Multi-Site VXLAN Lab With BGP EVPN

6/28/24, 7:55 AM (1) Multi-Site VXLAN Lab with BGP EVPN | LinkedIn
Home My Network Jobs Messaging Notifications Me For Business Get Premium f
Multi-Site VXLAN Lab with BGP

EVPN
Vishel Han Zaw Tun
Network Engineer| Network Security Engineer | CCNP
Enterprise
June 9, 2024
1. Overview
This lab is designed to explore complex multi-site VXLAN (Virtual
Extensible LAN) using EVE-NG. I will be providing you with sample
configurations and steps so that you can also setup and explore.
I used EVE-NG bare metal for this lab. The actual EVE-NG topology is quite
messy, and it is a good idea to create your own diagram with either Visio
or Draw.io. Then, you can map all the nodes with the diagram in EVE-NG
and accessed nodes by clicking on the nodes. Another reason why I prefer
EVE-NG is that it provides faster and easier packet capturing capabilities.
All of this information can be found at www.eve-ng.net. This lab can
consume significant amount of CPU and RAM. I will not get into details
about the requirements. I suggest you use Cisco documentation to figure
out the resources. It is also a good idea to throw more resources if you
can.
Figure 1 - Multi-Site VXLAN Lab with BGP EVPN Topology
https://www.linkedin.com/pulse/multi-site-vxlan-lab-bgp-evpn-part-1-henry-thompson-m3yme/ 1/75
Note: The diagram that I posted here is somehow blurry. I believe it is the
limitation of the LinkedIn. You can download from here by my one-drive
link Multi-Site VxLan Lab with BGP EVPN.png.
Figure 2 - Actual EVE-NG Topology
Before we go deeper, I want to show you the packet capture from ISP-1
router interface Gi3.
Figure 3 - vMotion VNI-10000 Packet Capture from Server 3 to Server 1
As you can see in Figure 3, the traffic from Server 3 to Server 1 is passed
over VXLAN and you can clearly see the VXLAN headers. The standard
MTU size for Ethernet is 1500. Unless you use direct fiber cable between
two DCs or have some arrangements with ISPs, I believe it is impossible to
run jumbo frames between two DCs. Fort that reason, MTU of all the
network devices are adjusted to 1500 and the servers are set with MTU
1370 bytes. In this capture, L2 VNI-10000 is extended from DC 1 to DC 2.
This is a demonstration that the VXLAN over the Internet can work
properly. For production environment, you might consider using CloudSec
to securely encrypt the VXLAN. You can refer to Cisco documentation
about how CloudSec. We will not be exploring CloudSec in this lab.
I hope you have good understanding of BGP. At least you have good
understanding of how BGP works in normal Cisco routers so that you can
catch up with the Nexus and Palo Alto BGP configurations. I used the
following KVM images in this lab.
Spine Switches - Cisco Nexus 9500 KVM images
Leaf Switches - Cisco Nexus 9300 KVM images

WAN Routers & ISP Routers - Cisco Catalyst 8000 Virtual KVM
images
F5 Load Balancers - F5 Big IP Virtual Edition KVM images
Palo Alto Firewalls - Palo Alto VM Firewalls KVM images
Servers - Cisco IOSv Router images

ToR Switches - Cisco IOSvL2 Switch images
Developer PCs - Windows 10 Enterprise Evaluation images
You should set up the identical lab and make VXLAN works in your own
lab. It is important to have hand-on experience so that you have clear
pictures of VXLAN configurations, and you can troubleshoot when
something does not work.
I also run vPC between all the Leaf Switch pairs. You should also disable
the links between two ToR switches if you encounter mac flapping as this
is not important for the purpose of learning VXLAN.
Data Center 1 is setup using Multi-AS Model with eBGP Underlay. This
model is better as you do not need to use any other routing protocol
rather than BGP. BGP is more stable and scalable as the network grows. All
routing devices are running their own AS in this model. During underlay
configuration eBGP peering is achieved using physical interface IP
addresses and it is used to advertise Loopback interfaces which will be
used for overlay eBGP peering used by VTEPs. For leaf switches running
vPC, it is important to advertise both primary and secondary loopback
addresses. vPC will not be functional without secondary loopback IP
address.
Data Center 2 is setup using a Single AS model with OSPF Underlay. OSPF
will be used to achieve underlay reachability. For overlay, we will use iBGP
and the spine switches will be configured as route reflectors. During data
center inter-connect, you may need to perform redistribution between
iBGP and OSPF so that we have full reachability between DC 1 and DC 2
loopback interfaces from Nexus Switches.
As for the VNIs, VNI 5000 is L2 VNI and which will terminate at the Palo
Alto Firewalls. VNI 15000 is L3 VNI on border leaf switches and both
switches can be configured using the same IP using Anycast Gateway. VNI
10000 is used for vMotion LAN, and the VXLAN fabric is extended from DC
1 to DC 2 via layer 3 core. This is to satisfy the vMotion requirements of L2
adjacency between two VMs.
If you want to learn more about VXLAN and EVPN, you can refer to RFC
7348 (Virtual eXtensible Local Area Network (VXLAN): A Framework for
Overlaying Virtualized Layer 2 Networks over Layer 3 Networks) and RFC
8365 (A Network Virtualization Overlay Solution Using Ethernet VPN
(EVPN)).
2. Underlay Configurations
The purpose of underlay network is to provide reachability between
loopback interfaces which will be used as source interface for VTEPs
(VXLAN Tunnel End Point). After completing the configuration of all the
switches, please make sure to test the reachability between loopback
interfaces.
2.1. Data Center 1

NX9K-Spine-1 Underlay Configuration
hostname NX9K-Spine-1
!
feature bgp
!
system jumbomtu 1500
!
interface Ethernet1/1
description CONNECT-TO-NX9K-Leaf-1
ip address 10.0.0.1/30
no shutdown
!
no shutdown
!
description CONNECT-TO-Border-Leaf-1
no shutdown
!
no shutdown
!
interface loopback0
!
router bgp 65501
router-id 1.1.1.1
address-family ipv4 unicast
network 1.1.1.1/32
!
neighbor 10.0.0.2
remote-as 64611
description BGP-Underlay-To-NX9K-Leaf-1
!
neighbor 10.0.2.2
remote-as 64622
!
neighbor 10.0.4.2
remote-as 64633
description BGP-Underlay-To-NX9K-Border-Leaf-1
!
neighbor 10.0.6.2
remote-as 64644
!
feature bgp
!
!
no shutdown
!
no shutdown
!
no shutdown
!
description CONNECT-TO-NX9K-Border-Leaf-1
no shutdown
!
interface loopback0
!
router bgp 65502
router-id 2.2.2.2
network 2.2.2.2/32
!
neighbor 10.0.1.2
remote-as 64611
!
neighbor 10.0.3.2
remote-as 64622
!
neighbor 10.0.5.2
remote-as 64633
!
neighbor 10.0.7.2
remote-as 64644
NX9K-Leaf-1 Underlay Configuration
hostname NX9K-Leaf-1
!
feature bgp
feature lacp
feature vpc
feature interface-vlan
!
!
vlan 1,500,1000
!
vlan 500
name DC-1-SERVER-TENANT
!
vlan 1000
name V-MOTION
!
vrf context VPC-KEEPALIVE
!
vpc domain 10
role priority 10
peer-keepalive destination 10.0.8.2 source
10.0.8.1 vrf VPC-KEEPALIVE
ip arp synchronize
!
interface Vlan500
description SERVER-TENANT
no shutdown
!
interface Vlan1000
description V-MOTION
no shutdown
!
interface port-channel10
switchport mode trunk
switchport trunk allowed vlan 1,500,1000
spanning-tree port type network
vpc peer-link
!
description CONNECT-TO-NX9K-Spine-1
no switchport
no shutdown
!
no switchport
no shutdown
!
description CONNECT-TO-F5-LTM-1
switchport access vlan 500
!
description V-Motion
switchport trunk allowed vlan 1000
!
description VPC-PEER-KEEPALIVE
no switchport
vrf member VPC-KEEPALIVE
no shutdown
!
channel-group 10 mode active
!
!
interface loopback0
ip address 11.11.11.11/32
ip address 1.0.0.1/32 secondary
!
# The secondary IP address of the Loopback0 must be
the same for vPC peer leaf switch.
!
router bgp 64611
router-id 11.11.11.11
network 1.0.0.1/32
network 11.11.11.11/32
!
neighbor 10.0.0.1
remote-as 65501
description BGP-Underlay-To-NX9K-Spine-1
!
neighbor 10.0.1.1
remote-as 65502
NX9K-Leaf-2 Underlay Configuration
hostname NX9K-Leaf-2
!
feature bgp
feature lacp
feature vpc
!
!
vlan 1,500,1000
!
vlan 500
!
vlan 1000
name V-MOTION
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan500
no shutdown
!
interface Vlan1000
no shutdown
!
vpc peer-link
!
no switchport
no shutdown
no switchport
no shutdown
!
no switchport
no shutdown
!
!
!
interface loopback0
ip address 22.22.22.22/32
!
!
router bgp 64622
router-id 22.22.22.22
network 1.0.0.1/32
network 22.22.22.22/32
!
neighbor 10.0.2.1
remote-as 65501
!
neighbor 10.0.3.1
remote-as 65502
NX9K-Border-Leaf-1 Underlay Configuration
hostname NX9K-Border-Leaf-1
!
feature lacp
feature vpc
feature bgp
!
!
fabric forwarding anycast-gateway-mac 000a.000b.000c
!
vlan 1,10,126,150,500
!
vlan 10
name DC-INTERCONNECT
!
vlan 126
name LINK-L3-VNI-TO-PA-FW
!
vn-segment 12600
vlan 150
name DC-1-Developer-Network
!
vlan 500
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan10
description DC-INTERCONNECT
no shutdown
ip address 10.0.30.3/29
!
interface Vlan126
description LINK-L3-VNI-TO-PA-FW
no shutdown
vrf member L3-VNI-LINK-TO-PA-FW
!
interface Vlan150
no shutdown
vrf member DC-1-Developer-Network
!
interface Vlan500
no shutdown
ip forward
!
switchport trunk allowed vlan 1,10,126,150,500
vpc peer-link
!
description CONNECT-TO-PA-FW-1
no switchport
no shutdown
!
no switchport
no shutdown
!
no switchport
no shutdown
!
!
interface loopback0
ip address 33.33.33.33/32
!
!
router bgp 64633
router-id 33.33.33.33
network 1.0.0.3/32
network 33.33.33.33/32
!
neighbor 10.0.4.1
remote-as 65501
!
neighbor 10.0.5.1
remote-as 65502
!
neighbor 10.0.30.1
remote-as 64512
description PEERING-TO-PA-FW
!
feature lacp
feature vpc
feature bgp
!
!
!
vlan 1,10,126,150,500
!
vlan 10
name DC-INTERCONNECT
!
vlan 126
!
vn-segment 12600
vlan 150
!
vlan 500
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan10
no shutdown
ip address 10.0.30.4/29
!
interface Vlan126
no shutdown
!
interface Vlan150
no shutdown
!
interface Vlan500
no shutdown
ip forward
!
vpc peer-link
!
!
!
no switchport
no shutdown
!
no switchport
no shutdown
!
no switchport
no shutdown
!
!
!
interface loopback0
ip address 44.44.44.44/32
!
!
router bgp 64644
router-id 44.44.44.44
network 1.0.0.3/32
network 44.44.44.44/32
!
neighbor 10.0.6.1
remote-as 65501
neighbor 10.0.7.1
remote-as 65502
neighbor 10.0.30.1
remote-as 64512
description PEERING-TO-PA-FW
PA-FW-1&2 HA Configuration
I will briefly provide the Palo Alto firewall configuration with screen shots.
If you are familiar with Palo Alto firewall configuration, it should be easy
for you to setup by looking at the screenshots. The first step is to
configure HA for both firewall since the firewalls will be running Active-
Passive mode. In the production environment using physical firewall, you
might want to do Active-Active Cluster with vPC port channel.
Unfortunately, the port-channel feature is not supported for Palo Alto VM
series firewalls. As the first step of HA configuration set the HA interfaces
as you can see in Figure 3.
Figure 3 - Setting Interface to HA Interface Type
Then, configure the basic HA Pair Settings for each firewall as shown in
Figure 4. Refer to the IP addressing from the Figure 1 Topology and Use
"1" for PA-FW-1 and "2" for PA-FW-2.
Figure 4 - Setting HA Pair Settings
The next step will be configuring Control Links. Make sure you use the
right IP address for each firewall.
Figure 5 - HA Control Links Configuration
Once the HA setup is completed, verify the HA status quickly from

Dashboard.
Figure 6 - HA Status
PA-FW L2 VLAN Configuration
The next step will be configuring the Layer 2 VLAN. There are four ways
you can configure VLANs in Palo Alto firewalls. Here, we will use the L2
VLANs with L3 VLAN Interfaces.
Figure 7 - HA Status
PA-FW L3 VLAN Interface Configuration
You can map here with the L2 VLANs that you configured in the previous
steps at the VLAN tab.
Figure 8 - L3 VLAN Interface Configuration.
The next step would be configuring ethernet interfaces and sub-interfaces.

Make sure to tag the right VLAN for sub interfaces. I am also attaching
PING profiles in case if it is required for troubleshooting.
Figure 9 - Ethernet Interfaces and Sub Interfaces Configuration
You might also want to create zones and assigned the L3 interfaces in the
right zones.
Figure 10 - L3 Zones
Since we are just testing VXLAN here, I am going to allow all the traffic.
You might want to configure more secure rules in the production
environment. Remember, the first step is not to troubleshoot firewall rules,
but to get the VXLAN working. Then, you can tidy up the rules later on.
Figure 11 - ALLOW-ALL-Rule
We will create a new "Virtual Router" called "VxLAN-LAB" and all the
interfaces will be assigned to this virtual router.
Figure 12 - VxLAN Virtual Routers
Figure 13 - Static Routes toward Developer PC Network
Then, we will create redistribute profiles to redistribute static and conned

routes
Figure 14 - Redistribute Profiles to Redistribute Routes into BGP
Palo Alto BGP configuration is also the same as you would configure on a
Cisco Router.
Figure 15 - BGP General Settings
We configure BGP neighbors at the Peer Group tab in Palo Alto. It is just
the GUI
Figure 16 - Configuring BGP Neighbors
This is pretty much the same concept with normal Cisco switch BGP
configuration and if you understand Cisco switch BGP configuration, you
know what it is going on here.
Figure 17 - BGP Peer Group/Peer Configuration
Figure 18 - BGP Peer Configuration
We will be configuring Redist Rules from Redistribution Profiles that we

configured earlier.
Figure 19 - BGP Redistribution Profile
We will set the ORIGIN type as IGP.
Figure 20 - BGP Redistribution Rule
WAN-R-1 Configuration
The configuration here is self-explanatory. I would not get into much

detail.
hostname WAN-R-1
!
vrf definition ISP-1
rd 64613:1
!
address-family ipv4
exit-address-family
!
rd 64613:2
!
address-family ipv4
exit-address-family
!
interface GigabitEthernet1
description CONNECT-TO-PA-FW-E1/3
vrf forwarding ISP-1
ip address 172.0.0.1 255.255.255.252
negotiation auto
!
ip address 172.0.1.1 255.255.255.252
negotiation auto
!
ip address 121.1.33.2 255.255.255.252
negotiation auto
!
ip address 121.1.44.2 255.255.255.252
negotiation auto
!
router bgp 64513
bgp router-id 13.13.13.13
bgp log-neighbor-changes
!
address-family ipv4 vrf ISP-1
neighbor 121.1.33.1 remote-as 1000
neighbor 121.1.33.1 activate
neighbor 172.0.0.2 default-originate
exit-address-family
!
exit-address-family

detail.
hostname WAN-R-2
!
boot-start-marker
boot-end-marker
!
!
rd 64613:1
!
address-family ipv4
exit-address-family
!
rd 64613:2
!
address-family ipv4
exit-address-family
!
ip address 172.0.0.1 255.255.255.252
negotiation auto
!
ip address 172.0.1.1 255.255.255.252
negotiation auto
!
ip address 121.2.33.2 255.255.255.252
negotiation auto
!
ip address 121.2.44.2 255.255.255.252
negotiation auto
!
router bgp 64513
!
exit-address-family
!
exit-address-family
Server-1 Configuration

detail. I am using Cisco vIOS routers as servers to save resources.
hostname Server-1
!
interface GigabitEthernet0/0
mtu 1370
ip address 192.168.22.10 255.255.255.0
no shutdown
!
enable secret Secure123
!
username admin privilege 15 secret Secure123
!
ip route 0.0.0.0 0.0.0.0 192.168.22.1
!
line vty 0 4
login local
transport input telnet
hostname Server-2
!
mtu 1370
ip address 192.168.22.20 255.255.255.0
no shutdown
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.22.1
!
line vty 0 4
login local
ToR-SW-1 Configuration
hostname ToR-SW-1
!
vlan 1000
name VMotion-LAN
!
switchport mode access
!
shutdown
!
!
switchport trunk encapsulation dot1q
negotiation auto
hostname ToR-SW-2
!
vlan 1000
name VMotion-LAN
!
!
shutdown
!
!
negotiation auto
F5-LTM-1 & 2 Configuration
You can follow the initial F5 setup wizard to activate trial license, setup HA,
and configure internal and external interfaces. For IP addressing, you can
refer to the initial topology. This is pretty straight forward. Adding F5 to
this VXLAN Lab is just for fun. I will not add more detail as the lab is too
much already. I will create a new article about F5 LTM configuration with
more step-by-step details in the future.
Figure 21 - F5 General Configuration
Figure 22 - HA VLAN Configurations
Figure 23 - F5 External VLAN Configuration
Figure 24 - F5 Internal VLAN Configuration
Figure 25 - F5 Self IP List
Figure 26 - F5 Node List
Figure 27 - F5 Pool List Server Pool Members
Figure 28 - F5 Virtual Servers List
Figure 29 - F5 Virtual Address List
Figure 30 - F5 Virtual Server Telnet
Once, the F5 has been successfully setup, you can try to access the servers
using virtual server IP address. Since, we are running quite a lot of Nexus
switches, the response may be slow sometimes.
Figure 31 - Accessing Servers using F5 Virtual IP address To Test Load Balancing from
Developer-PC-1
2.2. Data Center 2

I would not be going into details here as most of the configuration here is
self-explanatory.
!
feature ospf
!
!
ip address 10.0.20.1/30
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
no shutdown
!
ip address 10.0.18.1/30
no shutdown
!
ip address 10.0.14.1/30
no shutdown
!
ip address 10.0.16.1/30
no shutdown
!
interface loopback0
!
router ospf 1
!
feature ospf
!
!
ip address 10.0.19.1/30
no shutdown
ip address 10.0.21.1/30
no shutdown
ip address 10.0.17.1/30
no shutdown
ip address 10.0.15.1/30
no shutdown
!
interface loopback0
!
router ospf 1
!
feature ospf
feature lacp
feature vpc
!
!
vlan 1,10,126,150,500,1000
!
vlan 126
!
vlan 150
!
vlan 500
!
vlan 1000
name V-MOTION
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan10
no shutdown
no ip redirects
ip address 10.0.31.2/29
!
interface Vlan126
no shutdown
!
interface Vlan150
description DC-1-Developer-Network
no shutdown
!
interface Vlan500
no shutdown
!
vpc peer-link
!
description CONNECT-TO-PA-FW
!
!
no switchport
ip address 10.0.17.2/30
no shutdown
no switchport
ip address 10.0.16.2/30
no shutdown
!
no switchport
ip address 10.0.22.2/30
no shutdown
!
!
!
interface loopback0
ip address 66.66.66.66/32
!
router ospf 1
!
feature ospf
feature lacp
feature vpc
!
!
vlan 1,10,126,150,500,1000
!
vlan 126
!
vlan 150
!
vlan 500
!
vlan 1000
name V-MOTION
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan10
no shutdown
no ip redirects
ip address 10.0.31.2/29
!
interface Vlan126
no shutdown
!
interface Vlan150
description DC-1-Developer-Network
no shutdown
!
interface Vlan500
no shutdown
!
vpc peer-link
!
!
!
no switchport
ip address 10.0.14.2/30
no shutdown
!
no switchport
ip address 10.0.15.2/30
no shutdown
!
description CONNECT-TO-DEVELOPER-PC-2
!
no switchport
ip address 10.0.22.1/30
no shutdown
!
!
!
interface loopback0
ip address 55.55.55.55/32
!
router ospf 1
NX9k-Leaf-3 Underlay Configuration
hostname NX9k-Leaf-3
!
feature ospf
feature lacp
feature vpc
!
!
vlan 1,500,1000
!
vlan 500
!
vlan 1000
name V-MOTION
!
!
vpc domain 10
role priority 10
ip arp synchronize
!
interface Vlan500
no shutdown
!
interface Vlan1000
no shutdown
!
vpc peer-link
!
no switchport
ip address 10.0.19.2/30
no shutdown
!
no switchport
ip address 10.0.18.2/30
no shutdown
!
!
!
no switchport
ip address 10.0.23.1/30
no shutdown
!
!
!
interface loopback0
ip address 77.77.77.77/32
!
router ospf 1
PA-FW-3 and PA-FW-4 Configuration
Since we have already seen how to configure from GUI, we will use CLI
here.
#Both PA-FW-3&4
set deviceconfig system dns-setting servers primary
192.168.1.168 secondary 8.8.8.8
set deviceconfig system domain ht.local
set deviceconfig system timezone America/New_York
set deviceconfig system ntp-servers primary-ntp-
server ntp-server-address pool.ntp.org
!
set ethernet ethernet1/7 ha
set ethernet ethernet1/7 comment HA-1
set ethernet ethernet1/8 comment HA-1-BACKUP
set ethernet ethernet1/9 comment HA-2
set ethernet ethernet1/10 comment HA-2-BACKUP
# FOR PA-FW-3
set deviceconfig system hostname PA-FW-3
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group mode
active-passive
set deviceconfig high-availability group group-id 10
set deviceconfig high-availability group description
HA-AP-Pair
set deviceconfig high-availability group peer-ip
10.0.24.2
set deviceconfig high-availability group peer-ip-
backup 10.0.25.2
set deviceconfig high-availability group election-
option device-priority 100
option preemptive
option heartbeat-backup yes
option timers recommended
set deviceconfig high-availability group
configuration-synchronization enabled yes
set deviceconfig high-availability group state-
synchronization enabled yes transport ethernet ha2-
keep-alive enabled yes action log-only
!
set deviceconfig high-availability interface ha1
port ethernet1/3 ip-address 10.0.24.1 netmask
255.255.255.252
set deviceconfig high-availability interface ha1-
backup port ethernet1/4 ip-address 10.0.25.1 netmask
255.255.255.252
255.255.255.252
255.255.255.252
# FOR PA-FW-4
set deviceconfig system hostname PA-FW-4
set deviceconfig high-availability enabled yes
set deviceconfig high-availability group mode
active-passive
set deviceconfig high-availability group group-id 10
set deviceconfig high-availability group description
HA-AP-Pair
set deviceconfig high-availability group peer-ip
10.0.24.1
set deviceconfig high-availability group peer-ip-
backup 10.0.25.1
option device-priority 200
option preemptive
option heartbeat-backup yes
option timers recommended
set deviceconfig high-availability group
configuration-synchronization enabled yes
set deviceconfig high-availability group state-
synchronization enabled yes transport ethernet ha2-
keep-alive enabled yes action log-only
!
255.255.255.252
255.255.255.252
255.255.255.252
255.255.255.252
# At Primary Active Firewall

# Configure L2 VLAN
set network vlan "VLAN 500" virtual-interface
interface vlan.500
set network vlan "VLAN 500" interface [
ethernet1/1.500 ethernet1/2.500 ]
interface vlan.126
interface vlan.10
!
# Configure L3 VLAN
set network interface vlan units vlan.126 comment
L3-LINK-TO-BORDER-LEAF
set network interface vlan units vlan.126 ip
30.0.126.1/29
set network interface vlan units vlan.126 interface-
management-profile PING
50.0.0.1/24
set network interface vlan units vlan.500 comment
SERVER-TENANT
10.0.31.1/29
# Configure Security Zones
set zone INSIDE network layer3 [ vlan.126 vlan.500
vlan.10 ]
set zone OUTSIDE network layer3 [ ethernet1/3
ethernet1/4 ]
# Configure Interfaces
set network interface ethernet ethernet1/1 comment
CONNECT-TO-N9K-Border-Leaf
!
set network interface ethernet ethernet1/1 layer2
units ethernet1/1.126 tag 126
!
!
units ethernet1/1.10 comment DC-INTERCONNECT
!
CONNECT-TO-N9K-Border-Leaf
!
!
!
units ethernet1/2.10 comment DC-INTERCONNECT
!
CONNECT-ISP-1&2
set network interface ethernet ethernet1/3 layer3 ip
172.0.2.2/30
interface-management-profile PING
!
set network interface ethernet ethernet1/4 layer3 ip
172.0.3.2/30
interface-management-profile PING
lldp enable no
# Configure Virtual Router VxLAN-LAB

# BGP
set network virtual-router VxLAN-LAB protocol bgp
routing-options graceful-restart enable yes
enable yes
peer-group WAN-Routers type ibgp export-nexthop use-
self
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 peer-
address ip 172.0.2.1
peer-group WAN-Routers peer WAN-R-VRF-ISP-1
subsequent-address-family-identifier unicast yes
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 local-
address ip 172.0.2.2/30
address interface ethernet1/3
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 enable
yes
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 peer-as
65000
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 enable-
mp-bgp yes
peer-group WAN-Routers peer WAN-R-VRF-ISP-1 address-
family-identifier ipv4
reflector-client non-client
peer-group WAN-Routers peer WAN-R-VRF-ISP-2 peer-
address ip 172.0.3.1
address ip 172.0.3.2/30
address interface ethernet1/4
peer-group WAN-Routers peer WAN-R-VRF-ISP-2 enable
yes
peer-group WAN-Routers peer WAN-R-VRF-ISP-2 peer-as
65000
peer-group WAN-Routers peer WAN-R-VRF-ISP-2 enable-
mp-bgp yes
peer-group WAN-Routers peer WAN-R-VRF-ISP-2 address-
family-identifier ipv4
reflector-client non-client
peer-group WAN-Routers soft-reset-with-stored-info
yes
peer-group WAN-Routers enable yes
peer-group Border-Leaf-Switches type ibgp export-
nexthop use-self
peer-group Border-Leaf-Switches peer Border-Leaf-3
peer-address ip 10.0.31.2
local-address ip 10.0.31.1/29
local-address interface vlan.10
enable yes
peer-as 65000
enable-mp-bgp yes
address-family-identifier ipv4
reflector-client client
peer-address ip 10.0.31.3
local-address ip 10.0.31.1/29
local-address interface vlan.10
enable yes
peer-as 65000
enable-mp-bgp yes
address-family-identifier ipv4
reflector-client client
peer-group Border-Leaf-Switches soft-reset-with-
stored-info yes
peer-group Border-Leaf-Switches enable yes
reject-default-route no
allow-redist-default-route yes
router-id 17.17.17.17
local-as 65000
install-route yes
policy export rules Export-to-iBGP-Neighbor action
allow update nexthop 10.0.31.1
policy export rules Export-to-iBGP-Neighbor match
route-table unicast
policy export rules Export-to-iBGP-Neighbor used-by
Border-Leaf-Switches
policy export rules Export-to-iBGP-Neighbor enable
yes
policy export rules EXPORT-TO-WAN-Routers action
allow update nexthop 172.0.2.2
policy export rules EXPORT-TO-WAN-Routers match
route-table unicast
policy export rules EXPORT-TO-WAN-Routers used-by
WAN-Routers
policy export rules EXPORT-TO-WAN-Routers enable yes
redist-rules Red-Static address-family-identifier
ipv4
redist-rules Red-Static enable yes
redist-rules Red-Static set-origin igp
redist-rules Red-Connected address-family-identifier
ipv4
redist-rules Red-Connected enable yes
redist-rules Red-Connected set-origin igp
# Redistribution Static & Connected

set network virtual-router VxLAN-LAB protocol
redist-profile Red-Static filter type static
redist-profile Red-Static filter destination
30.200.200.0/24
redist-profile Red-Static filter nexthop 30.0.126.2
redist-profile Red-Static filter interface vlan.126
redist-profile Red-Static priority 1
redist-profile Red-Static action redist
redist-profile Red-Connected filter type connect
redist-profile Red-Connected filter interface
vlan.500
redist-profile Red-Connected priority 1
redist-profile Red-Connected action redist
!
set network virtual-router VxLAN-LAB interface [
ethernet1/3 ethernet1/4 vlan.10 vlan.126 vlan.500 ]
!
# Static Routes
set network virtual-router VxLAN-LAB routing-table
ip static-route VNI-15000 nexthop ip-address
30.0.126.2
ip static-route VNI-15000 interface vlan.126
!
ip static-route VNI-15000 metric 10
ip static-route VNI-15000 destination
30.200.200.0/24
ip static-route VNI-15000 route-table unicast
Always remember to commit after you have configured something on Palo

Alto firewalls.
commit
hostname WAN-R-3
!
rd 65000:1
!
address-family ipv4
exit-address-family
!
rd 65000:2
!
address-family ipv4
exit-address-family
!
ip address 172.0.2.1 255.255.255.252
negotiation auto
!
ip address 172.0.3.1 255.255.255.252
negotiation auto
!
ip address 121.13.55.2 255.255.255.252
negotiation auto
!
ip address 121.23.66.2 255.255.255.252
negotiation auto
!
router bgp 65000
!
neighbor 172.0.2.2 next-hop-self
exit-address-family
!
exit-address-family
hostname WAN-R-4
!
rd 65000:1
!
address-family ipv4
exit-address-family
!
rd 65000:2
!
address-family ipv4
exit-address-family
!
ip address 172.0.2.1 255.255.255.252
negotiation auto
!
ip address 172.0.3.1 255.255.255.252
negotiation auto
!
ip address 121.24.55.2 255.255.255.252
negotiation auto
!
ip address 121.14.66.2 255.255.255.252
negotiation auto
!
router bgp 65000
!
exit-address-family
!
exit-address-family
hostname ToR-SW-3
!
vlan 1000
name VMotion-LAN
!
!
shutdown
!
!
hostname ToR-SW-4
!
vlan 1000
name VMotion-LAN
!
!
shutdown
!
!
hostname Server-3
!
mtu 1370
ip address 192.168.22.30 255.255.255.0
no shutdown
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.22.254
!
line vty 0 4
login local
hostname Server-4
!
mtu 1370
ip address 192.168.22.40 255.255.255.0
no shutdown
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.22.254
!
line vty 0 4
login local
F5-LTM-3 & 4 Configuration
As I explained earlier during F5-LTM-1&2 Configuration, follow the initial

F5 setup wizard.
Figure 32 - F5 General Configuration
Figure 33 - HA VLAN Configurations
Figure 34 - F5 External VLAN Configuration
Figure 35 - F5 Internal VLAN Configuration
Figure 36 -F5 Self IP List
Figure 37 - F5 Node List
Figure 38 - F5 Pool List Server Pool Members
Figure 39 - F5 Virtual Servers List
Figure 40 - F5 Virtual Address List
Figure 41 - F5 Virtual Server Telnet
Once, the F5 has been successfully setup, you can try to access the servers
using virtual server IP address. Since, we are running quite a lot of Nexus
switches and devices with the EVE-NG, the response may be slow
sometimes.
Figure 42 - Accessing Servers using F5 Virtual IP address To Test Load Balancing from
Developer-PC-2
2.3. ISP-1 & ISP-2 Configuration
hostname ISP-1
!
description CONNECT-TO-WAN-R-1-Gi-3
ip address 121.1.33.1 255.255.255.252
negotiation auto
!
ip address 121.2.44.1 255.255.255.252
negotiation auto
!
ip address 121.13.55.1 255.255.255.252
negotiation auto
!
ip address 121.14.66.1 255.255.255.252
negotiation auto
!
router bgp 1000
bgp router-id 101.101.101.101
!
address-family ipv4
exit-address-family
hostname ISP-2
!
ip address 121.2.33.1 255.255.255.252
negotiation auto
!
ip address 121.1.44.1 255.255.255.252
negotiation auto
!
ip address 121.24.55.1 255.255.255.252
negotiation auto
!
ip address 121.23.66.1 255.255.255.252
negotiation auto
!
router bgp 2000
bgp router-id 202.202.202.202
!
address-family ipv4
exit-address-family
3. Overlay Configurations
As I explained during the overview, this is where actual BGP EVPN
configuration begin.
3.1. Data Center 1

NX9K-Spine-1 Overlay Configuration
feature nv overlay
feature vn-segment-vlan-based
nv overlay evpn
!
route-map NEXTHOP-PERMIT permit 10
set ip next-hop unchanged
!
router bgp 65501
address-family l2vpn evpn
nexthop route-map NEXTHOP-PERMIT
retain route-target all
!
neighbor 11.11.11.11
remote-as 64611
description BGP-Overlay-To-NX9k-Leaf-1
update-source loopback0
ebgp-multihop 2
disable-peer-as-check
send-community
send-community extended
route-map NEXTHOP-PERMIT out
rewrite-evpn-rt-asn
!
remote-as 64622
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
remote-as 64633
description BGP-Overlay-To-NX9k-Border-Leaf-1
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
remote-as 64644
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
feature nv overlay
nv overlay evpn
!
route-map NEXTHOP-PERMIT permit 10
set ip next-hop unchanged
!
router bgp 65502
nexthop route-map NEXTHOP-PERMIT
retain route-target all
!
remote-as 64611
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
remote-as 64622
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
remote-as 64633
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
remote-as 64644
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
NX9K-Leaf-1 Overlay Configuration
nv overlay evpn
feature nv overlay
!
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
interface Vlan500
ip forward
!
interface Vlan1000
ip forward
!
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 5000
ingress-replication protocol bgp
member vni 10000
!
router bgp 64611
neighbor 1.1.1.1
remote-as 65501
description BGP-Overlay-To-Spine-1
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
neighbor 2.2.2.2
remote-as 65502
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
# This is DC Inter-Connect-Configuration. There are
so many ways to achieve this.
!
router bgp 64611
remote-as 65000
description DC-VxLAN-Inter-Connect
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
evpn
vni 5000 l2
rd auto
route-target import auto
route-target export auto
vni 10000 l2
rd auto
NX9K-Leaf-2 Overlay Configuration
nv overlay evpn
feature nv overlay
!
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
interface Vlan500
ip forward
!
interface Vlan1000
ip forward
!
interface nve1
no shutdown
member vni 5000
member vni 10000
!
router bgp 64622
neighbor 1.1.1.1
remote-as 65501
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
neighbor 2.2.2.2
remote-as 65502
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
!
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
evpn
vni 5000 l2
rd auto
vni 10000 l2
rd auto
NX9K-Border-Leaf-1 Overlay Configuration
nv overlay evpn
feature nv overlay
!
vlan 126
vn-segment 12600
!
vlan 150
vn-segment 15000
!
vlan 500
vn-segment 5000
!
ip prefix-list DC-1-Developer-Network seq 5 permit
30.100.100.0/24
ip prefix-list L3-VNI-LINK-TO-PA-FW seq 5 permit
30.126.126.0/29
!
route-map DC-1-Developer-Network permit 10
match ip address prefix-list DC-1-Developer-
Network
!
route-map L3-VNI-LINK-TO-PA-FW permit 10
match ip address prefix-list L3-VNI-LINK-TO-PA-FW
!
route-map STATIC permit 10
match route-type local
!
vrf context DC-1-Developer-Network
vni 15000
ip route 0.0.0.0/0 30.126.126.1
rd 64633:15000
route-target import 64633:12600
route-target import 64633:12600 evpn
route-target export 64633:12600
route-target export 64633:12600 evpn
vrf context L3-VNI-LINK-TO-PA-FW
vni 12600
ip route 0.0.0.0/0 30.126.126.1
rd 64633:12600
!
interface Vlan126
ip address 30.126.126.2/29
fabric forwarding mode anycast-gateway
!
interface Vlan150
ip address 30.100.100.1/24
!
interface Vlan500
ip forward
!
interface nve1
no shutdown
member vni 5000
member vni 12600 associate-vrf
!
router bgp 64633
neighbor 1.1.1.1
remote-as 65501
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
neighbor 2.2.2.2
remote-as 65502
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
vrf DC-1-Developer-Network
advertise l2vpn evpn
redistribute direct route-map DC-1-Developer-
Network
redistribute static route-map STATIC
vrf L3-VNI-LINK-TO-PA-FW
redistribute direct route-map L3-VNI-LINK-TO-
PA-FW
!
!
router bgp 64633
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
evpn
vni 5000 l2
rd auto
vni 12600 l2
rd auto
vni 15000 l2
rd auto
nv overlay evpn
feature nv overlay
!
vlan 126
vn-segment 12600
!
vlan 150
vn-segment 15000
!
vlan 500
vn-segment 5000
!
30.100.100.0/24
30.126.126.0/29
!
Network
!
!
!
vni 15000
ip route 0.0.0.0/0 30.126.126.1
rd 64644:15000
vni 12600
ip route 0.0.0.0/0 30.126.126.1
rd 64644:12600
!
interface Vlan126
ip address 30.126.126.2/29
!
interface Vlan150
ip address 30.100.100.1/24
!
interface Vlan500
ip forward
!
interface nve1
no shutdown
member vni 5000
!
router bgp 64633
neighbor 1.1.1.1
remote-as 65501
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
neighbor 2.2.2.2
remote-as 65502
ebgp-multihop 2
send-community
rewrite-evpn-rt-asn
!
Network
PA-FW
!
!
router bgp 64633
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
remote-as 65000
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
evpn
vni 5000 l2
rd auto
vni 12600 l2
rd auto
vni 15000 l2
rd auto
3.2. Data Center 2

nv overlay evpn
feature bgp
feature nv overlay
!
!
router bgp 65000
router-id 3.3.3.3
!
template peer iBGP-EVPN
remote-as 65000
send-community
route-reflector-client
!
inherit peer iBGP-EVPN
!
!
!
nv overlay evpn
feature bgp
feature nv overlay
!
!
router bgp 65000
router-id 4.4.4.4
!
remote-as 65000
send-community
route-reflector-client
!
!
!
!
feature nv overlay
feature bgp
nv overlay evpn
!
!
!
vlan 126
vn-segment 12600
!
vlan 150
vn-segment 15000
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
30.200.200.0/24
30.0.126.0/29
ip prefix-list LOOPBACKS seq 5 permit 11.11.11.11/32
ip prefix-list LOOPBACKS seq 10 permit
22.22.22.22/32
33.33.33.33/32
44.44.44.44/32
ip prefix-list REDISTRIBUTION-OSPF-TO-BGP seq 5
permit 77.77.77.77/32
permit 88.88.88.88/32
permit 1.0.0.34/32
!
Network
route-map REDISTRIBUTE-LOOPBACKS-TO-BGP permit 10
match ip address prefix-list REDISTRIBUTION-OSPF-
TO-BGP
route-map REDISTRIBUTE-LOOPBACKS-TO-OSPF permit 10
match ip address prefix-list LOOPBACKS
match route-type internal
!
vni 15000
ip route 0.0.0.0/0 30.0.126.1
rd 65000:15000
vni 12600
ip route 0.0.0.0/0 30.0.126.1
rd 65000:126000
!
interface Vlan126
ip address 30.0.126.2/29
!
interface Vlan150
ip address 30.200.200.1/24
!
interface Vlan500
ip forward
!
interface nve1
no shutdown
member vni 5000
!
router ospf 1
redistribute bgp 65000 route-map REDISTRIBUTE-
LOOPBACKS-TO-OSPF
!
router bgp 65000
router-id 55.55.55.55
network 1.0.0.56/32
network 55.55.55.55/32
redistribute ospf 1 route-map REDISTRIBUTE-
LOOPBACKS-TO-BGP
!
remote-as 65000
send-community
!
neighbor 3.3.3.3
!
neighbor 4.4.4.4
!
neighbor 10.0.31.1
remote-as 65000
next-hop-self
!
Network
!
PA-FW
!
evpn
vni 5000 l2
rd auto
vni 12600 l2
rd auto
vni 15000 l2
rd auto
!
# DC-Inter-Connect
!
router bgp 65000
remote-as 64633
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
remote-as 64644
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
feature nv overlay
feature bgp
nv overlay evpn
!
!
!
vlan 126
vn-segment 12600
!
vlan 150
vn-segment 15000
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
30.200.200.0/24
30.0.126.0/29
22.22.22.22/32
33.33.33.33/32
44.44.44.44/32
permit 77.77.77.77/32
permit 88.88.88.88/32
permit 1.0.0.34/32
!
Network
route-map REDISTRIBUTE-LOOPBACKS-TO-BGP permit 10
match ip address prefix-list REDISTRIBUTION-OSPF-
TO-BGP
route-map REDISTRIBUTE-LOOPBACKS-TO-OSPF permit 10
match ip address prefix-list LOOPBACKS
match route-type internal
!
vni 15000
ip route 0.0.0.0/0 30.0.126.1
rd 65000:15000
!
vni 12600
ip route 0.0.0.0/0 30.0.126.1
rd 65000:126000
!
interface Vlan126
ip address 30.0.126.2/29
!
interface Vlan150
ip address 30.200.200.1/24
!
interface Vlan500
ip forward
!
interface nve1
no shutdown
member vni 5000
!
router ospf 1
redistribute bgp 65000 route-map REDISTRIBUTE-
LOOPBACKS-TO-OSPF
!
router bgp 65000
router-id 66.66.66.66
network 1.0.0.56/32
network 66.66.66.66/32
redistribute ospf 1 route-map REDISTRIBUTE-
LOOPBACKS-TO-BGP
!
remote-as 65000
send-community
!
neighbor 3.3.3.3
!
neighbor 4.4.4.4
!
neighbor 10.0.31.1
remote-as 65000
next-hop-self
!
Network
!
PA-FW
!
evpn
vni 5000 l2
rd auto
vni 12600 l2
rd auto
vni 15000 l2
rd auto
!
# DC-Inter-Connect
!
router bgp 65000
remote-as 64633
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
!
remote-as 64644
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
NX9k-Leaf-3 Overlay Configuration
feature bgp
feature nv overlay
nv overlay evpn
!
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
interface Vlan500
ip forward
!
interface Vlan1000
ip forward
!
interface nve1
no shutdown
member vni 5000
member vni 10000
!
!
router bgp 65000
router-id 77.77.77.77
!
remote-as 65000
next-hop-self
send-community
!
neighbor 3.3.3.3
!
neighbor 4.4.4.4
!
evpn
vni 5000 l2
rd auto
vni 10000 l2
rd auto
!
#DC-Inter-Connect
!
router bgp 65000
remote-as 64611
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
remote-as 64622
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
NX9k-Leaf-4 Overlay Configuration
feature bgp
feature nv overlay
nv overlay evpn
!
!
vlan 500
vn-segment 5000
!
vlan 1000
vn-segment 10000
!
interface Vlan500
ip forward
!
interface Vlan1000
ip forward
!
interface nve1
no shutdown
member vni 5000
member vni 10000
!
!
router bgp 65000
router-id 88.88.88.88
!
remote-as 65000
next-hop-self
send-community
!
neighbor 3.3.3.3
!
neighbor 4.4.4.4
!
evpn
vni 5000 l2
rd auto
vni 10000 l2
rd auto
!
#DC-Inter-Connect
!
router bgp 65000
remote-as 64611
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
remote-as 64622
ebgp-multihop 20
send-community
rewrite-evpn-rt-asn
4. Verifications
Verifications and packet capture is important to make sure the traffic is
actually encapsulated and VXLAN is actually being used as a transport.
Figure 43 shows how many EVPN paths was received from NX9K-Leaf-1.
Figure 43 - NX9K-Leaf-1 "show bgp l2vpn evpn summary"
Figure 44 shows the association between MAC addresses and L2 VNI

mappings. You can have a better understanding of how NX9K-Leaf-1
learns VNIs from other VTEP peers. To make VNI unique, it is associated
with MAC address and next hop is provided so that the NX9K-Leaf-1
knows where to forward the VXLAN packets.
Figure 44 - NX9K-Leaf-1 "show bgp l2vpn evpn vni-id 5000"
Figure 45 - NX9K-Leaf-1 "show bgp l2vpn evpn vni-id 10000"
Figure 46 - NX9K-Leaf-1 "NX9K-Leaf-1# show nve vni"
Figure 47 - NX9K-Leaf-1 "NX9K-Leaf-1# show nve peers"
Figure 48 - BGP Verification at PA-FW-1
This is the ultimate goal of this lab being able to extend L2 connectivity
across multiple DC.
Figure 49 - Testing VXLAN Across DC with VNI-100 from Server 1 using Broadcast
Ping
I want to add at least 2 more sites (total 4 sites) to become more realistic.
However, my server is reaching its capacity.
Figure 50 - EVE-NG Bare Metal Servers Reaching Its Capacity
Report this article
Comments
Rob Riker and 118 others · 7 comments
119
Like Comment Share
Add a comment…
Most relevant
Rob Riker • 1st 5d

Solutions Architect - Strategic Market, CCIE #50693, VMware VCIX-NV, CCNP SP
Very impressive lab!
Like · 1 Reply
Francisco M. Ruiz • 3rd+ 1d

Telecom & Enterprise Consultant | Technical Leader | IP and Optical Network
Engineer @ Logicalis NoLa
Noooooiiice!!!
Like Reply
Load more comments
Vishel Han Zaw Tun

Network Engineer| Network Security Engineer | CCNP Enterprise
Follow
More from Vishel Han Zaw Tun
MPLS LDP Lab using OSPF Cisco ISE Distributed

Underlay Deployment with
AnyConnect VPN and Postu…
Vishel Han Zaw Tun on Linke…
Vishel Han Zaw Tun on Linke…

Multi-Site VXLAN Lab With BGP EVPN

Uploaded by

Copyright:

Available Formats

Multi-Site VXLAN Lab With BGP EVPN

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Multi-Site VXLAN Lab With BGP EVPN

Uploaded by

Copyright:

Available Formats

6/28/24, 7:55 AM (1) Multi-Site VXLAN Lab with BGP EVPN | LinkedIn

Home My Network Jobs Messaging Notifications Me For Business Get Premium f

Multi-Site VXLAN Lab with BGP

Figure 1 - Multi-Site VXLAN Lab with BGP EVPN Topology

Figure 2 - Actual EVE-NG Topology

Figure 3 - vMotion VNI-10000 Packet Capture from Server 3 to Server 1

Spine Switches - Cisco Nexus 9500 KVM images

Leaf Switches - Cisco Nexus 9300 KVM images

F5 Load Balancers - F5 Big IP Virtual Edition KVM images

Servers - Cisco IOSv Router images

2.1. Data Center 1

NX9K-Spine-2 Underlay Configuration

NX9K-Leaf-1 Underlay Configuration

NX9K-Leaf-2 Underlay Configuration

NX9K-Border-Leaf-1 Underlay Configuration

NX9K-Border-Leaf-2 Underlay Configuration

Figure 3 - Setting Interface to HA Interface Type

Figure 4 - Setting HA Pair Settings

Figure 5 - HA Control Links Configuration

Once the HA setup is completed, verify the HA status quickly from

PA-FW L2 VLAN Configuration

PA-FW L3 VLAN Interface Configuration

Figure 8 - L3 VLAN Interface Configuration.

The next step would be configuring ethernet interfaces and sub-interfaces.

Figure 9 - Ethernet Interfaces and Sub Interfaces Configuration

Figure 12 - VxLAN Virtual Routers

Figure 13 - Static Routes toward Developer PC Network

Then, we will create redistribute profiles to redistribute static and conned

Figure 14 - Redistribute Profiles to Redistribute Routes into BGP

Figure 15 - BGP General Settings

Figure 16 - Configuring BGP Neighbors

Figure 17 - BGP Peer Group/Peer Configuration

Figure 18 - BGP Peer Configuration

We will be configuring Redist Rules from Redistribution Profiles that we

Figure 19 - BGP Redistribution Profile

We will set the ORIGIN type as IGP.

Figure 20 - BGP Redistribution Rule

The configuration here is self-explanatory. I would not get into much

The configuration here is self-explanatory. I would not get into much

The configuration here is self-explanatory. I would not get into much

F5-LTM-1 & 2 Configuration

Figure 21 - F5 General Configuration

Figure 22 - HA VLAN Configurations

Figure 23 - F5 External VLAN Configuration

Figure 24 - F5 Internal VLAN Configuration

Figure 25 - F5 Self IP List

Figure 26 - F5 Node List

Figure 27 - F5 Pool List Server Pool Members

Figure 28 - F5 Virtual Servers List

Figure 29 - F5 Virtual Address List

Figure 30 - F5 Virtual Server Telnet

2.2. Data Center 2

NX9K-Spine-3 Underlay Configuration

NX9K-Spine-4 Underlay Configuration

NX9K-Border-Leaf-3 Underlay Configuration

NX9K-Border-Leaf-4 Underlay Configuration

NX9k-Leaf-3 Underlay Configuration

PA-FW-3 and PA-FW-4 Configuration

# At Primary Active Firewall