Glossary		Print Page		Document Feedback		Support & Services		Pluribus Networks		Pluribus Blog		LinkedIn		Facebook		Twitter

Displaying VXLAN Features with EVPN

A multi-pod EVPN configuration requires the extension of the intra-pod features commonly used for single-fabric setups. Therefore, before proceeding, refer to the VXLAN commands described in the Configuring VXLAN chapter above for reference.

VTEPs are the VXLAN termination points: Netvisor ONE provides a CLI construct called VTEP object to automatically set up a mesh of bidirectional connections between the end points.

Multi-pod EVPN designs comprise two or more pods in which at least one node per pod is designated as border gateway, as explained earlier. Border gateways are interconnected by EVPN-derived automatic VXLAN tunnels, as shown in dark red color in the figure below for POD 1 and POD 2.

In the network design in Figure 10-6, for redundancy, two pairs of clustered leaf nodes are selected as border gateways (highlighted in yellow and green).

Figure 10-6: Border Gateways vs. Non-Border Gateways

Displaying VTEPs

VTEPs can be created normally in each pod on all the leaf node pairs to automatically set up the intra-pod tunnels (in blue color in the figure above).

However, when the border gateways are configured and actively exchanging EVPN messages a pair of automatic VTEP objects (and the corresponding tunnels) are created as displayed in the output below:

CLI (network-admin@bgw11) > vtep-show format switch,scope,name,location,vrouter-name,ip,virtual-ip,

switch scope name location vrouter-name ip virtual-ip

------ ------ -------------------- ------------- --------------- ------------ ------------

fabric vtep-leaf1 leaf1 vrouter-leaf-1 172.16.128.1 172.16.128.3

fabric vtep-leaf2 leaf2 vrouter-leaf-2 172.16.128.2 172.16.128.3

fabric vtep-leaf3 leaf3 vrouter-leaf-3 172.16.129.1 172.16.129.3

fabric vtep-leaf4 leaf4 vrouter-leaf-4 172.16.129.2 172.16.129.3

fabric vtep-leaf5 leaf5 vrouter-leaf-5 172.16.130.1 172.16.130.3

fabric vtep-leaf6 leaf6 vrouter-leaf-6 172.16.130.2 172.16.130.3

fabric vtep-bgw11 bgw11 vrouter-bgw-11 172.16.133.1 172.16.133.3

fabric vtep-bgw12 bgw12 vrouter-bgw-12 172.16.133.2 172.16.133.3

bgw11 local __evpn__172.16.134.3 host-external 172.16.134.3 ::

bgw12 local __evpn__172.16.134.3 host-external 172.16.134.3 ::

Each automatic VTEP is created with a local scope and the host-external location string on the two border gateways only. The name starts with the __evpn__ string followed by the (virtual) IP address of the neighboring border gateway (pair).

EVPN VTEPs can be displayed with the following command and identified from their name and from the vtep-source column:

CLI (network-admin@bgw11*) > vtep-show format name,vtep-source

name vtep-source

-------------------- -----------

vtep-bgw11 config

__evpn__172.16.134.3 evpn

Displaying Automatic Tunnels

Tunnels are created automatically between border gateways for inter-pod communication. They can be identified from the type column in the following command:

CLI (network-admin@bgw11*) > tunnel-show format name,type,

name type

------------------------------------- ----------

auto-tunnel-190.11.1.1_65.1.1.10 vxlan

auto-tunnel-172.16.133.3_172.16.134.3 vxlan-evpn

Displaying EVPN Border Gateways

The role of border gateway, as configured by the user, can be shown with the expanded vtep-show format all command that includes the evpn-border column:

CLI (network-admin@bgw11) > vtep-show format all

switch scope name location vrouter-name ip virtual-ip mac description mac-learning evpn-border

------ ------ -------------------- ------------- --------------- ------------ ------------ ----------------- ----------- ------------ -----------

fabric vtep-leaf1 leaf1 vrouter-leaf-1 172.16.128.1 172.16.128.3 00:00:5e:00:01:01 on false

fabric vtep-leaf2 leaf2 vrouter-leaf-2 172.16.128.2 172.16.128.3 00:00:5e:00:01:01 on false

fabric vtep-leaf3 leaf3 vrouter-leaf-3 172.16.129.1 172.16.129.3 00:00:5e:00:01:02 on false

fabric vtep-leaf4 leaf4 vrouter-leaf-4 172.16.129.2 172.16.129.3 00:00:5e:00:01:02 on false

fabric vtep-leaf5 leaf5 vrouter-leaf-5 172.16.130.1 172.16.130.3 00:00:5e:00:01:03 on false

fabric vtep-leaf6 leaf6 vrouter-leaf-6 172.16.130.2 172.16.130.3 00:00:5e:00:01:03 on false

fabric vtep-bgw11 bgw11 vrouter-bgw-11 172.16.133.1 172.16.133.3 00:00:5e:00:01:06 on true

fabric vtep-bgw12 bgw12 vrouter-bgw-12 172.16.133.2 172.16.133.3 00:00:5e:00:01:06 on true

bgw11 local __evpn__172.16.134.3 host-external 172.16.134.3 :: 00:00:00:00:00:00 on false

bgw12 local __evpn__172.16.134.3 host-external 172.16.134.3 :: 00:00:00:00:00:00 on false

The role of a border gateway can also be verified by using the vrouter-show command; however, the basic command may not be sufficient. To obtain additional info, you may use the format-all option. Alternatively, you can use the evpn-border filter to display only the border gateway node(s) for example like so:

CLI (network-admin@bgw11) > vrouter-show format name,hw-router-mac,evpn-border

name hw-router-mac evpn-border

--------------- ----------------- -----------

vrouter-bgw-11 66:0e:94:14:f3:5b enable

vrouter-bgw-12 66:0e:94:22:d7:1c enable

vrouter-leaf-1 66:0e:94:ad:d4:41 disable

vrouter-leaf-2 66:0e:94:95:f9:74 disable

<snip>

The border gateway role is also reflected in the BGP configuration, as discussed above and as shown in this command output:

CLI (network-admin@bgw11*) > vrouter-bgp-show multi-protocol l2vpn-evpn

vrouter-name neighbor remote-as next-hop-self prepend replace-as ebgp-multihop update-source route-reflector-client override-capability soft-reconfig-inbound max-prefix-warn-only bfd multi-protocol weight default-originate neighbor-keepalive-interval(s) neighbor-holdtime(s) dup-addr-max-moves(s) dup-addr-moves-duration(s) dup-addr-freeze connect-retry-interval(s) send-community allowas-in allowas-in-origin as-override advertisement-interval(s) description

--------------- ------------ --------- ------------- ------- ---------- ------------- ------------- ---------------------- ------------------- --------------------- -------------------- --- -------------- ------ ----------------- ------------------------------ -------------------- --------------------- -------------------------- --------------- ------------------------- -------------- ---------- ----------------- ----------- ------------------------- -----------

vrouter-bgw-11 172.16.134.1 66611 no yes no 4 172.16.133.1 no no yes no no l2vpn-evpn none no 60 180 5 180 180 15 yes no no no 0 none

vrouter-bgw-11 172.16.134.2 66611 no yes no 4 172.16.133.1 no no yes no no l2vpn-evpn none no 60 180 5 180 180 15 yes no no no 0 none

The above verbose command output can be compacted, for example like so, to get an abridged overview of the EVPN neighborship:

CLI (network-admin@bgw11*) > vrouter-bgp-show format ,neighbor,remote-as,update-source,multi-protocol

vrouter-name neighbor remote-as update-source multi-protocol

-------------- ------------ --------- ------------- --------------

vrouter-bgw-11 172.16.0.161 64311 ipv4-unicast

vrouter-bgw-11 172.16.2.161 64312 ipv4-unicast

vrouter-bgw-11 172.16.4.161 64313 ipv4-unicast

vrouter-bgw-11 172.16.6.161 64314 ipv4-unicast

vrouter-bgw-11 172.16.133.2 64518 ipv4-unicast

vrouter-bgw-11 101.1.1.1 60000 ipv4-unicast

vrouter-bgw-11 172.16.134.1 66611 172.16.133.1 l2vpn-evpn

vrouter-bgw-11 172.16.134.2 66611 172.16.133.1 l2vpn-evpn

Displaying VNIs

VTEPs’ VNI associations can be displayed with the vtep-vxlan-show command locally on the border gateway(s):

CLI (network-admin@bgw11*) > vtep-vxlan-show

name vxlan isolated

-------------------- ------ --------

vtep-leaf1 10201 no

vtep-leaf1 103501 no

vtep-leaf1 10403 no

vtep-leaf2 10201 no

vtep-leaf2 103501 no

vtep-leaf2 10403 no

vtep-leaf3 10201 no

vtep-leaf3 103501 no

vtep-leaf3 10403 no

vtep-leaf4 10201 no

vtep-leaf4 103501 no

vtep-leaf4 10403 no

vtep-leaf5 10201 no

vtep-leaf5 103501 no

vtep-leaf5 10403 no

vtep-leaf6 10201 no

vtep-leaf6 103501 no

vtep-leaf6 10403 no

vtep-bgw11 10201 no

vtep-bgw11 103501 no

vtep-bgw11 10403 no

vtep-bgw12 10201 no

vtep-bgw12 103501 no

vtep-bgw12 10403 no

__evpn__172.16.134.3 10201 no

__evpn__172.16.134.3 103501 no

In the above example, note that VNIs 10201 and 103501 are present on all the leaf nodes including the border gateways’ VTEPs and the automatically created host-external ones.

In other words, this command can be used to verify that the inter-pod VNIs are configured consistently on each pod’s VTEPs and that, as a consequence, the common VNIs get added to the automatic inter-pod tunnels too.

Let’s suppose the number of VNIs grows pretty large. Then, you can limit the output of the display for example to a particular EVPN VTEP of interest, like so:

CLI (network-admin@bgw11*) > vtep-vxlan-show name __evpn__172.16.134.3

name vxlan isolated

-------------------- ------ --------

__evpn__172.16.134.3 10201 no

__evpn__172.16.134.3 10202 no

__evpn__172.16.134.3 10203 no

__evpn__172.16.134.3 10204 no

__evpn__172.16.134.3 10205 no

…

Displaying EVPN Route Types

In order to display the supported EVPN route types for VXLAN (encapsulation type 8) received by a border gateway node, you can use the following command:

CLI (network-admin@bgw11*) > vrouter-evpn-bgp-routes-show format vrouter-name,rd,vni,network,route-type,next-hop,path,extended-community

vrouter-name rd vni network route-type next-hop path extended-community

-------------- -------------- ------ ------------------------ ---------- ------------ ---- -------------------------------------------

vrouter-bgw-11 0.0.0.0:2 103501 [24]:[10.2.3.0] 5 172.16.133.3 ET:8 RT:64518:103501 Rmac:00:00:5e:00:01:06

vrouter-bgw-11 0.0.0.0:2 103501 [24]:[10.2.4.0] 5 172.16.134.3 RT:1075:103501 ET:8 Rmac:00:00:5e:00:01:01

vrouter-bgw-11 192.168.0.11:3 10201 [48]:[00:3b:01:00:00:01] 2 172.16.133.3 ET:8 RT:64518:10201

vrouter-bgw-11 192.168.0.11:3 10201 [32]:[172.16.133.3] 3 172.16.133.3 ET:8 RT:64518:10201

vrouter-bgw-11 192.168.0.11:4 10403 [32]:[172.16.133.3] 3 172.16.133.3 ET:8 RT:64518:10403

vrouter-bgw-11 192.168.0.13:3 10404 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10404 ET:8

vrouter-bgw-11 192.168.0.13:4 10201 [48]:[00:3d:01:00:00:01] 2 172.16.134.3 RT:1075:10201 ET:8

vrouter-bgw-11 192.168.0.13:4 10201 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10201 ET:8

vrouter-bgw-11 192.168.0.14:3 10404 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10404 ET:8

vrouter-bgw-11 192.168.0.14:4 10201 [48]:[00:3d:01:00:00:01] 2 172.16.134.3 RT:1075:10201 ET:8

vrouter-bgw-11 192.168.0.14:4 10201 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10201 ET:8

Note that the route type is listed in a separate column. The EVPN route contents are shown in the network column (IP addresses for type 5, MAC addresses for type 2, etc.). Also note that EVPN Route Targets (RT) and Route Distinguishers (RD) are displayed. The RT field is used to transport the VNI values.

You can selectively display a single route type with these commands:

CLI (network-admin@bgw11*) > vrouter-evpn-bgp-routes-show route-type 2 format vrouter-name,rd,vni,network,route-type,next-hop,path,extended-community

vrouter-name rd vni network route-type next-hop path extended-community

-------------- -------------- ----- ------------------------ ---------- ------------ ---- -------------------

vrouter-bgw-11 192.168.0.11:3 10201 [48]:[00:3b:01:00:00:01] 2 172.16.133.3 ET:8 RT:64518:10201

vrouter-bgw-11 192.168.0.13:4 10201 [48]:[00:3d:01:00:00:01] 2 172.16.134.3 RT:1075:10201 ET:8

vrouter-bgw-11 192.168.0.14:4 10201 [48]:[00:3d:01:00:00:01] 2 172.16.134.3 RT:1075:10201 ET:8

CLI (network-admin@bgw11*) > vrouter-evpn-bgp-routes-show route-type 3 format vrouter-name,rd,vni,network,route-type,next-hop,path,extended-community

vrouter-name rd vni network route-type next-hop path extended-community

-------------- -------------- ----- ------------------- ---------- ------------ ---- -------------------

vrouter-bgw-11 192.168.0.11:3 10201 [32]:[172.16.133.3] 3 172.16.133.3 ET:8 RT:64518:10201

vrouter-bgw-11 192.168.0.11:4 10403 [32]:[172.16.133.3] 3 172.16.133.3 ET:8 RT:64518:10403

vrouter-bgw-11 192.168.0.13:3 10404 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10404 ET:8

vrouter-bgw-11 192.168.0.13:4 10201 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10201 ET:8

vrouter-bgw-11 192.168.0.14:3 10404 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10404 ET:8

vrouter-bgw-11 192.168.0.14:4 10201 [32]:[172.16.134.3] 3 172.16.134.3 RT:1075:10201 ET:8

CLI (network-admin@bgw11*) > vrouter-evpn-bgp-routes-show route-type 5 format vrouter-name,rd,vni,network,route-type,next-hop,extended-community

vrouter-name rd vni network route-type next-hop extended-community

-------------- --------- ------ --------------- ---------- ------------ -------------------------------------------

vrouter-bgw-11 0.0.0.0:2 103501 [24]:[10.2.3.0] 5 172.16.133.3 ET:8 RT:64518:103501 Rmac:00:00:5e:00:01:06

vrouter-bgw-11 0.0.0.0:2 103501 [24]:[10.2.4.0] 5 172.16.134.3 RT:1075:103501 ET:8 Rmac:00:00:5e:00:01:01

Displaying VRFs

VRF information, including the associated L3 VNIs, can be displayed with the command:

CLI (network-admin@bgw11*) > vrf-show

name vnet scope anycast-mac vrf-gw vrf-gw2 vrf-gw-ip6 vrf-gw2-ip6 l3-vni active hw-router-mac hw-vrid flags enable description

---------- ---- ------ ----------------- ------ ------- ---------- ----------- ------ ------ ----------------- ------- ------ ------ -----------

vrf-pod1-1 0:0 fabric 64:0e:94:40:00:02 :: :: :: :: 103501 yes 66:0e:94:13:bd:c8 1 subnet yes

Subnet information, including the associated VRF, can be displayed with the command:

CLI (network-admin@bgw11*) > subnet-show

name scope vlan vxlan vrf network anycast-gw-ip packet-relay forward-proto state enable

-------- ------ ---- ----- ---------- ----------- ------------- ------------ ------------- ----- ------

vlan-403 fabric 403 10403 vrf-pod1-1 10.2.3.0/24 10.2.3.1 disable dhcp ok yes

Displaying Routing Information

To verify the RIB routes associated with EVPN, you can use either of the following commands:

CLI (network-admin@bgw11*) > vrouter-rib-routes-show vrid 1

vrid ip prelen number-of-nexthops nexthop flags vnet bd vlan intf-ip intf-id

---- -------- ------ ------------------ ------------ ------------------ ---- -- ---- -------- -------

1 10.2.4.0 24 1 172.16.134.3 in-hw,evpn 3501 :: 10

1 10.2.3.0 24 1 10.2.3.1 in-hw,local-subnet 403 10.2.3.1 11

CLI (network-admin@bgw11*) > vrouter-rib-routes-show vrid 1 flags evpn

vrid ip prelen number-of-nexthops nexthop flags vnet bd vlan intf-ip intf-id

---- -------- ------ ------------------ ------------ ---------- ---- -- ---- ------- -------

1 10.2.4.0 24 1 172.16.134.3 in-hw,evpn 3501 :: 10

On non-border gateway nodes (such as Leaf 1), you can verify the presence of an automatically created default route pointing to the border gateway(s) with either of the following commands:

CLI (network-admin@leaf1*) > vrouter-rib-routes-show vrid 1

vrid ip prelen number-of-nexthops nexthop flags vnet bd vlan intf-ip intf-id

---- -------- ------ ------------------ ------------ ------------------ ---- -- ---- -------- -------

1 0.0.0.0 0 1 172.16.133.3 in-hw,evpn 3501 :: 8

1 10.2.3.0 24 1 10.2.3.1 in-hw,local-subnet 403 10.2.3.1 9

CLI (network-admin@leaf1*) > vrouter-rib-routes-show vrid 1 flags evpn

vrid ip prelen number-of-nexthops nexthop flags vnet bd vlan intf-ip intf-id

---- ------- ------ ------------------ ------------ ---------- ---- -- ---- ------- -------

1 0.0.0.0 0 1 172.16.133.3 in-hw,evpn 3501 :: 8

In this case the default gateway points to a VIP address of a redundant border gateway pair, which can be displayed like so:

CLI (network-admin@bgw11*) > vrouter-interface-show is-vip true

vrouter-name nic ip mac vlan vlan-type nic-state is-vip vrrp-id vrrp-primary vrrp-state mtu priority-tag

-------------- ---------- --------------- ----------------- ---- --------- --------- ------ ------- ------------ ---------- ---- ------------

vrouter-bgw-11 eth21.3808 172.16.133.3/29 00:00:5e:00:01:06 3808 public up true 6 eth20.3808 master 9216 off

Displaying BGP Neighbor Information

To display BGP neighbors associated with EVPN, you can use the following command:

CLI (network-admin@bgw11*) > vrouter-evpn-bgp-neighbor-summary-show format all

vrouter-name neighbor ver as msg-rcvd msg-sent Tb/Ver InQ OutQ up/down state pfxrcd

-------------- ------------ --- ----- -------- -------- ------ --- ---- -------- ----------- ------

vrouter-bgw-11 172.16.134.1 4 65011 122 226 0 0 0 00:00:39 Connect 0

vrouter-bgw-11 172.16.134.2 4 65011 83 190 0 0 0 00:07:36 Established 4

Displaying vPort Information

On a non-border gateway node such as Leaf 1, you can verify the vPort database information associated with the EVPN control plane by using the following command:

CLI (network-admin@leaf1*) > vport-show state evpn

owner mac vxlan state vtep-ip

----- ----------------- ------ ----- ------------

leaf1 64:0e:94:40:00:02 10201 evpn 172.16.133.3

leaf1 64:0e:94:40:00:02 103501 evpn 172.16.133.3

Displaying Additional BGP Control Plane Information

EVPN uses BGP as control plane to exchange various kinds of information that are necessary for proper network functioning, such as VNI values, MAC/IP address pair entries (as found in ARP caches), and Layer 2 address information.

Note that the EVPN control plane in Netvisor ONE is divided into two layers. The higher layer comprises the familiar Netvisor ONE commands, which provide a holistic view on the network entities as described in the above sections. Instead, the lower layer (also known as FRR) provides a low-level 'raw' view on certain control plane functions.

For troubleshooting purposes, it can be useful to check that the upper layer and the lower layer information match.

For instance, it is possible to verify the list of active VNIs on a Border Gateway with the familiar 'high-level' vtep-vxlan-show command. For example, on bgw21 (limited to vtep-leaf2 for brevity's sake) the command output shows:

CLI (network-admin@bgw21*) > vtep-vxlan-show name vtep-leaf2 sort-asc vxlan,

name vxlan isolated

---------- ------ --------

vtep-leaf2 10110 no

vtep-leaf2 10112 no

vtep-leaf2 10120 no

vtep-leaf2 10121 no

vtep-leaf2 10122 no

vtep-leaf2 10130 no

vtep-leaf2 10131 no

vtep-leaf2 10140 no

vtep-leaf2 10145 no

vtep-leaf2 10146 no

vtep-leaf2 10147 no

vtep-leaf2 10148 no

vtep-leaf2 10149 no

vtep-leaf2 10150 no

The same VNI information can be checked also in the low-level 'raw' control plane view with the vrouter-evpn-bgp-vni-show command, which additionally shows that the VNIs are transported in the RT values. The command also shows that Netvisor ONE imports and exports all RTs from/to neighbor switches:

CLI (network-admin@bgw21*) > vrouter-evpn-bgp-vni-show sort-asc vni,

switch vrouter-name vni type rd import-rt export-rt

------ ------------ ------ ---- ---------- ------------ ------------

bgw21 bgw21-vr 10110 2 2.4.0.1:15 65012:10110 65012:10110

bgw21 bgw21-vr 10112 2 2.4.0.1:27 65012:10112 65012:10112

bgw21 bgw21-vr 10120 2 2.4.0.1:30 65012:10120 65012:10120

bgw21 bgw21-vr 10121 2 2.4.0.1:35 65012:10121 65012:10121

bgw21 bgw21-vr 10122 2 2.4.0.1:39 65012:10122 65012:10122

bgw21 bgw21-vr 10130 2 2.4.0.1:16 65012:10130 65012:10130

bgw21 bgw21-vr 10131 2 2.4.0.1:17 65012:10131 65012:10131

bgw21 bgw21-vr 10140 2 2.4.0.1:20 65012:10140 65012:10140

bgw21 bgw21-vr 10145 2 2.4.0.1:33 65012:10145 65012:10145

bgw21 bgw21-vr 10146 2 2.4.0.1:13 65012:10146 65012:10146

bgw21 bgw21-vr 10147 2 2.4.0.1:19 65012:10147 65012:10147

bgw21 bgw21-vr 10148 2 2.4.0.1:32 65012:10148 65012:10148

bgw21 bgw21-vr 10149 2 2.4.0.1:12 65012:10149 65012:10149

bgw21 bgw21-vr 10150 2 2.4.0.1:28 65012:10150 65012:10150

Similarly, it is possible to check the Layer 3 table's contents (MAC/IP address pairs) populated by EVPN and then also verify that the low-level entries match. For that you can use the following two commands (in this example, for the sake of brevity, only the entries associated with VLAN 211 and VNI 10211 are shown):

CLI (network-admin@bgw21*) > l3-table-show vlan 211

mac ip vlan vxlan state

----------------- ----------------- ---- ----- -----------

00:11:01:00:00:06 100.0.211.6 211 10211 active,evpn

00:11:01:00:00:02 2000::100:0:211:2 211 10211 active,evpn

00:11:01:00:00:0a 2000::100:0:211:a 211 10211 active,evpn

00:11:01:00:00:04 100.0.211.4 211 10211 active,evpn

00:11:01:00:00:03 2000::100:0:211:3 211 10211 active,evpn

00:11:01:00:00:07 100.0.211.7 211 10211 active,evpn

00:11:01:00:00:05 2000::100:0:211:5 211 10211 active,evpn

00:11:01:00:00:08 2000::100:0:211:8 211 10211 active,evpn

00:11:01:00:00:07 2000::100:0:211:7 211 10211 active,evpn

00:11:01:00:00:09 100.0.211.9 211 10211 active,evpn

00:11:01:00:00:05 100.0.211.5 211 10211 active,evpn

00:11:01:00:00:04 2000::100:0:211:4 211 10211 active,evpn

00:11:01:00:00:08 100.0.211.8 211 10211 active,evpn

00:11:01:00:00:02 100.0.211.2 211 10211 active,evpn

00:11:01:00:00:03 100.0.211.3 211 10211 active,evpn

00:11:01:00:00:0a 100.0.211.10 211 10211 active,evpn

00:11:01:00:00:06 2000::100:0:211:6 211 10211 active,evpn

00:11:01:00:00:09 2000::100:0:211:9 211 10211 active,evpn

The corresponding low-level command is:

CLI (network-admin@bgw21*) > vrouter-evpn-arp-cache-show vni 10211

name vni ip mac remote-vtep type state remote-seq local-seq

-------- ----- ----------------- ----------------- ----------- ------ ------ ---------- ---------

bgw21-vr 10211 2000::100:0:211:8 00:11:01:00:00:08 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.7 00:11:01:00:00:07 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.6 00:11:01:00:00:06 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:9 00:11:01:00:00:09 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:a 00:11:01:00:00:0a 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.3 00:11:01:00:00:03 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:6 00:11:01:00:00:06 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.2 00:11:01:00:00:02 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:7 00:11:01:00:00:07 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:4 00:11:01:00:00:04 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.10 00:11:01:00:00:0a 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.8 00:11:01:00:00:08 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:2 00:11:01:00:00:02 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.4 00:11:01:00:00:04 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.5 00:11:01:00:00:05 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.1 00:11:01:00:00:01 7.1.1.1 remote active 0 0

bgw21-vr 10211 100.0.211.9 00:11:01:00:00:09 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:3 00:11:01:00:00:03 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:1 00:11:01:00:00:01 7.1.1.1 remote active 0 0

bgw21-vr 10211 2000::100:0:211:5 00:11:01:00:00:05 7.1.1.1 remote active 0 0

Furthermore, to check the Layer 2 table's contents (e.g., the MAC addresses learned locally and remotely via EVPN) and then also to verify that the low-level entries match, you can use the following two commands (in this example, for the sake of brevity, only the entries associated with VNI 10211 are displayed):

CLI (network-admin@bgw21*) > l2-table-show vlan 211 format mac,vlan,vxlan,ip,state,peer-state,peer-owner-state,status

mac vlan vxlan ip state peer-state peer-owner-state status

----------------- ---- ----- ------------------- ----------- ----------- ---------------- ------

00:11:01:00:00:01 211 10211 2000::100:0:211:1 tunnel,evpn evpn-wo-bgp

00:11:01:00:00:04 211 10211 2000::100:0:211:4 tunnel,evpn

00:12:01:00:00:08 211 10211 2000::100:0:211:107 tunnel tunnel active host

00:11:01:00:00:08 211 10211 2000::100:0:211:8 tunnel,evpn

00:11:01:00:00:07 211 10211 2000::100:0:211:7 tunnel,evpn

00:12:01:00:00:01 211 10211 2000::100:0:211:100 tunnel tunnel active host

00:11:01:00:00:05 211 10211 2000::100:0:211:5 tunnel,evpn

00:12:01:00:00:06 211 10211 2000::100:0:211:105 tunnel tunnel active host

00:11:01:00:00:03 211 10211 2000::100:0:211:3 tunnel,evpn

00:11:01:00:00:02 211 10211 2000::100:0:211:2 tunnel,evpn

00:12:01:00:00:02 211 10211 2000::100:0:211:101 tunnel tunnel active host

00:11:01:00:00:06 211 10211 2000::100:0:211:6 tunnel,evpn

00:12:01:00:00:07 211 10211 2000::100:0:211:106 tunnel tunnel active host

00:12:01:00:00:05 211 10211 2000::100:0:211:104 tunnel tunnel active host

00:12:01:00:00:0a 211 10211 2000::100:0:211:109 tunnel tunnel active host

00:11:01:00:00:0a 211 10211 100.0.211.10 tunnel,evpn

00:12:01:00:00:03 211 10211 2000::100:0:211:102 tunnel tunnel active host

00:12:01:00:00:04 211 10211 2000::100:0:211:103 tunnel tunnel active host

00:11:01:00:00:09 211 10211 2000::100:0:211:9 tunnel,evpn

00:12:01:00:00:09 211 10211 2000::100:0:211:108 tunnel tunnel active host

In the above command output it's possible to look at the state of a MAC address entry to check if it's learned from a local tunnel and/or from the evpn control plane. When the peer-state is evpn-wo-bgp, it means that the entry was learned (initially) directly from the data plane.

The corresponding low-level command to check the Layer 2 entries is:

CLI (network-admin@bgw21*) > vrouter-evpn-vni-mac-show vni 10211

vrouter-name vni mac type intf/remote-vtep vlan local-seq remote-seq

------------ ----- ----------------- ------ ---------------- ---- --------- ----------

bgw21-vr 10211 00:12:01:00:00:02 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:12:01:00:00:0a local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:05 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:11:01:00:00:0a remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:07 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:02 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:09 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:07 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:11:01:00:00:04 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:03 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:08 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:08 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:01 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:11:01:00:00:03 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:06 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:12:01:00:00:01 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:09 remote 7.1.1.1 0 0 0

bgw21-vr 10211 00:12:01:00:00:05 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:12:01:00:00:04 local 9000becvni10211 0 0 0

bgw21-vr 10211 00:11:01:00:00:06 remote 7.1.1.1 0 0 0

Displaying EVPN Route History Information

Displaying EVPN route history information is useful to verify the inter-pod information exchanged over type 2, 3 and 5 messages and for forensic tracing.

To display the type 2 route history, you can use the vport-history-show command. For example, to display the injected (i.e., created/added) vPorts, you can use:

CLI (network-admin@bgw21) > vport-history-show caller inject, within-last 2d

time log-type reason owner mac vxlan state vtep-ip

-------------- --------- ------ ----- ----------------- ----- ----- ---------

01-18,06:33:40 l2-modify create bgw21 66:0e:94:3f:64:4a 40400 evpn 20.0.12.1

Or you can use this command to show all the latest actions, for example limited to a certain VNI:

CLI (network-admin@bgw21*) > vport-history-show within-last 2d vxlan 100200 state evpn-wo-bgp,

time log-type reason owner mac vlan vxlan state hostname status

-------------- --------- ------ ----- ----------------- ---- ------ ------------------ -------- -----------

01-18,06:23:37 l2-modify modify bgw21 20:04:0f:12:95:62 200 100200 tunnel,evpn-wo-bgp bgw21 PN-internal

01-18,06:23:52 l2-modify modify bgw21 50:9a:4c:d3:fd:f0 200 100200 tunnel,evpn-wo-bgp bgw21 PN-internal

01-18,06:29:34 l2-modify flush bgw21 20:04:0f:12:95:62 200 100200 evpn-wo-bgp bgw21 PN-internal

01-18,06:29:34 l2-modify flush bgw21 50:9a:4c:d3:fd:f0 200 100200 evpn-wo-bgp bgw21 PN-internal

You can display the type 5 route history with the following command, for example filtered for a specific address:

CLI (network-admin@bgw21) > vrouter-rib-history-show within-last 2d flags evpn, ip 200.1.1.0

time caller reason vrid ip prelen nexthop flags vlan intf-ip

-------------- ------ ------ ---- --------- ------ ---------- ---------- ---- --------

01-17,17:12:12 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,20:17:32 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,20:26:39 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,20:56:09 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,21:09:06 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,21:23:45 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,21:32:43 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,21:36:37 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,21:42:27 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,22:50:22 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,23:32:06 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,23:32:07 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

01-17,23:35:48 vrf add 1 200.1.1.0 24 190.12.1.1 in-hw,evpn 3434 33.3.3.3

Furthermore, to see the type 3 message-triggered VTEP changes you can filter the audit log with grep, for example like so:

CLI (network-admin@bgw21*) > log-audit-show name user_command format message, | grep evpn

message

-----------------------------------------------------------------------

Command "vtep-create scope local vtep-source evpn name __evpn__190.12.1.1 location 16777214 ip 190.12.1.1" result success

Command "vtep-vxlan-add name __evpn__190.12.1.1 vxlan 10400" result success

<snip>