🌐 VXLAN BGP EVPN Lab Guide

Cisco Catalyst 9000 Series - Layer 2 Extension Over Layer 3 Underlay

🎯 Welcome to the VXLAN BGP EVPN Lab

This lab guide will walk you through the implementation of VXLAN (Virtual Extensible LAN) with BGP EVPN (Ethernet VPN) control plane on Cisco Catalyst 9000 series switches. You'll learn how to extend Layer 2 networks across a Layer 3 underlay using industry-standard protocols.

📚 What You'll Learn

  • Understand VXLAN architecture and its role in modern data center fabrics
  • Configure BGP EVPN as the control plane for VXLAN
  • Implement NVE (Network Virtualization Edge) interfaces on Catalyst 9300
  • Configure L2VPN EVPN instances for VLAN-to-VNI mapping
  • Set up iBGP peering for EVPN address family between VTEPs
  • Configure EIGRP underlay for loopback reachability
  • Verify and troubleshoot VXLAN fabric operations

🏒 Lab Environment

This lab uses a 5-switch topology with three Catalyst 9300 switches acting as VTEPs (VXLAN Tunnel Endpoints) and two Catalyst 9500 switches serving as spine/transit devices. Three PCs are connected to demonstrate Layer 2 extension across the VXLAN fabric.

💡 Key Concept

VXLAN BGP EVPN provides a standards-based control plane that eliminates the need for flood-and-learn, enabling scalable and efficient Layer 2 extension across Layer 3 boundaries. BGP EVPN distributes MAC address information, allowing optimal forwarding without multicast in the underlay.

Licensing Requirement: VXLAN features on Cisco Catalyst 9000 series require Network Advantage license level. The DNA Advantage addon is recommended for advanced features. Verify your license before beginning!

🗺️ Network Topology

                                    ┌─────────────┐
                                    │  ULPC-9300  │ ◄── VTEP (Leaf)
                                    │ Lo1: 10.255.255.12
                                    │ VLAN 20 SVI │
                              G1/0/1└──────┬──────┘G1/0/2
                                    │      │
                         192.168.100.0/30  │  192.168.101.0/30
                                    │      │
                              G1/0/2│      │G1/0/1
                         ┌──────────┴──┐ ┌─┴───────────┐
                         │  ULGR-9500  │ │  ULKZ-9500  │ ◄── Spine/Transit
                         │ Lo1: .213   │ │  Lo1: .214  │
                         └──────┬──────┘ └──────┬──────┘
                              G1/0/8│           │G1/0/8
                         192.168.102.0/30  192.168.102.0/30
                              G1/0/1│           │G1/0/1
                         ┌──────────┴──┐ ┌──────┴──────┐
                         │  ULGR-9300  │ │  ULKZ-9300  │ ◄── VTEPs (Leaf)
                         │ Lo1: 10.255.255.11  Lo1: 10.255.255.13
                         │ VLAN 20 SVI │ │ VLAN 20 SVI │
                         └──────┬──────┘ └──────┬──────┘
                              G1/0/8│           │G1/0/8
                                │                 │
                          ┌─────┴─────┐     ┌─────┴─────┐
                          │    PC1    │     │    PC2    │
                          │10.50.216.10     │10.50.216.11
                          └───────────┘     └───────────┘

    ═══════════════════════════════════════════════════════════════════

    VXLAN FABRIC DETAILS:
    ─────────────────────
    • VNI: 10020 (maps to VLAN 20)
    • EVPN Instance: 20 (vlan-based)
    • Replication Type: Ingress Replication
    • BGP AS: 65001 (iBGP full mesh between VTEPs)
    • Underlay Protocol: EIGRP AS 100

    VTEP LOOPBACKS (NVE Source):
    ─────────────────────────────
    • ULGR-9300: 10.255.255.11
    • ULPC-9300: 10.255.255.12
    • ULKZ-9300: 10.255.255.13

    HOST NETWORK:
    ─────────────
    • VLAN 20: 10.50.216.0/24
    • Gateway IPs on VTEPs: .14, .15, .16

📊 Device Summary

| Device | Role | Loopback1 | VXLAN Function | License |
|---|---|---|---|---|
| ULGR-9300 | Leaf/VTEP | 10.255.255.11 | NVE1, BGP EVPN | Network-Advantage + DNA-Advantage |
| ULPC-9300 | Leaf/VTEP | 10.255.255.12 | NVE1, BGP EVPN | Network-Advantage + DNA-Advantage |
| ULKZ-9300 | Leaf/VTEP | 10.255.255.13 | NVE1, BGP EVPN | Network-Advantage + DNA-Advantage |
| ULGR-9500 | Spine/Transit | 10.255.255.213 | IP Transit Only | Network-Advantage |
| ULKZ-9500 | Spine/Transit | 10.255.255.214 | IP Transit Only | Network-Advantage |

🔗 Link Addressing

| Link | Subnet | Device A (IP) | Device B (IP) |
|---|---|---|---|
| ULPC-9300 ↔ ULGR-9500 | 192.168.100.0/30 | ULPC: .2 | ULGR-9500: .1 |
| ULPC-9300 ↔ ULKZ-9500 | 192.168.101.0/30 | ULPC: .2 | ULKZ-9500: .1 |
| ULGR-9300 ↔ ULGR-9500 | 192.168.102.0/30 | ULGR-9300: .2 | ULGR-9500: .1 |
| ULKZ-9300 ↔ ULKZ-9500 | 192.168.102.0/30 | ULKZ-9300: .2 | ULKZ-9500: .1 |
| ULGR-9500 ↔ ULKZ-9500 | 192.168.103.0/30 | ULGR-9500: .1 | ULKZ-9500: .2 |

💡 Architecture Insight

This topology uses a partial mesh design where VTEPs connect through spine switches. The spine switches (9500s) only participate in underlay routing (EIGRP) and do not run BGP EVPN. All EVPN control plane traffic flows through the IP underlay as standard BGP updates between the three VTEP loopbacks.

📋 Prerequisites

Licensing Requirements

Critical: VXLAN features require specific license levels. Without proper licensing, commands will be rejected or features will not function.

| Feature | Required License | Notes |
|---|---|---|
| VXLAN (NVE) | Network-Advantage | Mandatory for all VXLAN operations |
| BGP EVPN | Network-Advantage | L2VPN EVPN address family |
| Advanced Analytics | DNA-Advantage | Optional but recommended |

Step 1: Verify Current License

    show license summary
    ! Look for these lines:
    !   network-advantage (Network-Advantage) - Required
    !   dna-advantage (DNA Advantage) - Recommended

Step 2: Configure Boot License (if needed)

    configure terminal
     license boot level network-advantage addon dna-advantage
     end
    write memory
    ! Reload required for license change
    reload

📡 Underlay Network Requirements

  • IP Reachability: All VTEP loopbacks must be reachable from each other
  • MTU: Minimum 1600 bytes on all transit links (VXLAN adds 50+ bytes overhead)
  • Routing Protocol: EIGRP, OSPF, or IS-IS for underlay (this lab uses EIGRP)
  • Loopback Interfaces: Each VTEP needs a loopback for NVE source

Step 3: Configure MTU on Transit Interfaces

    interface GigabitEthernet1/0/1
     description Uplink to Spine
     no switchport
     mtu 1600
     ip address 192.168.x.x 255.255.255.252

MTU Mismatch: If MTU is not configured correctly, VXLAN-encapsulated packets will be dropped or fragmented, causing intermittent connectivity issues.

🌐 BGP Requirements

  • BGP AS: Use iBGP (same AS) for all VTEPs - AS 65001 in this lab
  • Peering Source: Use loopback interfaces for BGP peering stability
  • Address Family: L2VPN EVPN must be activated for all neighbors
  • Communities: Extended communities required (send-community both)

💡 Design Note: Full Mesh vs Route Reflector

This lab uses iBGP full mesh between three VTEPs. In production with many VTEPs, implement Route Reflectors (RRs) to avoid n*(n-1)/2 peering complexity. Spine switches often serve as RRs.

✅ Pre-Configuration Checklist

| Item | Verification Command | Expected Result |
|---|---|---|
| License Level | show license summary | network-advantage Active |
| IOS-XE Version | show version | 17.x or later recommended |
| IP Routing | show ip route | Routes to peer loopbacks |
| EIGRP Neighbors | show ip eigrp neighbors | Adjacency with spine switches |

⚙️ Configuration

The complete configuration for each device follows. Each configuration is organized by function: underlay, VXLAN/NVE, and BGP EVPN.

🔷 ULGR-9300 - VTEP Configuration

Step 1: Base Configuration & Licensing

    hostname ULGR-9300
    ! Enable required license
    license boot level network-advantage addon dna-advantage
    ! Enable IP routing
    ip routing
    ipv6 unicast-routing

Step 2: Loopback & Underlay Interfaces

    ! Loopback for NVE source - CRITICAL for VXLAN
    interface Loopback1
     ip address 10.255.255.11 255.255.255.255
    ! Uplink to spine switch
    interface GigabitEthernet1/0/1
     description link to ULGR-9500
     no switchport
     mtu 1600
     ip address 192.168.102.2 255.255.255.252

Step 3: VLAN and L2VPN EVPN Instance

    ! Define EVPN instance - maps VLAN to VNI
    l2vpn evpn instance 20 vlan-based
     encapsulation vxlan
     replication-type ingress
    ! Map VLAN 20 to VNI 10020
    vlan configuration 20
     member vni 10020

Order Matters: Define the L2VPN EVPN instance BEFORE configuring the VLAN membership. The EVPN instance must exist first.

Step 4: NVE Interface (VXLAN Tunnel)

    ! NVE interface - creates VXLAN tunnel endpoint
    interface nve1
     no ip address
     source-interface Loopback1
     host-reachability protocol bgp
     member vni 10020 ingress-replication

💡 Key Configuration Elements

source-interface: Must be a routable loopback reachable by all VTEPs
host-reachability protocol bgp: Enables BGP EVPN control plane
member vni ... ingress-replication: Uses head-end replication instead of multicast

Step 5: Access Port and VLAN SVI

    ! Host-facing access port
    interface GigabitEthernet1/0/8
     description PC1
     switchport access vlan 20
     switchport mode access
    ! VLAN SVI for local gateway
    interface Vlan20
     ip address 10.50.216.14 255.255.255.0

Step 6: EIGRP Underlay Routing

    ! EIGRP for underlay reachability
    router eigrp 100
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 10.255.255.11 0.0.0.0
     network 192.168.102.0 0.0.0.3
     eigrp stub connected summary

ℹ️ EIGRP Stub

Leaf switches use eigrp stub to advertise only connected and summary routes. This reduces EIGRP query scope and improves convergence.

Step 7: BGP EVPN Configuration

    ! BGP with EVPN address family
    router bgp 65001
     bgp log-neighbor-changes
     ! Advertise loopback for VTEP reachability
     network 10.255.255.11 mask 255.255.255.255
     ! iBGP peer to ULPC-9300
     neighbor 10.255.255.12 remote-as 65001
     neighbor 10.255.255.12 update-source Loopback1
     ! iBGP peer to ULKZ-9300
     neighbor 10.255.255.13 remote-as 65001
     neighbor 10.255.255.13 update-source Loopback1
     ! L2VPN EVPN address family
     address-family l2vpn evpn
      neighbor 10.255.255.12 activate
      neighbor 10.255.255.12 send-community both
      neighbor 10.255.255.13 activate
      neighbor 10.255.255.13 send-community both
     exit-address-family

send-community both: This is REQUIRED for EVPN. Without it, Route Targets and other extended communities will not be sent, and MAC routes will not be imported/exported correctly.

🔷 ULPC-9300 - VTEP Configuration

Step 1: Base Configuration & Licensing

    hostname ULPC-9300
    license boot level network-advantage addon dna-advantage
    ip routing
    ipv6 unicast-routing

Step 2: Loopback & Underlay Interfaces

    interface Loopback1
     ip address 10.255.255.12 255.255.255.255
    ! Dual uplinks to both spine switches
    interface GigabitEthernet1/0/1
     description link to ULGR-9500-core
     no switchport
     mtu 1600
     ip address 192.168.100.2 255.255.255.252
    interface GigabitEthernet1/0/2
     description link to ULKZ-9500-core
     no switchport
     mtu 1600
     ip address 192.168.101.2 255.255.255.252

Step 3: VLAN and L2VPN EVPN Instance

    l2vpn evpn instance 20 vlan-based
     encapsulation vxlan
     replication-type ingress
    vlan configuration 20
     member vni 10020

Step 4: NVE Interface (VXLAN Tunnel)

    interface nve1
     no ip address
     source-interface Loopback1
     host-reachability protocol bgp
     member vni 10020 ingress-replication

Step 5: Access Port and VLAN SVI

    interface GigabitEthernet1/0/8
     description PC3
     switchport access vlan 20
     switchport mode access
    interface Vlan20
     ip address 10.50.216.15 255.255.255.0

Step 6: EIGRP Underlay Routing

    router eigrp 100
     network 10.20.20.0 0.0.0.255
     network 10.255.254.0 0.0.0.255
     network 10.255.255.0 0.0.0.255
     network 10.255.255.12 0.0.0.0
     network 192.168.100.0 0.0.0.3
     network 192.168.101.0 0.0.0.3
     eigrp stub connected summary

Step 7: BGP EVPN Configuration

    router bgp 65001
     bgp log-neighbor-changes
     network 10.255.255.12 mask 255.255.255.255
     neighbor 10.255.255.11 remote-as 65001
     neighbor 10.255.255.11 update-source Loopback1
     neighbor 10.255.255.13 remote-as 65001
     neighbor 10.255.255.13 update-source Loopback1
     address-family l2vpn evpn
      neighbor 10.255.255.11 activate
      neighbor 10.255.255.11 send-community both
      neighbor 10.255.255.13 activate
      neighbor 10.255.255.13 send-community both
     exit-address-family

🔷 ULKZ-9300 - VTEP Configuration

Step 1: Base Configuration & Licensing

    hostname ULKZ-9300
    license boot level network-advantage addon dna-advantage
    ip routing
    ipv6 unicast-routing

Step 2: Loopback & Underlay Interfaces

    interface Loopback1
     ip address 10.255.255.13 255.255.255.255
    interface GigabitEthernet1/0/1
     description link to ULKZ-9500-core gi1/0/8
     no switchport
     mtu 1600
     ip address 192.168.102.2 255.255.255.252

Step 3: VLAN and L2VPN EVPN Instance

    l2vpn evpn instance 20 vlan-based
     encapsulation vxlan
     replication-type ingress
    ! Note: ULKZ-9300 uses slightly different syntax
    vlan configuration 20
     member evpn-instance 20 vni 10020

ℹ️ Alternative Syntax

ULKZ-9300 demonstrates an alternative VLAN-to-VNI mapping syntax using member evpn-instance 20 vni 10020. Both syntaxes achieve the same result.

Step 4: NVE Interface

    interface nve1
     no ip address
     source-interface Loopback1
     host-reachability protocol bgp
     member vni 10020 ingress-replication

Step 5: Access Port and VLAN SVI

    interface GigabitEthernet1/0/8
     description PC2
     switchport access vlan 20
     switchport mode access
    interface Vlan20
     ip address 10.50.216.16 255.255.255.0

Step 6: EIGRP Underlay Routing

    router eigrp 100
     network 10.255.255.0 0.0.0.255
     network 10.255.255.13 0.0.0.0
     network 192.168.102.0 0.0.0.3
     network 192.168.103.0 0.0.0.3
     eigrp stub connected summary

Step 7: BGP EVPN Configuration

    router bgp 65001
     bgp log-neighbor-changes
     network 10.255.255.13 mask 255.255.255.255
     network 192.168.102.0 mask 255.255.255.252
     neighbor 10.255.255.11 remote-as 65001
     neighbor 10.255.255.11 update-source Loopback1
     neighbor 10.255.255.12 remote-as 65001
     neighbor 10.255.255.12 update-source Loopback1
     address-family l2vpn evpn
      neighbor 10.255.255.11 activate
      neighbor 10.255.255.11 send-community both
      neighbor 10.255.255.12 activate
      neighbor 10.255.255.12 send-community both
     exit-address-family

🔶 ULGR-9500 - Spine/Transit Configuration

ℹ️ Spine Role

Spine switches in this design only provide IP transit for the underlay. They do NOT participate in BGP EVPN or VXLAN encapsulation. This simplifies the spine configuration significantly.

Step 1: Base Configuration

    hostname ULGR-9500
    license boot level network-advantage
    ip routing
    ipv6 unicast-routing

Step 2: Loopback & Underlay Interfaces

    interface Loopback1
     ip address 10.255.255.213 255.255.255.255
    ! Link to ULKZ-9500
    interface GigabitEthernet1/0/1
     description ULKZ-9500
     no switchport
     mtu 1600
     ip address 192.168.103.1 255.255.255.252
    ! Link to ULPC-9300 (VTEP)
    interface GigabitEthernet1/0/2
     description link to ULPC-9300-core
     no switchport
     mtu 1600
     ip address 192.168.100.1 255.255.255.252
    ! Link to ULGR-9300 (VTEP)
    interface GigabitEthernet1/0/8
     description link to ULGR-9300
     no switchport
     mtu 1600
     ip address 192.168.102.1 255.255.255.252

Step 3: EIGRP Underlay Routing

    ! Full EIGRP - no stub on spine
    router eigrp 100
     network 10.255.255.213 0.0.0.0
     network 192.168.100.0 0.0.0.3
     network 192.168.101.0 0.0.0.3
     network 192.168.102.0 0.0.0.3
     network 192.168.103.0 0.0.0.3

💡 No EIGRP Stub on Spine

Unlike leaf switches, spine switches do NOT use eigrp stub. They need to propagate routes between all leaf switches for full mesh reachability.

🔶 ULKZ-9500 - Spine/Transit Configuration

Step 1: Base Configuration

    hostname ULKZ-9500
    license boot level network-advantage
    ip routing
    ipv6 unicast-routing

Step 2: Loopback & Underlay Interfaces

    interface Loopback1
     ip address 10.255.255.214 255.255.255.255
    ! Link to ULGR-9500
    interface GigabitEthernet1/0/1
     description link to ULGR-9500-core
     no switchport
     mtu 1600
     ip address 192.168.103.2 255.255.255.252
    ! Link to ULPC-9300 (VTEP)
    interface GigabitEthernet1/0/2
     description link to ULPC-9300-core
     no switchport
     mtu 1600
     ip address 192.168.101.1 255.255.255.252
    ! Link to ULKZ-9300 (VTEP)
    interface GigabitEthernet1/0/8
     description link to ULKZ-9300-core
     no switchport
     mtu 1600
     ip address 192.168.102.1 255.255.255.252

Step 3: EIGRP Underlay Routing

    router eigrp 100
     network 10.255.255.214 0.0.0.0
     network 192.168.101.0 0.0.0.3
     network 192.168.102.0 0.0.0.3
     network 192.168.103.0 0.0.0.3

🔧 Troubleshooting

Common Issues and Solutions

1. NVE Interface Not Coming Up

Symptom: show nve interface nve1 shows interface down or missing

Possible Causes:

  • Missing Network-Advantage license
  • Source loopback interface not configured or down
  • L2VPN EVPN instance not defined

    ! Verify license
    show license summary | include network
    ! Verify loopback status
    show ip interface brief | include Loopback
    ! Verify EVPN instance exists
    show l2vpn evpn summary

Solution: Ensure the license is active, the loopback is up with an IP address, and the L2VPN EVPN instance is configured before the NVE interface.

2. BGP EVPN Neighbors Not Establishing

Symptom: show bgp l2vpn evpn summary shows neighbors in Idle or Active state

    ! Check BGP neighbor status
    show bgp l2vpn evpn summary
    ! Verify underlay connectivity to peer loopback
    ping 10.255.255.11 source loopback1
    ! Check for TCP connectivity issues
    show ip bgp neighbors 10.255.255.11 | include state

Common Fixes:

  • Verify underlay routing - peer loopback must be reachable
  • Ensure update-source Loopback1 is configured
  • Check for ACLs blocking TCP port 179
  • Verify AS numbers match for iBGP

3. VXLAN Tunnel Not Forming

Symptom: show nve peers shows no peers or peers in DOWN state

    ! Check NVE peers
    show nve peers
    ! Verify VXLAN encapsulation
    show nve vni
    ! Check for EVPN routes
    show bgp l2vpn evpn

Common Cause: Missing send-community both under the L2VPN EVPN address family. Without extended communities, Route Targets are not exchanged.

4. MAC Addresses Not Learning Across Fabric

Symptom: Hosts can't ping across VTEPs, MAC table shows only local MACs

    ! Check local MAC table
    show mac address-table vlan 20
    ! Check EVPN MAC routes
    show bgp l2vpn evpn route-type 2
    ! Verify VNI to VLAN mapping
    show vlan configuration

Troubleshooting Steps:

  • Verify VLAN-to-VNI mapping is consistent across all VTEPs
  • Check that EVPN Type-2 routes are being advertised
  • Ensure NVE interface has correct VNI membership

5. MTU Issues Causing Packet Drops

Symptom: Ping works but large transfers fail, intermittent connectivity

    ! Check interface MTU
    show interfaces GigabitEthernet1/0/1 | include MTU
    ! Test with large packets
    ping 10.255.255.12 source loopback1 size 1550 df-bit

💡 MTU Calculation

VXLAN adds 50 bytes of overhead (8-byte VXLAN header + 8-byte UDP header + 20-byte outer IP + 14-byte outer Ethernet). For 1500-byte inner frames, underlay MTU must be at least 1550 bytes. Recommended: 1600 or higher.

6. EVPN Route-Type Reference

| Route Type | Name | Purpose |
|---|---|---|
| Type-2 | MAC/IP Advertisement | Advertises MAC and optional IP for hosts |
| Type-3 | Inclusive Multicast | VTEP discovery and BUM traffic handling |
| Type-5 | IP Prefix Route | Inter-subnet routing (L3VNI) |

🛠️ Quick Diagnostic Commands

    ! === VXLAN/NVE Status ===
    show nve interface nve1 detail
    show nve peers
    show nve vni
    ! === BGP EVPN Status ===
    show bgp l2vpn evpn summary
    show bgp l2vpn evpn
    show bgp l2vpn evpn route-type 2
    show bgp l2vpn evpn route-type 3
    ! === L2VPN EVPN Instance ===
    show l2vpn evpn summary
    show l2vpn evpn evi detail
    ! === VLAN/VNI Mapping ===
    show vlan configuration
    show vxlan vni
    ! === Underlay Verification ===
    show ip eigrp neighbors
    show ip route eigrp
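
Several of the causes listed in this troubleshooting section (missing send-community both, missing update-source Loopback1, inconsistent VLAN-to-VNI mapping, undersized underlay MTU) can be caught from saved configurations before a change is deployed. The script below is an added example, not part of the original lab; the function names, the vtep() sample generator, and the assumed default MTU of 1500 for routed ports without an mtu line are assumptions made for illustration.

```python
import re

MIN_UNDERLAY_MTU = 1550  # page's figure: 1500-byte inner frame + 50 bytes overhead

def sections(config):
    """Group an IOS config into {top-level line: [stripped child lines]}."""
    tree, head = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comments
        if raw[0].isspace() and head:
            tree[head].append(line)
        else:
            head = line
            tree[head] = []
    return tree

def audit(configs):
    """configs maps hostname -> config text; returns a list of findings."""
    findings, vnis = [], {}
    for host, text in configs.items():
        for head, body in sections(text).items():
            joined = "\n".join(body)
            if head.startswith("interface ") and "no switchport" in body:
                mtu = re.search(r"^mtu (\d+)$", joined, re.M)
                size = int(mtu.group(1)) if mtu else 1500  # assumed default MTU
                if size < MIN_UNDERLAY_MTU:
                    findings.append(f"{host}: {head} MTU {size} below {MIN_UNDERLAY_MTU}")
            elif head.startswith("vlan configuration "):
                # Accept both VLAN-to-VNI syntaxes shown in this lab.
                m = re.search(r"^member (?:evpn-instance \d+ )?vni (\d+)$", joined, re.M)
                if m:
                    vnis.setdefault(head.split()[-1], {})[host] = m.group(1)
            elif head.startswith("router bgp "):
                base, _, rest = joined.partition("address-family l2vpn evpn")
                evpn = rest.partition("exit-address-family")[0]
                for n in re.findall(r"^neighbor (\S+) remote-as", base, re.M):
                    if f"neighbor {n} update-source Loopback1" not in base:
                        findings.append(f"{host}: neighbor {n} lacks update-source Loopback1")
                    if f"neighbor {n} activate" not in evpn:
                        findings.append(f"{host}: neighbor {n} not activated for l2vpn evpn")
                    elif not re.search(rf"neighbor {re.escape(n)} send-community (both|extended)", evpn):
                        findings.append(f"{host}: neighbor {n} sends no extended communities")
    for vlan, by_host in sorted(vnis.items()):
        if len(set(by_host.values())) > 1:
            findings.append(f"VLAN {vlan}: inconsistent VNI mapping {sorted(by_host.items())}")
    return findings

def vtep(lo, nbrs, vni="10020", mtu="1600", no_community=()):
    """Constructed sample: a trimmed VTEP config in the shape this lab uses."""
    base = "".join(f" neighbor {n} remote-as 65001\n"
                   f" neighbor {n} update-source Loopback1\n" for n in nbrs)
    evpn = "".join(f"  neighbor {n} activate\n"
                   + ("" if n in no_community else f"  neighbor {n} send-community both\n")
                   for n in nbrs)
    return (f"interface Loopback1\n ip address {lo} 255.255.255.255\n"
            f"interface GigabitEthernet1/0/1\n no switchport\n mtu {mtu}\n"
            f"vlan configuration 20\n member vni {vni}\n"
            f"router bgp 65001\n{base} address-family l2vpn evpn\n{evpn} exit-address-family\n")

# Constructed input: ULKZ-9300 carries three deliberate faults.
SAMPLE = {
    "ULGR-9300": vtep("10.255.255.11", ["10.255.255.12", "10.255.255.13"]),
    "ULPC-9300": vtep("10.255.255.12", ["10.255.255.11", "10.255.255.13"]),
    "ULKZ-9300": vtep("10.255.255.13", ["10.255.255.11", "10.255.255.12"],
                      vni="10021", mtu="1500", no_community=("10.255.255.11",)),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit real devices, pass a dictionary of hostname to saved running-config text in place of SAMPLE.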

✅ Verification

Use these commands to verify your VXLAN BGP EVPN fabric is operating correctly.

Step 1: Verify NVE Interface Status

    ULGR-9300# show nve interface nve1
    Interface: nve1, State: Admin Up, Oper Up
    Encapsulation: Vxlan
    source-interface: Loopback1 (primary:10.255.255.11 vrf:0)
    Host Reachability: BGP

Expected: State shows "Admin Up, Oper Up" and source-interface shows correct loopback IP

Step 2: Verify NVE Peers (VXLAN Tunnels)

    ULGR-9300# show nve peers
    Interface  VNI      Type Peer-IP          RMAC/Num_RTs   eVNI     state flags UP time
    nve1       10020    L2CP 10.255.255.12    2              10020      UP  A/M/4 00:45:12
    nve1       10020    L2CP 10.255.255.13    2              10020      UP  A/M/4 00:44:58

Expected: All remote VTEP peers show state "UP" with correct VNI

Step 3: Verify BGP EVPN Neighbors

    ULGR-9300# show bgp l2vpn evpn summary
    BGP router identifier 10.255.255.11, local AS number 65001
    BGP table version is 15, main routing table version 15
    6 network entries using 2304 bytes of memory
    8 path entries using 1728 bytes of memory
    3/3 BGP path/bestpath attribute entries using 888 bytes of memory
    1 BGP extended community entries using 40 bytes of memory

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    10.255.255.12   4 65001     156     158       15    0    0 02:15:34        4
    10.255.255.13   4 65001     154     156       15    0    0 02:14:22        4

Expected: All neighbors show established state with PfxRcd (prefixes received) > 0

Step 4: Verify EVPN MAC Routes (Type-2)

    ULGR-9300# show bgp l2vpn evpn route-type 2
    BGP routing table entry for [2][10.255.255.11:20][0][48][AABB.CC00.0100][0][*]/20
      Paths: 1 available, best #1
      Advertised to update-groups:
         1
      Local
        :: from 0.0.0.0 (10.255.255.11)
          Origin IGP, localpref 100, weight 32768, valid, local, best
          Extended Community: RT:65001:10020 ENCAP:8
          Local vxlan vtep:
            vrf: default, vni: 10020
            local router mac: AABB.CC00.0100

    BGP routing table entry for [2][10.255.255.12:20][0][48][AABB.CC00.0200][0][*]/20
      Paths: 1 available, best #1
      Not advertised to any peer
      10.255.255.12 from 10.255.255.12 (10.255.255.12)
        Origin IGP, localpref 100, valid, internal, best
        Extended Community: RT:65001:10020 ENCAP:8
        Remote vxlan vtep: 10.255.255.12

Expected: Type-2 routes showing MAC addresses from all VTEPs with correct RT (Route Target)

Step 5: Verify VNI Membership

    ULGR-9300# show nve vni
    Interface  VNI        Multicast-group  VNI state  Mode  VLAN  cfg  Vrf
    nve1       10020      N/A              Up         L2CP  20    CLI  N/A

Expected: VNI state "Up", correct VLAN mapping, Mode "L2CP" (Layer 2 Control Plane)

Step 6: Verify MAC Address Table

    ULGR-9300# show mac address-table vlan 20
              Mac Address Table
    -------------------------------------------
    Vlan    Mac Address       Type        Ports
    ----    -----------       --------    -----
      20    aabb.cc00.0100    DYNAMIC     Gi1/0/8
      20    aabb.cc00.0200    DYNAMIC     nve1(10.255.255.12)
      20    aabb.cc00.0300    DYNAMIC     nve1(10.255.255.13)

Expected: Local MACs show physical port, remote MACs show nve1 with remote VTEP IP

Step 7: End-to-End Connectivity Test

    ! From PC1 (10.50.216.10), ping PC2 and PC3
    PC1> ping 10.50.216.11
    PING 10.50.216.11 (10.50.216.11): 56 data bytes
    64 bytes from 10.50.216.11: icmp_seq=1 ttl=64 time=2.534 ms
    64 bytes from 10.50.216.11: icmp_seq=2 ttl=64 time=1.876 ms
    PC1> ping 10.50.216.12
    PING 10.50.216.12 (10.50.216.12): 56 data bytes
    64 bytes from 10.50.216.12: icmp_seq=1 ttl=64 time=2.123 ms

Expected: All hosts in VLAN 20 can ping each other across the VXLAN fabric

✅ Verification Checklist

| Check | Command | Success Criteria |
|---|---|---|
| NVE Interface | show nve interface nve1 | State: Oper Up |
| NVE Peers | show nve peers | All peers UP |
| BGP EVPN Neighbors | show bgp l2vpn evpn summary | Established, PfxRcd > 0 |
| EVPN Routes | show bgp l2vpn evpn | Type-2 and Type-3 routes present |
| VNI Status | show nve vni | VNI state Up |
| MAC Learning | show mac address-table vlan 20 | Remote MACs via nve1 |
| Connectivity | ping | Cross-VTEP ping success |
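
The "NVE Peers" and "BGP EVPN Neighbors" rows of this checklist can be evaluated mechanically from captured command output. The script below is an added example, not part of the original lab: it parses text in the layout of the Step 2 and Step 3 samples, and its function names and the altered sample output (one neighbor left in Idle) are constructed for illustration.

```python
import re

def nve_peers(output):
    """Return {peer_ip: state} parsed from 'show nve peers'."""
    peers = {}
    for line in output.splitlines():
        cols = line.split()
        # Data rows: interface, VNI, type, peer IP, RMAC/Num_RTs, eVNI, state, ...
        if len(cols) >= 7 and cols[0].startswith("nve") and cols[1].isdigit():
            peers[cols[3]] = cols[6]
    return peers

def evpn_neighbors(output):
    """Return {neighbor_ip: State/PfxRcd field} from 'show bgp l2vpn evpn summary'."""
    nbrs = {}
    for line in output.splitlines():
        cols = line.split()
        if len(cols) == 10 and re.fullmatch(r"\d+(\.\d+){3}", cols[0]):
            nbrs[cols[0]] = cols[9]
    return nbrs

def check_fabric(remote_vteps, peers_output, bgp_output):
    """Apply the checklist criteria to each expected remote VTEP."""
    peers, nbrs = nve_peers(peers_output), evpn_neighbors(bgp_output)
    problems = []
    for ip in remote_vteps:
        field = nbrs.get(ip)
        if field is None:
            problems.append(f"{ip}: no BGP EVPN neighbor configured")
        elif not field.isdigit():
            # The last column shows a state name until the session is Established.
            problems.append(f"{ip}: BGP session not established ({field})")
        elif int(field) == 0:
            problems.append(f"{ip}: established but PfxRcd is 0")
        if peers.get(ip) != "UP":
            problems.append(f"{ip}: NVE peer {peers.get(ip, 'missing')}")
    return problems

# Constructed output in the format of this lab's Step 2 and Step 3 samples,
# altered so that 10.255.255.13 is failing.
NVE_PEERS = """\
Interface  VNI      Type Peer-IP          RMAC/Num_RTs   eVNI     state flags UP time
nve1       10020    L2CP 10.255.255.12    2              10020      UP  A/M/4 00:45:12
"""
BGP_SUMMARY = """\
BGP router identifier 10.255.255.11, local AS number 65001
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.255.255.12   4 65001     156     158       15    0    0 02:15:34        4
10.255.255.13   4 65001       0       0        1    0    0 never    Idle
"""

if __name__ == "__main__":
    for p in check_fabric(["10.255.255.12", "10.255.255.13"], NVE_PEERS, BGP_SUMMARY):
        print(p)
```

An established session with PfxRcd of 0 is reported separately from a session that is down, since the page's success criterion requires both.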

πŸ“ Knowledge Check

Test your understanding of VXLAN BGP EVPN concepts covered in this lab.

1. What is the primary purpose of BGP EVPN in a VXLAN fabric?
2. What license level is required for VXLAN features on Cisco Catalyst 9000 series?
3. What is the purpose of the NVE interface source-interface configuration?
4. Why is "send-community both" required under the BGP L2VPN EVPN address family?
5. What is the minimum recommended MTU for underlay interfaces in a VXLAN fabric?
6. In this lab topology, what is the role of the 9500 spine switches?
7. What EVPN route type is used to advertise MAC addresses learned from hosts?