Configuration Guide
This guide walks through the key configuration concepts used in this EVPN-VXLAN lab.
Table of Contents
- Architecture Overview
- Underlay Configuration
- Overlay Configuration
- MLAG Configuration
- L2 VXLAN Configuration
- L3 VXLAN Configuration
- Best Practices
Architecture Overview
Topology Design
- Spine-Leaf Architecture: 2 Spines, 8 Leafs forming 4 VTEPs
- Underlay: BGP with eBGP between Spine-Leaf, iBGP between the two peers of each MLAG pair
- Overlay: BGP EVPN for control plane
- Data Plane: VXLAN encapsulation
AS Number Scheme
Spine: AS 65000
VTEP1: AS 65001 (Leaf1/Leaf2)
VTEP2: AS 65002 (Leaf3/Leaf4)
VTEP3: AS 65003 (Leaf5/Leaf6)
VTEP4: AS 65004 (Leaf7/Leaf8)
IP Addressing Plan
Management: 172.16.0.0/24
Router-ID Loopbacks: 10.0.250.0/24
VTEP Loopbacks: 10.0.255.0/24
Spine1 P2P Links: 10.0.1.0/24
Spine2 P2P Links: 10.0.2.0/24
MLAG iBGP Peering: 10.0.3.0/24
MLAG Peer-Link: 10.0.199.0/24
Underlay Configuration
1. Enable Multi-Agent Routing Protocol Model
Required for EVPN to function properly:
service routing protocols model multi-agent
2. Configure Loopback Interfaces
Each device needs two loopbacks:
! Router-ID Loopback (unique per device)
interface Loopback0
ip address 10.0.250.x/32
! VTEP Loopback (shared within MLAG pair)
interface Loopback1
ip address 10.0.255.x/32
3. Configure Point-to-Point Interfaces
Use /31 subnets for efficiency:
interface Ethernet11
description spine1
no switchport
ip address 10.0.1.1/31
mtu 9214
4. Configure BGP Underlay
On Spines:
router bgp 65000
router-id 10.0.250.1
no bgp default ipv4-unicast
distance bgp 20 200 200
neighbor 10.0.1.1 remote-as 65001
neighbor 10.0.1.3 remote-as 65001
! ... more neighbors
address-family ipv4
neighbor 10.0.1.1 activate
network 10.0.250.1/32
maximum-paths 4 ecmp 64
On Leafs:
router bgp 65001
router-id 10.0.250.11
no bgp default ipv4-unicast
distance bgp 20 200 200
neighbor underlay peer group
neighbor underlay remote-as 65000
neighbor 10.0.1.0 peer group underlay
neighbor 10.0.2.0 peer group underlay
address-family ipv4
neighbor underlay activate
network 10.0.250.11/32
network 10.0.255.11/32
maximum-paths 4 ecmp 64
Why These Settings?
- no bgp default ipv4-unicast: Requires explicit activation per address family
- distance bgp 20 200 200: eBGP=20, iBGP=200, Local=200 (prefer eBGP routes)
- maximum-paths 4 ecmp 64: Enable ECMP with up to 4 paths
- mtu 9214: Support jumbo frames for VXLAN overhead
Overlay Configuration
1. Configure EVPN Neighbors
On Leafs:
router bgp 65001
neighbor evpn peer group
neighbor evpn remote-as 65000
neighbor evpn update-source Loopback0
neighbor evpn ebgp-multihop 3
neighbor evpn send-community extended
neighbor 10.0.250.1 peer group evpn
neighbor 10.0.250.2 peer group evpn
address-family evpn
neighbor evpn activate
On Spines:
router bgp 65000
neighbor evpn peer group
neighbor evpn next-hop-unchanged
neighbor evpn update-source Loopback0
neighbor evpn ebgp-multihop 3
neighbor evpn send-community extended
neighbor 10.0.250.11 peer group evpn
neighbor 10.0.250.11 remote-as 65001
! ... more neighbors
address-family evpn
neighbor evpn activate
Why These Settings?
- update-source Loopback0: Use loopback for stable peering
- ebgp-multihop 3: Allow multi-hop eBGP through underlay
- send-community extended: Required for EVPN route-targets
- next-hop-unchanged: On spines, preserve original next-hop for optimal routing
2. Configure VXLAN Interface
interface Vxlan1
vxlan source-interface Loopback1
vxlan udp-port 4789
vxlan learn-restrict any
- source-interface Loopback1: Use VTEP loopback as source
- udp-port 4789: Standard VXLAN port
- learn-restrict any: Use EVPN control plane only (no data plane learning)
MLAG Configuration
1. Configure MLAG VLANs
vlan 4090
name mlag-peer
trunk group mlag-peer
vlan 4091
name mlag-ibgp
trunk group mlag-peer
2. Configure MLAG SVIs
interface Vlan4090
description MLAG Peer-Link
ip address 10.0.199.254/31
no autostate
interface Vlan4091
description MLAG iBGP Peering
ip address 10.0.3.0/31
mtu 9214
3. Configure Peer-Link
interface Ethernet10
channel-group 999 mode active
interface Port-Channel999
switchport mode trunk
switchport trunk group mlag-peer
spanning-tree link-type point-to-point
4. Configure MLAG Domain
mlag configuration
domain-id leafs
local-interface Vlan4090
peer-address 10.0.199.255
peer-link Port-Channel999
dual-primary detection delay 10 action errdisable all-interfaces
peer-address heartbeat 172.16.0.50 vrf mgmt
5. Configure iBGP Between MLAG Peers
router bgp 65001
neighbor underlay_ibgp peer group
neighbor underlay_ibgp remote-as 65001
neighbor underlay_ibgp next-hop-self
neighbor 10.0.3.1 peer group underlay_ibgp
address-family ipv4
neighbor underlay_ibgp activate
6. Configure Virtual Router MAC
ip virtual-router mac-address c001.cafe.babe
This MAC is used for anycast gateway functionality across the MLAG pair.
L2 VXLAN Configuration
For extending Layer 2 domains across the fabric:
1. Create VLAN
vlan 40
name test-l2-vxlan
2. Map VLAN to VNI
interface Vxlan1
vxlan vlan 40 vni 110040
3. Configure BGP EVPN for VLAN
router bgp 65001
vlan 40
rd 65001:110040
route-target both 40:110040
redistribute learned
Key Concepts
- VNI (VXLAN Network Identifier): 24-bit segment ID (110040)
- RD (Route Distinguisher): Makes routes unique (AS:VNI format)
- RT (Route Target): Controls route import/export (VLAN:VNI format)
- redistribute learned: Advertise locally learned MAC addresses
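A mistyped RD or RT does not raise a configuration error; the VLAN's routes simply fail to import on other VTEPs or collide with another VLAN's. The following check is an added example, not part of the lab's own tooling: it compares each `vxlan vlan ... vni ...` mapping with the `rd` and `route-target` under `router bgp`, using the AS:VNI and VLAN:VNI formats described above. The function name and sample configuration are constructed for illustration, and the parser assumes the indented layout of `show running-config` output.

```python
import re

# Constructed sample, indented like "show running-config" output. VLAN 50 is
# deliberately wrong and VLAN 60 has no BGP stanza, to show what is reported.
SAMPLE = """\
interface Vxlan1
   vxlan vlan 40 vni 110040
   vxlan vlan 50 vni 110050
   vxlan vlan 60 vni 110060
router bgp 65001
   vlan 40
      rd 65001:110040
      route-target both 40:110040
   vlan 50
      rd 65001:110040
      route-target both 50:110055
"""

def check_l2_vni_plan(config):
    """Check each VLAN's RD/RT against the AS:VNI and VLAN:VNI formats."""
    vni_of = dict(re.findall(r"^[ \t]*vxlan vlan (\d+) vni (\d+)", config, re.M))
    asn, vlan, bgp, in_bgp = None, None, {}, False
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line[0].isspace():              # top-level line: new section
            in_bgp, vlan = w[:2] == ["router", "bgp"], None
            asn = w[2] if in_bgp else asn
        elif in_bgp and w[0] in ("vlan", "vrf", "address-family"):
            vlan = w[1] if w[0] == "vlan" else None   # rd/rt in a VRF are skipped
        elif in_bgp and vlan and w[0] in ("rd", "route-target"):
            bgp.setdefault(vlan, {})[w[0]] = w[-1]
    findings, rd_owner = [], {}
    for vlan, vni in sorted(vni_of.items(), key=lambda kv: int(kv[0])):
        if not 0 < int(vni) < 2**24:
            findings.append(f"vlan {vlan}: VNI {vni} is outside the 24-bit range")
        if vlan not in bgp:
            findings.append(f"vlan {vlan}: VNI {vni} has no rd/route-target under router bgp")
            continue
        rd, rt = bgp[vlan].get("rd"), bgp[vlan].get("route-target")
        if rd != f"{asn}:{vni}":
            findings.append(f"vlan {vlan}: rd {rd}, expected {asn}:{vni}")
        if rt != f"{vlan}:{vni}":
            findings.append(f"vlan {vlan}: route-target {rt}, expected {vlan}:{vni}")
        if rd and rd_owner.setdefault(rd, vlan) != vlan:
            findings.append(f"vlan {vlan}: rd {rd} already used by vlan {rd_owner[rd]}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_l2_vni_plan(SAMPLE)))
```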
L3 VXLAN Configuration
For routing between VRFs across the fabric:
1. Create VRF
vrf instance gold
ip routing vrf gold
2. Map VRF to VNI
interface Vxlan1
vxlan vrf gold vni 100001
3. Configure VRF VLAN Interface
vlan 34
name vrf-gold-subnet
interface Vlan34
vrf gold
ip address 10.34.34.2/24
ip virtual-router address 10.34.34.1
4. Configure BGP for VRF
router bgp 65002
vrf gold
rd 10.0.250.13:1
route-target import evpn 1:100001
route-target export evpn 1:100001
redistribute connected
Key Concepts
- VRF: Virtual Routing and Forwarding instance
- L3 VNI: VNI for routing between VRFs
- Anycast Gateway: Same gateway IP/MAC on both MLAG peers
- Type-5 Routes: EVPN IP prefix routes for inter-subnet routing
Best Practices
IP Addressing
- Use consistent /31 for P2P links
- Reserve /32 blocks for loopbacks
- Use non-overlapping private address space
BGP Configuration
- Always use peer groups for scalability
- Set appropriate maximum-routes limits
- Enable logging for troubleshooting
- Use distance bgp 20 200 200 for predictable behavior
VXLAN/EVPN
- Use meaningful VNI numbers (e.g., 1XXYYY where XX is VLAN/VRF)
- Keep RD unique per device
- Keep RT consistent across devices in same domain
- Enable vxlan learn-restrict any to avoid data-plane learning
MLAG
- Always configure dual-active detection
- Use trunk groups to isolate MLAG VLANs
- Configure iBGP between peers for redundancy
- Use consistent domain-id across pairs
MTU
- Set MTU to 9214 on underlay links for VXLAN overhead
- Ensure consistent MTU across the fabric
- Account for 50-byte VXLAN header overhead
Security
- Change default passwords immediately
- Configure management VRF
- Use authentication for BGP peers (not shown in lab configs)
- Implement prefix-lists and route-maps in production
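Because the lab configs omit these controls, a check that reports which BGP neighbors still lack them is useful before a config is promoted to production. The following is an added example, not part of the lab repository: it resolves peer-group inheritance and lists neighbors with no `password`, no `maximum-routes`, and no inbound `route-map` or `prefix-list`. The function name, sample configuration, key text and route-map name are constructed placeholders.

```python
import re

# Constructed sample: the guide's leaf peer groups, with authentication and
# limits added to "underlay" only. Key text and route-map name are placeholders.
SAMPLE = """\
router bgp 65001
   neighbor underlay peer group
   neighbor underlay remote-as 65000
   neighbor underlay password 0 EXAMPLE-KEY-PLACEHOLDER
   neighbor underlay maximum-routes 12000
   neighbor underlay route-map RM-UNDERLAY-IN in
   neighbor evpn peer group
   neighbor evpn remote-as 65000
   neighbor 10.0.1.0 peer group underlay
   neighbor 10.0.2.0 peer group underlay
   neighbor 10.0.250.1 peer group evpn
"""

REQUIRED = {"password": "no session authentication",
            "maximum-routes": "no explicit maximum-routes limit",
            "inbound-policy": "no inbound route-map or prefix-list"}

def audit_bgp_peers(config):
    """Return {neighbor: [missing controls]}, applying peer-group inheritance."""
    groups = set(re.findall(r"^[ \t]*neighbor (\S+) peer group[ \t]*$", config, re.M))
    settings, member_of = {}, {}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 3 or w[0] != "neighbor":
            continue
        peer, rest = w[1], w[2:]
        if peer not in groups:
            member_of.setdefault(peer, None)   # neighbor with no group so far
        if rest[:2] == ["peer", "group"] and len(rest) == 3:
            member_of[peer] = rest[2]
        elif rest[0] in ("password", "maximum-routes"):
            settings.setdefault(peer, set()).add(rest[0])
        elif rest[0] in ("route-map", "prefix-list") and rest[-1] == "in":
            settings.setdefault(peer, set()).add("inbound-policy")
    report = {}
    for peer, group in member_of.items():
        have = settings.get(peer, set()) | settings.get(group, set())
        missing = [why for key, why in REQUIRED.items() if key not in have]
        if missing:
            report[peer] = missing
    return report

if __name__ == "__main__":
    print(audit_bgp_peers(SAMPLE))
```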
Verification Checklist
After configuration, verify:
- All BGP neighbors established
- Loopbacks reachable via underlay
- EVPN routes being exchanged
- MLAG state is Active
- VXLAN interface is up
- Remote VTEPs discovered
- MAC addresses learned via EVPN
- VRF routing working end-to-end
Refer to validation-commands.md for detailed verification steps.
Troubleshooting Tips
- No BGP neighbors: Check IP connectivity and firewall rules
- No EVPN routes: Verify send-community extended is configured
- No MAC learning: Check VNI mapping and route-targets
- MLAG not working: Verify peer-link and domain-id match
- No VXLAN traffic: Check MTU and VNI configuration