EVPN config Vs VRF config for L2VPN & L3VPN


Excellent question — this is a subtle but very important design point in EVPN VXLAN architecture on platforms like Cisco NX-OS (and also Juniper, Arista, etc.).
Let’s unpack it clearly 👇


1️⃣ Two Different Types of VNIs

VXLAN has two classes of VNIs in EVPN designs:

  • L2 VNI: represents a broadcast domain (VLAN); carried by EVPN Type-2 (MAC/IP) routes; control-plane role: part of an EVI (Ethernet VPN Instance).

  • L3 VNI: represents a tenant’s IP VRF / routing domain; carried by EVPN Type-5 (IP Prefix) routes; control-plane role: part of a VRF (IP VPN Instance).

2️⃣ EVPN = Ethernet VPN

The “E” in EVPN literally stands for Ethernet — it’s fundamentally an L2 service that’s extended over BGP.
That’s why:

  • EVPN configuration (under BGP → address-family l2vpn evpn) manages L2 VNIs.

  • Each EVI represents an L2 broadcast domain (MAC learning, ARP suppression, etc.).

So, L2 VNI configs live under the EVPN context.


3️⃣ L3 VNI = Routed VRF

A Layer-3 VNI is not an Ethernet domain. It’s an IP routing domain (VRF) that uses VXLAN to interconnect distributed gateways.

Therefore:

  • The L3 VNI belongs under the VRF configuration, not under EVPN.

  • BGP VPNv4/VPNv6 or EVPN Type-5 is used to advertise prefixes, but the association happens through the VRF, not the EVPN EVI.


🔹 Cisco NX-OS Example

! --- Layer 2 EVPN configuration ---
evpn
  vni 1010 l2
    rd 1.1.1.1:1010
    route-target import 65001:1010
    route-target export 65001:1010
  vni 1020 l2
    rd 1.1.1.1:1020
    route-target import 65001:1020
    route-target export 65001:1020

! --- Layer 3 VNI under VRF ---
! NX-OS accepts VRF route-targets only inside an address-family; the trailing
! "evpn" keyword applies them to EVPN Type-5 routes (without it they apply to VPNv4/VPNv6).
vrf context TENANT-A
  vni 50000
  rd 1.1.1.1:50000
  address-family ipv4 unicast
    route-target import 65001:50000 evpn
    route-target export 65001:50000 evpn

✅ Notice:

  • vni 1010 and 1020 (L2 VNIs) live under evpn.

  • vni 50000 (L3 VNI) lives under vrf context TENANT-A.
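Because the L2/L3 split is enforced only by where each VNI sits in the configuration, it is worth checking mechanically. The script below is an added example, not part of the original post and not Cisco's tooling: it parses an NX-OS-style config with the same shape as the example above and flags two things, an L3 VNI that also appears as an L2 VNI under evpn (wrong placement), and a VRF that imports a route-target another tenant VRF exports (which merges the two routing tables and defeats the tenant separation the VRF provides). The second tenant TENANT-B, VNI 50001, the route-target values and the function names (parse_blocks, collect_rts, build_model, audit) are constructed for the example; the two defects in the sample config are deliberate.

```python
"""Added example (not the original post's config): audit VNI placement and
route-target scope in an NX-OS-style EVPN/VXLAN configuration."""
import re

# Constructed sample with two deliberate defects: L3 VNI 50000 is also declared
# under 'evpn' as if it were an L2 VNI, and TENANT-B imports TENANT-A's RT.
SAMPLE_CONFIG = """\
! --- Layer 2 EVPN configuration ---
evpn
  vni 1010 l2
    route-target both 65001:1010
  vni 1020 l2
    route-target both 65001:1020
  vni 50000 l2
    route-target both 65001:50000
! --- Layer 3 VNIs under VRFs ---
vrf context TENANT-A
  vni 50000
  rd 1.1.1.1:50000
  address-family ipv4 unicast
    route-target both 65001:50000 evpn
vrf context TENANT-B
  vni 50001
  rd 1.1.1.1:50001
  address-family ipv4 unicast
    route-target both 65001:50001 evpn
    route-target import 65001:50000 evpn
"""

RT_RE = re.compile(r"route-target (import|export|both) (\S+)")


def parse_blocks(text):
    """Turn indented config text into a tree of (line, children) nodes."""
    root, stack = [], []  # stack holds (indent, children-list) of open blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment lines
        indent, node = len(raw) - len(raw.lstrip()), (raw.strip(), [])
        while stack and stack[-1][0] >= indent:
            stack.pop()
        (stack[-1][1] if stack else root).append(node)
        stack.append((indent, node[1]))
    return root


def collect_rts(children, acc):
    """Recursively gather route-targets below a block into acc['import'/'export']."""
    for line, kids in children:
        match = RT_RE.match(line)
        if match:
            direction, rt = match.groups()
            for d in ("import", "export") if direction == "both" else (direction,):
                acc[d].add(rt)
        collect_rts(kids, acc)


def build_model(text):
    """Return {'evpn_l2': {vni: rts}, 'vrf': {name: {'l3_vni', 'import', 'export'}}}."""
    model = {"evpn_l2": {}, "vrf": {}}
    for line, kids in parse_blocks(text):
        if line == "evpn":
            for sub, subkids in kids:
                if re.match(r"vni \d+ l2$", sub):
                    rts = {"import": set(), "export": set()}
                    collect_rts(subkids, rts)
                    model["evpn_l2"][int(sub.split()[1])] = rts
        elif line.startswith("vrf context "):
            entry = {"l3_vni": None, "import": set(), "export": set()}
            for sub, _ in kids:
                if re.match(r"vni \d+$", sub):
                    entry["l3_vni"] = int(sub.split()[1])
            collect_rts(kids, entry)
            model["vrf"][line.split()[2]] = entry
    return model


def audit(text):
    """Return a list of human-readable findings for the given config text."""
    model, findings = build_model(text), []
    l3_owner = {v["l3_vni"]: n for n, v in model["vrf"].items() if v["l3_vni"]}
    # Rule 1: an L3 VNI belongs under its VRF only; an 'evpn' entry for it is misplaced.
    for vni in model["evpn_l2"]:
        if vni in l3_owner:
            findings.append(f"VNI {vni} is the L3 VNI of VRF {l3_owner[vni]} "
                            "but is also declared as an L2 VNI under evpn")
    # Rule 2: importing another VRF's export RT merges the two tenants' routing tables.
    for a, va in model["vrf"].items():
        for b, vb in model["vrf"].items():
            if a == b:
                continue
            for rt in sorted(va["import"] & vb["export"]):
                findings.append(f"VRF {a} imports RT {rt} exported by VRF {b}: "
                                "cross-tenant route leak")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real `show running-config` export instead of SAMPLE_CONFIG to audit a fabric; the route-target overlap check will also flag deliberate shared-services leaking between VRFs, so treat its findings as items to review rather than as definite errors.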


4️⃣ Why They’re Separated

  • Different forwarding planes: L2 VNIs perform MAC learning (bridge domain); L3 VNIs perform IP routing (VRF).

  • Different route types: EVPN Type-2 (MAC/IP) vs Type-5 (IP Prefix).

  • Different associations: L2 VNI → VLAN / bridge domain; L3 VNI → VRF.

  • Operational flexibility: multiple L2 VNIs can be mapped into one L3 VNI (many VLANs, one VRF).

Summary

  • L2 VNI = under EVPN, part of EVI (Ethernet VPN instance).

  • L3 VNI = under VRF, part of IP VPN instance.

  • They are both advertised via BGP EVPN, but managed in different parts of the config because they belong to different layers (L2 vs L3).
