.
Spine-Leaf architecture with eBGP underlay is the foundation for VXLAN/EVPN fabrics.
Automation is essential for deploying and managing these complex networks efficiently and accurately.
Robust security practices are vital to maintain tenant isolation and protect against common attack vectors.

In the next chapters, we will expand on these concepts, potentially exploring:

Chapter 19: Advanced EVPN Features and Inter-Data Center Connectivity (DCI): Delving into more complex EVPN features like ESI multi-homing with all-active forwarding, EVPN Type 5 routes for DCI, and seamless extension of Layer 2/3 between multiple data centers.
Chapter 20: Network Programmability and SD-WAN Integration: Exploring how VXLAN/EVPN integrates with broader Software-Defined Networking (SDN) and SD-WAN solutions for end-to-end service orchestration and policy enforcement.

Mastering VXLAN/EVPN is a cornerstone for modern network engineering. Continue to practice, explore vendor-specific implementations, and stay updated with the evolving landscape of data center networking.