VXLAN Lab Guide

A lab for VXLAN configuration

Uploaded by

soyang.thierry4
Copyright
© All Rights Reserved

VXLAN Lab Guide: Core Concepts and Configuration

This guide explains the setup of VXLAN (Virtual Extensible LAN) networks based on the
HCIE-Datacom Lab Guide. It covers three scenarios: Layer 2 Interconnection with Static
VXLAN, Centralized VXLAN Gateway, and Distributed VXLAN Gateway with EVPN.
Each scenario includes key concepts, essential commands, and a step-by-step configuration
framework. The network involves a core (Edge_1, Edge_2, Border) and access switches
(ACC_1, ACC_2) connecting PCs (PC1, PC2).

Scenario 1: Layer 2 Interconnection Through a Static VXLAN Tunnel

This scenario establishes a Layer 2 VXLAN tunnel between Edge_1 and Edge_2 to connect
PC1 and PC2 in VLAN 100, simulating a single broadcast domain across sites.

Core Concepts

• VXLAN: A tunneling protocol that extends Layer 2 networks over a Layer 3 underlay
using UDP encapsulation (port 4789). It uses VNIs (VXLAN Network Identifiers) to
segment traffic.
• VTEP (VXLAN Tunnel Endpoint): Devices (Edge_1, Edge_2) that encapsulate and
decapsulate VXLAN packets.
• Bridge Domain (BD): A Layer 2 forwarding domain on VTEPs, mapped to a VNI for
VXLAN traffic.
• NVE (Network Virtualization Edge) Interface: A logical interface on VTEPs for
VXLAN tunnel configuration.
• Static VXLAN Tunnel: Manually configured tunnel specifying source and destination
VTEP IPs.
• Underlay Network: The Layer 3 IP network (using OSPF) that carries VXLAN traffic
between VTEPs.
• Service Access Point: Layer 2 sub-interfaces on Edge_1/Edge_2 that connect to access
switches (ACC_1/ACC_2) and map VLANs to BDs.
• VCMP (VLAN Central Management Protocol): A Huawei protocol for VLAN
management, set to silent to allow Dot1q encapsulation on sub-interfaces.

Simplified Explanation: VXLAN acts like a virtual Ethernet cable stretching a VLAN across a
Layer 3 network. The underlay (OSPF network) is the highway, VTEPs are toll booths
adding/removing VXLAN headers, and BDs are virtual switches connecting local VLANs to the
tunnel.

Key Commands

Interface and VLAN Setup

• vlan <id>: Create a VLAN (e.g., vlan 12).
• interface <type><number>: Configure a physical interface (e.g., interface
GigabitEthernet0/0/1).
• port link-type trunk: Set interface as trunk.
• port trunk allow-pass vlan <id>: Allow specific VLANs on trunk.
• interface Vlanif<id>: Create VLAN interface for Layer 3.
• ip address <ip> <mask>: Assign IP (e.g., ip address [Link] [Link]).
• interface LoopBack0: Configure Loopback0 for VTEP source IP.
• interface <type><number>.<sub> mode l2: Create Layer 2 sub-interface (e.g., interface
GigabitEthernet0/0/24.100 mode l2).
• encapsulation dot1q vid <id>: Set VLAN tagging.
• bridge-domain <id>: Bind sub-interface to BD.

OSPF (Underlay)

• ospf <process-id> router-id <ip>: Start OSPF with router ID (e.g., ospf 1 router-id
[Link]).
• area [Link]: Configure OSPF area 0.
• network <ip> <wildcard>: Advertise networks (e.g., network [Link] [Link]).
• display ospf peer: Verify OSPF neighbors.
• display ospf routing: Check OSPF routing table.

VXLAN Configuration

• bridge-domain <id>: Create BD (e.g., bridge-domain 10).
• vxlan vni <vni>: Map BD to VNI (e.g., vxlan vni 1000).
• vcmp role silent: Disable VCMP for Dot1q encapsulation.
• interface Nve1: Create NVE interface.
• source <ip>: Set source VTEP IP (e.g., source [Link]).
• vni <vni> head-end peer-list <peer-ip>: Configure static tunnel to peer VTEP.
• display vxlan tunnel: Verify tunnel status.

Verification

• ping <ip>: Test connectivity (e.g., ping [Link]).
• display mac-address: Check MAC address table.
• acl number <id>: Create ACL to match VXLAN packets (e.g., acl number 3000).
• capture-packet acl <id> interface <name> destination file <file>: Capture VXLAN
packets.

Configuration Framework
1. Basic Connectivity:
o Configure device IDs: Edge_1 (ID=1), Border (ID=2), Edge_2 (ID=3).
o Assign Loopback0 IPs: Edge_1 ([Link]/32), Border ([Link]/32), Edge_2
([Link]/32).
o Configure trunk interfaces:
▪ Edge_1 to Border: VLAN 12, VLANIF12 ([Link]/24 on Edge_1,
[Link]/24 on Border).
▪ Border to Edge_2: VLAN 23, VLANIF23 ([Link]/24 on Border,
[Link]/24 on Edge_2).
o Enable OSPF (process 1) on Loopback0 and VLANIFs, using Loopback IPs as
router IDs.
o Verify: Ping VLANIFs, check OSPF neighbors (display ospf peer), and routing
table (display ospf routing).
2. Service Access Points:
o On Edge_1/Edge_2:
▪ Create BD 10, map to VNI 1000 (bridge-domain 10, vxlan vni 1000).
▪ Set vcmp role silent.
▪ Configure trunk to ACC_1/ACC_2 (allow VLAN 100).
▪ Create Layer 2 sub-interface (e.g., GigabitEthernet0/0/24.100 mode l2),
set encapsulation dot1q vid 100, bind to BD 10.
o On ACC_1/ACC_2:
▪ Configure access interface to PC (VLAN 100, port default vlan 100).
▪ Configure trunk to Edge_1/Edge_2 (allow VLAN 100).
3. Static VXLAN Tunnel:
o On Edge_1: Create NVE1 (interface Nve1), set source [Link], configure VNI
1000 with peer [Link].
o On Edge_2: Create NVE1, set source [Link], configure VNI 1000 with peer
[Link].
o Verify: display vxlan tunnel (shows tunnel in Up state).
4. Verification:
o Ping PC2 ([Link]) from PC1 ([Link]).
o Check MAC addresses on Edge_1/Edge_2 (display mac-address).
o Capture VXLAN packets on Border (capture-packet acl 3000 interface
GigabitEthernet0/0/24 destination file [Link]).
o Analyze packet: Outer IP (source [Link], destination [Link]), UDP port 4789,
VNI 1000, inner frame (PC1 to PC2).
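
The packet analysis in step 4, as an added example that is not part of the original lab guide: a Python decoder for one captured underlay frame that checks the outer VTEP addresses, UDP port 4789, the VXLAN I flag and the VNI. The 192.0.2.x addresses, the MAC addresses and the function names are constructed for illustration and are not the lab's Loopback0 values.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # UDP destination port the guide names for VXLAN

def parse_vxlan(frame: bytes) -> dict:
    """Decode outer Ethernet/IPv4/UDP, the VXLAN header and the inner MACs."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:                  # 802.1Q tag from the underlay trunk
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype != 0x0800 or frame[off + 9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    src, dst = (str(ipaddress.IPv4Address(frame[off + i:off + i + 4])) for i in (12, 16))
    off += (frame[off] & 0x0F) * 4           # honour the IPv4 header length
    (dport,) = struct.unpack_from("!H", frame, off + 2)
    if dport != VXLAN_PORT:
        raise ValueError(f"UDP destination port {dport} is not {VXLAN_PORT}")
    off += 8
    if len(frame) < off + 8 + 14:
        raise ValueError("truncated VXLAN header or inner frame")
    if not frame[off] & 0x08:                # I flag: the VNI field is valid
        raise ValueError("I flag clear, VNI is not valid")
    inner = frame[off + 8:]
    return {"outer_src": src, "outer_dst": dst,
            "vni": int.from_bytes(frame[off + 4:off + 7], "big"),
            "inner_dst": inner[:6].hex(":"), "inner_src": inner[6:12].hex(":")}

def check_capture(frame: bytes, vteps: set, vni: int) -> list:
    """Return findings; an empty list means the packet matches the design."""
    try:
        p = parse_vxlan(frame)
    except (ValueError, IndexError, struct.error) as exc:
        return [f"rejected: {exc}"]
    bad = [f"unexpected VTEP {p[k]}" for k in ("outer_src", "outer_dst") if p[k] not in vteps]
    return bad + ([f"unexpected VNI {p['vni']}"] if p["vni"] != vni else [])

def build_sample(src: str, dst: str, vni: int, flags: int = 0x08) -> bytes:
    """Constructed test frame; checksums are left at zero and not validated."""
    body = bytes([flags, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # VXLAN header
    body += bytes.fromhex("020000000002" "020000000001" "0800") + bytes(20)  # inner frame
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(body), 0)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 28 + len(body), 0, 0, 64, 17, 0)
    ip += ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    eth = bytes.fromhex("02aa00000002" "02aa00000001" "8100000c" "0800")  # VLAN 12 tag
    return eth + ip + udp + body
```

Running `check_capture` over each frame of an exported capture, with the two Loopback0 addresses as `vteps`, lists any packet on port 4789 that comes from an address outside the configured peer list or carries a VNI the design does not use.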

Simplified Explanation

PC1 and PC2 think they’re on the same LAN (VLAN 100), but they’re physically separated.
Edge_1 and Edge_2 use VXLAN to “stretch” VLAN 100 over the IP network. When PC1 sends
a frame, Edge_1 wraps it in a VXLAN packet (like putting it in an envelope) and sends it to
Edge_2, which unwraps it and delivers it to PC2.

Scenario 2: Centralized VXLAN Gateway

This scenario uses a centralized VXLAN gateway on Border to enable Layer 3
interconnection between PC1 (BD 10, VLAN 100) and PC2 (BD 20, VLAN 200) across
different subnets.

Core Concepts

• Centralized Gateway: Border acts as the Layer 3 gateway for both BDs, handling inter-
subnet routing.
• VBDIF Interface: A Layer 3 interface tied to a BD, acting as the gateway (e.g.,
VBDIF10 for BD 10).
• VXLAN Tunnels: Static tunnels between Edge_1-Border (BD 10) and Border-Edge_2
(BD 20).
• Layer 3 Forwarding: Traffic between subnets (e.g., PC1 to PC2) goes through Border’s
VBDIF interfaces.

Simplified Explanation: Imagine Border as a central post office routing mail between two
neighborhoods (BD 10 and BD 20). PC1 sends a packet to PC2 via Border, which rewrites the
packet’s addressing (like forwarding a letter) and sends it to Edge_2.

Key Commands (New or Modified)

• interface Vbdif<id>: Create VBDIF interface (e.g., interface Vbdif10).
• ip address <ip> <mask>: Assign gateway IP (e.g., ip address [Link]
[Link]).

Configuration Framework

1. Basic Connectivity: Same as Scenario 1 (Loopback IPs, VLANIF12/23, OSPF).
2. Service Access Points:
o On Edge_1: BD 10, VNI 1000, sub-interface GigabitEthernet0/0/24.100 (VLAN
100).
o On Edge_2: BD 20, VNI 2000, sub-interface GigabitEthernet0/0/24.200 (VLAN
200).
o On ACC_1: Access VLAN 100 to PC1.
o On ACC_2: Access VLAN 200 to PC2.
3. Static VXLAN Tunnels:
o Edge_1 to Border: NVE1, source [Link], VNI 1000, peer [Link].
o Border: BD 10 (VNI 1000, peer [Link]), BD 20 (VNI 2000, peer [Link]).
o Edge_2 to Border: NVE1, source [Link], VNI 2000, peer [Link].
o Verify: display vxlan tunnel.
4. VBDIF Interfaces:
o On Border:
▪ interface Vbdif10, IP [Link]/24 (gateway for PC1).
▪ interface Vbdif20, IP [Link]/24 (gateway for PC2).
5. Verification:
o Ping gateways: PC1 to [Link], PC2 to [Link].
o Ping PC2 ([Link]) from PC1 ([Link]).
o Analyze forwarding: Packet from PC1 goes to Border (VBDIF10), routed to
VBDIF20, sent via VXLAN to Edge_2.

Scenario 3: Distributed VXLAN Gateway with EVPN

This scenario uses EVPN to establish a distributed VXLAN gateway, enabling both intra-
subnet (Layer 2) and inter-subnet (Layer 3) communication between PC1 (BD 10) and PC2
(BD 20) without a centralized gateway.

Core Concepts

• Distributed Gateway: Each VTEP (Edge_1, Edge_2) acts as a Layer 3 gateway for local
hosts, reducing traffic to a central point.
• EVPN: A control plane protocol for VXLAN, advertising MAC and IP routes (Type 2
for MAC/IP, Type 3 for multicast).
• EVPN Instance: Maps BDs to EVPN for Layer 2 forwarding.
• IP VPN Instance: Maps VBDIFs to a VPN for Layer 3 forwarding.
• Route Distinguisher (RD): Uniquely identifies routes in EVPN/IP VPN instances.
• Route Target (RT): Controls route import/export between instances.
• L2VNI: VNI for Layer 2 traffic (e.g., VNI 1000 for BD 10).
• L3VNI: VNI for Layer 3 traffic (e.g., VNI 1020 for inter-subnet routing).
• IRB (Integrated Routing and Bridging): Combines Layer 2 (BD) and Layer 3 (VBDIF)
forwarding.

Simplified Explanation: EVPN is like a smart directory that automatically shares address books
(MAC and IP routes) between Edge_1 and Edge_2. Each VTEP is a local post office, handling
both local deliveries (Layer 2) and cross-town routing (Layer 3) using VXLAN tunnels.

Key Commands (New or Modified)

EVPN and IP VPN Instances

• evpn-instance <name>: Create EVPN instance (e.g., evpn-instance Edge_1_BD_10).
• route-distinguisher <rd>: Set RD (e.g., route-distinguisher 21:10).
• vpn-target <rt> export-extcommunity: Set export RT (e.g., vpn-target 213:10 export-
extcommunity).
• vpn-target <rt> import-extcommunity: Set import RT.
• evpn binding vpn-instance <name>: Bind BD to EVPN instance.
• ip vpn-instance <name>: Create IP VPN instance (e.g., ip vpn-instance
Edge_1_VPN_10_20).
• ipv4-family: Enter IPv4 address family.
• vxlan vni <vni>: Set L3VNI (e.g., vxlan vni 1020).
• ip binding vpn-instance <name>: Bind VBDIF to IP VPN instance.

BGP EVPN

• bgp <as>: Start BGP (e.g., bgp 100).
• router-id <ip>: Set BGP router ID.
• peer <ip> as-number <as>: Configure BGP peer.
• peer <ip> connect-interface LoopBack0: Set peering source.
• ipv4-family vpn-instance <name>: Enter VPN instance address family.
• advertise l2vpn evpn: Advertise EVPN routes for VPN instance.
• l2vpn-family evpn: Enter EVPN address family.
• policy vpn-target: Enable RT filtering.
• peer <ip> enable: Activate EVPN peering.
• peer <ip> advertise irb: Advertise IRB routes.
• display bgp evpn peer: Verify BGP EVPN peers.
• display bgp evpn all routing-table: Check EVPN routes.

Configuration Framework

1. Basic Connectivity: Same as Scenario 1.
2. Service Access Points:
o Edge_1: BD 10 (VNI 1000, VLAN 100), BD 20 (VNI 2000, VLAN 200).
o Edge_2: Same as Edge_1.
o ACC_1/ACC_2: VLAN 100/200 to PCs.
3. EVPN and IP VPN Instances:
o On Edge_1:
▪ EVPN instances: Edge_1_BD_10 (RD 21:10, RT 213:10,313:12 export,
213:10 import), Edge_1_BD_20 (RD 21:20, RT 213:20,313:12 export,
213:20 import).
▪ Bind BDs: BD 10 to Edge_1_BD_10, BD 20 to Edge_1_BD_20.
▪ IP VPN instance: Edge_1_VPN_10_20 (RD 31:12, RT 313:12, L3VNI
1020).
▪ Bind VBDIF10/20 to Edge_1_VPN_10_20, IPs [Link]/24,
[Link]/24.
o On Edge_2: Similar, with RD 23:10, 23:20, 33:12.
4. BGP EVPN:
o On Edge_1/Edge_2: BGP AS 100, peer with Loopback IPs ([Link] to [Link]).
o Enable EVPN address family, policy vpn-target, advertise irb.
o In VPN instance, advertise l2vpn evpn.
o Verify: display bgp evpn peer.
5. Verification:
o Ping gateways: PC1 to [Link], PC2 to [Link].
o Intra-subnet: PC1 to [Link] (Edge_2’s VLANIF100).
o Inter-subnet: PC1 to PC2 ([Link]).
o Check VXLAN tunnels: display vxlan tunnel.
o Check EVPN routes: display bgp evpn all routing-table (Type 2, Type 3).
o Check IP routes: display ip routing-table vpn-instance Edge_1_VPN_10_20.

Forwarding Process

• Intra-Subnet (PC1 to [Link]):
o PC1 sends frame to Edge_1, which checks BD 10 MAC table (learned via EVPN
Type 2).
o Edge_1 encapsulates frame in VXLAN (L2VNI 1000) and sends to Edge_2.
o Edge_2 decapsulates and forwards to VLANIF100.
• Inter-Subnet (PC1 to PC2):
o PC1 sends packet to Edge_1’s VBDIF10.
o Edge_1 checks IP VPN instance routing table, finds IBGP route to [Link]
(next hop [Link]).
o Edge_1 encapsulates packet in VXLAN (L3VNI 1020, router MAC as
destination) and sends to Edge_2.
o Edge_2 decapsulates, checks VPN instance, forwards to PC2 via BD 20.
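
The route-target plan from step 3 and the forwarding process above, as an added example that is not the guide's or Huawei's code: a small Python model of RT-based import that shows why each BD's EVPN instance also exports 313:12, and flags a missing export or a cross-BD import. The Edge_2 instance names, and Edge_2 reusing Edge_1's RT values, are assumptions (the guide only says "Similar").

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Instance:
    name: str
    bd: Optional[int]     # bridge domain ID, or None for the IP VPN instance
    export: frozenset     # RTs attached to routes this instance advertises
    imports: frozenset    # RTs this instance accepts

def rt(*values: str) -> frozenset:
    return frozenset(values)

def rt_plan(edge: str) -> list:
    """Step 3's RT values; instance names other than Edge_1's are hypothetical."""
    return [Instance(f"{edge}_BD_10", 10, rt("213:10", "313:12"), rt("213:10")),
            Instance(f"{edge}_BD_20", 20, rt("213:20", "313:12"), rt("213:20")),
            Instance(f"{edge}_VPN_10_20", None, rt("313:12"), rt("313:12"))]

def importers(route_rts: frozenset, local: list) -> list:
    """Local instances whose import RTs match any RT carried by the route."""
    return [i for i in local if i.imports & route_rts]

def audit(remote: list, local: list) -> list:
    """Flag broken inter-subnet routing and cross-BD leaks for remote BD routes."""
    findings = []
    for src in (i for i in remote if i.bd is not None):
        got = importers(src.export, local)
        if not any(i.bd is None for i in got):
            findings.append(f"{src.name}: host routes never reach an IP VPN instance")
        findings += [f"{src.name}: routes leak into {i.name}"
                     for i in got if i.bd not in (None, src.bd)]
    return findings
```

With the plan as written, a route from Edge_2's BD 20 lands in Edge_1's BD 20 EVPN instance and in Edge_1_VPN_10_20, and nowhere else.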

Quiz Answers
1. Scenario 1: How does a VTEP process broadcast packets in the local BD from
hosts?
o A VTEP replicates broadcast packets (e.g., ARP) to all remote VTEPs in the same
VNI (via ingress replication for static tunnels) and floods them locally within the
BD. For example, Edge_1 sends broadcasts to Edge_2 (VNI 1000) and local sub-
interfaces in BD 10.
2. Scenario 3: Can Layer 3 forwarding between VTEPs occur for same-subnet
communication in distributed gateways?
o No, same-subnet (intra-subnet) communication uses Layer 2 forwarding within
the same BD and L2VNI. Layer 3 forwarding (via L3VNI) is only for inter-subnet
traffic, as shown in PC1 to PC2 communication.

Additional Explanations
• Why VXLAN?: VXLAN supports large-scale Layer 2/3 virtualization over IP networks,
overcoming VLAN’s 4096-ID limit with 16M VNIs.
• Static vs. EVPN: Static VXLAN requires manual tunnel setup, while EVPN automates
tunnel creation and route advertisement, ideal for dynamic environments.
• Distributed vs. Centralized: Distributed gateways reduce latency by localizing Layer 3
forwarding, but require EVPN for route synchronization.

Analogy: VXLAN is like a subway system. Static tunnels are fixed routes you manually set up.
EVPN is an automated schedule sharing train routes dynamically. Centralized gateways are
central stations where all passengers (packets) must pass, while distributed gateways are local
stations handling nearby traffic directly.

This guide provides a clear framework for VXLAN configurations, with simplified explanations.
Let me know if you need specific device configurations or further details on any scenario!
