The following sections provide sample output of show commands to verify the BGP EVPN VXLAN over IPsec configuration on the devices in the preceeding topology.
Outputs to Verify the Configuration on VTEP1
VTEP1# show nve peers
'M' - MAC entry download flag 'A' - Adjacency download flag
'4' - IPv4 flag '6' - IPv6 flag
Interface VNI Type Peer-IP RMAC/Num_RTs eVNI state flags UP time
nve1 50000 L3CP 172.16.254.2 34ed.1b7e.44d0 50000 UP A/M/4 00:18:51
nve1 11500 L2CP 172.16.254.2 3 11500 UP N/A 00:18:51
nve1 11501 L2CP 172.16.254.2 3 11501 UP N/A 00:18:51
VTEP1# show l2vpn evpn evi detail
EVPN instance: 1500 (VLAN Based)
RD: 172.16.254.1:1500 (auto)
Import-RTs: 1:1500
Export-RTs: 1:1500
Per-EVI Label: none
State: Established
Replication Type: Ingress
Encapsulation: vxlan
IP Local Learn: Enabled (global)
Adv. Def. Gateway: Disabled (global)
Re-originate RT5: Disabled
Adv. Multicast: Disabled (global)
Vlan: 1500
Protected: False
Ethernet-Tag: 0
State: Established
Flood Suppress: Attached
Core If: Vlan500
Access If: Vlan1500
NVE If: nve1
RMAC: 34ed.1b7e.4350
Core Vlan: 500
L2 VNI: 11500
L3 VNI: 50000
VTEP IP: 172.16.254.1
VRF: red
IPv4 IRB: Enabled
IPv6 IRB: Disabled
Pseudoports:
TwentyFiveGigE1/0/16 service instance 1500
Routes: 1 MAC, 1 MAC/IP
Peers:
172.16.254.2
Routes: 1 MAC, 1 MAC/IP, 1 IMET, 0 EAD
EVPN instance: 1501 (VLAN Based)
RD: 172.16.254.1:1501 (auto)
Import-RTs: 1:1501
Export-RTs: 1:1501
Per-EVI Label: none
State: Established
Replication Type: Ingress
Encapsulation: vxlan
IP Local Learn: Enabled (global)
Adv. Def. Gateway: Disabled (global)
Re-originate RT5: Disabled
Adv. Multicast: Disabled (global)
Vlan: 1501
Protected: False
Ethernet-Tag: 0
State: Established
Flood Suppress: Attached
Core If: Vlan500
Access If: Vlan1501
NVE If: nve1
RMAC: 34ed.1b7e.4350
Core Vlan: 500
L2 VNI: 11501
L3 VNI: 50000
VTEP IP: 172.16.254.1
VRF: red
IPv4 IRB: Enabled
IPv6 IRB: Disabled
Pseudoports:
TwentyFiveGigE1/0/16 service instance 1501
Routes: 1 MAC, 1 MAC/IP
Peers:
172.16.254.2
Routes: 1 MAC, 1 MAC/IP, 1 IMET, 0 EAD
VTEP1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 3 masks
C 10.3.1.0/24 is directly connected, TwentyFiveGigE1/0/3
L 10.3.1.1/32 is directly connected, TwentyFiveGigE1/0/3
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Loopback10
L 172.16.10.1/32 is directly connected, Loopback10
O 172.16.10.2/32 [110/2] via 10.3.1.2, 00:35:52, TwentyFiveGigE1/0/3
C 172.16.12.0/24 is directly connected, Tunnel10
L 172.16.12.1/32 is directly connected, Tunnel10
C 172.16.254.1/32 is directly connected, Loopback1
O 172.16.254.2/32 [110/1001] via 172.16.12.2, 00:29:07, Tunnel10
C 172.16.255.1/32 is directly connected, Loopback0
O 172.16.255.2/32 [110/1001] via 172.16.12.2, 00:29:07, Tunnel10
VTEP1# show ip route vrf red
Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1500
L 192.168.1.1/32 is directly connected, Vlan1500
S 192.168.1.100/32 is directly connected, Vlan1500
B 192.168.1.200/32 [200/0] via 172.16.254.2, 00:33:05, Vlan500
192.168.2.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan1501
L 192.168.2.1/32 is directly connected, Vlan1501
S 192.168.2.100/32 is directly connected, Vlan1501
B 192.168.2.200/32 [200/0] via 172.16.254.2, 00:01:39, Vlan500
VTEP1# show bgp l2vpn evpn all
BGP table version is 249, local router ID is 172.16.255.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 172.16.254.1:1500
*>i [2][172.16.254.1:1500][0][48][001201000001][0][*]/20
172.16.254.2 0 100 0 ?
*>i [2][172.16.254.1:1500][0][48][001201000001][32][192.168.1.200]/24
172.16.254.2 0 100 0 ?
*> [2][172.16.254.1:1500][0][48][001501000001][0][*]/20
0.0.0.0 32768 ?
*> [2][172.16.254.1:1500][0][48][001501000001][32][192.168.1.100]/24
0.0.0.0 32768 ?
Route Distinguisher: 172.16.254.1:1501
*>i [2][172.16.254.1:1501][0][48][001201000002][0][*]/20
172.16.254.2 0 100 0 ?
*>i [2][172.16.254.1:1501][0][48][001201000002][32][192.168.2.200]/24
Network Next Hop Metric LocPrf Weight Path
172.16.254.2 0 100 0 ?
*> [2][172.16.254.1:1501][0][48][001501000002][0][*]/20
0.0.0.0 32768 ?
*> [2][172.16.254.1:1501][0][48][001501000002][32][192.168.2.100]/24
0.0.0.0 32768 ?
Route Distinguisher: 172.16.254.2:1500
*>i [2][172.16.254.2:1500][0][48][001201000001][0][*]/20
172.16.254.2 0 100 0 ?
*>i [2][172.16.254.2:1500][0][48][001201000001][32][192.168.1.200]/24
172.16.254.2 0 100 0 ?
Route Distinguisher: 172.16.254.2:1501
*>i [2][172.16.254.2:1501][0][48][001201000002][0][*]/20
172.16.254.2 0 100 0 ?
*>i [2][172.16.254.2:1501][0][48][001201000002][32][192.168.2.200]/24
172.16.254.2 0 100 0 ?
Route Distinguisher: 172.16.254.1:1500
*> [3][172.16.254.1:1500][0][32][172.16.254.1]/17
0.0.0.0 32768 ?
*>i [3][172.16.254.1:1500][0][32][172.16.254.2]/17
172.16.254.2 0 100 0 ?
Route Distinguisher: 172.16.254.1:1501
*> [3][172.16.254.1:1501][0][32][172.16.254.1]/17
Network Next Hop Metric LocPrf Weight Path
0.0.0.0 32768 ?
*>i [3][172.16.254.1:1501][0][32][172.16.254.2]/17
172.16.254.2 0 100 0 ?
Route Distinguisher: 172.16.254.2:1500
*>i [3][172.16.254.2:1500][0][32][172.16.254.2]/17
172.16.254.2 0 100 0 ?
Route Distinguisher: 172.16.254.2:1501
*>i [3][172.16.254.2:1501][0][32][172.16.254.2]/17
172.16.254.2 0 100 0 ?
Route Distinguisher: 1:100 (default for vrf red)
* i [5][1:100][0][24][192.168.1.0]/17
172.16.254.2 0 100 0 ?
*> 0.0.0.0 0 32768 ?
* i [5][1:100][0][24][192.168.2.0]/17
172.16.254.2 0 100 0 ?
*> 0.0.0.0 0 32768 ?
VTEP1# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN
Interface: Tunnel10
Profile: ikev2_prof10
Uptime: 00:16:58
Session status: UP-ACTIVE
Peer: 172.16.10.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.10.2
Desc: (none)
Session ID: 3
IKEv2 SA: local 172.16.10.1/500 remote 172.16.10.2/500 Active
Capabilities:DU connid:1 lifetime:23:43:02
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1016508 drop 0 life (KB/Sec) 1058011/2581
Outbound: #pkts enc'ed 239 drop 0 life (KB/Sec) 36/2581
VTEP1# show int tunnel10 stats
Tunnel10
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 2 64
Route cache 0 0 0 0
Distributed cache 1056533 1092057464 484 56333
Total 1056533 1092057464 486 56397
Outputs to Verify the Configuration on VTEP2
VTEP2# show nve peers
'M' - MAC entry download flag 'A' - Adjacency download flag
'4' - IPv4 flag '6' - IPv6 flag
Interface VNI Type Peer-IP RMAC/Num_RTs eVNI state flags UP time
nve1 50000 L3CP 172.16.254.1 34ed.1b7e.4350 50000 UP A/M/4 00:20:04
nve1 11500 L2CP 172.16.254.1 3 11500 UP N/A 00:20:04
nve1 11501 L2CP 172.16.254.1 3 11501 UP N/A 00:20:04
VTEP2# show l2vpn evpn evi detail
EVPN instance: 1500 (VLAN Based)
RD: 172.16.254.2:1500 (auto)
Import-RTs: 1:1500
Export-RTs: 1:1500
Per-EVI Label: none
State: Established
Replication Type: Ingress
Encapsulation: vxlan
IP Local Learn: Enabled (global)
Adv. Def. Gateway: Disabled (global)
Re-originate RT5: Disabled
Adv. Multicast: Disabled (global)
Vlan: 1500
Protected: False
Ethernet-Tag: 0
State: Established
Flood Suppress: Attached
Core If: Vlan500
Access If: Vlan1500
NVE If: nve1
RMAC: 34ed.1b7e.44d0
Core Vlan: 500
L2 VNI: 11500
L3 VNI: 50000
VTEP IP: 172.16.254.2
VRF: red
IPv4 IRB: Enabled
IPv6 IRB: Disabled
Pseudoports:
TwentyFiveGigE1/0/1 service instance 1500
Routes: 1 MAC, 1 MAC/IP
Peers:
172.16.254.1
Routes: 1 MAC, 1 MAC/IP, 1 IMET, 0 EAD
EVPN instance: 1501 (VLAN Based)
RD: 172.16.254.2:1501 (auto)
Import-RTs: 1:1501
Export-RTs: 1:1501
Per-EVI Label: none
State: Established
Replication Type: Ingress
Encapsulation: vxlan
IP Local Learn: Enabled (global)
Adv. Def. Gateway: Disabled (global)
Re-originate RT5: Disabled
Adv. Multicast: Disabled (global)
Vlan: 1501
Protected: False
Ethernet-Tag: 0
State: Established
Flood Suppress: Attached
Core If: Vlan500
Access If: Vlan1501
NVE If: nve1
RMAC: 34ed.1b7e.44d0
Core Vlan: 500
L2 VNI: 11501
L3 VNI: 50000
VTEP IP: 172.16.254.2
VRF: red
IPv4 IRB: Enabled
IPv6 IRB: Disabled
Pseudoports:
TwentyFiveGigE1/0/1 service instance 1501
Routes: 1 MAC, 1 MAC/IP
Peers:
172.16.254.1
Routes: 1 MAC, 1 MAC/IP, 1 IMET, 0 EAD
VTEP2# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 3 masks
C 10.3.1.0/24 is directly connected, TwentyFiveGigE1/0/3
L 10.3.1.2/32 is directly connected, TwentyFiveGigE1/0/3
172.16.0.0/16 is variably subnetted, 9 subnets, 2 masks
B 172.16.10.0/24 [200/0] via 172.16.255.1, 00:30:42
O 172.16.10.1/32 [110/2] via 10.3.1.1, 00:33:32, TwentyFiveGigE1/0/3
C 172.16.10.2/32 is directly connected, Loopback10
C 172.16.12.0/24 is directly connected, Tunnel10
L 172.16.12.2/32 is directly connected, Tunnel10
O 172.16.254.1/32 [110/1001] via 172.16.12.1, 00:26:48, Tunnel10
C 172.16.254.2/32 is directly connected, Loopback1
O 172.16.255.1/32 [110/1001] via 172.16.12.1, 00:26:48, Tunnel10
C 172.16.255.2/32 is directly connected, Loopback0
VTEP2# show ip route vrf red
Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is not set
192.168.1.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1500
L 192.168.1.1/32 is directly connected, Vlan1500
B 192.168.1.100/32 [200/0] via 172.16.254.1, 00:00:41, Vlan500
S 192.168.1.200/32 is directly connected, Vlan1500
192.168.2.0/24 is variably subnetted, 4 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan1501
L 192.168.2.1/32 is directly connected, Vlan1501
B 192.168.2.100/32 [200/0] via 172.16.254.1, 00:00:35, Vlan500
S 192.168.2.200/32 is directly connected, Vlan1501
VTEP2# show bgp l2vpn evpn all
BGP table version is 309, local router ID is 172.16.255.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 172.16.254.1:1500
*>i [2][172.16.254.1:1500][0][48][001501000001][0][*]/20
172.16.254.1 0 100 0 ?
*>i [2][172.16.254.1:1500][0][48][001501000001][32][192.168.1.100]/24
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.1:1501
*>i [2][172.16.254.1:1501][0][48][001501000002][0][*]/20
172.16.254.1 0 100 0 ?
*>i [2][172.16.254.1:1501][0][48][001501000002][32][192.168.2.100]/24
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.2:1500
*> [2][172.16.254.2:1500][0][48][001201000001][0][*]/20
0.0.0.0 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> [2][172.16.254.2:1500][0][48][001201000001][32][192.168.1.200]/24
0.0.0.0 32768 ?
*>i [2][172.16.254.2:1500][0][48][001501000001][0][*]/20
172.16.254.1 0 100 0 ?
*>i [2][172.16.254.2:1500][0][48][001501000001][32][192.168.1.100]/24
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.2:1501
*> [2][172.16.254.2:1501][0][48][001201000002][0][*]/20
0.0.0.0 32768 ?
*> [2][172.16.254.2:1501][0][48][001201000002][32][192.168.2.200]/24
0.0.0.0 32768 ?
*>i [2][172.16.254.2:1501][0][48][001501000002][0][*]/20
172.16.254.1 0 100 0 ?
*>i [2][172.16.254.2:1501][0][48][001501000002][32][192.168.2.100]/24
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.1:1500
*>i [3][172.16.254.1:1500][0][32][172.16.254.1]/17
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.1:1501
*>i [3][172.16.254.1:1501][0][32][172.16.254.1]/17
172.16.254.1 0 100 0 ?
Route Distinguisher: 172.16.254.2:1500
Network Next Hop Metric LocPrf Weight Path
*>i [3][172.16.254.2:1500][0][32][172.16.254.1]/17
172.16.254.1 0 100 0 ?
*> [3][172.16.254.2:1500][0][32][172.16.254.2]/17
0.0.0.0 32768 ?
Route Distinguisher: 172.16.254.2:1501
*>i [3][172.16.254.2:1501][0][32][172.16.254.1]/17
172.16.254.1 0 100 0 ?
*> [3][172.16.254.2:1501][0][32][172.16.254.2]/17
0.0.0.0 32768 ?
Route Distinguisher: 1:100 (default for vrf red)
* i [5][1:100][0][24][192.168.1.0]/17
172.16.254.1 0 100 0 ?
*> 0.0.0.0 0 32768 ?
* i [5][1:100][0][24][192.168.2.0]/17
172.16.254.1 0 100 0 ?
*> 0.0.0.0 0 32768 ?
VTEP2# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect, U - IKE Dynamic Route Update
S - SIP VPN
Interface: Tunnel10
Profile: ikev2_prof10
Uptime: 00:17:28
Session status: UP-ACTIVE
Peer: 172.16.10.1 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.16.10.1
Desc: (none)
Session ID: 4
IKEv2 SA: local 172.16.10.2/500 remote 172.16.10.1/500 Active
Capabilities:DU connid:1 lifetime:23:42:32
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 245 drop 0 life (KB/Sec) 30/2552
Outbound: #pkts enc'ed 1043067 drop 0 life (KB/Sec) 1118249/2552
VTEP2# show int tunnel10 stats
Tunnel10
Switching path Pkts In Chars In Pkts Out Chars Out
Processor 0 0 0 0
Route cache 0 0 0 0
Distributed cache 228 21855 1027163 1082443955
Total 228 21855 1027163 1082443955