If there's an EVPN configuration already associated with a VLAN, you can't directly configure the PVLAN associations for this
VLAN. First disassociate the EVPN configuration from the VLAN. Next, configure the PVLAN association. Then reconfigure EVPN
in each of the newly configured primary, community, and isolated VLANs.
Information About Private VLANs in a BGP EVPN VXLAN Fabric
A private VLAN (PVLAN) divides a regular VLAN into logical partitions, allowing limited broadcast boundaries among selected
port groups on a single Layer 2 Ethernet switch. The PVLAN capabilities of a single Ethernet switch can be extended over a
BGP EVPN VXLAN enabled network to build a partitioned bridge domain between port groups across multiple Ethernet switches in
BGP EVPN VXLAN VTEP mode. The integration of PVLAN with a BGP EVPN VXLAN network enables the following benefits:
Microsegmented Layer 2 network segregation across one or more BGP EVPN VXLAN switches.
Partitioned and secured user-group Layer 2 network that limits the communication with dynamic or static port configuration
assignments.
IP subnet pool conservation across BGP EVPN VXLAN network while extending segregated Layer 2 network across the fabric.
Conservation of Layer 2 overlay tunnels and peer networks with a single virtual network identifier (VNI) mapped to Primary
VLAN.
Primary and Secondary VLANs
Each subdomain in a PVLAN is represented by a pair of VLANs: a primary VLAN and a secondary VLAN. A PVLAN can have multiple
VLAN pairs, one pair for each subdomain. All VLAN pairs in a PVLAN share the same primary VLAN. The secondary VLAN ID differentiates
one subdomain from another. A secondary VLAN can either be an isolated VLAN or a community VLAN. Primary and secondary VLANs
have the following characteristics:
Primary VLAN: A PVLAN has only one primary VLAN. Every port in a PVLAN is a member of the primary VLAN. The primary VLAN carries
unidirectional traffic downstream from the promiscuous ports to the host (isolated and community) ports and to other promiscuous
ports.
Isolated VLAN: A PVLAN has only one isolated VLAN. An isolated VLAN is a secondary VLAN that carries unidirectional traffic
upstream from the hosts towards the promiscuous ports and the gateway.
Community VLAN: A community VLAN is a secondary VLAN that carries upstream traffic from the community ports to the promiscuous
port gateways and to other host ports in the same community. You can configure multiple community VLANs in a PVLAN.
Private VLAN Ports
PVLAN ports are access ports that are one of these types:
Promiscuous: A promiscuous port belongs to the primary VLAN. It can communicate with all interfaces, including the community
and isolated host ports that belong to the secondary VLANs associated with the primary VLAN.
Isolated: An isolated port is a host port that belongs to an isolated secondary VLAN. It has complete Layer 2 separation from
other ports within the same PVLAN, except for the promiscuous ports. PVLANs block all traffic to isolated ports except traffic
from promiscuous ports. Likewise, PVLANs forward the traffic from an isolated port only to promiscuous ports.
Community: A community port is a host port that belongs to a community secondary VLAN. Community ports communicate with other
ports in the same community VLAN and with promiscuous ports. Community ports are isolated at Layer 2 from all other interfaces
in external communities and also from isolated ports within their private VLAN.
For more information about PVLANs and the steps to configure PVLANs, see "Configuring Private VLANs" module in the VLAN Configuration Guide for the applicable release.
Extension of Private VLANs in a BGP EVPN VXLAN Fabric
Private VLANs (PVLANs) partition a regular VLAN domain into subdomains and provide Layer 2 isolation between ports within
the same PVLAN. Like a regular VLAN, a private VLAN can span multiple Layer 2 switches. In a private VLAN that spans
multiple devices, traffic from an isolated port on Switch A does not reach an isolated port on Switch B. In a traditional
Layer 2 network, this is achieved by trunk ports that carry the primary VLAN and secondary VLANs to neighboring switches
with dot1q tags. With BGP EVPN VXLAN enabled in the PVLANs on the VTEPs, the L2VNI segment preserves the PVLAN semantics and
provides the Layer 2 isolation for the stretched PVLAN segment across the VTEPs in the overlay fabric. PVLAN extension with
BGP EVPN VXLAN allows you to:
Seamlessly migrate and join (or stretch) the PVLAN domain like any regular VLAN.
Access centralized common services such as printer or DHCP through the promiscuous port on any VTEP in the EVPN overlay.
Maintain community and isolated VLAN semantics in the overlay fabric across all the VTEPs. The EVPN fabric provides a logical
single switch view for the respective Layer 2 domain.
The following image shows PVLAN extension in a BGP EVPN VXLAN fabric with two VTEPs:
Traffic Forwarding for Private VLANs in a BGP EVPN VXLAN Fabric
You can forward known unicast and broadcast, unknown unicast, and multicast (BUM) traffic between PVLANs in a BGP EVPN VXLAN
fabric. On the Source VTEP, the forwarding process on the access PVLAN ports (promiscuous, isolated, community) adheres to
the baseline PVLAN forwarding. With BGP EVPN VXLAN enabled in the PVLAN domain, the remote host routes are learned and programmed
in the hardware of the respective PVLANs. The following sections illustrate the forwarding scenarios for unicast and BUM traffic
between local and remote hosts for each of the secondary VLANs.
Known Unicast Traffic Forwarding
The sending VTEP bridges a known unicast packet with the corresponding secondary VLAN’s virtual network identifier (VNI) ID.
The packet arrives on the receiving VTEP. After decapsulation, the receiving VTEP processes the packet in the same way as a packet
from a local PVLAN host port. The packet gets mapped to the respective community, isolated, or primary VLAN.
The following images illustrate the known unicast traffic forwarding scenarios for PVLANs in a BGP EVPN VXLAN fabric:
Broadcast, Unknown Unicast, and Multicast Traffic Forwarding
In a regular VLAN, broadcasts are forwarded to all ports in that VLAN. Private VLAN broadcast forwarding depends on the port
sending the broadcast:
An isolated port sends a broadcast only to the promiscuous ports or trunk ports.
A community port sends a broadcast to all promiscuous ports, trunk ports, and ports in the same community VLAN.
A promiscuous port sends a broadcast to all ports in the private VLAN (other promiscuous ports, trunk ports, isolated ports,
and community ports).
In addition to the above, a copy of the flood packet is sent to the remote VTEPs with the respective L2VNI. (See BUM traffic handling in the L2VNI). On the remote VTEP, the flood copy is again replicated towards the access as per the PVLAN broadcast rules mentioned above.
A split-horizon check ensures that flood packets received from the fabric are not sent back to the fabric.
During forwarding, if a packet's MAC address isn't available in the lookup, the VTEP replicates the packet with the VNI ID
of the forwarding (or incoming) VLAN. The VTEP forwards the BUM packets with the VNI ID of the corresponding VLAN. The receiving
VTEP decapsulates the BUM packet and maps the VNI ID to the corresponding secondary VLAN. This mapping ensures that the flood
rules remain local. The VTEP then processes the packet in the same way as a packet from a local host port.
For isolated VLANs, after the destination MAC address lookup results in an unknown unicast from the source port, it's not
locally known whether the destination MAC address belongs to the remote isolated VLAN host or the remote primary VLAN host.
Hence, the BUM packet copy is allowed to go to the egress VTEPs with the isolated VLAN VNI ID. On egress VTEPs, this BUM copy
gets flooded on local isolated ports and local promiscuous ports. As a result, BUM traffic from remote isolated ports to local
isolated ports is unavoidable.
Note
Forwarding of unknown unicast traffic from an isolated port to a remote promiscuous port isn't supported.
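The flood rules above, including the isolated-VLAN caveat, expressed as a small model (an added example, not part of the Cisco documentation). Port names follow the sample topology later on this page, except the promiscuous port, which is constructed; the `Port` class and the function names are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    vtep: str
    name: str
    role: str            # "promiscuous", "community" or "isolated"
    secondary: int = 0   # secondary VLAN ID; unused for promiscuous ports

def pvlan_allows(src, dst):
    """Baseline PVLAN broadcast rule between two ports of the same PVLAN."""
    if "promiscuous" in (src.role, dst.role):
        return True
    return (src.role == dst.role == "community"
            and src.secondary == dst.secondary)

def flood_receivers(src, ports):
    """Ports that receive a broadcast flooded by src, per the rules in the text.

    The note about unknown unicast towards remote promiscuous ports is not
    modelled here.
    """
    receivers = []
    for dst in ports:
        if dst == src:
            continue
        if dst.vtep == src.vtep or src.role != "isolated":
            delivered = pvlan_allows(src, dst)
        else:
            # The copy crossed the fabric with the isolated VLAN's VNI: the
            # egress VTEP floods it on local isolated and promiscuous ports.
            delivered = dst.role in ("isolated", "promiscuous")
        if delivered:
            receivers.append(dst)
    return receivers

def isolation_exceptions(ports):
    """(src, dst) pairs where a flood is delivered although PVLAN rules forbid it."""
    return [(f"{s.vtep}:{s.name}", f"{d.vtep}:{d.name}")
            for s in ports for d in flood_receivers(s, ports)
            if not pvlan_allows(s, d)]

# Constructed inventory: one PVLAN (primary VLAN 101) stretched over two VTEPs.
PORTS = [
    Port("VTEP1", "Gi1/0/3", "community", 102),
    Port("VTEP1", "Gi1/0/4", "community", 103),
    Port("VTEP1", "Gi1/0/5", "isolated", 104),
    Port("VTEP1", "Gi1/0/20", "promiscuous"),   # constructed port
    Port("VTEP2", "Gi1/0/11", "community", 102),
    Port("VTEP2", "Gi1/0/12", "community", 103),
    Port("VTEP2", "Gi1/0/13", "isolated", 104),
]

if __name__ == "__main__":
    for src, dst in isolation_exceptions(PORTS):
        print(f"flooded frames from {src} reach {dst}")
```

The only pairs reported are isolated ports on different VTEPs, which is the exposure to account for when isolated hosts must not see each other's flooded frames.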
The following images illustrate the BUM traffic forwarding scenarios for PVLANs in a BGP EVPN VXLAN fabric:
Routed Traffic Forwarding
Routed traffic between the hosts in a microsegmented VLAN goes through the associated primary VLAN SVI on the local VTEP. (For
more information, see the "Configuring Private VLANs" module in the VLAN Configuration Guide for the applicable release.) When
the source and destination hosts are across the EVPN VXLAN fabric, the routed traffic between the microsegmented VLAN hosts
follows the Symmetric Integrated Routing and Bridging (IRB) method to cross the fabric. (For more information, see Configuring
EVPN VXLAN Integrated Routing and Bridging.) On the destination VTEP, traffic is routed from the core VLAN SVI to the associated
primary VLAN SVI interface and then bridged in the microsegmented local destination secondary VLAN.
How to Configure Private VLANs in a BGP EVPN VXLAN Fabric
When you configure PVLANs in a BGP EVPN VXLAN fabric, the existing PVLAN configuration is preserved and the Layer 2 VNI configuration
is added to the PVLAN. By adding the Layer 2 VNI configuration, you expand the PVLAN and stretch it over the fabric across
the VTEPs in the fabric.
In a BGP EVPN VXLAN fabric, the EVPN control plane distributes the MAC and MAC-IP routes. In addition, PVLANs handle BUM and
unicast traffic forwarding differently compared to regular VLANs. For these two reasons, you can create and delete PVLANs
strictly in the following ways:
To create a PVLAN, first configure the VLAN with primary and secondary associations. Next, enable EVPN separately in each
of the primary, community, and isolated VLANs.
Note
If there's an EVPN configuration already associated with a VLAN, you can't directly configure the PVLAN associations for this
VLAN. First, use the member vni command in VLAN configuration mode to disassociate the EVPN configuration from the VLAN. Next, configure the PVLAN association.
Now reconfigure EVPN in each of the newly configured primary, community, and isolated VLANs.
To delete a PVLAN, ensure that you unconfigure EVPN in the respective VLAN before you modify the PVLAN configuration.
Configuring the Primary and Secondary VLANs for a Private VLAN
To configure the primary and secondary VLANs for a private VLAN, perform the following steps:
Procedure
Step 1: enable
  Example: Device> enable
  Purpose: Enters privileged EXEC mode. Enter password, if prompted.
Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.
Step 3: vlan vlan-id
  Example: Device(config)# vlan 101
  Purpose: Enters VLAN configuration mode for the specified VLAN ID.
Associates a PVLAN host port or maps a PVLAN promiscuous port to a primary VLAN.
Note
If you configure a port as a PVLAN host port and you do not configure a valid PVLAN association with the switchport private-vlan host-association command, the interface becomes inactive.
Note
If you configure a port as a PVLAN promiscuous port and you do not configure a valid PVLAN mapping with the switchport private-vlan mapping command, the interface becomes inactive.
Step 6: end
  Example: Device(config-if)# end
  Purpose: Exits interface configuration mode and enters privileged EXEC mode.
Enabling EVPN in a Private VLAN
To enable EVPN in a PVLAN, perform the following steps:
Note
Enable EVPN separately in each of the primary, community, and isolated VLANs.
Procedure
Step 1: enable
  Example: Device> enable
  Purpose: Enters privileged EXEC mode. Enter password, if prompted.
Step 2: configure terminal
  Example: Device# configure terminal
  Purpose: Enters global configuration mode.
Step 3: vlan configuration vlan-id
  Example: Device(config)# vlan configuration 101
  Purpose: Enters VLAN configuration mode for the specified PVLAN interface.
Step 4: member evpn-instance evpn-instance-id vni layer2-vni-id
  Example: Device(config-vlan)# member evpn-instance 1 vni 6000
  Purpose: Adds EVPN instance as a member of the PVLAN configuration. The VNI here is used as a Layer 2 VNI.
Step 5: end
  Example: Device(config-vlan)# end
  Purpose: Exits VLAN configuration mode and enters privileged EXEC mode.
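A configuration audit for the rules in the two procedures above, as an added example that is not part of the Cisco documentation: it checks that every primary, community, and isolated VLAN has an EVPN instance and that each host association names a configured PVLAN pair. The function names and the sample configuration (constructed, with two deliberate defects) are assumptions of this example.

```python
import re

# Constructed sample modelled on the VTEP configuration style of this page.
# Deliberate defects: VLAN 103 has no EVPN instance, and Gi1/0/4 points at a
# secondary VLAN (105) that is not associated with primary VLAN 101.
SAMPLE_CONFIG = """\
vlan configuration 101
 member evpn-instance 101 vni 10101
vlan configuration 102
 member evpn-instance 102 vni 10102
vlan configuration 104
 member evpn-instance 104 vni 10104
!
vlan 101
 private-vlan primary
 private-vlan association 102-104
!
vlan 102
 private-vlan community
!
vlan 103
 private-vlan community
!
vlan 104
 private-vlan isolated
!
interface GigabitEthernet1/0/3
 switchport private-vlan host-association 101 102
!
interface GigabitEthernet1/0/4
 switchport private-vlan host-association 101 105
!
"""

def expand(spec):
    """Expand an IOS VLAN list such as '102-104' or '102,104' into a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse(config):
    """Return (vlans, evpn, hosts) extracted from the config text."""
    vlans, evpn, hosts, ctx = {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m[1]))
            vlans.setdefault(ctx[1], {"type": None, "assoc": set()})
        elif m := re.fullmatch(r"vlan configuration (\d+)", line):
            ctx = ("evpn", int(m[1]))
        elif m := re.fullmatch(r"interface (\S+)", line):
            ctx = ("if", m[1])
        elif line in ("", "!"):
            ctx = None
        elif ctx is None:
            continue
        elif m := re.fullmatch(r"private-vlan (primary|community|isolated)", line):
            if ctx[0] == "vlan":
                vlans[ctx[1]]["type"] = m[1]
        elif m := re.fullmatch(r"private-vlan association ([\d,-]+)", line):
            if ctx[0] == "vlan":
                vlans[ctx[1]]["assoc"] |= expand(m[1])
        elif m := re.fullmatch(r"member evpn-instance \d+ vni (\d+)", line):
            if ctx[0] == "evpn":
                evpn[ctx[1]] = int(m[1])
        elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
            if ctx[0] == "if":
                hosts[ctx[1]] = (int(m[1]), int(m[2]))
    return vlans, evpn, hosts

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    vlans, evpn, hosts = parse(config)
    findings = []
    for vid, vlan in sorted(vlans.items()):
        if vlan["type"] and vid not in evpn:
            findings.append(f"vlan {vid} ({vlan['type']}): EVPN not enabled, "
                            f"no 'member evpn-instance' under 'vlan configuration {vid}'")
        if vlan["type"] != "primary":
            continue
        kinds = {s: vlans.get(s, {}).get("type") for s in sorted(vlan["assoc"])}
        for s, kind in kinds.items():
            if kind not in ("community", "isolated"):
                findings.append(f"vlan {vid}: associated vlan {s} is not a "
                                "community or isolated VLAN")
        if list(kinds.values()).count("isolated") > 1:
            findings.append(f"vlan {vid}: more than one isolated VLAN associated")
    for ifname, (pri, sec) in sorted(hosts.items()):
        if vlans.get(pri, {}).get("type") != "primary" or sec not in vlans[pri]["assoc"]:
            findings.append(f"{ifname}: host-association {pri} {sec} is not a "
                            "configured primary/secondary pair")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```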
Configuration Examples for Private VLANs in a BGP EVPN VXLAN Fabric
This section provides a configuration example for PVLANs in a BGP EVPN VXLAN fabric using the following topology:
The topology shows an EVPN VXLAN network with two spine switches (Spine Switch 1 and Spine Switch 2) and three VTEPs (VTEP
1, VTEP 2, and VTEP 3). The network has an extended PVLAN with VLAN 101 as the primary VLAN. VLAN 102, VLAN 103, and VLAN
104 are the secondary VLANs. The following tables provide the sample configurations for the devices in this topology:
Table 1. Configuring VTEP 1, VTEP 2, and VTEP 3 for PVLAN Extension in a BGP EVPN VXLAN Fabric
VTEP 1
!
l2vpn evpn instance 203 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 204 vlan-based
 encapsulation vxlan
!
system mtu 9198
!
vlan configuration 101
 member evpn-instance 101 vni 10101
vlan configuration 102
 member evpn-instance 102 vni 10102
vlan configuration 103
 member evpn-instance 103 vni 10103
vlan configuration 104
 member evpn-instance 104 vni 10104
vlan configuration 201
 member evpn-instance 201 vni 10201
vlan configuration 202
 member evpn-instance 202 vni 10202
vlan configuration 203
 member evpn-instance 203 vni 10203
vlan configuration 204
 member evpn-instance 204 vni 10204
vlan configuration 901
 member vni 50901
!
vlan 101
 private-vlan primary
 private-vlan association 102-104
!
vlan 102
 private-vlan community
!
vlan 103
 private-vlan community
!
vlan 104
 private-vlan isolated
!
vlan 201
 private-vlan primary
 private-vlan association 202-204
!
vlan 202
 private-vlan community
!
vlan 203
 private-vlan community
!
vlan 204
 private-vlan isolated
!
vlan 901
!
interface Loopback0
 ip address 172.16.255.3 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface Loopback1
 ip address 172.16.254.3 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.13.3 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 172.16.23.3 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/3
 switchport access vlan 102
 switchport private-vlan host-association 101 102
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport access vlan 103
 switchport private-vlan host-association 101 103
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/5
 switchport access vlan 104
 switchport private-vlan host-association 101 104
 switchport mode private-vlan host
 spanning-tree portfast
!
interface Vlan101
 vrf forwarding green
 ip address 10.1.101.1 255.255.255.0
 private-vlan mapping 102-104
!
interface Vlan201
 vrf forwarding green
 ip address 10.1.201.1 255.255.255.0
 private-vlan mapping 202-204
!
interface Vlan901
 vrf forwarding green
 ip unnumbered Loopback1
 ipv6 enable
 no autostate
!
interface nve1
 no ip address
 source-interface Loopback1
 host-reachability protocol bgp
 member vni 10101 mcast-group 225.1.1.1
 member vni 10102 mcast-group 225.1.1.1
 member vni 10103 mcast-group 225.1.1.1
 member vni 10104 mcast-group 225.1.1.1
 member vni 10201 mcast-group 225.1.1.1
 member vni 10202 mcast-group 225.1.1.1
 member vni 10203 mcast-group 225.1.1.1
 member vni 10204 mcast-group 225.1.1.1
 member vni 50901 vrf green
!
router ospf 1
 router-id 172.16.255.3
!
VTEP 2
!
l2vpn evpn instance 203 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 204 vlan-based
 encapsulation vxlan
!
system mtu 9198
!
vlan configuration 101
 member evpn-instance 101 vni 10101
vlan configuration 102
 member evpn-instance 102 vni 10102
vlan configuration 103
 member evpn-instance 103 vni 10103
vlan configuration 104
 member evpn-instance 104 vni 10104
vlan configuration 201
 member evpn-instance 201 vni 10201
vlan configuration 202
 member evpn-instance 202 vni 10202
vlan configuration 203
 member evpn-instance 203 vni 10203
vlan configuration 204
 member evpn-instance 204 vni 10204
vlan configuration 901
 member vni 50901
!
vlan 101
 private-vlan primary
 private-vlan association 102-104
!
vlan 102
 private-vlan community
!
vlan 103
 private-vlan community
!
vlan 104
 private-vlan isolated
!
vlan 201
 private-vlan primary
 private-vlan association 202-204
!
vlan 202
 private-vlan community
!
vlan 203
 private-vlan community
!
vlan 204
 private-vlan isolated
!
vlan 901
!
interface Loopback0
 ip address 172.16.255.4 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface Loopback1
 ip address 172.16.254.4 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.14.4 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 172.16.24.4 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/11
 switchport access vlan 102
 switchport private-vlan host-association 101 102
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 switchport access vlan 103
 switchport private-vlan host-association 101 103
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/13
 switchport access vlan 104
 switchport private-vlan host-association 101 104
 switchport mode private-vlan host
 spanning-tree portfast
!
interface Vlan101
 vrf forwarding green
 ip address 10.1.101.1 255.255.255.0
 private-vlan mapping 102-104
!
interface Vlan201
 vrf forwarding green
 ip address 10.1.201.1 255.255.255.0
 private-vlan mapping 202-204
!
interface Vlan901
 vrf forwarding green
 ip unnumbered Loopback1
 ipv6 enable
 no autostate
!
interface nve1
 no ip address
 source-interface Loopback1
 host-reachability protocol bgp
 member vni 10101 mcast-group 225.1.1.1
 member vni 10102 mcast-group 225.1.1.1
 member vni 10103 mcast-group 225.1.1.1
 member vni 10104 mcast-group 225.1.1.1
 member vni 10201 mcast-group 225.1.1.1
 member vni 10202 mcast-group 225.1.1.1
 member vni 10203 mcast-group 225.1.1.1
 member vni 10204 mcast-group 225.1.1.1
 member vni 50901 vrf green
!
router ospf 1
 router-id 172.16.255.4
!
VTEP 3
!
l2vpn evpn instance 203 vlan-based
 encapsulation vxlan
!
l2vpn evpn instance 204 vlan-based
 encapsulation vxlan
!
system mtu 9198
!
vlan configuration 101
 member evpn-instance 101 vni 10101
vlan configuration 102
 member evpn-instance 102 vni 10102
vlan configuration 103
 member evpn-instance 103 vni 10103
vlan configuration 104
 member evpn-instance 104 vni 10104
vlan configuration 201
 member evpn-instance 201 vni 10201
vlan configuration 202
 member evpn-instance 202 vni 10202
vlan configuration 203
 member evpn-instance 203 vni 10203
vlan configuration 204
 member evpn-instance 204 vni 10204
vlan configuration 901
 member vni 50901
!
vlan 101
 private-vlan primary
 private-vlan association 102-104
!
vlan 102
 private-vlan community
!
vlan 103
 private-vlan community
!
vlan 104
 private-vlan isolated
!
vlan 201
 private-vlan primary
 private-vlan association 202-204
!
vlan 202
 private-vlan community
!
vlan 203
 private-vlan community
!
vlan 204
 private-vlan isolated
!
vlan 901
!
interface Loopback0
 ip address 172.16.255.5 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface Loopback1
 ip address 172.16.254.5 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.62.149.183 255.255.255.0
 negotiation auto
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.15.5 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 172.16.25.5 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/16
 switchport access vlan 202
 switchport private-vlan host-association 201 202
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/17
 switchport access vlan 203
 switchport private-vlan host-association 201 203
 switchport mode private-vlan host
 spanning-tree portfast
!
interface GigabitEthernet1/0/18
 switchport access vlan 204
 switchport private-vlan host-association 201 204
 switchport mode private-vlan host
 spanning-tree portfast
!
interface Vlan101
 vrf forwarding green
 ip address 10.1.101.1 255.255.255.0
 private-vlan mapping 102-104
!
interface Vlan201
 vrf forwarding green
 ip address 10.1.201.1 255.255.255.0
 private-vlan mapping 202-204
!
interface Vlan901
 vrf forwarding green
 ip unnumbered Loopback1
 ipv6 enable
 no autostate
!
interface nve1
 no ip address
 source-interface Loopback1
 host-reachability protocol bgp
 member vni 10101 mcast-group 225.1.1.1
 member vni 10102 mcast-group 225.1.1.1
 member vni 10103 mcast-group 225.1.1.1
 member vni 10104 mcast-group 225.1.1.1
 member vni 10201 mcast-group 225.1.1.1
 member vni 10202 mcast-group 225.1.1.1
 member vni 10203 mcast-group 225.1.1.1
 member vni 10204 mcast-group 225.1.1.1
 member vni 50901 vrf green
!
Table 2. Configuring Spine Switch 1 and Spine Switch 2 for PVLAN Extension in a BGP EVPN VXLAN Fabric
Spine Switch 1
Spine-01# show running-config
hostname Spine-01
!
ip routing
!
ip multicast-routing
!
system mtu 9198
!
interface Loopback0
 ip address 172.16.255.1 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback1
 ip address 172.16.254.1 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback2
 ip address 172.16.255.255 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.13.1 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 172.16.14.1 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 172.16.15.1 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.255.1
!
router bgp 65001
 bgp router-id 172.16.255.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.16.255.2 remote-as 65001
 neighbor 172.16.255.2 update-source Loopback0
 neighbor 172.16.255.3 remote-as 65001
 neighbor 172.16.255.3 update-source Loopback0
 neighbor 172.16.255.4 remote-as 65001
 neighbor 172.16.255.4 update-source Loopback0
 neighbor 172.16.255.5 remote-as 65001
 neighbor 172.16.255.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 172.16.255.2 activate
  neighbor 172.16.255.2 send-community both
  neighbor 172.16.255.2 route-reflector-client
  neighbor 172.16.255.3 activate
  neighbor 172.16.255.3 send-community both
  neighbor 172.16.255.3 route-reflector-client
  neighbor 172.16.255.4 activate
  neighbor 172.16.255.4 send-community both
  neighbor 172.16.255.4 route-reflector-client
  neighbor 172.16.255.5 activate
  neighbor 172.16.255.5 send-community both
  neighbor 172.16.255.5 route-reflector-client
 exit-address-family
!
ip pim rp-address 172.16.255.255
ip msdp peer 172.16.254.2 connect-source Loopback1 remote-as 65001
ip msdp cache-sa-state
!
end
Spine-01#
Spine Switch 2
Spine-02# show running-config
hostname Spine-02
!
ip routing
!
ip multicast-routing
!
system mtu 9198
!
interface Loopback0
 ip address 172.16.255.2 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback1
 ip address 172.16.254.2 255.255.255.255
 ip ospf 1 area 0
!
interface Loopback2
 ip address 172.16.255.255 255.255.255.255
 ip pim sparse-mode
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 172.16.23.2 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/2
 no switchport
 ip address 172.16.24.2 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 172.16.25.2 255.255.255.0
 ip pim sparse-mode
 ip ospf network point-to-point
 ip ospf 1 area 0
!
router ospf 1
 router-id 172.16.255.2
!
router bgp 65001
 bgp router-id 172.16.255.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 172.16.255.1 remote-as 65001
 neighbor 172.16.255.1 update-source Loopback0
 neighbor 172.16.255.3 remote-as 65001
 neighbor 172.16.255.3 update-source Loopback0
 neighbor 172.16.255.4 remote-as 65001
 neighbor 172.16.255.4 update-source Loopback0
 neighbor 172.16.255.5 remote-as 65001
 neighbor 172.16.255.5 update-source Loopback0
 !
 address-family ipv4
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 172.16.255.1 activate
  neighbor 172.16.255.1 send-community both
  neighbor 172.16.255.1 route-reflector-client
  neighbor 172.16.255.3 activate
  neighbor 172.16.255.3 send-community both
  neighbor 172.16.255.3 route-reflector-client
  neighbor 172.16.255.4 activate
  neighbor 172.16.255.4 send-community both
  neighbor 172.16.255.4 route-reflector-client
  neighbor 172.16.255.5 activate
  neighbor 172.16.255.5 send-community both
  neighbor 172.16.255.5 route-reflector-client
 exit-address-family
!
ip pim rp-address 172.16.255.255
ip msdp peer 172.16.254.1 connect-source Loopback1 remote-as 65001
ip msdp cache-sa-state
!
end
Spine-02#
Verifying PVLAN Extension in a BGP EVPN VXLAN Fabric
The following sections provide sample outputs for show commands to verify the PVLAN extension on the devices in the topology configured above:
The following example shows the output for the show bgp l2vpn evpn command on VTEP 2:
Leaf-02# show bgp l2vpn evpn
BGP table version is 65, local router ID is 172.16.255.4
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 172.16.255.3:101
* i [2][172.16.255.3:101][0][48][10B3D56A8FC1][32][10.1.101.1]/24
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
* i [2][172.16.255.3:101][0][48][F4CFE24334C2][32][10.1.101.3]/24
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
* i [2][172.16.255.3:101][0][48][F4CFE24334C3][32][10.1.101.4]/24
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
* i [2][172.16.255.3:101][0][48][F4CFE24334C4][32][10.1.101.5]/24
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.3:102
* i [2][172.16.255.3:102][0][48][F4CFE24334C2][0][*]/20
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.3:103
* i [2][172.16.255.3:103][0][48][F4CFE24334C3][0][*]/20
172.16.254.3 0 100 0 ?
*>i 172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.3:104
*>i [2][172.16.255.3:104][0][48][F4CFE24334C4][0][*]/20
172.16.254.3 0 100 0 ?
* i 172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.4:101
*>i [2][172.16.255.4:101][0][48][10B3D56A8FC1][32][10.1.101.1]/24
172.16.254.3 0 100 0 ?
*> [2][172.16.255.4:101][0][48][44D3CA286CC3][32][10.1.101.13]/24
:: 32768 ?
*> [2][172.16.255.4:101][0][48][44D3CA286CC4][32][10.1.101.14]/24
:: 32768 ?
*> [2][172.16.255.4:101][0][48][44D3CA286CC5][32][10.1.101.15]/24
:: 32768 ?
*> [2][172.16.255.4:101][0][48][7C210DBD9541][32][10.1.101.1]/24
:: 32768 ?
*>i [2][172.16.255.4:101][0][48][F4CFE24334C2][32][10.1.101.3]/24
172.16.254.3 0 100 0 ?
*>i [2][172.16.255.4:101][0][48][F4CFE24334C3][32][10.1.101.4]/24
Network Next Hop Metric LocPrf Weight Path
172.16.254.3 0 100 0 ?
*>i [2][172.16.255.4:101][0][48][F4CFE24334C4][32][10.1.101.5]/24
172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.4:102
*> [2][172.16.255.4:102][0][48][44D3CA286CC3][0][*]/20
:: 32768 ?
*>i [2][172.16.255.4:102][0][48][F4CFE24334C2][0][*]/20
172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.4:103
*> [2][172.16.255.4:103][0][48][44D3CA286CC4][0][*]/20
:: 32768 ?
*>i [2][172.16.255.4:103][0][48][F4CFE24334C3][0][*]/20
172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.4:104
*> [2][172.16.255.4:104][0][48][44D3CA286CC5][0][*]/20
:: 32768 ?
*>i [2][172.16.255.4:104][0][48][F4CFE24334C4][0][*]/20
172.16.254.3 0 100 0 ?
Route Distinguisher: 172.16.255.4:201
*>i [2][172.16.255.4:201][0][48][44D3CA286CC6][32][10.1.102.3]/24
172.16.254.5 0 100 0 ?
*>i [2][172.16.255.4:201][0][48][44D3CA286CC7][32][10.1.102.4]/24
172.16.254.5 0 100 0 ?
*>i [2][172.16.255.4:201][0][48][44D3CA286CC8][32][10.1.102.5]/24
172.16.254.5 0 100 0 ?
*>i [2][172.16.255.4:201][0][48][7C210DBD274C][32][10.1.201.1]/24
172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.4:202
*>i [2][172.16.255.4:202][0][48][44D3CA286CC6][0][*]/20
172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.4:203
*>i [2][172.16.255.4:203][0][48][44D3CA286CC7][0][*]/20
172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.4:204
*>i [2][172.16.255.4:204][0][48][44D3CA286CC8][0][*]/20
172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.5:201
*>i [2][172.16.255.5:201][0][48][44D3CA286CC6][32][10.1.102.3]/24
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
*>i [2][172.16.255.5:201][0][48][44D3CA286CC7][32][10.1.102.4]/24
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
*>i [2][172.16.255.5:201][0][48][44D3CA286CC8][32][10.1.102.5]/24
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
*>i [2][172.16.255.5:201][0][48][7C210DBD274C][32][10.1.201.1]/24
172.16.254.5 0 100 0 ?
Network Next Hop Metric LocPrf Weight Path
* i 172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.5:202
*>i [2][172.16.255.5:202][0][48][44D3CA286CC6][0][*]/20
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.5:203
*>i [2][172.16.255.5:203][0][48][44D3CA286CC7][0][*]/20
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
Route Distinguisher: 172.16.255.5:204
*>i [2][172.16.255.5:204][0][48][44D3CA286CC8][0][*]/20
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
Route Distinguisher: 1:1 (default for vrf green)
* i [5][1:1][0][24][10.1.101.0]/17
172.16.254.3 0 100 0 ?
* i 172.16.254.3 0 100 0 ?
*> 0.0.0.0 0 32768 ?
*>i [5][1:1][0][24][10.1.201.0]/17
172.16.254.5 0 100 0 ?
* i 172.16.254.5 0 100 0 ?
Leaf-02#
Outputs to Verify the Configuration on VTEP 3
The following example shows the output for the show vlan private-vlan command on VTEP 3:
Leaf-03# show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
101 102 community
101 103 community
101 104 isolated
201 202 community Gi1/0/16
201 203 community Gi1/0/17
201 204 isolated Gi1/0/18
Leaf-03#
The following example shows the output for the show ip arp vrf green command on VTEP 3:
Leaf-03# show ip arp vrf green
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.101.1 - 7c21.0dbd.2741 ARPA Vlan101
Internet 10.1.201.1 - 7c21.0dbd.274c ARPA Vlan201
Internet 172.16.254.5 - 7c21.0dbd.2748 ARPA Vlan901
Leaf-03#
The following example shows the output for the show mac address-table vlan vlan-id command on VTEP 3:
Leaf-03# show mac address-table vlan 101
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
101 7c21.0dbd.2741 STATIC Vl101
Total Mac Addresses for this criterion: 1
Leaf-03#
The following example shows the output for the show l2vpn evpn peers vxlan command on VTEP 3:
Leaf-03# show l2vpn evpn peers vxlan
Leaf-03#
The following example shows the output for the show nve peer command on VTEP 3:
Leaf-03# show nve peer
Interface VNI Type Peer-IP RMAC/Num_RTs eVNI state flags UP time
nve1 50901 L3CP 172.16.254.3 10b3.d56a.8fc8 50901 UP A/M/4 01:34:51
nve1 50901 L3CP 172.16.254.4 7c21.0dbd.9548 50901 UP A/M/4 01:34:51
Leaf-03#
The following example shows the output for the show l2vpn evpn mac local command on VTEP 3:
Leaf-03# show l2vpn evpn mac local
MAC Address EVI VLAN ESI Ether Tag Next Hop(s)
-------------- ----- ----- ------------------------ ---------- ---------------
44d3.ca28.6cc6 201 201 0000.0000.0000.0000.0000 0 Gi1/0/16:201
44d3.ca28.6cc7 201 201 0000.0000.0000.0000.0000 0 Gi1/0/17:201
44d3.ca28.6cc8 201 201 0000.0000.0000.0000.0000 0 Gi1/0/18:201
44d3.ca28.6cc6 202 202 0000.0000.0000.0000.0000 0 Gi1/0/16:202
44d3.ca28.6cc7 203 203 0000.0000.0000.0000.0000 0 Gi1/0/17:203
44d3.ca28.6cc8 204 204 0000.0000.0000.0000.0000 0 Gi1/0/18:204
Leaf-03#
The following example shows the output for the show l2vpn evpn mac remote command on VTEP 3: