Modernising Data Centre Fabrics with BGP EVPN VXLAN - Part 1
Building a Scalable, Multi-Tenant Proof of Concept Aligned with Arista Validated Designs
Objective
This proof of concept validates a modern data centre fabric built around BGP EVPN VXLAN with Symmetric IRB. The goal was to prove that this architecture delivers predictable scalability, clean multi-tenancy, and a strong foundation for automation.
The lab was developed using Arista vEOS-lab version 4.33.1F, a major feature release that includes several EVPN/VXLAN and control-plane enhancements. Part of the reason for revisiting this build was to validate those improvements and assess how they impact large-scale EVPN fabrics.
The design remains aligned with Arista Validated Designs (AVD) and Cisco’s equivalent EVPN VXLAN model focused on scalable multi-tenancy and automation readiness.
Design Overview
The fabric design uses a structured three-plane model to separate responsibility and simplify automation.
The underlay uses OSPF area 0 to provide fast, deterministic IP reachability between VTEPs. Overlay connectivity is handled via VXLAN, and the control plane runs BGP EVPN with route reflectors. Each tenant is represented by a dedicated VRF and L3VNI for scalable inter-VLAN routing.
Fabric Design Summary
Underlay: OSPF area 0. Provides fast convergence and ECMP-based IP reachability.
Overlay: VXLAN. Extends Layer 2 segments logically over the IP underlay.
Control Plane: BGP EVPN (iBGP with Route Reflectors). Distributes MAC and IP reachability information across the fabric.
Routing Model: Symmetric IRB. Isolates tenants using VRFs and L3VNIs, enabling scalable inter-VLAN routing.
MTU: 9150 underlay / 1500 overlay. Ensures headroom for VXLAN encapsulation.
Anycast Gateway: 192.168.X.1 (MAC 00:1c:73:00:00:99). Supports seamless host mobility and efficient ARP suppression.
Spines act purely as route reflectors and IP transit; leaves perform all routing and encapsulation as VTEPs.
The next stage will move toward an eBGP fabric using BFD for sub-second convergence and simplified fault isolation.

Control Plane - BGP EVPN
Each leaf peers with both spines using loopback interfaces. BGP advertises Type-2 (MAC/IP), Type-3 (multicast), and Type-5 (prefix) routes to distribute reachability and routing information across the fabric.
SW-2#sh run | sec bgp
router bgp 65000
   router-id 2.2.2.2
   neighbor EVPN-SPINES peer group
   neighbor EVPN-SPINES remote-as 65000
   neighbor EVPN-SPINES update-source Loopback0
   neighbor EVPN-SPINES send-community extended
   neighbor 10.0.0.14 peer group EVPN-SPINES
   neighbor 10.0.0.15 peer group EVPN-SPINES
   !
   vlan 10
      rd 65000:100010
      route-target both 65000:100010
      redistribute learned
   !
   vlan 20
      rd 65000:100020
      route-target both 65000:100020
      redistribute learned
   !
   address-family evpn
      neighbor EVPN-SPINES activate
   !
   vrf TENANT_A
      route-target import evpn 65000:100000
      route-target export evpn 65000:100000
      redistribute connected
   !
   vrf TENANT_B
      route-target import evpn 65000:200000
      route-target export evpn 65000:200000
      redistribute connected
SW-2#
Underlay Design
The underlay uses OSPF area 0 for loopback and point-to-point reachability. ECMP provides multiple parallel paths, making the fabric resilient and predictable.
SW-2#sh run | sec ospf
interface Ethernet2
   ip ospf network point-to-point
   ip ospf area 0.0.0.0
interface Ethernet3
   ip ospf network point-to-point
   ip ospf area 0.0.0.0
interface Loopback0
   ip ospf area 0.0.0.0
router ospf 10
   max-lsa 12000
SW-2#
VXLAN Overview
VXLAN forms the overlay transport between VTEPs. Each leaf acts as a VTEP, encapsulating traffic from locally attached hosts and decapsulating traffic from remote leaves.
The outer IP header carries the VTEP loopbacks, and the inner Ethernet frame remains untouched, preserving original VLAN tags.
SW-1#sh run int vxlan1
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 10 vni 100010
   vxlan vrf TENANT_A vni 100000
SW-1#
SW-2#sh run int vxlan1
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 10 vni 100010
   vxlan vlan 20 vni 100020
   vxlan vrf TENANT_A vni 100000
   vxlan vrf TENANT_B vni 200000
SW-2#
SW-3#sh run int vxlan1
interface Vxlan1
   vxlan source-interface Loopback0
   vxlan udp-port 4789
   vxlan vlan 20 vni 100020
   vxlan vrf TENANT_B vni 20000
SW-3#
SW-1#sh vxlan vni
VNI to VLAN Mapping for Vxlan1
VNI          VLAN       Source       Interface       802.1Q Tag
------------ ---------- ------------ --------------- ----------
100010       10         static       Ethernet3       untagged
                                     Ethernet4       untagged
                                     Vxlan1          10
VNI to dynamic VLAN Mapping for Vxlan1
VNI          VLAN       VRF             Source
------------ ---------- --------------- ------------
100000       4097       TENANT_A        evpn
!
SW-2#sh vxlan vni
VNI to VLAN Mapping for Vxlan1
VNI          VLAN       Source       Interface       802.1Q Tag
------------ ---------- ------------ --------------- ----------
100010       10         static       Ethernet1       untagged
                                     Vxlan1          10
100020       20         static       Ethernet4       untagged
                                     Vxlan1          20
VNI to dynamic VLAN Mapping for Vxlan1
VNI          VLAN       VRF             Source
------------ ---------- --------------- ------------
20000        4094                       evpn
100000       4097       TENANT_A        evpn
200000       4098       TENANT_B        evpn
SW-2#
!
SW-3#show vxlan vni
VNI to VLAN Mapping for Vxlan1
VNI          VLAN       Source       Interface       802.1Q Tag
------------ ---------- ------------ --------------- ----------
100020       20         static       Ethernet1       untagged
                                     Vxlan1          20
VNI to dynamic VLAN Mapping for Vxlan1
VNI          VLAN       VRF             Source
------------ ---------- --------------- ------------
20000        4097       TENANT_B        evpn
SW-3#
0050.0000.0600 = Server6
0050.0000.0700 = Server7
0050.0000.0800 = Server8
Why Symmetric IRB
Asymmetric IRB forces each leaf to know every subnet in every tenant. That scales poorly as VLAN count grows.
Symmetric IRB solves this by introducing a dedicated VRF and L3VNI per tenant. Each leaf advertises only its locally attached prefixes using Type-5 routes, dramatically reducing control-plane load and making routing predictable.
It also aligns perfectly with multi-tenant use cases and automation workflows.
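Symmetric IRB normally expects every leaf to map a tenant VRF to the same L3VNI, and a VNI reused by two tenants undermines isolation; the Vxlan1 stanzas pasted earlier map TENANT_B to VNI 200000 on SW-2 and to 20000 on SW-3. The following added example (not part of the original lab or of AVD) audits those mappings across leaves; the CONFIGS sample is constructed from the page's stanzas and the function name audit_vni_maps is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the Vxlan1 stanzas shown on this page.
CONFIGS = {
    "SW-1": """interface Vxlan1
   vxlan vlan 10 vni 100010
   vxlan vrf TENANT_A vni 100000""",
    "SW-2": """interface Vxlan1
   vxlan vlan 10 vni 100010
   vxlan vlan 20 vni 100020
   vxlan vrf TENANT_A vni 100000
   vxlan vrf TENANT_B vni 200000""",
    "SW-3": """interface Vxlan1
   vxlan vlan 20 vni 100020
   vxlan vrf TENANT_B vni 20000""",
}

# Matches "vxlan vlan <id> vni <n>" (L2VNI) and "vxlan vrf <name> vni <n>" (L3VNI).
LINE = re.compile(r"^\s*vxlan (vlan|vrf) (\S+) vni (\d+)\s*$", re.M)

def audit_vni_maps(configs):
    """Return sorted findings where VLAN/VRF-to-VNI mappings disagree between leaves."""
    by_owner = defaultdict(lambda: defaultdict(set))  # (kind, name) -> vni -> switches
    by_vni = defaultdict(lambda: defaultdict(set))    # vni -> (kind, name) -> switches
    for switch, text in configs.items():
        for kind, name, vni in LINE.findall(text):
            by_owner[(kind, name)][int(vni)].add(switch)
            by_vni[int(vni)][(kind, name)].add(switch)
    findings = []
    # Same VLAN or VRF bound to different VNIs on different leaves.
    for (kind, name), vnis in by_owner.items():
        if len(vnis) > 1:
            detail = ", ".join(f"{v} on {'/'.join(sorted(s))}" for v, s in sorted(vnis.items()))
            findings.append(f"{kind} {name} maps to different VNIs: {detail}")
    # Same VNI bound to different VLANs or VRFs: segments or tenants would merge.
    for vni, owners in by_vni.items():
        if len(owners) > 1:
            detail = ", ".join(f"{k} {n} on {'/'.join(sorted(s))}" for (k, n), s in sorted(owners.items()))
            findings.append(f"VNI {vni} is shared by different segments: {detail}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_vni_maps(CONFIGS):
        print(finding)
```

The same function can be fed the output of `show running-config interfaces Vxlan1` collected from each leaf, keyed by hostname.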
Next Steps
The next iteration will focus on:
Migrating from iBGP with route reflectors to eBGP with BFD for sub-second convergence.
Extending to a dual-site EVPN fabric with firewalls providing north-south traffic control.
Orchestrating configuration and verification through Ansible and CloudVision Studios.
Integrating streaming telemetry for continuous fabric health and visibility.
This proof of concept demonstrates how a modern EVPN VXLAN fabric can be modular, scalable, and automation-ready.
It aligns with production best practices and provides a reproducible baseline for the next phase: dual-site orchestration and operational automation.




