• Part1: Underlay --> Part2: Tunnel --> You Are Here
Chapter: Troubleshooting BGP EVPN VXLAN
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9400/software/release/17-5/configuration_guide/vxlan/b_175_bgp_evpn_vxlan_9400_cg/troubleshooting_bgp_evpn_vxlan.html#id_131532
MP-BGP EVPN is a standards-based control plane that supports the distribution of attached host MAC and IP addresses using MP-BGP, namely, using the EVPN address family and MAC addresses treated as routing entries in BGP. As a control plane that is separate from the data plane, MP-BGP EVPN avoids flood-and-learn in the network, and the wide use of BGP as an external gateway protocol on the internet proves its ability to scale well with large deployments.
The following topology demonstrates how MP-BGP EVPN distributes route type 2 MAC/IP advertisement routes among VTEPs in the VXLAN, and minimizes ARP broadcast traffic required for PC A to learn PC B's MAC address when pc-A tries to connect to pc-D.
(According to Fortinet: https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/52499/vxlan-with-mp-bgp-evpn)
Create a full mesh of three iBGP peers.
The BGP sessions use the OSPF routes from the underlay for connectivity between the loopbacks.
Leaf-1
router bgp 65001
bgp router-id 1.1.1.1
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.2.2.2 remote-as 65001
neighbor 10.2.2.2 update-source Loopback1
neighbor 10.3.3.3 remote-as 65001
neighbor 10.3.3.3 update-source Loopback1
!
address-family ipv4   ! <--- No IP addresses, no Layer 3 routes
exit-address-family
!
! address-family ipv4 mvpn <--- Multicast routing not needed in BGP
!
address-family l2vpn evpn
neighbor 10.2.2.2 activate
neighbor 10.2.2.2 send-community both
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 send-community both
exit-address-family
Leaf-2
router bgp 65001
bgp router-id 2.2.2.2
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.1.1.1 remote-as 65001
neighbor 10.1.1.1 update-source Loopback2
neighbor 10.3.3.3 remote-as 65001
neighbor 10.3.3.3 update-source Loopback2
!
address-family ipv4
exit-address-family
!
address-family l2vpn evpn
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 send-community both
neighbor 10.3.3.3 activate
neighbor 10.3.3.3 send-community both
exit-address-family
Spine-3
router bgp 65001
bgp router-id 3.3.3.3
bgp log-neighbor-changes
no bgp default ipv4-unicast
neighbor 10.1.1.1 remote-as 65001
neighbor 10.1.1.1 update-source Loopback3
neighbor 10.2.2.2 remote-as 65001
neighbor 10.2.2.2 update-source Loopback3
!
address-family ipv4
exit-address-family
!
address-family l2vpn evpn
neighbor 10.1.1.1 activate
neighbor 10.1.1.1 send-community both
neighbor 10.2.2.2 activate
neighbor 10.2.2.2 send-community both
exit-address-family
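As an added example (not part of the original handout), a small checker that reads the three router bgp stanzas above and verifies the full mesh: every device has a neighbor statement for every other loopback, each peer is activated under address-family l2vpn evpn, and nothing is activated for ipv4 unicast. The sample stanzas are constructed from the handout's Leaf-1 config; Leaf-2 is given a deliberate defect (one missing activate) to show what the check reports.

```python
import re

def parse_bgp(config):
    """Collect neighbours and per-address-family 'activate' lines from a router bgp stanza."""
    peers, active, af = {}, {"ipv4": set(), "evpn": set()}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"address-family (ipv4(?: unicast)?|l2vpn evpn)$", line):
            af = "ipv4" if m.group(1).startswith("ipv4") else "evpn"
        elif line.startswith("exit-address-family"):
            af = None
        elif m := re.match(r"neighbor (\S+) remote-as (\d+)", line):
            peers[m.group(1)] = int(m.group(2))
        elif (m := re.match(r"neighbor (\S+) activate", line)) and af:
            active[af].add(m.group(1))
    return peers, active

def check_mesh(configs):
    """configs: {own loopback: stanza}. Empty result = every device peers with every other
    device and activates it under l2vpn evpn only (no ipv4 unicast, as in this lab)."""
    parsed = {ip: parse_bgp(cfg) for ip, cfg in configs.items()}
    problems = []
    for me, (peers, active) in parsed.items():
        for other in configs:
            if other == me:
                continue
            if other not in peers:
                problems.append(f"{me}: no neighbor statement for {other}")
            elif other not in active["evpn"]:
                problems.append(f"{me}: {other} not activated under address-family l2vpn evpn")
        if active["ipv4"]:
            problems.append(f"{me}: ipv4 unicast activated for {sorted(active['ipv4'])}")
    return problems

# Constructed sample: Leaf-1 as in the handout (router-id and logging lines dropped). Leaf-2 is
# derived from it with 10.1.1.1 deliberately left out of the evpn family; Spine-3 is derived correctly.
LEAF1 = """router bgp 65001
 no bgp default ipv4-unicast
 neighbor 10.2.2.2 remote-as 65001
 neighbor 10.3.3.3 remote-as 65001
 address-family ipv4
 exit-address-family
 address-family l2vpn evpn
  neighbor 10.2.2.2 activate
  neighbor 10.3.3.3 activate
 exit-address-family"""
LEAF2 = LEAF1.replace("10.2.2.2", "10.1.1.1").replace("  neighbor 10.1.1.1 activate\n", "")
SPINE3 = LEAF1.replace("10.3.3.3", "10.1.1.1")
LAB = {"10.1.1.1": LEAF1, "10.2.2.2": LEAF2, "10.3.3.3": SPINE3}
```

Running check_mesh(LAB) reports only the Leaf-2 defect; a peer that is defined but never activated for l2vpn evpn exchanges no type-2 routes, which is what a zero in the State/PfxRcd column of show bgp l2vpn evpn summary looks like.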
It might be a little slow at the start; the first pings time out.
C:\pc-A>ping 10.1.30.20
Pinging 10.1.30.20 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
C:\pc-B>ping 10.1.30.10
Pinging 10.1.30.10 with 32 bytes of data:
Reply from 10.1.30.10: bytes=32 time=1ms TTL=128
Reply from 10.1.30.10: bytes=32 time=2ms TTL=128
Reply from 10.1.30.10: bytes=32 time=2ms TTL=128
C:\pc-A>ping 10.1.30.20
Pinging 10.1.20.10 with 32 bytes of data:
Reply from 10.1.20.10: bytes=32 time=2ms TTL=128
Reply from 10.1.20.10: bytes=32 time=1ms TTL=128
Reply from 10.1.20.10: bytes=32 time=2ms TTL=128
Leaf-2
show bgp l2vpn evpn summary
BGP router identifier 2.2.2.2, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.1        4        65001       5       5        1    0    0 00:02:07        3
10.3.3.3        4        65001       5       5        1    0    0 00:02:06        0
Source: Commands from "Troubleshooting EVPN/VXLAN on Catalyst 9000 IOS-XE"
https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2024/pdf/LTRTRS-2556.pdf Cisco Live 2024 LTRTRS-2556
Leaf-1 and Leaf-2
show l2vpn evpn mac ip
Leaf-1#show l2vpn evpn mac ip
IP Address                              EVI   VLAN  MAC Address    Next Hop(s)
--------------------------------------- ----- ----- -------------- -----------
10.1.30.10                              30    10    a4bb.6da2.efbc Gi1/0/10:10
10.1.30.20                              30    10    a4bb.6da2.e2a6 10.2.2.2

Leaf-2#show l2vpn evpn mac ip
IP Address                              EVI   VLAN  MAC Address    Next Hop(s)
--------------------------------------- ----- ----- -------------- -----------
10.1.30.10                              30    10    a4bb.6da2.efbc 10.1.1.1
10.1.30.20                              30    20    a4bb.6da2.e2a6 Gi1/0/10:20
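As an added example (not code from the handout or from Cisco), a cross-check of the two tables above: each host must be learned locally (port next hop) on exactly one VTEP, and every other VTEP must hold it in the same EVI with that VTEP's loopback as next hop. The VLAN column is locally significant, so it is parsed but not compared. Sample input is the two outputs from this page, constructed inline.

```python
import re

ROW = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)")

def parse_mac_ip(output):
    """Rows of 'show l2vpn evpn mac ip' as {(ip, mac): {'evi': int, 'vlan': int, 'next_hop': str}}."""
    rows = {}
    for line in output.splitlines():
        if m := ROW.match(line):
            ip, evi, vlan, mac, nh = m.groups()
            rows[(ip, mac)] = {"evi": int(evi), "vlan": int(vlan), "next_hop": nh}
    return rows

def is_local(next_hop):
    """A locally learned host points at a port (Gi1/0/10:10); a remote one at a VTEP loopback."""
    return not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", next_hop)

def cross_check(tables):
    """tables: {vtep loopback: parsed table}. Each host must be local on exactly one VTEP,
    and every other VTEP must hold it in the same EVI with that VTEP's loopback as next hop."""
    problems = []
    for ip, mac in sorted({k for t in tables.values() for k in t}):
        local = [v for v, t in tables.items() if (ip, mac) in t and is_local(t[(ip, mac)]["next_hop"])]
        if len(local) != 1:
            problems.append(f"{ip}/{mac}: local on {local or 'no VTEP'}, expected exactly one")
            continue
        evis = set()
        for vtep, t in tables.items():
            if (ip, mac) not in t:
                problems.append(f"{ip}/{mac}: missing on {vtep}, type-2 route not received")
                continue
            evis.add(t[(ip, mac)]["evi"])
            if vtep != local[0] and t[(ip, mac)]["next_hop"] != local[0]:
                problems.append(f"{ip}/{mac}: {vtep} points at {t[(ip, mac)]['next_hop']}, expected {local[0]}")
        if len(evis) > 1:
            problems.append(f"{ip}/{mac}: EVI mismatch across VTEPs {sorted(evis)}")
    return problems

# Constructed sample: the two tables from this page (the VLAN differs per leaf, which is fine).
LEAF1 = """Leaf-1#show l2vpn evpn mac ip
IP Address   EVI   VLAN  MAC Address    Next Hop(s)
------------ ----- ----- -------------- -----------
10.1.30.10   30    10    a4bb.6da2.efbc Gi1/0/10:10
10.1.30.20   30    10    a4bb.6da2.e2a6 10.2.2.2"""
LEAF2 = """10.1.30.10   30    10    a4bb.6da2.efbc 10.1.1.1
10.1.30.20   30    20    a4bb.6da2.e2a6 Gi1/0/10:20"""
TABLES = {"10.1.1.1": parse_mac_ip(LEAF1), "10.2.2.2": parse_mac_ip(LEAF2)}
```

cross_check(TABLES) returns an empty list for the healthy lab; dropping a row from one leaf, or pointing a remote entry at the wrong loopback, produces one line naming the host and the VTEP at fault.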
Leaf-1 and Leaf-2
show bgp l2vpn evpn summary
Leaf-2#  <--- output deleted for clarity --->
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.1.1.1        4        65001      58      43       52    0    0 00:35:04        2
10.3.3.3        4        65001      40      43       52    0    0 00:34:24        0
L2RIB (L2 Routing Information Base)
show l2route evpn mac ip topology 30
NVE verification
show nve vni
NVE verification
show nve peers vni 12300
Look for "10.1.1.1" as a source for the multicast group 239.30.30.30:
Leaf-2#show ip mroute
IP Multicast Routing Table
< - - Output omitted for clarity - - >

(*, 239.30.30.30), 00:20:57/stopped, RP 10.3.3.3, flags: SJCx
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 00:20:51/00:00:08

(10.1.1.1, 239.30.30.30), 00:02:49/00:00:10, flags: JTx
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 00:02:49/00:00:10

(*, 224.0.1.40), 00:34:56/00:02:05, RP 10.3.3.3, flags: SJCL
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Loopback2, Forward/Sparse, 00:34:54/00:02:05
Leaf-2#
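As an added example (not from the handout), a parser for the mroute output above that turns the "look for 10.1.1.1" step into a check: the shared tree for the VNI's BUM group must exist, and each remote VTEP loopback must appear as an (S,G) source with the x flag and the NVE tunnel in its outgoing interface list. It assumes Tunnel1 is the NVE tunnel, as the Leaf-2 output shows; the sample input is the page's output constructed inline.

```python
import re

def parse_mroute(output):
    """Return {(source, group): {'flags': str, 'oil': [interface, ...]}} from 'show ip mroute'."""
    entries, cur = {}, None
    for line in output.splitlines():
        if m := re.search(r"\((\S+), (\d+\.\d+\.\d+\.\d+)\),.*flags: (\w+)", line):
            cur = entries.setdefault((m.group(1), m.group(2)), {"flags": m.group(3), "oil": []})
        elif cur is not None and (m := re.match(r"\s*(\S+), Forward/", line)):
            cur["oil"].append(m.group(1))
    return entries

def check_bum_group(entries, group, remote_vteps, nve_tunnel="Tunnel1"):
    """For the BUM group of a VNI, the shared tree must exist and every remote VTEP loopback
    must show up as an (S,G) source with the x (VxLAN) flag and the NVE tunnel in its OIL."""
    problems = []
    if ("*", group) not in entries:
        problems.append(f"no (*, {group}) entry: no PIM join towards the RP for this group")
    for src in remote_vteps:
        e = entries.get((src, group))
        if e is None:
            problems.append(f"no ({src}, {group}) entry: no BUM traffic from that VTEP has been accepted")
        elif "x" not in e["flags"]:
            problems.append(f"({src}, {group}) lacks the x flag, not treated as a VXLAN group")
        elif nve_tunnel not in e["oil"]:
            problems.append(f"({src}, {group}) does not forward to {nve_tunnel}, nothing is decapsulated")
    return problems

# Constructed sample: the Leaf-2 output from this page (Tunnel1 is the NVE tunnel here).
LEAF2_MROUTE = """(*, 239.30.30.30), 00:20:57/stopped, RP 10.3.3.3, flags: SJCx
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 00:20:51/00:00:08

(10.1.1.1, 239.30.30.30), 00:02:49/00:00:10, flags: JTx
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Tunnel1, Forward/Sparse-Dense, 00:02:49/00:00:10

(*, 224.0.1.40), 00:34:56/00:02:05, RP 10.3.3.3, flags: SJCL
  Incoming interface: GigabitEthernet1/0/4, RPF nbr 10.0.4.3
  Outgoing interface list:
    Loopback2, Forward/Sparse, 00:34:54/00:02:05"""
```

check_bum_group(parse_mroute(LEAF2_MROUTE), "239.30.30.30", ["10.1.1.1"]) returns an empty list for this output; asking about a VTEP that has not sent any BUM traffic yet, or about the wrong tunnel, returns one line saying which condition failed.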
From Cisco Live (different addressing, so not working in this lab, but nice to know): show ip mroute 239.10.10.10 10.255.1.1
VTEP-1# show ip mroute 239.10.10.10 10.255.1.1
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry, E - Extranet,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group,
       G - Received BGP C-Mroute, g - Sent BGP C-Mroute,
       N - Received BGP Shared-Tree Prune, n - BGP C-Mroute suppressed,
       Q - Received BGP S-A Route, q - Sent BGP S-A Route,
       V - RD & Vector, v - Vector, p - PIM Joins on route,
       x - VxLAN group, c - PFP-SA cache created entry
Outgoing interface flags: H - Hardware switched, A - Assert winner, p - PIM Join
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(10.255.1.1, 239.10.10.10), 00:00:25/00:02:34, flags: FTx          <<— x flag set for VxLAN group
  Incoming interface: Loopback999, RPF nbr 0.0.0.0                  <<— Broadcast being encapsulated into VXLAN tunnel IP
  Outgoing interface list:
    TwoGigabitEthernet1/0/2, Forward/Sparse, 00:00:23/00:03:06       <<— Sending towards core to VTEP-2

(10.255.1.4, 239.10.10.10), 3d18h/00:02:25, flags: JTx             <<— BUM traffic from VTEP-2 (if the ARP request was from VTEP-2)
  Incoming interface: TwoGigabitEthernet1/0/2, RPF nbr 10.1.1.6
  Outgoing interface list:
    Tunnel0, Forward/Sparse-Dense, 3d18h/00:00:14                   <<— Tunnel 0 is the VXLAN tunnel used for decapsulation
Source: Cisco troubleshooting_bgp_evpn_vxlan
When VXLAN tunnels are established using BGP EVPN, leaf nodes can dynamically learn the MAC addresses of hosts through BGP EVPN routes. The whole original IP packet is encapsulated.
Source: Huawei understanding-vxlan-tunnel-establishment-in-bgp-evpn-mode-distributed-vxlan-gateway
VXLAN (Virtual Extensible LAN) - The technology that provides the same Ethernet Layer 2 network services as VLAN does today, but with greater extensibility and flexibility.
VTEP (Virtual Tunnel Endpoint) - The device that does the encapsulation and de-encapsulation.
NVE (Network Virtual Interface) - The logical interface where the encapsulation and de-encapsulation occur.
EVI (EVPN instance) - A logical switch within the EVPN domain which spans and interconnects multiple VTEPs to provide tenant Layer 2 and Layer 3 connectivity.
VNI (VXLAN Network Identifier) - A 24-bit segment ID that defines the broadcast domain. Interchangeable with "VXLAN Segment ID".
Completely different 🫔 enchilada!
Next lab
Tomorrow you can do a completely different VXLAN lab with L3, VRF, Anycast Gateway!
Have a go at the csepracticals.com BGP EVPN VXLAN lab, which is also in 3 parts: "Part 1 - Intra Vlan Routing", "Part 2 - BGP-EVPN Control Plane & Route Advertisement" and "Part 3 - Inter VNI Routing"
(BACKUP: vxlan-part1.pdf, vxlan-part2.pdf, vxlan-part3.pdf)
Thank you for your interest in EVPN and VXLANs!
• Part1: Underlay --> Part2: Tunnel --> You Are Here == Finished!