EVPN: Modern Control Plane for L2 and L3 Services

VPLS floods unknown unicast. Every PE learns every MAC. Multi-homing is complicated. It works, but it’s showing its age.

EVPN (Ethernet VPN) fixes these problems. MAC addresses are distributed via BGP, not learned via data plane flooding. Multi-homing is first-class. Both L2 and L3 services use the same control plane. It works with MPLS or VXLAN underneath.

EVPN is the future of overlay networking.

EVPN vs VPLS

| Feature | VPLS | EVPN |
|---|---|---|
| MAC learning | Data plane (flooding) | Control plane (BGP) |
| Unknown unicast | Flood to all PEs | Only to destination PE |
| Multi-homing | Complex (MC-LAG) | Native (active-active) |
| IP routing | Separate (L3VPN) | Integrated |
| Scalability | Limited | Better |

EVPN Concepts

How EVPN Works

1. Host A connects to PE1
2. PE1 learns MAC-A locally
3. PE1 advertises MAC-A via BGP EVPN
4. All PEs install MAC-A → PE1
5. Traffic to MAC-A goes directly to PE1 (no flooding!)

EVPN Route Types

| Type | Name | Purpose |
|---|---|---|
| 1 | Ethernet Auto-Discovery | Multi-homing, aliasing |
| 2 | MAC/IP Advertisement | MAC and IP bindings |
| 3 | Inclusive Multicast | BUM traffic handling |
| 4 | Ethernet Segment | Multi-homing ESI |
| 5 | IP Prefix | L3 routing (EVPN Type-5) |

Type 2: MAC/IP Route

The most common route type:

Route Distinguisher: 10.255.0.1:100
MAC Address: aa:bb:cc:dd:ee:ff
IP Address: 192.168.1.10 (optional)
Label: 1001
Next-hop: 10.255.0.1
"MAC aa:bb:cc:dd:ee:ff (with IP 192.168.1.10) is behind PE 10.255.0.1"
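
The Type 2 route above as it is laid out on the wire (RFC 7432, section 7.2), parsed in Python. This is an added example, not code from the original page; the sample bytes are constructed from the values shown above, and reading the label field as a 24-bit VNI is an assumption based on the VXLAN encapsulation used later on this page (RFC 8365).

```python
import ipaddress
import struct

# Constructed sample NLRI matching the Type 2 example above (not a capture).
SAMPLE = bytes.fromhex(
    "02" "25"               # route type 2, length 37
    "00010aff00010064"      # RD type 1 -> 10.255.0.1:100
    "00000000000000000000"  # ESI all-zero (single-homed)
    "00000000"              # Ethernet Tag ID 0
    "30" "aabbccddeeff"     # MAC length 48 bits, MAC
    "20" "c0a8010a"         # IP length 32 bits, 192.168.1.10
    "0003e9"                # 3-byte label field = 1001
)

def parse_rd(rd: bytes) -> str:
    """Render an 8-byte Route Distinguisher (RFC 4364 types 0, 1, 2)."""
    rd_type = int.from_bytes(rd[:2], "big")
    if rd_type == 0:                      # 2-byte ASN : 4-byte number
        return "%d:%d" % struct.unpack("!HI", rd[2:])
    if rd_type == 1:                      # IPv4 address : 2-byte number
        return f"{ipaddress.IPv4Address(rd[2:6])}:{int.from_bytes(rd[6:], 'big')}"
    if rd_type == 2:                      # 4-byte ASN : 2-byte number
        return "%d:%d" % struct.unpack("!IH", rd[2:])
    raise ValueError(f"unknown RD type {rd_type}")

def parse_type2(nlri: bytes, vxlan: bool = True) -> dict:
    """Parse one EVPN NLRI holding a Type 2 (MAC/IP Advertisement) route."""
    if len(nlri) < 2 or nlri[0] != 2:
        raise ValueError("not an EVPN Type 2 NLRI")
    body = nlri[2:2 + nlri[1]]
    if len(body) != nlri[1] or len(body) < 33:
        raise ValueError("truncated MAC/IP route")
    ip_bits = body[29]
    if body[22] != 48 or ip_bits not in (0, 32, 128):
        raise ValueError("invalid MAC or IP length field")
    ip_end = 30 + ip_bits // 8
    labels = body[ip_end:]
    if len(labels) not in (3, 6):
        raise ValueError("expected one or two 3-byte labels")
    # VXLAN (RFC 8365) uses all 24 bits as the VNI; MPLS uses the top 20.
    shift = 0 if vxlan else 4
    return {
        "rd": parse_rd(body[0:8]),
        "esi": body[8:18].hex(":"),
        "eth_tag": int.from_bytes(body[18:22], "big"),
        "mac": body[23:29].hex(":"),
        "ip": str(ipaddress.ip_address(body[30:ip_end])) if ip_bits else None,
        "labels": [int.from_bytes(labels[i:i + 3], "big") >> shift
                   for i in range(0, len(labels), 3)],
    }
```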

Type 5: IP Prefix Route

For L3 routing in EVPN:

Route Distinguisher: 10.255.0.1:100
IP Prefix: 10.0.0.0/24
Gateway IP: 0.0.0.0 (optional)
Label: 2001
"Route to 10.0.0.0/24 is behind PE 10.255.0.1"

EVPN with VXLAN

Most common deployment: EVPN control plane + VXLAN data plane

[Host A] ─ [Leaf1/VTEP] ═══ VXLAN ═══ [Leaf2/VTEP] ─ [Host B]
                 │       IP underlay        │
        EVPN learns MAC/IP         EVPN learns MAC/IP

VyOS VXLAN with EVPN

configure
# VXLAN interface
set interfaces vxlan vxlan100 vni 100
set interfaces vxlan vxlan100 source-address 10.255.0.1
set interfaces vxlan vxlan100 parameters nolearning
# nolearning: Don't use data plane learning (EVPN handles it)
# Bridge
set interfaces bridge br100 member interface vxlan100
set interfaces bridge br100 member interface eth1
commit

BGP EVPN Configuration

configure
# BGP with EVPN address family
set protocols bgp system-as 65000
set protocols bgp router-id 10.255.0.1
# EVPN neighbor
set protocols bgp neighbor 10.255.0.2 remote-as 65000
set protocols bgp neighbor 10.255.0.2 address-family l2vpn-evpn
# Advertise all VNIs
set protocols bgp address-family l2vpn-evpn advertise-all-vni
commit
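
A consistency check for the two configuration steps above, added here as an example and not part of the original page or of VyOS. It reads `set` commands as text and reports VXLAN interfaces that still use data-plane learning or are otherwise not wired into EVPN, so that forwarding state comes only from BGP. The function name and the sample config (with `vxlan200` deliberately incomplete) are constructed for illustration.

```python
import re

# Constructed input: the page's commands plus a second VTEP interface
# (vxlan200) that is missing `nolearning` and bridge membership.
SAMPLE_CONFIG = """\
set interfaces vxlan vxlan100 vni 100
set interfaces vxlan vxlan100 source-address 10.255.0.1
set interfaces vxlan vxlan100 parameters nolearning
set interfaces vxlan vxlan200 vni 200
set interfaces vxlan vxlan200 source-address 10.255.0.1
set interfaces bridge br100 member interface vxlan100
set interfaces bridge br100 member interface eth1
set protocols bgp system-as 65000
set protocols bgp neighbor 10.255.0.2 remote-as 65000
set protocols bgp neighbor 10.255.0.2 address-family l2vpn-evpn
set protocols bgp address-family l2vpn-evpn advertise-all-vni
"""

def audit_evpn_vxlan(config: str) -> list[str]:
    """Return findings for `set` commands that leave an EVPN VTEP inconsistent."""
    lines = [l.split("#")[0].strip() for l in config.splitlines()]
    cmds = {l for l in lines if l.startswith("set ")}
    vxlans = sorted({m.group(1) for c in cmds
                     if (m := re.match(r"set interfaces vxlan (\S+) ", c))})
    bridged = {m.group(1) for c in cmds
               if (m := re.match(r"set interfaces bridge \S+ member interface (\S+)$", c))}
    findings = []
    for ifc in vxlans:
        base = f"set interfaces vxlan {ifc} "
        if not any(c.startswith(base + "vni ") for c in cmds):
            findings.append(f"{ifc}: no VNI configured")
        if not any(c.startswith(base + "source-address ") for c in cmds):
            findings.append(f"{ifc}: no source-address")
        if base + "parameters nolearning" not in cmds:
            findings.append(f"{ifc}: data-plane learning still enabled (nolearning missing)")
        if ifc not in bridged:
            findings.append(f"{ifc}: not a member of any bridge")
    evpn_peer = r"set protocols bgp neighbor \S+ address-family l2vpn-evpn$"
    if not any(re.match(evpn_peer, c) for c in cmds):
        findings.append("bgp: no neighbor has address-family l2vpn-evpn")
    if "set protocols bgp address-family l2vpn-evpn advertise-all-vni" not in cmds:
        findings.append("bgp: advertise-all-vni not set")
    return findings
```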

EVPN Multi-Homing

Ethernet Segment (ES)

Multiple PEs connected to same host/switch:

                [PE1] ─┐
[Server/Switch] ═══════┼═══ EVPN
                [PE2] ─┘
ES (Ethernet Segment) = The dual-homed connection
ESI (ES Identifier) = Unique ID for the ES

Active-Active Multi-Homing

configure
# Define Ethernet Segment (both PEs)
set interfaces bonding bond0 member interface eth1
# The ESI is a 10-octet value
set interfaces bonding bond0 evpn ethernet-segment identifier 00:11:22:33:44:55:66:77:88:99
# Both PEs actively forward
# EVPN handles aliasing and split horizon
commit

Benefits

  • Active-active forwarding (both links used)
  • Fast failover (no waiting for MAC learning)
  • Loop prevention (DF election)

EVPN Integrated Routing and Bridging (IRB)

Same EVPN instance provides L2 and L3:

configure
# Bridge for L2
set interfaces bridge br100 member interface vxlan100
# IRB interface for L3
set interfaces bridge br100 address 192.168.100.1/24
# Host in VXLAN 100 can:
# - L2 switch to other hosts in same VXLAN
# - L3 route to other networks via 192.168.100.1
commit

Symmetric vs Asymmetric IRB

Asymmetric:
- Routing at ingress only
- Frame sent as L2 to egress PE
- Simpler but requires all VNIs everywhere
Symmetric:
- Routing at ingress and egress
- Uses L3 VNI for inter-subnet
- Better for large scale

EVPN Route Targets

Similar to L3VPN:

configure
# EVPN RT configuration
set vrf name TENANT-A protocols bgp address-family l2vpn-evpn rd 10.255.0.1:100
set vrf name TENANT-A protocols bgp address-family l2vpn-evpn route-target export 65000:100
set vrf name TENANT-A protocols bgp address-family l2vpn-evpn route-target import 65000:100
commit

Viewing EVPN State

Show EVPN Routes

# Show all EVPN routes
show bgp l2vpn evpn
# Show specific route types
show bgp l2vpn evpn route type macip
show bgp l2vpn evpn route type multicast
show bgp l2vpn evpn route type prefix
# Show VNI information
show evpn vni

Show MAC Table

# EVPN-learned MACs
show evpn mac vni 100
# Output:
# VNI MAC Type Interface
# 100 aa:bb:cc:dd:ee:ff local eth1
# 100 11:22:33:44:55:66 remote 10.255.0.2

EVPN Design Patterns

Leaf-Spine with EVPN

[Spine1]      [Spine2]
   │ ╲          ╱ │
   │   ╲      ╱   │
   │     ╲  ╱     │
   │     ╱  ╲     │
   │   ╱      ╲   │
[Leaf1]        [Leaf2]
   │              │
[Host A]      [Host B]
eBGP underlay: Spines as route reflectors
EVPN overlay: Leaf-to-leaf via spines

EVPN-VXLAN Fabric

# Leaf configuration
set protocols bgp neighbor <spine1> remote-as <spine-as>
set protocols bgp neighbor <spine1> address-family l2vpn-evpn
# Spines reflect EVPN routes
# VTEPs on leafs
# Underlay provides IP connectivity
# EVPN provides MAC/IP learning
# VXLAN provides encapsulation

Troubleshooting EVPN

No EVPN Routes

# Check BGP session
show bgp l2vpn evpn summary
# Verify EVPN address family negotiated
show bgp neighbor <ip> | grep -i evpn
# Check local VNI
show evpn vni

MAC Not Advertised

# Check local MAC learning
show bridge fdb
# Check EVPN advertisement
show bgp l2vpn evpn route type macip
# Verify VNI-to-VXLAN mapping

Traffic Not Flowing

# Verify VXLAN tunnel
ping <remote-vtep>
# Check encapsulation
sudo tcpdump -i eth0 udp port 4789
# Verify MAC in remote VNI
show evpn mac vni 100 mac <mac-address>

VyOS EVPN Status

VyOS EVPN support is evolving:

# Check current version capabilities
show version
# VyOS 1.4+ has improved EVPN support via FRRouting
# Test features in lab before production

Migration from VPLS to EVPN

Phase 1: Deploy EVPN parallel to VPLS
Phase 2: Migrate traffic gradually
Phase 3: Decommission VPLS
Key difference:
- VPLS: Flood and learn
- EVPN: Advertise and install
Can run both during migration

The Lesson

EVPN is the future of overlay networking.

EVPN advantages:

  • Control plane MAC learning (no flooding)
  • Native multi-homing support
  • Integrated L2 and L3
  • Works with MPLS or VXLAN
  • Scales better than VPLS

When to use EVPN:

  • Data center fabrics
  • Multi-tenant environments
  • Stretched L2 domains
  • Any new overlay deployment

VyOS EVPN support depends on version. For production, verify specific features work. For learning and smaller deployments, VyOS provides a good platform to understand EVPN concepts.

The concepts here apply regardless of platform. EVPN is the direction the industry is moving — understanding it is essential for modern network engineering.