Implementing and Troubleshooting Cisco EVPN VXLAN (ICT-EVPN)

Module 1: Network Evolution and EVPN Fundamentals

Lesson 1: Introduction to EVPN Concepts

• What is Ethernet VPN (EVPN)?
• Advantages of EVPN over traditional L2/L3 protocols
• EVPN as a scalable overlay network
• VXLAN header overview and role in fabric encapsulation
• Role of fabrics in solving traditional network problems
• Fabric architecture using VXLAN encapsulation
• Introduction to SD-Access fabric roles and operations
• Comparison of traditional 3-tier and BGP EVPN VXLAN networks
• Enterprise use case for BGP EVPN
• Flexible topology design with EVPN
• Why enterprises are adopting VXLAN
• Security enhancements with EVPN fabrics
• Overview of Cisco's BGP EVPN architecture

Lesson 2: Evolution of the Network Infrastructure

• Timeline of application architecture evolution
• Impact of cloud, mobility, and virtualization
• Transformation in data center design and networking needs
• Data center challenges and new design requirements
• The journey to Catalyst 9k EVPN adoption

Lesson 3: Catalyst 9000 Switch Family Overview

• Cisco Catalyst 9300, 9400, 9500, and 9600 Series
• Platform capabilities and scale considerations
• BGP EVPN scalability matrix across Catalyst models

Lesson 4: BGP EVPN Architecture Overview

• System role of BGP EVPN in campus networks
• Introduction to VXLAN fabric solutions with BGP EVPN
• Migration from traditional designs to BGP EVPN-based overlays
• Introduction to Network Device Fabric Controller (NDFC)
• Hardware and platform support for VXLAN/EVPN
• Role of automation with Ansible and Terraform

Lesson 5: SD-Access and BGP EVPN Integration

• Comparison of SD-Access and BGP EVPN technologies
• SDA-EVPN hardware support and access roles
• VXLAN with segment routing integration
• CLI simplification and fabric deployment models
• Use of Catalyst Center to orchestrate BGP EVPN
• Security and wireless integration in EVPN fabrics
• Evolution of Cisco’s campus EVPN solution

Module 2: EVPN VXLAN Fundamentals

Lesson 1: VXLAN Technology Overview

• What is VXLAN and why it's needed
• VXLAN packet structure and header format
• VTEP encapsulation and VXLAN constructs
• Overlay taxonomy and types of VXLAN fabrics
• MP-BGP EVPN route types and integration

Lesson 2: Underlay Network Foundations

• Underlay vs overlay network definitions
• MTU considerations in VXLAN environments
• IPv4/IPv6 underlay design with BGP and IS-IS
• BUM traffic replication strategies: multicast and ingress
• Seamless IPv6 integration and proxy mechanisms

Lesson 3: Control and Data Plane Operation

• Role of MP-BGP in EVPN
• Route Types 2 and 5: MAC/IP and subnet advertisements
• Distributed IP Anycast Gateway functionality
• Integrated Routing and Bridging (IRB) architecture
• Consistent configuration and symmetric IRB

Lesson 4: VXLAN Encapsulation and Transport

• Header details including SGT (Security Group Tag) integration
• VXLAN's multipath capability and transport independence
• VXLAN with BGP EVPN: synergy and deployment benefits

Lesson 5: Learning and Resolution Mechanisms

• VXLAN Flood and Learn behavior
• Static and dynamic MAC resolution
• LISP VXLAN integration overview

Lesson 6: Security in VXLAN EVPN

• VXLAN and Security Group Tag (SGT) integration
• Role-based access control using VXLAN encapsulation

Lesson 7: BUM Replication Mechanisms

• Requirements and options for BUM handling
• Ingress vs multicast replication configuration

Lesson 8: Fabric Concepts Recap

• Underlay and overlay definitions in VXLAN fabrics
• Introduction to fabric sites and modular deployment

Lab 1 : Designing and Building the VXLAN Underlay Network

• Exercise 1: VXLAN Constructs and Packet Format
• Exercise 2: Underlay and MTU Preparation
• Exercise 3: Configure MP-BGP EVPN Control Plane
• Exercise 4: VXLAN Bridging with L2VNI
• Exercise 5: VXLAN Packet Behavior and Route Types
• Exercise 6: VXLAN Encapsulation and Header Inspection

Module 3: Understanding Underlay Networks with VXLAN

Lesson 1: Underlay Network Architecture

• Definitions and taxonomy of underlay networks
• Transport models and VXLAN constructs
• MTU sizing and deployment considerations
• Routing protocols: OSPF, IS-IS, eBGP

Lesson 2: Design Models

• L3 routed access and StackWise Virtual
• L2 and L3 distribution models in the underlay

Lesson 3: Routing Protocol Options

• Comparison of IGP (OSPF/IS-IS) and eBGP
• BGP AS constructs and route advertisement
• Multicast routing and IPv6 underlay evolution

Lesson 4: Advanced Design Alternatives

• iBGP, MACSEC, IPSEC, and SD-WAN as underlay alternatives
• Seamless integration with EVPN overlay

Lab 2: Designing and Building the VXLAN Underlay Network

• Exercise 1: Underlay Network Architecture
• Exercise 2: Design Models – L3 Routed Access and StackWise Virtual
• Exercise 3: Routing Protocol Options
  • BGP
  • ISIS
  • OSPF
• Exercise 4: Advanced Design Alternatives
• Exercise 5: Creating the BGP Overlay

Module 4: VXLAN Overlay Network Design

Lesson 1: Overlay Concepts

• Services delivered by overlays
• Tunnel encapsulation and bridging vs routing
• Routing models: asymmetric and symmetric IRB

Lesson 2: Gateway and Topology Design

• Gateway types: distributed, centralized, and flexible IRB
• Topologies: Layer 2, Hub-and-Spoke, Full and Partial Mesh

Lesson 3: External Network Integration

• L2/L3 handoffs and interworking scenarios
• Multi-site EVPN and IEEE 802.1Q over VXLAN
• L3 handoff and VLAN termination approaches

Lab 3: VXLAN Overlay Network Design

• Exercise 1: Overlay Topology Planning
• Exercise 2: Layer 2 Bridging Overlay Configuration
• Exercise 3: Layer 3 Overlay Routing with Symmetric IRB
• Exercise 4: Host and Access Port Setup
• Exercise 5: Overlay Routing Verification

Module 5: BGP EVPN Architecture and Automation

Lesson 1: EVPN Fundamentals

• VLAN evolution to BGP EVPN
• EVPN instances and control/data plane separation
• Benefits and technical overview of EVPN

Lesson 2: Cisco Enterprise EVPN Solution

• EVI mapping and Ethernet Segment Identifier (ESI)
• EVPN multi-homing and route advertisement types
• Extended communities: ESI Label, MAC Mobility, Default Gateway

Lesson 3: Automation Technologies

• EVPN provisioning with Ansible and Terraform
• IOS XE programmability tools

Lab 4: Implementing and Automating BGP EVPN Architecture

• Exercise 1: Manual BGP EVPN Control Plane Configuration
• Exercise 2: Verification
• Exercise 3: Automating EVPN Configuration with Ansible
• Exercise 4: Automating with Terraform (Optional Advanced)

Module 6: Nexus 9000 Series Switches and EVPN VXLAN Configuration

Lesson 1: Overview of Nexus 9000 Series Platforms

• Introduction to Cisco Nexus 9k Series (9300, 9500, 9600 platforms)
• NX-OS vs ACI Modes: Use cases for each operating mode
• Nexus 9000 roles in EVPN VXLAN networks: leaf, spine, border, and services nodes
• Key features for VXLAN BGP EVPN:
  • High-scale VTEP capabilities
  • Deep buffer support
  • Programmability via NX-API, Python, and Bash shell
• Supported hardware features:
  • EVPN Multi-Homing (ESI-LAG)
  • Multicast replication and Data MDT
  • L2 and L3 VNI scaling
• Comparison with Catalyst 9000 platforms in EVPN deployments

Lesson 2: Underlay Configuration on Nexus 9000

• Interface and MTU setup (MTU = 9216 for VXLAN compatibility)
• Loopback interfaces for VTEP source and BGP router ID
• IP addressing strategy for underlay (point-to-point addressing)
• IGP or eBGP underlay protocol configuration
• Sample underlay eBGP configuration:

Lesson 3: Overlay BGP EVPN Control Plane

• MP-BGP configuration for EVPN address family
• Route-reflector design in the overlay
• Enabling route-target import/export per VNI
• Sample EVPN configuration:

Lesson 4: NVE and VNI Configuration

• NVE interface overview (VXLAN Tunnel Endpoint)
• Mapping VNIs to VLANs
• Distributed Anycast Gateway configuration
• Sample configuration:

Lesson 5: EVPN IRB Configuration for Layer 3 VNIs

• Creating VRFs for tenant segmentation
• Mapping VLANs to VRFs and VNIs
• Inter-VNI routing with symmetric IRB
• Sample configuration:

Lesson 6: Multicast Configuration for BUM Traffic (Optional)

• Multicast group mapping per VNI
• Underlay PIM-SM configuration
• Rendezvous Point (RP) design and distribution
• Sample multicast BUM setup:

Lesson 7: Verification and Troubleshooting on Nexus 9k

• Key commands:
• Packet capture and filtering on Nexus 9k
• Logging and event tracing for EVPN sessions
• NX-OS command equivalents for Catalyst CLI

Lesson 8: Day-0 and Day-2 Automation with NX-OS

• Using Python and Bash for automation
• NX-API for REST-based interaction
• Model-driven programmability with YANG and gNMI
• Example: Day-0 configuration with Ansible playbooks for Nexus switches

Lab 5: Nexus 9000 Series Switches and EVPN VXLAN Configuration

• Exercise 1: Underlay Network Configuration
• Exercise 2: Overlay - BGP EVPN Configuration
• Exercise 3: NVE and VNI Setup on Leaf Switches
• Exercise 4: Host Port Configuration
• Exercise 5: Validation

Module 7: Catalyst 9000 Series Switches and EVPN VXLAN Configuration

Lesson 1: Overview of Catalyst 9000 Series Platforms

• Introduction to Catalyst 9300, 9400, 9500, and 9600 switches
• Operating system: Cisco IOS XE and SD-Access readiness
• Role of Catalyst 9k in campus and branch fabrics with BGP EVPN
• Hardware support for VXLAN BGP EVPN, including platform scaling and VTEP roles
• Use cases for access, distribution, and border roles in the fabric
• Comparison with Nexus 9k platforms in terms of capability and design

Lesson 2: Underlay Network Configuration on Catalyst 9k

• Design of underlay routing for EVPN: point-to-point links, loopbacks, and routing protocol selection
• MTU configuration and path MTU discovery support
• Underlay protocol options: OSPF, IS-IS, and iBGP/eBGP
• Sample eBGP underlay configuration:

Lesson 3: Overlay EVPN Control Plane Configuration

• Enabling MP-BGP EVPN on Catalyst switches
• EVPN address-family activation and peer policies
• Use of route distinguishers and route targets for VRF separation
• Sample configuration for EVPN route advertisement:

Lesson 4: NVE and VNI Configuration

• Enabling the NVE interface on Catalyst platforms
• Mapping VLANs to VNIs
• VXLAN encapsulation for Layer 2 and Layer 3 VNIs
• Sample configuration:

Lesson 5: IRB and VRF Configuration for Layer 3 VNIs

• Creating VRF instances and mapping to VNIs
• Connecting L2VNIs and L3VNIs with symmetric IRB
• Anycast gateway IP configuration for distributed routing
• Sample VRF and interface setup:

Lesson 6: BUM Replication and Multicast Support

• Configuration options: ingress replication vs multicast
• Mapping VNIs to multicast groups for efficient broadcast and unknown unicast handling
• Sample multicast configuration:

Lesson 7: Verification and Troubleshooting on Catalyst 9k

• Key verification commands:
  • show l2vpn evpn peers
  • show nve peers
  • show bgp l2vpn evpn summary
  • show platform software vxlan control
  • show mac address-table dynamic
• Troubleshooting steps:
  • Validate VTEP reachability
  • Check BGP EVPN route types
  • Inspect ARP suppression and IRB behavior

Lesson 8: Automation and Orchestration Tools

• Ansible support for Catalyst-based EVPN deployments
• Template-based automation using Cisco Catalyst Center
• IOS XE programmability using RESTCONF and NETCONF
• Integration with Terraform for scalable configuration push

Lab 6: Catalyst 9000 Series Switches and EVPN VXLAN Configuration

• Exercise 1: Underlay Routing and Loopback Setup
• Exercise 2: Overlay BGP EVPN Control Plane
• Exercise 3: VLAN, VRF, and VNI Mapping
• Exercise 4: L2 and L3 Interfaces Configuration
• Exercise 5: Host Connectivity Configuration

Module 8: EVPN VXLAN L3 Tenant Routed Multicast on 9000 Series Switches

This module provides a comprehensive look at deploying Layer 3 Tenant Routed Multicast (TRM) within an EVPN VXLAN fabric using 9000 switches. It covers architecture, signaling, multicast routing, and integration with EVPN MVPN.

Lesson 1: TRM Architecture and Multicast Signaling

• Introduction to Tenant Routed Multicast (TRM)
• Underlay and overlay multicast trees: default MDT vs data MDT
• Control plane signaling using BGP MVPN route types (Type 3, 5, 6, 7)
• Multicast Source Discovery and Receiver Join workflows
• Key multicast roles: FHR, LHR, RP, and their placement in VXLAN

Lesson 2: Data MDT Operations

• Transition from default to data MDT for high-bandwidth flows
• Source-initiated and receiver-initiated triggers for switching trees
• VXLAN encapsulated multicast forwarding
• Nexus and Catalyst configuration differences
• Verification of data MDT transitions using CLI

Lesson 3: EVPN MVPN Interworking

• Overview of BGP MVPN and how it integrates with EVPN fabrics
• Translation between EVPN route types and MVPN route types
• Interoperability between multicast routing domains
• Signaling path walkthrough: RP to FHR to LHR

Lesson 4: Register-Source and RP Behavior

• Design and configuration for PIM Register-Source on leaf nodes
• Scenarios where RP is internal vs external
• Multicast registration signaling in EVPN fabrics
• Register-suppression and PIM encapsulation logic

Lesson 5: Distributed Anycast RP Configuration

• Role and deployment of Distributed RP in VXLAN overlays
• Anycast RP over loopback interfaces mapped to multicast group
• BGP signaling for Anycast RP advertisement
• Scalability and redundancy benefits
• Real-world validation and troubleshooting examples

Lesson 6: Troubleshooting VXLAN Multicast in Fabric

• Tools and techniques to isolate multicast issues:
  • BGP route inspection
  • MFIB/mroute table checks
  • RP/Join-Prune signal validation
• Common pitfalls:
  • Group mapping mismatch
  • PIM misconfigurations
  • Tunnel encapsulation issues

Lab 7: Underlay Multicast Configuration

• Exercise 1: Underlay Multicast Configuration
• Exercise 2: Underlay Routing Setup
• Exercise 3: MP-BGP EVPN Overlay Setup
• Exercise 4: Multicast in the Overlay (Tenant Routed Multicast)
• Exercise 5: Host Configuration and Traffic Simulation
• Exercise 6: Verification and Troubleshooting

Module 9: EVPN VXLAN Troubleshooting and Maintenance

This module teaches practical methods for diagnosing and resolving issues in EVPN VXLAN fabrics, helping network engineers isolate faults in control and data planes and maintain operational stability.

Lesson 1: Introduction to EVPN Troubleshooting

• Types of EVPN issues: provisioning, convergence, traffic drops
• Logical flow of troubleshooting: Layer 1 to Layer 3
• Importance of understanding control plane separation

Lesson 2: Control Plane vs Data Plane Validation

• Checking EVPN route advertisements (RT-2, RT-5, RT-3)
• Verifying NVE peer status and loopback reachability
• Inspecting MAC learning across VTEPs
• Tools: show l2vpn evpn, show nve,  show bgp l2vpn evpn

Lesson 3: Troubleshooting Broadcast, Multicast, and Unicast Flows

• Ingress replication vs multicast forwarding path
• Troubleshooting BUM traffic suppression or flooding
• Diagnosing ARP/GARP issues in VXLAN
• Silent host behavior and ARP suppression challenges

Lesson 4: Debugging Tools and Show Commands

• show platform software vxlan, show forwarding vxlan
• Packet tracing tools and CPU utilization monitoring
• EVPN Mgr, L2RIB, and L2FIB debug options
• Flow-based troubleshooting with traffic mirroring and NetFlow

Lesson 5: Packet Capture and Fabric Health Checks

• Performing inline packet capture on Catalyst/Nexus switches
• Using Embedded Event Manager (EEM) scripts for automation
• Health checks: VTEP status, BGP session health, MAC age-out
• Log correlation and fabric-level analytics

Lab 8: Troubleshooting EVPN

• Exercise 1: Control Plane Troubleshooting
• Exercise 2: Data Plane Troubleshooting
• Exercise 3: Packet Path and Verification

Module 10: Managing EVPN with Cisco Nexus Dashboard

This module introduces the use of Cisco Nexus Dashboard (ND) for centralized automation, visibility, and health monitoring of EVPN VXLAN fabrics. Key tools include NDFC, NDI, and NDO.

Lesson 1: Nexus Dashboard Overview

• Introduction to the Nexus Dashboard platform
• Key components:
  • Nexus Dashboard Fabric Controller (NDFC)
  • Nexus Dashboard Insights (NDI)
  • Nexus Dashboard Orchestrator (NDO)
• Supported devices and scale-out architecture

Lesson 2: Configuration and Monitoring of EVPN Fabrics

• Connecting Nexus Dashboard to EVPN-enabled Nexus/Catalyst switches
• Topology discovery and device onboarding
• Configuration validation and intent enforcement
• Monitoring BGP sessions, MAC/IP learning, and tunnel state

Lesson 3: Automating EVPN Deployment with NDO

• Creation of EVPN overlays using automation templates
• Role of intent-based networking in overlay configuration
• EVPN provisioning at scale
• Change control and rollback capabilities

Lesson 4: Analytics with Nexus Dashboard Insights

• Real-time telemetry collection
• Visualizing multicast, ECMP, and VTEP statistics
• Historical traffic analysis for capacity planning
• Predictive analytics for fault detection and SLA assurance

Lesson 5: Security, Compliance, and Scaling

• Role-Based Access Control (RBAC) configuration
• Security alerting and event correlation
• Multi-site EVPN support and federated policy enforcement
• Interoperability between Nexus and Catalyst fabrics

Lab 9: Real-World Tasks in Nexus Dashboard

• Exercise 1: Onboarding switches into NDFC
• Exercise 2: Building EVPN VXLAN overlay using NDO
• Exercise 3: Traffic analysis with NDI
• Exercise 4: Simulating failures and troubleshooting in ND

Module 11: Managing EVPN with Cisco Catalyst Center (formerly DNA Center)

This module focuses on using Cisco Catalyst Center for EVPN VXLAN management, including automation, monitoring, assurance, and integration with identity and compliance tools like Cisco ISE.

Lesson 1: Introduction to Catalyst Center

• Overview of Cisco DNA architecture and key use cases
• EVPN support in Catalyst 9000 and Catalyst Center integration
• Intent-based policy model for enterprise fabrics

Lesson 2: Centralized EVPN Configuration and Monitoring

• Discovery and onboarding of EVPN-enabled switches
• Centralized configuration of VNIs, VRFs, and NVE interfaces
• Real-time visualization of EVPN fabric state

Lesson 3: Integration with Cisco ISE

• Mapping SGT tags in VXLAN headers
• Dynamic segmentation and identity-based access
• Security Group ACL enforcement at the fabric edge

Lesson 4: Troubleshooting EVPN with Catalyst Center

• Path trace and packet capture for EVPN flows
• Troubleshooting MAC learning, VTEP status, and VXLAN tunnels
• Root cause analysis using AI-driven insights
• Alerting and real-time telemetry feedback

Lesson 5: Scaling and Multi-site Support

• Automating EVPN expansion across campus and remote sites
• Template-based VTEP provisioning and policy replication
• Multi-domain stitching and inter-site overlay design

Lab 10: Lifecycle Management in Catalyst Center

• Exercise 1: Device discovery and EVPN configuration
• Exercise 2: Deploying overlay VNIs using templates
• Exercise 3: EVPN assurance and fault isolation
• Exercise 4: Multi-site EVPN expansion and validation