
Brkens 2092

The document discusses the implementation of scalable VXLAN BGP EVPN fabrics for enterprise networks using Catalyst 9000 switching platforms. It covers key topics such as BGP EVPN architecture, multicast scaling, and integration with SD-Access, along with detailed technical specifications and capabilities of the Catalyst 9000 series. The presentation aims to provide insights into building efficient and flexible network infrastructures using BGP EVPN technology.

Uploaded by

g15.radbozu

Building Scalable VXLAN BGP EVPN Fabrics for Enterprise networks
Catalyst 9000 Switching Platforms

Raj Kumar Goli - Technical Marketing Engineer

BRKENS-2092

-
Agenda

• What is BGP EVPN?
• BGP EVPN in Enterprise Campus
• Underlay and Overlay Networks
• Scaling Multicast in Fabric
• BGP EVPN Interworking
• SD-Access with BGP EVPN

-
BRKENS-2092 © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Catalyst 9000 Spine | Leaf | Border Hybrid Role - Spine + Leaf + Border Support BGP EVPN RT2 to RT5 re-originate
Catalyst 9000 Leaf | Border support
Support BGP EVPN Layer 2 Multi-home ESI support
Support Increased VNI Scale in 2X (512)
Overlay Type : Layer 2, Centralized Distributed AnyCast RP for TRM
Overlay Type : Layer 3 Overlay Gateway IPv4 ARP / IPv6 ND Suppression Catalyst 9500-H Custom SDM Template
IPv4/IPv4 host overlay Multicast with Default
Overlay Type : Distributed AnyCast for Distributed AnyCast Gateway, Layer 2 MDT, Fabric External Domain RP for large scale MAC/IP routes
Gateway Leaf Increased up to 500 Leaf scale per Fabric
L3/L3 Overlay Topologies : Full-mesh | Partial-
EVPN L2 Multi-homing with Cisco Mesh | Hub-n-Spoke | P2P Domain
IPv4 host in overlay
StackWise Virtual Optimized L2 Multicast with IGMP/MLD
Ingress Replication for BUM Per-VNI Multicast BUM Rate-Limiter
Central Switching Wireless support Snooping for Centralized Gateway
DHCPv4 Relay in EVPN VRF BGP EVPN PVLAN based Segmentation
Firewall integration for Service-Insertion IPv4 host overlay Multicast with Data MDT
Multicast DNS Service-Routing over BGP EVPN IPv6 host overlay Multicast with Data MDT
Border : Multi-VRF IPv4 Handoff IPv6 host in overlay
VXLAN
Border : L2 VLAN Handoff DHCPv4/v6 Relay in Default VRF Border : Multi-VRF IPv4 and IPv6 Data
Border Multi-VRF v4/v6 Multicast Handoff MDT to external Multicast Handoff
VXLAN Aware Flexible Netflow - IPv4 /
IPv6 Unicast/Multicast overlay Border : EVPN to VPLS IRB Interworking Border : EVPN IPv4 and IPv6 Data MDT to
Border : Multi-VRF IPv6 Handoff domain external Multicast Multicast VPN Handoff
Border : EVPN to MPLS VPNv4 Integration Border : EVPN to MPLS Multicast VPNv4 Border : EVPN to Global VN Extranet
Border : EVPN to MPLS VPNv6 Integration Integration support
Border : EVPN to VPLS Bridge Border : EVPN to Non-EVPN VN Extranet
Interworking support
16.9.1 16.12.1 17.3.1 17.6.1

17.9.1 17.12.1 17.15.1


EVPN VXLAN with NAT44 support RT-2 and RT-5 BGP EVPN Route-Map support VXLANv6 Overlay – TRM Multicast – v6
Per-VLAN Peer-to-Peer Protected Mode Per-VLAN ESI Layer 2 Multi-home support Support for DAG
BGP EVPN VXLANv6 Control-Plane EVPN Micro-Segmentation C9500X | C9600X – Per-VLAN BGP
VXLANv6 Underlay – IPv6 BGP EVPN AF CLI Simplicity – Dynamic BGP EVPN Address- EVPN ESI Layer 2 Multi-home support
Peering support Family Peering Support C9500X | C9600X – Centralized Gateway
VXLANv6 Overlay – Layer 3 Overlay, CLI Simplicity – IP VRF Auto RD and Auto RT / Asymmetric IRB
Distributed AnyCast GW & Layer 2 Scalable Fabric – 1024 VNI Scale Tenant Routed Multicast SSO High
Overlay over VXLANv6 Scalable Fabric – Multi-Tenant IEEE 802.3ad Availability
VXLANv6 Overlay – Border Layer 2, Layer Layer 2 Overlay Networks CLI Simplicity – L2VPN Profile
3 & MPLS VPNv6 802.1Q IPv6 Handoff Secure First Hop Layer 2 overlay with DHCP IPv6 Neighbor Discovery Proxy for BGP
VXLANv6 Overlay – VXLANv4 to Snooping and ARP Inspection EVPN Fabric
VXLANv6 Migration w/ IR VXLANv6 Overlay – TRM Multicast – v4 Support Programmable EVPN Fabric with
VXLANv6 Overlay – IPv6 Multicast for DAG, AnyCast RP over VXLANv6 support OpenConfig models
Replication for VXLANv6 VXLANv6 Underlay – IPv6 BGP mVPN AF
VXLANv6 Overlay – VXLANv4 to Peering support
VXLANv6 Migration w/ Multicast Rep 802.1Q VLAN over Layer 2 VNI Overlay

-
Cisco Catalyst 9000
BGP EVPN VXLAN Fabric

Enterprise Healthcare Education Financial Public Sector Manufacturing Hospitality Media Transportation Retail

-
VXLAN Overview

Classical Ethernet Frame
DMAC | SMAC | 802.1Q | Etype | Payload | CRC
VLAN is expressed over 12 bits (802.1Q tag)

VXLAN Frame (MAC-in-UDP Encapsulation)
Outer MAC (14B) | Outer IP (20B) | UDP (8B) | VXLAN (8B) | Original Layer 2 Frame: DMAC, SMAC, Etype (14B), Payload | CRC (new, 4B)

VXLAN leverages the VNI field with a total address space of 24 bits
The VXLAN Network Identifier (VNI/VNID) is part of the VXLAN Header
20B + 8B + 8B + 14B* = 50 Bytes of total overhead
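
The header layout on this slide can be checked in code. The following is an added example, not part of the original presentation: it builds and parses the 8-byte VXLAN header, shows how a decapsulating VTEP can drop malformed headers and VNIs it does not host, and derives the underlay IP MTU from the header sizes. The function names, the strict reserved-bit policy and the sample VNI set are assumptions made for illustration.

```python
import struct

# Header sizes from the slide: outer MAC 14B, outer IP 20B, UDP 8B, VXLAN 8B.
OUTER_MAC, OUTER_IPV4, UDP_HDR, VXLAN_HDR = 14, 20, 8, 8
ENCAP_OVERHEAD = OUTER_IPV4 + UDP_HDR + VXLAN_HDR + OUTER_MAC  # 50 bytes
INNER_ETHERNET = 14        # DMAC + SMAC + Etype of the original frame
FLAG_VNI_VALID = 0x08      # "I" bit of the VXLAN flags byte (RFC 7348)
MAX_VNI = (1 << 24) - 1    # the VNI field is 24 bits wide


def build_vxlan_header(vni):
    """Return the 8-byte VXLAN header carrying the given VNI."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Word 0: flags (8 bits) + reserved (24 bits).
    # Word 1: VNI (24 bits) + reserved (8 bits).
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def parse_vxlan_header(data):
    """Return the VNI, or raise ValueError for a malformed header."""
    if len(data) < VXLAN_HDR:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", data[:VXLAN_HDR])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI field is not valid")
    # Assumption: strict receive policy that rejects non-zero reserved bits.
    if word0 & 0x00FFFFFF or word1 & 0xFF:
        raise ValueError("reserved bits are not zero")
    return word1 >> 8


def classify(udp_payload, local_vnis):
    """Decide what a decapsulating VTEP should do with a UDP payload."""
    try:
        vni = parse_vxlan_header(udp_payload)
    except ValueError as exc:
        return ("drop-malformed", str(exc))
    if vni not in local_vnis:
        # The VNI is the segment boundary: never bridge into a segment
        # that is not configured on this VTEP.
        return ("drop-unknown-vni", vni)
    return ("accept", vni)


def underlay_ip_mtu(host_ip_mtu):
    """IP MTU the underlay links need so host packets are not fragmented.

    The inner Ethernet header travels inside the outer IP packet, while the
    outer MAC header does not count against the IP MTU.
    """
    return host_ip_mtu + INNER_ETHERNET + VXLAN_HDR + UDP_HDR + OUTER_IPV4


# Constructed sample: VNI values as used in the configuration slides.
LOCAL_VNIS = {101000, 102102}

if __name__ == "__main__":
    for vni in (101000, 10010):
        print(vni, classify(build_vxlan_header(vni), LOCAL_VNIS))
    print("all-zero header:", classify(bytes(8), LOCAL_VNIS))
    print("underlay IP MTU for 1500-byte hosts:", underlay_ip_mtu(1500))
```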

-
VXLAN with BGP EVPN

• Standards based Overlay (VXLAN) with Standards based Control-Plane (BGP)
• Layer-2 MAC and Layer-3 IP information distribution by Control-Plane (BGP)
• Forwarding decision based on Control-Plane (minimizes flooding)
• Integrated Routing/Bridging (IRB) for Optimized Forwarding in the Overlay
• Multi-Tenancy At Scale

Control Plane: EVPN MP-BGP - RFC 7432
Data Plane:
• Multi-Protocol Label Switching (MPLS): draft-ietf-l2vpn-evpn
• Provider Backbone Bridges (PBB): draft-ietf-l2vpn-pbb-evpn
• Network Virtualization Overlay (NVO): draft-ietf-bess-evpn-overlay

EVPN over NVO Tunnels (VXLAN)
Provides Layer-2 and Layer-3 Overlays over simple IP Networks

-
BGP EVPN System Role

Catalyst EVPN Scale and Performance Matrix: Cisco Catalyst BGP EVPN Configuration Guide, Scale and Performance Chapter

Diagram labels: Layer 2: 802.1Q | VPLS; Layer 3: VRF | MPLS; Fabric-Domain-A; SITE-A

BORDER-GATEWAY: A gateway point between two or more BGP EVPN administrative domain boundaries.
System: Support Mode
• Nexus 9000: Standalone

BORDER: A gateway point between the EVPN fabric and an external network domain.
System: Support Mode
• Catalyst 9300 – 9600 (9500-H/X/9600/X): Standalone | Stack
• Catalyst 8000 Edge | ASR 1000: Physical
• Nexus 9000: Standalone
• ASR 9000: Standalone

INTERMEDIATE: A Layer 2 or Layer 3 (IP/MPLS) Underlay network system providing basic transport and forwarding plane.
System: Support Mode
• Any: Any

SPINE: Reflects the L2/L3 VPN prefixes, providing a hierarchical neighbor peering, learning and distribution point.
System: Support Mode
• Catalyst 9300 – 9600 (9500-H/X & 9600/X): Standalone | Stack
• Catalyst 8000 Edge | ASR 1000: Physical | Virtual
• Nexus 9000: Standalone
• ASR 9000: Standalone

VTEP (LEAF): An origination and termination point of VXLAN enabled overlay network.
System: Support Mode
• Catalyst 9300L | 9300 | 9300X Series: Standalone | StackWise
• Catalyst 9400 | 9400X Series: Standalone | StackWise-Virtual
• Catalyst 9500 | 9500X Series: Standalone | StackWise-Virtual
• Catalyst 9600 | 9600X Series: Standalone | StackWise-Virtual

-
BGP-EVPN in Campus

-
Enterprise Campus BGP EVPN Drivers

• Industry Standard: Multi-vendor IT strategy
• One Fabric Architecture: Unified operation across – Campus | DC | WAN
• Proven and Scalable: BGP Protocol History. Minimum new learning curve
• Hierarchical Fabric Domain: Multi-tier Overlay network architecture
• Flexible Overlay Types and Topologies: Use-case driven customize Overlay networks

-
Enterprise BGP EVPN Reference Architecture

Diagram labels: DC – EVPN | DC – ACI (APIC) | WAN | Shared-Services | DMZ; IP | MPLS | EVPN | SD-WAN | Internet

Industry Standard
• Standard-based Fabric
• Multi-vendor interoperable
• Broad innovation adoption

Unified Fabric
• Cross-PIN single fabric
• Extensible beyond site
• Simplified Management

Proven
• Reliable control-plane
• Multi-protocol capabilities
• Less new learning-curve

Hierarchical
• Non-blocking architecture
• Structured & Scalable fabric
• Hybrid system role support

Flexible
• Complex network solution
• Tailored L2/L3 overlays
• Deep eco-system integration
-
EVPN Basics

-
VXLAN Constructs

VNI – Virtual Network Identifier

L3VNI (SVI X | VLAN X | Layer-3 VNI X’)
• 1 Layer-3 VNI per Tenant (VRF) for routing
• VNI X’ is used for routed packets

L2VNI (SVI A | VLAN A | Layer-2 VNI A; SVI B | VLAN B | Layer-2 VNI B; SVI C | VLAN C | Layer-2 VNI C)
• 1 Layer-2 VNI per Layer-2 segment
• L2VNIs are used for bridged packets
• Traffic between L2VNIs is routed

-
MP-BGP EVPN Route Type(s)

RFC 7432
• Type 1: Ethernet Auto-Discovery (A-D) route
• Type 2: MAC/IP advertisement route
• Type 3: Inclusive Multicast Route. EVPN Ingress Replication (IR) (unicast mode for BUM)
• Type 4: Ethernet Segment Route

RFC 9136
• Type 5: IP Prefix Route → Layer-3 VNI Route

RFC 9251
• Type 6: Selective Multicast Ethernet Tag Route
• Type 7: IGMP Join Sync routes (Join/Leave)
• Type 8: IGMP Leave Sync routes (Join/Leave)
-
VXLAN Overview

Diagram labels: RR, RR; Route; Bridge; VTEP-1, VTEP-2, VTEP-3, VTEP-4

Host | VLAN | MAC | IP
Host A | VLAN10 | 0000.1111.1111 | 192.168.10.10
Host B | VLAN10 | 0000.2222.2222 | 192.168.10.11
Host D | VLAN20 | 0000.4444.4444 | 192.168.20.11

-
MAC/IP Advertisement route
Route-Type 2

Route Type | MAC, IP | L2VNI | Layer-3 VNI (“VRF”) | NH | Encap | Seq
2 | MAC_A, IP_A | 30001 | 50001 | IP_V1 | 8:VXLAN | 0

• Host “A” attaches to Edge Device (VTEP)
• VTEP V1 advertises Host “A” reachability information
  • MAC and L2VNI [mandatory]
  • IP and L3VNI [optional]
    • depending on ARP
• Additional Attributes advertised
  ▪ MPLS Label 1 (Layer-2 VNI)
  ▪ MPLS Label 2 (Layer-3 VNI)
  ▪ Extended Communities

Host A: MAC_A / IP_A
Host B: MAC_B / IP_B

-
Protocol Learning & Distribution
“Subnet Route Advertisement (Route-Type 5)”

Route Type | MAC, IP | Layer-3 VNI (“VRF”) | NH | Encap
5 | Subnet_A/24 | 50001 | IP_V1 | 8:VXLAN

• IP Prefix Redistribution
  • From “Direct” (connected), Static or dynamically learned Routes
• VTEP V1 advertises local Subnet through redistribution of “Direct” (connected) routes
  • IP Prefix, IP Prefix Length, and Layer-3 VNI
• Additional route attributes advertised
  • MPLS Label (Layer-3 VNI)
  • Extended Communities
• Multiple VTEPs can announce same IP Prefix

Host A: MAC_A / IP_A
Host B: MAC_B / IP_B

-
Host Advertisement

Host A: MAC: 0000.1111.1111, IP: 192.168.10.10

Local learning of host info

MAC | Host IP | VNI | VTEP
0000.1111.1111 | 192.168.10.10 | VNI-1 | VTEP-1

The same entry is shown in each device's table: RR, VTEP-1, VTEP-2, VTEP-3, VTEP-4.

-
Packet Walk – ARP Request

Host A: MAC: 0010.9400.1002, IP: 10.10.10.2, VLAN10, attached to VTEP-1 (172.168.1.1)
Host B: MAC: 0010.9400.1003, IP: 10.10.10.3, VLAN10, attached to VTEP-2 (172.168.1.2)

At VTEP-1 (VLAN10): ARP Request for 10.10.10.3
SMAC: 0010.9400.1002 | DMAC: FFFF.FFFF.FFFF

Between VTEP-1 and VTEP-2 (RR, RR in the path): ARP Request for 10.10.10.3
SIP | DIP | VXLAN | SMAC | DMAC
172.168.1.1 | 225.0.0.1 | 111110 | 0010.9400.1002 | FFFF.FFFF.FFFF

At VTEP-2 (VLAN10): ARP Request for 10.10.10.3
SMAC: 0000.1111.1111 | DMAC: FFFF.FFFF.FFFF

-
Packet Walk – ARP Request

Host A: MAC: 0010.9400.1002, IP: 10.10.10.2, VLAN10, attached to VTEP-1 (172.168.1.1)
Host B: MAC: 0010.9400.1003, IP: 10.10.10.3, VLAN10, attached to VTEP-2 (172.168.1.2)

At VTEP-2 (VLAN10): ARP Response for 10.10.10.3
SMAC: 0010.9400.1003 | DMAC: 0010.9400.1002

Between VTEP-2 and VTEP-1 (RR, RR in the path): ARP Response for 10.10.10.3
SIP | DIP | VXLAN | SMAC | DMAC
172.168.1.2 | 172.168.1.1 | 111110 | 0010.9400.1003 | 0010.9400.1002

At VTEP-1 (VLAN10): ARP Response for 10.10.10.3
SMAC: 0010.9400.1003 | DMAC: 0010.9400.1002

-
Overlay Leaf Configuration – BGP EVPN Control Plane

Spine-1 / Spine-2 (RR, same configuration on both):

router bgp 64500
 neighbor 3.3.3.3 remote-as 64500
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 4.4.4.4 remote-as 64500
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
  neighbor 3.3.3.3 route-reflector-client
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both
  neighbor 4.4.4.4 route-reflector-client
  maximum-paths 2

Leaf-1 / Leaf-2 (VTEP, same configuration on both):

! The leaves are route-reflector clients of the spines, so the sessions are
! iBGP and the local AS has to match the spines' "remote-as 64500".
router bgp 64500
 neighbor 1.1.1.1 remote-as 64500
 neighbor 1.1.1.1 update-source Loopback0
 neighbor 2.2.2.2 remote-as 64500
 neighbor 2.2.2.2 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community both
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
 exit-address-family

-
VNI Configuration

Leaf-1 / Leaf-2 (VTEP, Vlan 10, same configuration on both):

! L2VNI Configuration
l2vpn evpn
 replication-type static
 router-id Loopback0
!
l2vpn evpn instance 10 vlan-based
 encapsulation vxlan
!
vlan configuration 10
 member evpn-instance 10 vni 101000
!
! L3VNI Configuration
vlan configuration 102
 member vni 102102
!
! Gateway SVI
interface Vlan10
 mac-address 0010.0010.0010
 vrf forwarding S1-EVPN
 ip address 172.16.10.1 255.255.255.0
!
! L3VNI Core SVI
interface Vlan102
 vrf forwarding S1-EVPN
 ip unnumbered Loopback0
-
NVE Configuration

Leaf-1 (VTEP, Vlan 10; the slide shows the same configuration in both columns):

interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 102102 vrf S1-EVPN
 member vni 101000 ingress-replication

-
Efficient Layer 2 Broadcast domain

Ingress Replication
1 x Broadcast Packet from the Source becomes 4 x Unicast Packets. No Multicast in Underlay.

interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10103 vrf green
 member vni 10102 ingress-replication

Multicast Replication
1 x Broadcast Packet from the Source becomes 1 x Multicast Packet.

interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10104 vrf blue
 member vni 10101 mcast-group 225.0.0.1
-
Underlay Network

-
Underlay Design Considerations

Routed Access (Spine, Leaf; Layer 3 to the Leaf)
• Routed Access environment
• Leaf Layer – Routed Access
• Spine/RR – Direct | Multi-hop
• ECMP | Non-Blocking ports
• Underlay | Overlay IP Gateway
• L2 | L3 Overlay Support
• Multicast Support

StackWise-Virtual (Spine, Leaf SVL; Layer 2 access)
• Access – Traditional Layer 2
• Leaf Layer – Distribution
• Spine/RR – Direct | Multi-hop
• MEC | ECMP | Active/Active forwarding
• Underlay | Overlay IP Gateway
• L2 | L3 Overlay Support
• Multicast Support

Layer 2 | Layer 3 Distribution (Spine, Leaf; Layer 2 access)
• Access – Traditional Layer 2
• Leaf Layer – Distribution
• Spine/RR – Direct | Multi-hop
• FHRP | ECMP | Multicast
• Underlay | Overlay IP Gateway
• L3 Overlay Support. No L2 Extension
• Multicast Support

-
EVPN ESI Dual-Home
(Ethernet Segment Identifier)

Diagram labels: Spine; Leaf; ESI; Layer 2; Layer 3; Active; Standby

ESI Dual-Home and ESI Single-Home (the slide lists the same points under both):
• Access – Traditional Layer 2
• Leaf Layer – Distribution
• Spine/RR – Direct | Multi-hop
• Per-ESI Anycast Gateway
• Per-VLAN | FHRP | ECMP | Multicast
• Active / Standby load-balancing
• L2 | L3 Overlay support
• Multicast Support

-
Underlay Unicast Routing Design Alternatives

Diagram labels: IGP (EIGRP | OSPF | IS-IS) and BGP alternatives; RR, RRC; AF: L2VPN | mVPN; IPv4 | IPv6; AS numbers 65001, 65002, 65003

• Flexible Underlay Unicast alternatives – IGP (EIGRP/OSPF/IS-IS) or BGP
• Physical/Virtual Spine RR support – IOS-XE | NXOS | XR
• Secure link-layer underlay network encryption using MACSEC
• Underlay MTU size consideration. TCP MSS adjust supported.
-
Wireless

Local Mode Wireless: Central Switching
FlexConnect Mode Wireless: Local Switching

Diagram labels: EVPN; Leaf; 802.1Q; CAPWAP; Central Switching SSID; Local Switching SSID; IPv4 | IPv6

• Over the Top Wireless. Intact WLC and AP communication in Underlay
• Flexible SSID alternatives – Central Switching, Local Switching, Central + Local Switching
• Fabric boundary initiates from Wireless Client IP gateway.
-
VXLAN with BGP EVPN
Wireless Options

Central Switching: CAPWAP Control and Data (WLC, Fabric Site, APs)
Flex Connect Mode: CAPWAP Control (WLC, Fabric Site, APs)

Wireless
• Over the Top Wireless. Intact WLC and AP communication in Underlay
• Flexible SSID alternatives – Central Switching, Local Switching, Central + Local Switching
• Fabric boundary initiates from Wireless Client IP gateway.
-
Overlay Network Design

-
Flexible Routing and Bridging Overlay Types
Layer 3 Overlay

Leaf-1 (VTEP-1, Vlan 10):

! L3 VNI
vlan configuration 901
 member vni 50901
!
! Core Interface
interface Vlan901
 vrf forwarding S1-EVPN
 ip unnumbered Loopback0
!
! L3 VNI
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 50901 vrf S1-EVPN
!
! Edge Vlan
interface Vlan10
 vrf forwarding VRF-A
 ip address 10.10.10.1 255.255.255.0

Leaf-2 (VTEP-2, Vlan 20): same L3 VNI, Core Interface and nve1 configuration as Leaf-1, with this Edge Vlan:

! Edge Vlan
interface Vlan20
 vrf forwarding VRF-A
 ip address 20.20.20.1 255.255.255.0

• Layer 3 overlay network allows host devices in different Layer 2 networks to send Layer 3 or routed traffic to each other
• The network forwards the routed traffic using a Layer 3 virtual network instance (VNI) and an IP VRF.
-
Flexible Routing and Bridging Overlay Types
Layer 2 only Overlay

Leaf-1 (VTEP-1) / Leaf-2 (VTEP-2), Vlan 10, same configuration on both:

! L2VNI, BUM Replication
l2vpn evpn instance 10 vlan-based
 encapsulation vxlan
 replication-type static
!
! VNI to VLAN mapping
vlan configuration 10
 member evpn-instance 10 vni 10010
!
! L2VNI BUM Group
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10010 mcast-group 225.0.0.1

• L2 only stretch across the EVPN domain
• Flexible workload placement, host mobility, and optimal traffic forwarding across the BGP EVPN VXLAN fabric.
-
Flexible Routing and Bridging Overlay Types
Distributed Anycast Gateway

Leaf-1 (VTEP-1) / Leaf-2 (VTEP-2), Vlan 10, same configuration on both:

! L2VN
l2vpn evpn instance 10 vlan-based
 encapsulation vxlan
 replication-type ingress
!
vlan configuration 10
 member evpn-instance 10 vni 101000
!
! L3VN
vlan configuration 102
 member vni 102102
!
interface Vlan102
 vrf forwarding S1-EVPN
 ip unnumbered Loopback0
!
! DAG
interface Vlan10
 mac-address 0001.0001.0001
 vrf forwarding S1-EVPN
 ip address 10.10.10.1 255.255.255.0
!
! NVE
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 102102 vrf S1-EVPN
 member vni 101000 ingress-replication

• The same anycast gateway virtual IP address and MAC address are configured on all VTEPs.
• Flexible workload placement, host mobility, and optimal traffic forwarding across the BGP EVPN VXLAN fabric.
-
Flexible Routing and Bridging Overlay Types
Centralized Gateway

• Inter-Subnet Traffic routed through Centralized Gateway
• Intra-Subnet Traffic Bridged through Layer 2 VNI

Diagram labels: Spine (RR, RR); Border/Leaf: Centralized Gateway; L2 Overlay; Leaf: VTEP-1, VTEP-2; Vlan 10

-
Flexible Routing and Bridging Overlay Types
Centralized Gateway

Centralized Gateway (Border/Leaf) configuration:

l2vpn evpn instance 101 vlan-based
 encapsulation vxlan
 replication-type ingress
 default-gateway advertise enable
!
l2vpn evpn instance 102 vlan-based
 encapsulation vxlan
 replication-type ingress
 default-gateway advertise enable
!
vlan configuration 101
 member evpn-instance 101 vni 10101
vlan configuration 102
 member evpn-instance 102 vni 10102
!
interface Vlan101
 vrf forwarding green
 ip address 10.1.101.1 255.255.255.0
!
interface Vlan102
 vrf forwarding green
 ip address 10.1.102.1 255.255.255.0
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 10101 ingress-replication
 member vni 10102 ingress-replication
!

Diagram labels: Spine (RR, RR); Border/Leaf: Centralized Gateway; L2 Overlay; Leaf: VTEP-1, VTEP-2

-
Proxy – Layer 2 without flooding
Routed Layer 2 Overlay

Anycast Gateway 10.1.1.254/24 | 0001.0101.0101

Item | Leaf-1 | Leaf-2
L3 Overlay route | B 10.1.1.2/32 | B 10.1.1.1/32
Interface command | ip local-proxy-arp | ip local-proxy-arp
Gateway entry | 10.1.1.254 0001.0101.0101 | 10.1.1.254 0001.0101.0101
Host entry | PC-2 10.1.1.2 0001.0101.0101 | PC-1 10.1.1.1 0001.0101.0101
Attached host | PC-1 | PC-2

Routed Layer 2
• Layer 2 network stretch without Layer 2 overlay extensions (Bridging)
• Manual override building dynamic Layer 2 VXLAN tunnel peer across fabric
• Dynamic local host discovery and MAC/IP (RT-2) prefix advertisement following IP VRF routing policy
• Local proxy function for remote IPv4 ARP and IPv6 ND discovery: Leaf local AnyCast MAC address
-
Overlay Topologies – Hub-n-Spoke

Border:
vrf definition S1-EVPN
 rd 1:1
 !
 ! Hub: export the RT the spokes import, import the RT the spokes export
 address-family ipv4
  route-target export 100:65121 stitching
  route-target import 65121:100 stitching
 exit-address-family

Leaf-1-Spoke:
vrf definition S1-EVPN
 rd 2:2
 !
 address-family ipv4
  route-target import 100:65121 stitching
  route-target export 65121:100 stitching
 exit-address-family

Leaf-2-Spoke:
vrf definition S1-EVPN
 rd 3:3
 !
 address-family ipv4
  route-target import 100:65121 stitching
  route-target export 65121:100 stitching
 exit-address-family

Leaf-3-Spoke:
vrf definition S1-EVPN
 rd 4:4
 !
 address-family ipv4
  route-target import 100:65121 stitching
  route-target export 65121:100 stitching
 exit-address-family

Leaf-4-Spoke:
vrf definition S1-EVPN
 rd 5:5
 !
 address-family ipv4
  route-target import 100:65121 stitching
  route-target export 65121:100 stitching
 exit-address-family

Diagram: Border; Spine; Intermediate; Leaf-1 to Leaf-4 (VTEP); Vlan20

-
Overlay Topologies – Hub-n-Spoke

Routes shown:
• Border VRF-A: B 21.101.15.0/28, B 21.101.15.16/28, B 21.101.15.32/28, B 21.101.15.48/28
• Leaf: B* 0.0.0.0/0

Diagram: Border; Spine; Intermediate; Leaf-1 to Leaf-4 (VTEP); Vlan20
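The route-target policy from the two Hub-n-Spoke slides, modelled as an added Python example (not part of the original deck) that computes which VRF imports whose routes and audits the result. The mapping of each /28 to a leaf, the Border originating 0.0.0.0/0, and the mistyped RT value are assumptions constructed for the example.

```python
# Added example: models the route-target policy of VRF S1-EVPN from the slides.
HUB_EXPORT = "100:65121"    # exported by the Border, imported by every spoke
SPOKE_EXPORT = "65121:100"  # exported by the spokes, imported by the Border

def build_fabric(spoke_export_override=None):
    """Return {device: {"export", "import", "prefixes"}} for Border + 4 leaves.

    Assumptions: Leaf-N originates the N-th /28 shown at the Border, and the
    Border originates the 0.0.0.0/0 that the leaves show as B*.
    """
    override = spoke_export_override or {}
    fabric = {"Border": {"export": {HUB_EXPORT}, "import": {SPOKE_EXPORT},
                         "prefixes": ["0.0.0.0/0"]}}
    for n in range(1, 5):
        leaf = f"Leaf-{n}"
        fabric[leaf] = {"export": {override.get(leaf, SPOKE_EXPORT)},
                        "import": {HUB_EXPORT},
                        "prefixes": [f"21.101.15.{16 * (n - 1)}/28"]}
    return fabric

def imported_routes(fabric):
    """A VRF installs a remote route only if an export RT matches its import RT."""
    tables = {}
    for name, vrf in fabric.items():
        tables[name] = sorted(
            prefix
            for peer, other in fabric.items() if peer != name
            if other["export"] & vrf["import"]
            for prefix in other["prefixes"])
    return tables

def audit(fabric, hub="Border"):
    """Report spokes the hub cannot reach and spokes that import each other."""
    spokes = [d for d in fabric if d != hub]
    missing = [s for s in spokes
               if not fabric[s]["export"] & fabric[hub]["import"]]
    leaks = [(a, b) for a in spokes for b in spokes
             if a != b and fabric[b]["export"] & fabric[a]["import"]]
    return {"hub_missing": missing, "spoke_to_spoke": leaks}

if __name__ == "__main__":
    good = build_fabric()
    print(imported_routes(good))
    print(audit(good))
    # Constructed failure: one digit dropped from Leaf-3's export RT.
    bad = build_fabric({"Leaf-3": "6512:100"})
    print(imported_routes(bad)["Border"], audit(bad))
```

In the constructed failure the leaf still imports the default route, so its hosts can send toward the Border while the return prefix is absent there; the audit surfaces that before deployment.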

-
Single Cluster Fabric Architecture

Shared Spine:
• Small/mid size fabric design alternative
• Single fabric domain with shared Spine system across all network blocks
• Direct or multi-hop away iBGP or eBGP L2VPN peer support
• Flexible overlay IPv4/v6 ECMP multipath support

Diagram: DC – EVPN, DC – ACI (APIC), WAN (IP | MPLS | EVPN, SD-WAN), Shared-Services and DMZ (Internet) blocks attached to a shared Spine; Leaf

-
Non-Hierarchical Fabric Design

Non-Hierarchical Fabric:
• Non-hierarchical dynamic overlay VXLAN tunnels
• Layer 2 / 3 overlay topologies based on route-target policies
• Linear VN & Leaf growth may impact overall fabric domain scale
• Limited Layer 2 flood control support

Diagram: DC – EVPN, DC – ACI (APIC), WAN (IP | MPLS | EVPN, SD-WAN), Shared-Services and DMZ (Internet) blocks; Leaf; Layer 3 and Layer 2 Overlay VXLAN Tunnels (legend: L3 VXLAN Tunnel, L2 VXLAN Tunnel)

-
Multi Cluster Fabric Architecture

Super Spine ASN: 65100
• Cluster-1 ASN: 65101
• Cluster-2 ASN: 65102
• Cluster-3 ASN: 65103

Distributed Spine:
• Mid to large size fabric design alternative
• Reduce fault-domain with distributed RR & RRC clusters for high scale fabric
• Structured fabric control-plane architecture between distributed Spine and Super-Spine
• Optimized fabric and system scale, performance and resiliency

Diagram: DC – EVPN, DC – ACI (APIC), WAN (IP | MPLS | EVPN, SD-WAN), Shared-Services and DMZ (Internet) blocks attached through Border-Leaf, Leaf and Border nodes; Super Spine; Border Spine; Leaf

-
Scalable Multi Cluster Fabric Architecture

Scalable Fabric Cluster:
• Increase fabric domain scale with hierarchical dynamic overlay VXLAN tunnels per fabric cluster
• Consistent Layer 2 domain scale size as traditional non-fabric networks
• Scalable overlay routing with per-VN prefix summarization and re-origination by each Border Spine cluster
• End-to-End Unicast IPv4/IPv6 support. Layer 2 Mobility and overlay Multicast limited per cluster

Diagram: DC – EVPN, DC – ACI (APIC), WAN (IP | MPLS | EVPN, SD-WAN), Shared-Services and DMZ (Internet) blocks attached through Border-Leaf, Leaf and Border nodes; Cluster-1, Cluster-2 and Cluster-3, each with Border Spine, Leaf, and its own Layer 3 and Layer 2 Overlay VXLAN Tunnels; Layer 3 Overlay VXLAN Tunnels between clusters (L2 per cluster, L3 across)

-
Multi-Site Fabric Architecture

Multisite Fabric:
• Well-structured fabric overlay solution for large EN/DC networks
• Single fabric site representation enables scalable overlay network hierarchy
• Granular control of Layer 2 and Layer 3 overlay flood and routing control
• Seamless integration between Catalyst and Nexus 9K (Border-GW)

Diagram: SITE-1 and SITE-2, each with Spine and Leaf; ACI APIC; WAN; Internet; Layer 3 and Layer 2 Overlay VXLAN Tunnels within and between sites (legend: L3 VXLAN Tunnel, L2 VXLAN Tunnel)

-
Segmentation: Logical Local Grouping
Macro-Segmentation: Extended Group with EVPN
Micro-Segmentation: Policy-Plane enforced fabric

Diagram labels: VLAN, VRF, EVPN, VXLAN, VXLAN GBP; numbered endpoints (11-15, 21-25, 31-35, 41-45, 51-55) grouped per VRF

-
Micro Segmentation

• Identity Service Engine
• Groups: 10 Finance, 20 Engineering, 30 Building Management
• VXLAN GBP at the Fabric Edge/Leaf
• Classification and Enforcement

Ethernet Frame
• Underlay Transport: MAC | IPv4
• Encapsulation: UDP (DPORT: 4789) | VXLAN
• Overlay Unicast Payload: MAC | IP v4 | v6 | Payload
• FCS

VXLAN GBP Header
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|G|R|R|R|I|R|R|R|R|D|R|R|A|R|R|R|        Group Policy ID        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          VXLAN Network Identifier (VNI)       |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
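The VXLAN GBP header from this slide, parsed and used for an egress enforcement decision, as an added Python example (not from the original deck). Flag meanings (G = Group Policy ID present, I = VNI valid, D = Don't Learn, A = policy Applied) follow the VXLAN Group Policy Option draft; the permit matrix, the default-deny choice for untagged frames and the sample headers are constructed assumptions.

```python
import struct

# Flag positions follow the bit layout on the slide (bit 0 = most significant).
FLAG_G = 0x80  # byte 0, bit 0: Group Policy ID present
FLAG_I = 0x08  # byte 0, bit 4: VNI valid
FLAG_D = 0x40  # byte 1, bit 9: Don't Learn
FLAG_A = 0x08  # byte 1, bit 12: policy already Applied upstream

GROUPS = {10: "Finance", 20: "Engineering", 30: "Building Management"}  # slide
# Constructed policy matrix (assumption): allowed (source, destination) groups.
PERMIT = {(10, 10), (20, 20), (30, 30), (20, 30)}

def build_header(vni, group_id=None, dont_learn=False, applied=False):
    """Build an 8-byte VXLAN-GBP header; used here to construct sample input."""
    f0 = FLAG_I | (FLAG_G if group_id is not None else 0)
    f1 = (FLAG_D if dont_learn else 0) | (FLAG_A if applied else 0)
    return struct.pack("!BBHI", f0, f1, group_id or 0, vni << 8)

def parse_header(data):
    """Decode flags, Group Policy ID and VNI from the first 8 bytes."""
    if len(data) < 8:
        raise ValueError("VXLAN header needs 8 bytes")
    f0, f1, group_id, vni_word = struct.unpack("!BBHI", data[:8])
    if not f0 & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return {
        "vni": vni_word >> 8,                       # low 8 bits are Reserved
        "group_id": group_id if f0 & FLAG_G else None,
        "dont_learn": bool(f1 & FLAG_D),
        "policy_applied": bool(f1 & FLAG_A),
    }

def enforce(header_bytes, dst_group):
    """Egress decision, 'permit' or 'deny', for a frame headed to dst_group."""
    hdr = parse_header(header_bytes)
    if hdr["policy_applied"]:
        return "permit"   # A bit: policy was enforced upstream, do not re-apply
    src = hdr["group_id"]
    if src is None:
        return "deny"     # untagged frame; default-deny is this example's choice
    return "permit" if (src, dst_group) in PERMIT else "deny"

if __name__ == "__main__":
    sample = build_header(vni=10101, group_id=10)   # constructed: Finance source
    print(sample.hex(), parse_header(sample))
    print("Finance -> Engineering:", enforce(sample, 20))
```

Honouring the A bit means trusting whoever set it, so this check only makes sense for frames that arrive from VTEPs inside the fabric.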

-
Multicast over VXLAN
-
Overlay RP Design

Layer 3 Overlay RP options shown:
• Distributed Anycast RP
• Fabric Border RP
• External Domain RP (RP to RP over MSDP, IP domain): Global Overlay RP Design

Per-VRF RP and MDT (same values on all three panels; mVPN 65001):
VRF     RP IP                     MDT
Blue    Anycast Lo1: 10.1.1.101   239.1.1.101
Yellow  Anycast Lo2: 10.2.1.101   239.2.1.101
Green   Anycast Lo3: 10.3.1.101   239.3.1.101

• Standard-based Multicast overlay network design support
• Flexible Multicast RP design alternatives to address scale, performance, resiliency
• AnyCast RP at Leaf or Border enables distributed Multicast administrative domains supporting unified routing policies
• Unified Multicast RP between Underlay and Overlay RP supporting existing brownfield deployment models

Diagram: Border (SVL); Spine; Leaf; EVPN

-
TRM Default MDT

vrf definition S1-EVPN
 rd 10:10
 !
 address-family ipv4
  mdt auto-discovery vxlan inter-as
  ! MDT Default
  mdt default vxlan 239.1.1.1
  mdt overlay use-bgp spt-only

Challenges
• Non-selective overlay Multicast replication
• Inessential core network bandwidth utilization
• Redundant system resources utilization
• Limited scale for dense network environment

Diagram: EVPN TRM Multicast Network; Blue VRF Default MDT: 239.1.1.1; Sources 239.101.1.1 and 239.101.1.2; Receivers 239.101.1.1 and 239.101.1.1; DROP markers at Border and Leaf

-
TRM Data MDT

vrf definition S1-EVPN
 rd 10:10
 !
 address-family ipv4
  mdt auto-discovery vxlan inter-as
  mdt default vxlan 239.1.1.1
  ! MDT Data
  mdt data vxlan 239.1.2.0 0.0.0.255
  mdt data threshold 1
  mdt overlay use-bgp spt-only

Key Benefits
• Stateful L2 Multicast Overlay network
• Industry-standard based control-plane
• Applicable to Centralized Gateway or Cross-Connect Overlay networks
• Scale. Performance. Security.

Diagram: EVPN TRM Multicast Network; Blue VRF Default MDT: 239.1.1.1; Blue VRF Data MDT: 239.1.2.1 and 239.1.2.2; Sources 239.101.1.1 and 239.101.1.2; Receivers 239.101.1.1 and 239.101.1.1; DROP markers at Border and Leaf

-
EVPN Fabric Interworking

-
Layer 2 Handoff Options

• L2 VLAN Handoff: Terminate Bridge Domain
• VPLS Handoff: Interworking Bridge Domain
• EVPN Fabric: Multi-Site L2 Extension

Seamless Layer 2 Handoff:
• Multiple end-to-end seamless Layer 2 extensions supported across the fabric and beyond
• Terminate L2 overlays and perform simple Layer 2 trunk handoff to non-fabric devices, i.e., Firewalls
• Integrated EVPN Border and VPLS PE function to extend multi-domain L2 for seamless migrations
• Extendable Layer 2 EVPN domains with highly scalable Catalyst and Nexus 9000 Multisite Border Gateway

Diagram: L2, VPLS (PE) and EVPN (Border GW) external domains above Border / Border GW; EVPN fabric with Spine and Leaf; L2 at the Leaf
-
Layer 3 Handoff Options

• IP VRF Handoff: Terminating Routing Domain
• MPLS VPN Handoff: Interworking Overlay Domain
• EVPN Fabric: Re-originating Fabric Domain

Integrated Extranet:
• Transparent EVPN handoff to Layer 2 or Layer 3 to traditional underlay segmented networks
• Seamless multi-domain interworking at Border – IP, MPLS VPN, EoMPLS/VPLS, SD-WAN, etc.
• Extendable Unicast | Multicast support for IPv4 and IPv6 between EVPN to external domain
• Dedicated or collapsed system-role – Leaf, Spine, Border, Border-Leaf, Border-Spine

Diagram: L2/L3, MPLS and EVPN external domains above the Border; EVPN fabric with Spine and Leaf; L3 at the Leaf

-
Fabric Deployment Options

-
Cisco Enterprise BGP EVPN Solution

• Do-It-Yourself
• Programmable
• Intent-Based (Q1CY25)

Diagram: Intent; EVPN; Intent Based Network Infrastructure

-
Feature + Solution
BGP EVPN Automation – Ansible & Terraform

Stages: playbooks, inputs, processing, validation
• Playbooks: underlay, overlay, access
• Inputs: inventory.yml, group/all.yml, hosts/<node>.yml
• Processing: Modules, Templates
• Validation: Preview, Commit
Diagram labels: SSH; EVPN Terraform Provider

• Day 0: Leaf/Spine/Border Design, DAG, VRFs, VN
• Day 1: Incremental changes – add/delete IP/MAC VRF/VTEP/Access int
• Day N: L3TRM, IPv6 etc.

Solution Playbooks
• L3 + L2 VNI add: Same playbook to add L3/L2 VNIs. E.g., add one or multiple L3/L2 VNIs using the same playbook
• Post Checks: Framework for post-check. E.g., BGP status up/down, overlay ping checks
• Overlay config: Solution level deployment. E.g., IPv4 + IPv6 + TRM in a single playbook
• Pre-checks: Framework for pre-checks. E.g., license check, underlay reachability check

-
Q1CY25
SD-Access: Choose Your Fabric Control-Plane
Zero-Trust Workplace (LISP or BGP EVPN)

• Control plane: LISP or BGP EVPN
• Single Data-Plane: VXLAN
• With Wireless
• IBN based workflows
• Automation
• Assurance
• Macro/Micro Segmentation
• SD-Access for Zero Trust

Seamless experience irrespective of choice of protocol
• Either LISP or BGP EVPN Control Plane
-
Underlay Provisioning
Build your Underlay

• LAN Automation
• DIY: DNAC Template Editor, Programmable CLI
• EIGRP | OSPF | ISIS

SDA with EVPN: BGP underlay is not supported
-
Fabric Roles & Fabric Groups

Fabric Roles: Border, Spine, Leaf

Fabric Groups:
• Leaf Groups: Leaf-Group 1, Leaf-Group 2, Leaf-Group 3, Leaf-Group 4
• Spine Group
• Border Groups: Border-Group 1, Border-Group 2, Border-Group 3, Border-Group 4
• Border Spine Group

Spine Group: 1 per fabric site
-


SD-Access with BGP EVPN: Supported Underlays

Layer 3 Access
• Leaf Layer – Access
• Spine/RR – Direct | Multi-hop
• Overlay IP gateway
• L2 | L3 Overlay support | Multicast

Cisco StackWise-Virtual
• Leaf Layer – Access
• Spine/RR – Direct | Multi-hop
• Overlay IP gateway
• L2 | L3 Overlay support | Multicast

Diagram: Border Spine; Spine; Leaf; Leaf as SVL

TECENS-2680 © 2025 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
-
SD-Access with BGP EVPN: Overlay Topologies

• Layer 3 Overlays
• Distributed Anycast Gateway (L3 Overlay and L2 Overlay)
• Ingress Replication
• Multicast Replication
• Micro-Segmentation

Diagram: Spine Group; Border Spine or Spine Group; Border Group; Leaf Group-1 and Leaf Group-2

-
SD-Access with BGP EVPN: TRM & Border Handoff

Tenant Routed Multicast
• Default MDT | Data MDT
• RP options: Anycast RP, Fabric RP, External RP

Border Handoff BGP
• VRF-Lite
• Handoff at Spine Border
• Handoff at Border

Diagram: L3 Overlay and L2 Overlay across Spine Group, Spine / Border Group, Border Group, and Leaf Group-1 and Leaf Group-2
-
SD-Access with BGP EVPN: Wireless Deployments

• Transparent Wireless support in fabric. Intact WLC and AP communication in Underlay
• Flexible SSID alternatives – Central Switching, Local Switching, Central + Local Switching
• Fabric boundary initiates from Wireless Client IP gateway. Flex Local seamless roaming up to 300 AP.
• Consistent Wired and Wireless network access control policy enforcement

Supported Wireless Modes
• Central Switching SSID (CAPWAP)
• Local Switching SSID (802.1Q)

Diagram: Spine group; Spine Border group; Leaf group-1 and Leaf group-2 (802.1Q); AP (CAPWAP)

-
SD-Access with BGP EVPN: Assurance
Cisco Catalyst Center

Device Mgmt | 360° | Topology | Fabric Infrastructure | Fabric Site Connectivity | Base Automation | Network Profiles | SWIM

• VNI Status
• NVE peer detection
• AAA Server Status
• L3 VN Topology View
• L2 VN Topology View
• BGP peer monitoring to Spine
• BGP peer monitoring to Non Fabric peer

-
Webex App
Questions? Use the Webex app to chat with the speaker after the session

How
1. Find this session in the Cisco Events mobile app
2. Click “Join the Discussion”
3. Install the Webex app or go directly to the Webex space
4. Enter messages/questions in the Webex space

Webex spaces will be moderated by the speaker until February 28, 2025.

-
Continue your education
• Visit the Cisco Showcase for related demos
• Book your one-on-one Meet the Engineer meeting
• Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
• Visit the On-Demand Library for more sessions at ciscolive.com/on-demand. Sessions from this event will be available from March 3.

Contact me at: ragoli@cisco.com

-
Thank you
