Layer 2 VPN

EVPN – MPLS-based Layer 2 VPN





In today’s rapidly evolving digital landscape, businesses constantly seek ways to enhance their network infrastructure for improved performance, scalability, and security. One technology that has gained significant traction is Ethernet Virtual Private Network (EVPN). In this blog post, we will delve into the world of EVPN, exploring its benefits, use cases, and how it can revolutionize modern networking solutions.

EVPN, short for Ethernet Virtual Private Network, is a cutting-edge technology that combines the best features of Layer 2 and Layer 3 protocols to create a flexible and scalable virtual network overlay. It provides a seamless and secure connectivity solution for local and wide-area networks, making it an ideal choice for businesses of all sizes.


Highlights: EVPN

  • Extends BGP

What is EVPN? EVPN (Ethernet Virtual Private Network) extends Border Gateway Protocol (BGP) so that the network can carry endpoint reachability information such as Layer 2 MAC and Layer 3 IP addresses. This control-plane technology uses MP-BGP to distribute MAC and IP endpoint addresses. One initial point to note is that Layer 2 MAC addresses are treated like IP routes. It is based on standards defined by the IEEE 802.1Q and 802.1ad specifications.

  • Connects Layer 2 Segments

EVPN, also known as Ethernet VPN, connects L2 network segments separated by an L3 network. This is accomplished by building the L2 VPN as a virtual Layer 2 overlay on top of the Layer 3 network. It uses Border Gateway Protocol (BGP) as its control protocol. EVPN is a BGP-based control plane that can implement both Layer 2 and Layer 3 VPNs.





Key EVPN Discussion Points:

  • Introduction to EVPN and how it can be used.

  • Discussion of the different components of an EVPN network.

  • The transition to EVPN: why it was needed.

  • VXLAN and the EVPN control plane.

  • EVPN over MPLS.


Back To Basics With EVPN

The Role of Layer 2

It started as a pure Layer 2 solution and got some Layer 3 functionality early on; later it gained full IP prefix advertisement, so you can now use EVPN to implement complete Layer 2 and Layer 3 VPNs. EVPN is now considered a mature technology and has been available in Multiprotocol Label Switching (MPLS) networks for some time.

Therefore, many refer to it as EVPN over MPLS. When discussing EVPN-MPLS or MPLS EVPN, remember that EVPN still uses Route Distinguishers (RDs) and Route Targets (RTs).

RDs create separate address spaces, and RTs control VPN membership. Remember that the precursor to EVPN was Overlay Transport Virtualization (OTV), a proprietary technology invented by Dino Farinacci while working at Cisco. Dino also worked heavily on the LISP protocol.

OTV used Intermediate System-to-Intermediate System (IS-IS) as the control plane and ran over IP networks. IS-IS can build paths for both unicast and multicast routes. The following table lists some of the key EVPN features:



Highlighting EVPN

  • Multi-tenant control plane for L2/L3 VPN

  • Defined in RFC 7432, requirements in RFC 7209

  • The proposed control plane for Network Virtualization Overlays (NVO)

  • Uses a new BGP address family

  • Supports numerous data-plane encapsulations, such as MPLS


Benefits of EVPN:

1. Scalability: EVPN offers a scalable solution by allowing businesses to expand their network infrastructure without compromising performance. With EVPN, companies can easily add or remove resources, virtual machines, or even entire data centers, ensuring their network grows with their business needs.

2. Efficient Traffic Forwarding: EVPN leverages the Border Gateway Protocol (BGP) to forward traffic across networks efficiently. Using BGP’s capabilities, EVPN simplifies network routing and reduces complexity, improving network performance.

3. Multi-Tenancy Support: EVPN provides a secure and isolated environment for multiple tenants, enabling service providers to offer their customers Virtual Private Networks (VPNs). This feature mainly benefits cloud service providers, enabling them to deliver secure, segregated networks to their clients.

4. Mobility and Flexibility: EVPN’s mobility and flexibility features allow end-users to seamlessly move their virtual machines or workloads across different locations within the network without any disruption. This capability is crucial for modern businesses that require agility and flexibility to meet their dynamic application requirements.

Use Cases of EVPN:

1. Data Center Interconnectivity: EVPN is an excellent choice for connecting multiple data centers, providing a cost-effective and efficient solution for workload mobility, disaster recovery, and load balancing across different locations.

2. Service Provider Networks: EVPN enables providers to deliver VPN services to their customers with enhanced security, isolation, and scalability. This allows businesses to connect their branch offices, remote locations, or cloud environments securely and efficiently.

3. Cloud Computing: EVPN is well-suited for cloud service providers who need to offer secure and scalable network connectivity to their clients. By leveraging EVPN, cloud providers can ensure their customers have isolated and dedicated networks within their cloud infrastructure.


  • A key point: Back to basics with the data center fabric journey

Spanning Tree and Virtual PortChannel

We have evolved data center networks over the past several years. Spanning Tree Protocol (STP)–based networks served network requirements for several years. Virtual PortChannel (vPC) was introduced to address some of the drawbacks of STP networks while providing dual-homing abilities. Subsequently, overlay technologies such as FabricPath and TRILL came to the forefront, introducing routed Layer 2 networks with a MAC-in-MAC overlay encapsulation. This evolved into a MAC-in-IP overlay with the invention of VXLAN.

While Layer 2 networks evolved beyond the loop-free topologies with STP, the first-hop gateway functions for Layer 3 also became more sophisticated. The traditional centralized gateways hosted at the distribution or aggregation layers have transitioned to distributed gateway implementations. This has allowed for scaling out and removal of choke points.

Diagram: Virtual port channels. Source: Cisco.


Cisco FabricPath is a MAC-in-MAC

Cisco FabricPath is a MAC-in-MAC encapsulation that eliminates the use of STP in Layer 2 networks. Instead, it uses Layer 2 Intermediate System to Intermediate System (IS-IS) with appropriate extensions to distribute the topology information among the network switches. In this way, switches behave like routers, building switch reachability tables and inheriting all the advantages of Layer 3 strategies such as ECMP. In addition, no unused links exist in this scenario, while optimal forwarding between any pair of switches is promoted.


The rise of VXLAN

While FabricPath has been immensely popular and adopted by thousands of customers, it has faced skepticism because it is associated with a single vendor, Cisco, and lacks multivendor support. In addition, with IP being the de facto standard in the networking industry, an IP-based overlay encapsulation was pushed. As a result, VXLAN was introduced. VXLAN, a MAC-in-IP/UDP encapsulation, is currently the most popular overlay encapsulation.

As an open standard, it has received widespread adoption from networking vendors. Just like FabricPath, VXLAN addresses all the STP limitations previously described. However, with VXLAN, a 24-bit number identifies a virtual network segment, thereby allowing support for up to 16 million broadcast domains as opposed to the traditional 4K limitations imposed by VLANs.


  • A key point: Lab Guide on VXLAN

The following guide is an example of a VXLAN network. So we have a routed core, meaning a Layer 3 core, and VXLAN acts as the overlay riding on top of the Layer 3 core. With this in place, the two hosts, desktop 0 and desktop 1, have Layer 2 connectivity between each other across Spine A and Spine B.

Notice the numbering of the VNI below. It needs to match on both tunnel endpoints. The VXLAN VNI, commonly called the VXLAN Network Identifier, is a fundamental concept in the VXLAN overlay network. It is a unique identifier that distinguishes different virtual networks within the same physical infrastructure. The VNI is a 24-bit value, allowing for many possible network segments.

VXLAN VNI operates by encapsulating Layer 2 Ethernet frames within IP packets, enabling virtual machines (VMs) to communicate across different physical networks or data centers. When a packet arrives at a VXLAN-enabled switch, the VNI is used to identify the virtual network to which the packet belongs. The switch then uses this information to forward the packet to the appropriate destination.

Notice below the encapsulation type of VXLAN with the command show nve interface 1 detail.


Diagram: Overlay networking with VXLAN.
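To make the MAC-in-IP/UDP encapsulation and the "VNI must match on both endpoints" rule concrete, here is an added example (not code from the original post, nor from any vendor's NVE implementation) that builds a VXLAN packet the way an ingress VTEP would and then decapsulates it the way an egress VTEP would. The VTEP addresses, the hosts' MAC addresses and the VNI-to-bridge-domain mapping are constructed sample values; the header layouts follow RFC 7348 and the IPv4/UDP headers.

```python
import struct
import ipaddress

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field carries a valid VNI
VNI_MAX = (1 << 24) - 1      # 24-bit VNI: 16,777,215 usable segment identifiers


def ethernet_frame(dst_mac: str, src_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Constructed inner Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    mac_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # The VNI occupies bytes 4-6, so pack it as a 32-bit word shifted left by one byte.
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (returns 0 for a valid received header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vtep_encap(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes) -> bytes:
    """Ingress VTEP: wrap the Layer 2 frame in VXLAN, UDP and an outer IPv4 header (MAC-in-IP/UDP)."""
    vxlan = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(vxlan)
    # Real VTEPs derive the UDP source port from a hash of the inner frame so the core can ECMP;
    # it is fixed here. A zero UDP checksum is permitted for VXLAN over IPv4.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
        ipaddress.IPv4Address(src_vtep).packed, ipaddress.IPv4Address(dst_vtep).packed,
    )
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]   # fill in the header checksum
    return ip + udp + vxlan


def vtep_decap(packet: bytes, local_vnis: dict):
    """Egress VTEP: return (vni, bridge_domain, inner_frame), or None when the packet is dropped.

    A VTEP only forwards into segments it has been configured for, so a VNI that is not in
    `local_vnis` (the mapping that has to match on both endpoints) is discarded.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:                       # not UDP
        return None
    if ipv4_checksum(packet[:ihl]) != 0:      # corrupted outer header
        return None
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_UDP_PORT or udp_len < 16:
        return None
    vxlan = packet[ihl + 8:ihl + udp_len]
    if len(vxlan) < 8:                        # truncated on the wire
        return None
    flags, tail = struct.unpack("!B3xI", vxlan[:8])
    if not flags & VXLAN_FLAG_I:              # VNI field not valid
        return None
    vni = tail >> 8
    if vni not in local_vnis:                 # VNI not configured on this VTEP: drop
        return None
    return vni, local_vnis[vni], vxlan[8:]


if __name__ == "__main__":
    # Constructed hosts: desktop 0 behind VTEP 10.0.0.1, desktop 1 behind VTEP 10.0.0.2.
    frame = ethernet_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", b"ping from desktop 0")
    pkt = vtep_encap("10.0.0.1", "10.0.0.2", 10010, frame)
    print(vtep_decap(pkt, {10010: "vlan10"}))   # forwarded into vlan10
    print(vtep_decap(pkt, {10020: "vlan20"}))   # None: VNI mismatch, dropped
```

The decapsulation path deliberately checks each header before trusting the next one; a VTEP that skips the VNI membership check would bridge frames into segments it was never meant to serve.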


  • A key point: Lab Guide on MPLS TE

The following is an example of MPLS TE. MPLS TE, short for Multi-Protocol Label Switching Traffic Engineering, is a networking technology that allows network administrators to control and optimize traffic flow over an MPLS network. Administrators can use MPLS TE to prioritize specific traffic types, allocate bandwidth effectively, and avoid congestion hotspots.

Notice below that I have set my bandwidth to a certain level.

Diagram: MPLS TE


EVPN MPLS: History

Layer 3 VPNs and MPLS

In the late 1990s, we witnessed the introduction of Layer 3 VPNs and Multiprotocol Label Switching (MPLS). Layer 3 VPNs distribute IP prefixes with a control plane, offering any-to-any connectivity. So we have MPLS VPNs with PE and CE routers, and EVPN still uses these devices. MPLS L3 VPN also has RDs and RTs to create different address spaces.

These are also used in EVPN. Layer 3 VPN needed MPLS encapsulation; label signaling was done with LDP, and today you can use segment routing. MPLS L3 VPN supports a range of topologies that can be created with Route Targets, some of which led to complex design scenarios.


Diagram: MPLS Layer 3 VPN. Source: Aruba Networks.


Layer 2 VPNs and VPLS

Layer 2 VPNs arrived more humbly, with a standard point-to-point connectivity model using Frame Relay, ATM, and Ethernet. Then, in the early 2000s, pseudowires and Layer 2 VPNs arrived. Each of these VPN services operates over a different type of connection, with only a few running over a Layer 3 or MPLS network. Point-to-point connectivity models no longer satisfied all designs, and services required multipoint Ethernet connectivity.

As a result, Virtual Private LAN Service (VPLS) was introduced. VPLS is an example of an L2VPN, and it has many drawbacks because it uses pseudowires to build the topology. A mesh of pseudowires with little control plane leads to a great deal of complexity.


VPLS with data plane learning

VPLS offered a data-plane learning solution that could emulate a bridge and provide multipoint connectivity for Ethernet stations. It was widely deployed but had many shortcomings, such as a lack of support for multi-homing, BUM (Broadcast, Unknown unicast, and Multicast) optimization, flow-based load balancing, and multipathing. So EVPN was born as an answer to these problems.

In the last few years, we have entered a different era of data center architecture with different requirements. For example, we need efficient Layer 2 multipoint connectivity, active-active flows, and better multi-homing capability. Unfortunately, the shortcomings of existing data plane solutions hinder these requirements.


EVPN MPLS: Multi-Homing With Per-Flow Capabilities 

Some data centers require Layer 2 DCI (data center interconnect) and active-active flows between locations. Current L2 VPN technologies do not fully address these DCI requirements. A DCI with better multi-homing capability was needed, without compromising network convergence and forwarding. The need for per-flow redundancy and proper load balancing led to a BGP MPLS-based Ethernet VPN (EVPN) solution.


No more pseudowires

With EVPN, there is no more need for pseudowires. All the hard work is done with BGP. A significant benefit of EVPN operations is that MAC learning between PEs occurs not in the data plane but in the control plane (unlike VPLS). It utilizes a hybrid control/data plane model. First, data plane address learning occurs in the access layer.

In an SP model, this would be the CE to PE link; using IEEE 802.1x, LLDP, or ARP. Then we have control-plane address advertisements / learning over the MPLS core. The PEs run MP-BGP to advertise and learn customer MAC addresses. EVPN has many capabilities, and its use case is extended to act as the control plane for open standard VXLAN overlays.

Diagram: EVPN with Cisco Catalyst. Source: Cisco.


L2 VPN challenges

There are several challenges with traditional Layer 2 VPNs. They do not offer an ALL-active per-flow redundancy model, traffic can loop between PEs, MAC flip-flopping may occur, and there is the duplication of BUM traffic (BUM = Broadcast, Unknown unicast, and Multicast).

In the diagram below, a CE has an Ethernet bundle terminating on two PEs, PE1 and PE2. The problem with the VPLS data-plane learning approach over pseudowires is that when PE1 receives traffic on one of the bundle member links, it floods it over the full mesh of pseudowires, so PE2 eventually learns it. PE2 cannot tell that the traffic originated from CE1, so PE2 sends it back. The CEs also receive duplicated BUM traffic.

Diagram: L2 VPN challenges and the need for EVPN.


Another challenge with VPLS and L2 VPN is MAC flip-flopping over pseudowires. As above, you have dual-homed CEs sending traffic from the same MAC but with different IP addresses. PE1 learns the MAC address, and frames carrying it reach the remote PE3. PE3 learns that the MAC address is reachable via PE1, but the same MAC, in a different flow, can arrive via PE2.

PE3 learns the same MAC over different links, so it keeps flipping the MAC entry from one link to another. All these problems are forcing us to move to a control-plane Layer 2 VPN solution: EVPN.
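The flip-flopping described above is easy to see with a small simulation. The following added example (not part of the original post) replays a constructed stream of learning events as PE3 would see them with VPLS flood-and-learn, counts how often each MAC moves between PE1 and PE2, applies a simple "MAC move" detection rule of the kind an operator would alarm on, and contrasts it with a simplified EVPN-style table built from BGP advertisements instead of from frame arrival order. The MAC addresses, timestamps, ESI value and the advertisement records are all constructed, and the EVPN table models only the fields needed for the comparison.

```python
from collections import Counter, defaultdict

# Constructed learning events as seen by PE3: (time in seconds, source MAC, pseudowire/PE the frame
# arrived on). The same MAC reaches PE3 alternately from PE1 and PE2 because the CE is dual-homed.
EVENTS = [
    (0.0, "00:00:5e:00:53:aa", "PE1"),
    (0.1, "00:00:5e:00:53:aa", "PE2"),
    (0.2, "00:00:5e:00:53:aa", "PE1"),
    (0.3, "00:00:5e:00:53:bb", "PE1"),
    (0.4, "00:00:5e:00:53:aa", "PE2"),
    (0.5, "00:00:5e:00:53:bb", "PE1"),
]


def data_plane_learning(events):
    """Emulate VPLS flood-and-learn on PE3: the most recent source pseudowire wins.

    Returns the final MAC table and the number of times each MAC moved between PEs.
    """
    table = {}
    moves = Counter()
    for _, mac, pe in events:
        if mac in table and table[mac] != pe:
            moves[mac] += 1
        table[mac] = pe
    return table, moves


def flapping_macs(events, threshold: int = 3, window: float = 1.0) -> set:
    """Detection rule: flag a MAC that moves between PEs `threshold` or more times within `window` seconds."""
    last_pe = {}
    move_times = defaultdict(list)
    flagged = set()
    for t, mac, pe in events:
        if mac in last_pe and last_pe[mac] != pe:
            # keep only moves inside the sliding window, then add this one
            move_times[mac] = [x for x in move_times[mac] if t - x <= window] + [t]
            if len(move_times[mac]) >= threshold:
                flagged.add(mac)
        last_pe[mac] = pe
    return flagged


# Constructed BGP EVPN advertisements PE3 would receive instead (simplified: real routes also carry an
# RD, RTs and a label; only the fields needed for the comparison are modelled here).
ADVERTISEMENTS = [
    {"mac": "00:00:5e:00:53:aa", "esi": "00:11:11:11:11:11:11:11:11:11", "next_hop": "PE1"},
    {"mac": "00:00:5e:00:53:aa", "esi": "00:11:11:11:11:11:11:11:11:11", "next_hop": "PE2"},
    {"mac": "00:00:5e:00:53:bb", "esi": "00:00:00:00:00:00:00:00:00:00", "next_hop": "PE1"},
]


def control_plane_table(advertisements):
    """EVPN view: each MAC is bound to its Ethernet segment, with every advertising PE kept as a valid
    next hop. The table is built from advertisements, so the order in which frames arrive is irrelevant."""
    table = {}
    for adv in advertisements:
        entry = table.setdefault(adv["mac"], {"esi": adv["esi"], "next_hops": set()})
        entry["next_hops"].add(adv["next_hop"])
    return table


if __name__ == "__main__":
    table, moves = data_plane_learning(EVENTS)
    print("VPLS data-plane moves:", dict(moves))     # {'00:00:5e:00:53:aa': 3}
    print("flapping:", flapping_macs(EVENTS))        # {'00:00:5e:00:53:aa'}
    print("EVPN table:", control_plane_table(ADVERTISEMENTS))
```

With data-plane learning the dual-homed MAC moves three times in half a second and trips the detection rule; in the control-plane table it simply has two next hops and never moves.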


What Is EVPN

EVPN operates on the same principles and operational experience as Layer 3 VPNs: MP-BGP, route targets (RTs), and route distinguishers (RDs). EVPN takes BGP, puts a Layer 2 address in it, and advertises it as if it were a Layer 3 destination, with an MPLS label as the rewritten header or as the next hop.

It enables the routing of Layer 2 addresses through MP-BGP. Instead of encapsulating an Ethernet frame in IPv4, you have a MAC address with MPLS tags sent across the MPLS core.

The MPLS core is swapping labels as usual and thinks it is another IPv4 packet. It is conceptually similar to IPv6 transportation across an IPv4 LDP core, a feature known as 6PE.



EVPN MPLS: Layer 3 principles apply

All Layer 3 principles apply: you prepend MAC addresses with RDs to make them unique, which permits overlapping Layer 2 addresses. RTs offer separation, allowing flooding to be constrained to interested segments. EVPN gives you all your BGP policies (local preference, MED, etc.), enabling efficient control over MAC address flooding. EVPN is more efficient on your BGP tables; you can control the distribution of MAC addresses to the edge of your network.

You control where the MAC addresses go and where state is pushed. It is a lot simpler than VPLS: you look at the destination MAC address at the network edge and push a label on it. EVPN has many capabilities. Not only do we use BGP to advertise the reachability of MAC addresses and Ethernet segments, but it may also advertise MAC-to-IP correlation, so BGP can provide the information that host A has this IP and MAC address.
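The "MAC address prefixed with an RD, carried with a label, optionally with its IP" idea maps directly onto the EVPN route type 2 (MAC/IP Advertisement) NLRI of RFC 7432. The following added example (not code from the original post or from any router vendor) encodes and parses that NLRI and then shows a simplified import step: routes are kept only if they carry a Route Target the PE imports, and the resulting table is keyed by RD so two tenants can legitimately use the same MAC. The AS number, RD values, MAC, IP addresses, labels and the RT strings are constructed sample values, and the import policy is a deliberately simplified stand-in for real BGP RT handling.

```python
import struct
import ipaddress

ROUTE_TYPE_MAC_IP = 2   # EVPN route type 2: MAC/IP Advertisement Route (RFC 7432, section 7.2)


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 Route Distinguisher: 2-byte type (0), 2-byte AS number, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def decode_rd(rd: bytes) -> str:
    rd_type, asn, assigned = struct.unpack("!HHI", rd)
    if rd_type != 0:
        raise ValueError(f"only type 0 RDs are handled here, got type {rd_type}")
    return f"{asn}:{assigned}"


def encode_label(label: int) -> bytes:
    """3-octet label field: the 20-bit MPLS label value in the high-order bits (low 4 bits unused here)."""
    if not 0 <= label < (1 << 20):
        raise ValueError("MPLS label must fit in 20 bits")
    return (label << 4).to_bytes(3, "big")


def encode_mac_ip_route(rd: tuple, esi: bytes, eth_tag: int, mac: str, ip, label: int) -> bytes:
    """Build the NLRI: 1-byte route type, 1-byte length, then the route-type-specific body."""
    if len(esi) != 10:
        raise ValueError("Ethernet Segment Identifier is 10 octets")
    body = encode_rd(*rd) + esi + struct.pack("!I", eth_tag)
    body += struct.pack("!B6s", 48, bytes.fromhex(mac.replace(":", "")))
    if ip is None:
        body += b"\x00"                            # IP length 0: MAC-only advertisement
    else:
        packed = ipaddress.ip_address(ip).packed   # 4 or 16 octets
        body += struct.pack("!B", len(packed) * 8) + packed
    body += encode_label(label)
    return struct.pack("!BB", ROUTE_TYPE_MAC_IP, len(body)) + body


def decode_mac_ip_route(nlri: bytes) -> dict:
    """Parse a route type 2 NLRI back into its fields, checking every length on the way."""
    route_type, length = struct.unpack("!BB", nlri[:2])
    if route_type != ROUTE_TYPE_MAC_IP:
        raise ValueError(f"unexpected route type {route_type}")
    body = nlri[2:2 + length]
    if len(body) != length or length < 33:         # 33 = shortest legal body (no IP address)
        raise ValueError("truncated NLRI")
    rd = decode_rd(body[:8])
    esi = body[8:18]
    eth_tag = struct.unpack("!I", body[18:22])[0]
    if body[22] != 48:
        raise ValueError("MAC address length must be 48 bits")
    mac = ":".join(f"{b:02x}" for b in body[23:29])
    ip_len, offset = body[29], 30
    ip = None
    if ip_len:
        if ip_len not in (32, 128):
            raise ValueError("IP address length must be 0, 32 or 128 bits")
        ip = str(ipaddress.ip_address(body[offset:offset + ip_len // 8]))
        offset += ip_len // 8
    label = int.from_bytes(body[offset:offset + 3], "big") >> 4
    return {"rd": rd, "esi": esi.hex(), "eth_tag": eth_tag, "mac": mac, "ip": ip, "label": label}


def import_routes(advertisements, import_rts: set) -> dict:
    """Simplified import policy: keep a route only if it carries a Route Target this PE imports, and
    key the table by (RD, MAC, IP) so the same MAC in two tenants (two RDs) never collides."""
    table = {}
    for nlri, rts in advertisements:
        if not rts & import_rts:
            continue
        route = decode_mac_ip_route(nlri)
        table[(route["rd"], route["mac"], route["ip"])] = route
    return table


# Constructed advertisements: tenants with RDs 65000:100 and 65000:200 both use the same MAC.
MAC = "00:00:5e:00:53:01"
NO_ESI = bytes(10)   # single-homed: all-zero ESI
ADVERTS = [
    (encode_mac_ip_route((65000, 100), NO_ESI, 0, MAC, "10.1.1.10", 16001), {"65000:100"}),
    (encode_mac_ip_route((65000, 200), NO_ESI, 0, MAC, "10.1.1.10", 16002), {"65000:200"}),
    (encode_mac_ip_route((65000, 300), NO_ESI, 0, MAC, None, 16003), {"65000:300"}),
]

if __name__ == "__main__":
    for key, route in import_routes(ADVERTS, {"65000:100", "65000:200"}).items():
        print(key, "-> label", route["label"])
```

Running it shows two entries for the identical MAC, one per RD, while the third route is never installed because its RT is not imported; that is the RD/RT separation the text describes, applied to a MAC route instead of an IP prefix.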


VXLAN & EVPN control plane

Datacenter fabrics started with STP; back then, this was the only thing you could do at Layer 2. Its primary deficiency was that you could only have one active link. We later introduced VPC and VSS, allowing all link forwarding in a non-looped topology. Cisco FabricPath / BGP introduces MAC-in-MAC layer 2 multipathing.

In the gateway area, they added Anycast HSRP, which was limited to 4 gateways. More importantly, there was a state exchange between them.

The industry has moved on, and we now see VXLAN as a MAC-in-IP mechanism. VXLAN allows us to cross a Layer 3 boundary and build an overlay over a Layer 3 network. Its initial forwarding mechanism was flood-and-learn, with plenty of drawbacks, so a control plane was added to VXLAN: EVPN.

A VXLAN/EVPN solution is an MP-BGP-based control plane using the EVPN NLRI. BGP distributes Layer 2 MAC and Layer 3 IP information. It reduces flooding, as forwarding decisions are based on the control plane. The EVPN control plane offers VTEP peer discovery and end-host reachability distribution.



Highlighting EVPN

  • Reduction in flooding traffic with optimized BUM flooding

  • Uses features such as Proxy ARP

  • Integrates routing and bridging: asymmetric IRB and symmetric IRB

  • Supports egress load balancing across multiple PE devices

  • Provides IP address mobility and MAC mobility


A final note: EVPN and VXLAN

So, in summary, on the data plane, the original EVPN specified in RFC 7432 was designed to work with MPLS encapsulation. Here the BGP next hop is the endpoint of the MPLS label-switched path across the network, i.e., the BGP next hop is the transport LSP endpoint, and the EVPN route carries one or more MPLS labels, similar to a Layer 3 VPN.

However, RFC 5512 specified the BGP encapsulation community, which you can attach to any BGP route to indicate what data-plane encapsulation to use to reach it, and one of the drafts now being used to implement EVPN with VXLAN specifies how to use the encapsulation community and how to modify EVPN to work with VXLAN.

Diagram: EVPN VXLAN. Source Aruba Networks.


So instead of using MPLS labels, which are locally unique and assigned by PE routers, with EVPN and VXLAN we can now use global segment identities known as VNIs. A VXLAN header that includes a 24-bit field, the VXLAN network identifier (VNI), is used to identify the VXLAN uniquely.

The VNI is similar to a VLAN ID, but, considering the VXLAN vs VLAN debate, having 24 bits allows you to create many more VXLANs than VLANs. This VNI, including the VNI range, needs to be administratively configured. The BGP next hop is the egress VTEP, the tunnel endpoint, and the encapsulation community is used to indicate that you need to use VXLAN to get there.
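The following added example (not code from the original post or from any vendor) shows the receiving side of what the last two paragraphs describe: it encodes and looks up the RFC 5512 BGP Encapsulation Extended Community, and then reads the 3-octet label field of an EVPN route either as a locally significant 20-bit MPLS label (no community present, the RFC 7432 default) or as a globally significant 24-bit VNI (VXLAN tunnel type), rejecting a VNI outside the administratively configured range. The tunnel type numbers are the IANA values for VXLAN (8) and MPLS (10); the VTEP addresses, label, VNI values and the VNI range are constructed.

```python
import struct

EXT_COMM_TYPE_OPAQUE = 0x03     # transitive opaque extended community
EXT_COMM_SUBTYPE_ENCAP = 0x0C   # BGP Encapsulation Extended Community (RFC 5512, section 4.5)
TUNNEL_TYPE_VXLAN = 8           # IANA BGP tunnel encapsulation type for VXLAN
TUNNEL_TYPE_MPLS = 10           # IANA BGP tunnel encapsulation type for MPLS


def encode_encap_community(tunnel_type: int) -> bytes:
    """8-octet extended community: type, sub-type, 4 reserved octets, 2-octet tunnel type."""
    return struct.pack("!BB4xH", EXT_COMM_TYPE_OPAQUE, EXT_COMM_SUBTYPE_ENCAP, tunnel_type)


def find_tunnel_type(ext_comms):
    """Return the tunnel type signalled on the route, or None if no encapsulation community is present."""
    for comm in ext_comms:
        comm_type, sub_type, tunnel_type = struct.unpack("!BB4xH", comm)
        if comm_type == EXT_COMM_TYPE_OPAQUE and sub_type == EXT_COMM_SUBTYPE_ENCAP:
            return tunnel_type
    return None


def interpret_label_field(label_field: bytes, tunnel_type: int) -> dict:
    """Read the 3-octet label field of an EVPN route according to the signalled data plane."""
    raw = int.from_bytes(label_field, "big")
    if tunnel_type == TUNNEL_TYPE_VXLAN:
        return {"encap": "vxlan", "segment": raw}        # all 24 bits: globally significant VNI
    if tunnel_type == TUNNEL_TYPE_MPLS:
        return {"encap": "mpls", "segment": raw >> 4}    # high 20 bits: locally assigned MPLS label
    raise ValueError(f"unsupported tunnel type {tunnel_type}")


def resolve_route(next_hop: str, label_field: bytes, ext_comms, vni_range=(10000, 19999)) -> dict:
    """Decide how to reach a received EVPN route: tunnel endpoint, encapsulation and segment id.

    `vni_range` stands in for the administratively configured VNI range on this device (constructed).
    """
    tunnel_type = find_tunnel_type(ext_comms)
    if tunnel_type is None:
        tunnel_type = TUNNEL_TYPE_MPLS     # no community: the RFC 7432 MPLS data plane is assumed
    info = interpret_label_field(label_field, tunnel_type)
    if info["encap"] == "vxlan" and not vni_range[0] <= info["segment"] <= vni_range[1]:
        raise ValueError(f"VNI {info['segment']} is outside the administratively configured range")
    return {"tunnel_endpoint": next_hop, **info}


# Constructed routes: (BGP next hop, 3-octet label field, extended communities)
VXLAN_ROUTE = ("192.0.2.2", (10010).to_bytes(3, "big"), [encode_encap_community(TUNNEL_TYPE_VXLAN)])
MPLS_ROUTE = ("192.0.2.3", (16001 << 4).to_bytes(3, "big"), [])

if __name__ == "__main__":
    print(resolve_route(*VXLAN_ROUTE))   # {'tunnel_endpoint': '192.0.2.2', 'encap': 'vxlan', 'segment': 10010}
    print(resolve_route(*MPLS_ROUTE))    # {'tunnel_endpoint': '192.0.2.3', 'encap': 'mpls', 'segment': 16001}
```

The same 3-octet field is read two different ways depending on the community, which is why a receiver must decide the encapsulation before it interprets the label, and why an out-of-range VNI is refused rather than silently mapped to a segment.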



Ethernet Virtual Private Network (EVPN) is a groundbreaking networking technology that offers many benefits, including scalability, efficient traffic forwarding, multi-tenancy support, and mobility. It revolutionizes how businesses connect and manage their networks, providing a secure and flexible solution for modern networking requirements.

Whether it’s data center interconnectivity, service provider networks, or cloud computing, EVPN is poised to play a crucial role in shaping the future of networking. Embracing EVPN can empower businesses to streamline their network operations and stay ahead in today’s digital landscape.



Matt Conran