This CCIE Data Center workbook is designed to help you practice the CCIE DC LAB exam DOO questions for the VXLAN EVPN topics using a similar question style used in the CCIE LAB exam (NOT THE EXACT QUESTIONS).
In this workbook, you’ll find a series of technical questions and answers, along with a detailed network diagram, to guide you through the complexities of VXLAN EVPN. The goal is to provide you with a robust practice environment that mirrors the challenges you’ll face in the actual lab exam, helping you build the confidence and skills needed to succeed.
Workbook Practice Instructions
Before going through the workbook exercises, make sure to meet the following requirements:
- Use the attached topology as a reference for this assignment.
- Adding static routes or default routes is NOT allowed.
- In any configuration where additional addressing may be necessary, use only the information displayed in the question.
- A basic configuration has been added to all switches in the topology. These configurations are provided as a starting point.
- When preparing for your CCIE LAB exam, I recommend NOT using any configuration guide (yes, memorize the commands to save time!)
- You should not spend more than 60 minutes to finish this workbook; in the LAB exam, you should be faster (Be careful; time is critical in the LAB exam)
Workbook Network Diagram
Please refer to the network topology below to answer the workbook questions.
Exercise 1: VXLAN EVPN Underlay Network
In this exercise, you should verify your ability to implement the underlay network required for VXLAN EVPN technology.
Check the pre-configuration added to all switches carefully.
In this exercise, ignore any VPC configuration (if any).
N5K1#
feature ospf
feature bgp
feature pim
router ospf 1
ip pim rp-address 1.1.1.71 group-list 224.0.0.0/4
interface loopback0
ip address 1.1.1.51/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
interface eth1/1-2
mtu 9150
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
router bgp 56363
router-id 51.0.0.0
N5K2#
feature ospf
feature bgp
feature pim
router ospf 1
ip pim rp-address 1.1.1.71 group-list 224.0.0.0/4
interface loopback0
ip address 1.1.1.52/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
interface eth1/1-2
mtu 9150
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
router bgp 56363
router-id 52.0.0.0
N7K1#
feature ospf
feature bgp
feature pim
router ospf 1
ip pim rp-address 1.1.1.71 group-list 224.0.0.0/4
interface loopback0
ip address 1.1.1.71/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
interface loopback1
ip address 1.2.3.4/32
ip router ospf 1 area 0.0.0.0
interface eth1/1-3
mtu 9150
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
router bgp 56363
router-id 71.0.0.0
N7K2#
feature ospf
feature bgp
feature pim
router ospf 1
ip pim rp-address 1.1.1.71 group-list 224.0.0.0/4
interface loopback0
ip address 1.1.1.72/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
interface loopback1
ip address 1.2.3.4/32
ip router ospf 1 area 0.0.0.0
interface eth1/1-3
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
router bgp 56363
router-id 72.0.0.0
N9K1#
feature ospf
feature bgp
feature pim
router ospf 1
ip pim rp-address 1.1.1.71 group-list 224.0.0.0/4
interface loopback0
ip address 1.1.1.91/32
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
interface eth1/1-2
mtu 9150
medium p2p
ip unnumbered loopback0
ip ospf network point-to-point
ip router ospf 1 area 0.0.0.0
ip pim sparse-mode
no shutdown
router bgp 56363
router-id 91.0.0.0
- In the CCIE LAB exam, you should always double-check the pre-configuration carefully before answering any question.
- All leaves and spines use IP unnumbered addressing, so each P2P link borrows the loopback0 address. This does not affect OSPF; the neighborship should form as long as the rest of the pre-configuration is correct.
Ensure all required configuration is added so that the loopback0 (/32) IP addresses are reachable between all leaves and spines in the Site-A fabric.
For end-to-end loopback reachability between all leaves and spines in Site-A, add the following configuration on N7K2:
interface eth1/1-3
mtu 9150
MTU mismatch impacts the OSPF neighborship. We have to make sure the MTU matches in all fabric links. Use the following commands for verification:
show ip ospf neighbor
show ip ospf interface brief
ping 1.1.1.x source-interface loopback0 ; x = {51, 52, 71, 72, 91}
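The MTU comparison described above can also be run offline against saved configs. The following Python script is an added example, not part of the original workbook: it reads flat NX-OS snippets like the pre-configuration, collects the MTU of every non-loopback interface that runs OSPF, and reports links that differ from the most common value. The sample configs are constructed, the function names are this example's own, and the 1500-byte default for an interface with no mtu line is an assumption.

```python
import re
from collections import Counter

DEFAULT_MTU = 1500  # assumed NX-OS default when an interface has no "mtu" line

# Constructed sample: trimmed underlay snippets, one spine without the jumbo MTU.
CONFIGS = {
    "N5K1": "interface loopback0\nip router ospf 1 area 0.0.0.0\n"
            "interface eth1/1-2\nmtu 9150\nip router ospf 1 area 0.0.0.0\n"
            "router bgp 56363\nrouter-id 51.0.0.0",
    "N7K1": "interface eth1/1-3\nmtu 9150\nip router ospf 1 area 0.0.0.0",
    "N7K2": "interface eth1/1-3\nmedium p2p\nip router ospf 1 area 0.0.0.0",
}

def interface_sections(config):
    """Split flat (unindented) NX-OS text into {interface: [sub-commands]}."""
    sections, current = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1].lower()
            sections[current] = []
        elif re.match(r"(router |vlan |vrf context |feature |evpn$)", line):
            current = None  # a new top-level block closes the interface
        elif current is not None:
            sections[current].append(line)
    return sections

def fabric_mtus(config):
    """Return {interface: mtu} for non-loopback interfaces that run OSPF."""
    mtus = {}
    for name, lines in interface_sections(config).items():
        runs_ospf = any(l.startswith("ip router ospf") for l in lines)
        if name.startswith("loopback") or not runs_ospf:
            continue
        mtus[name] = next((int(l.split()[1]) for l in lines
                           if l.startswith("mtu ")), DEFAULT_MTU)
    return mtus

def mtu_mismatches(configs):
    """Return (expected_mtu, [(switch, interface, mtu), ...]) for outliers."""
    seen = {(sw, ifc): mtu for sw, cfg in configs.items()
            for ifc, mtu in fabric_mtus(cfg).items()}
    expected = Counter(seen.values()).most_common(1)[0][0]
    outliers = sorted((sw, ifc, mtu) for (sw, ifc), mtu in seen.items()
                      if mtu != expected)
    return expected, outliers

if __name__ == "__main__":
    expected, outliers = mtu_mismatches(CONFIGS)
    for sw, ifc, mtu in outliers:
        print(f"{sw} {ifc}: mtu {mtu}, fabric uses {expected}")
```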
Configure BGP peering on all site-A fabric switches N5K1, N5K2, N7K1, N7K2, and N9K1 so that they can advertise L2VPN EVPN routes.
For the leaf switches (N5K1, N5K2 & N9K1):
router bgp 56363
neighbor 1.1.1.71
remote-as 56363
update-source loopback0
address-family l2vpn evpn
send-community extended
neighbor 1.1.1.72
remote-as 56363
update-source loopback0
address-family l2vpn evpn
send-community extended
For the spine switches (N7K1 & N7K2):
router bgp 56363
neighbor 1.1.1.0/24
remote-as 56363
update-source loopback0
address-family l2vpn evpn
send-community extended
route-reflector-client
Use the following commands for verification:
show bgp l2vpn evpn summary
(you should see the neighborship is up for all connected switches with prefix count of 0)
The multicast tree (ASM) is currently built through the N7K1 switch only. Configure an active/active multicast RP redundancy to be used for the overlay BUM traffic replication in both N7K1 and N7K2.
Note that you are not allowed to use MSDP.
An active/active RP means both N7K1 and N7K2 should be active RP at the same time. This can be accomplished by using an anycast RP configuration:
For the leaf switches (N5K1, N5K2 & N9K1):
ip pim rp-address 1.2.3.4 group-list 224.0.0.0/4
For the spine switches (N7K1 & N7K2):
ip pim rp-address 1.2.3.4 group-list 224.0.0.0/4
ip pim anycast-rp 1.2.3.4 1.1.1.71
ip pim anycast-rp 1.2.3.4 1.1.1.72
interface loopback1
ip pim sparse-mode
Use the following commands for verification:
show ip pim rp
show ip mroute
(you should see the 1.2.3.4 as the RP in all switches and pointing toward the N7Ks)
Exercise 2: VXLAN EVPN L2 Connectivity
In this exercise, you should verify your ability to implement the VXLAN L2 overlay network to provide L2 forwarding between fabric endpoints.
Using the underlay network configured in part-1, configure Site-A switches according to the following requirements:
- Ensure all leaves in Site-A are configured to be ready for any L2 overlay forwarding (Server-B should be able to ping Server-C).
- Use VXLAN technology with loopback0 as a source interface and BGP as a control protocol.
- Ensure that all VNIs use a Route-Distinguisher (RD) that contains loopback0 ip address and Route-targets (RT) with format ASN:VNI (Do NOT statically configure any value).
- Ensure the overlay BUM traffic is replicated as necessary and reduce the BUM replication to the minimum.
- Assume that N5Ks have store-and-forward packet switching already configured.
- Ignore VPC configuration in this task since Server-A has not been deployed yet.
- Use the following information to build the L2 Overlay network:
– VLAN 10 > VNI 100010 > Multicast group (229.0.0.10).
– VLAN 20 > VNI 100020 > Multicast group (229.0.0.20).
– VLAN 30 > VNI 100030 > Multicast group (229.0.0.30).
- Consider the following pre-configuration:
N5K1 and N5K2 are Nexus C5672UP, whereas N9K1 is Nexus C93180YC-FX.
N5K1#
feature fabric forwarding
feature vn-segment-vlan-based
feature nv overlay
nv overlay evpn
vlan 10
interface port-channel10
switchport mode access
switchport access vlan 10
N5K2#
feature fabric forwarding
feature vn-segment-vlan-based
feature nv overlay
nv overlay evpn
vlan 10, 20
interface port-channel10
switchport mode access
switchport access vlan 10
no shutdown
interface ethernet 1/6
switchport mode access
switchport access vlan 20
no shutdown
N9K1#
feature fabric forwarding
feature vn-segment-vlan-based
feature nv overlay
nv overlay evpn
vlan 10, 20, 30
interface ethernet 1/4
switchport mode access
switchport access vlan 20
no shutdown
interface ethernet 1/5
switchport mode access
switchport access vlan 30
no shutdown
To implement the L2 overlay bridging network in VXLAN EVPN, we need to configure the following:
- VLAN to VXLAN mapping.
- Configure downstream ports as access or trunk ports (Pre-configured).
- Configure the NVE interface with required VNI members.
- Define the L2 VNIs under the EVPN configuration mode.
You need to configure the minimum required commands to accomplish this task.
N5K1#
vlan 10
vn-segment 100010
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 100010
suppress-arp
mcast-group 229.0.0.10
evpn
vni 100010 l2
rd auto
route-target import auto
route-target export auto
N5K2#
feature fabric forwarding
vlan 10
vn-segment 100010
vlan 20
vn-segment 100020
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 100010
suppress-arp
mcast-group 229.0.0.10
member vni 100020
suppress-arp
mcast-group 229.0.0.20
evpn
vni 100010 l2
rd auto
route-target import auto
route-target export auto
vni 100020 l2
rd auto
route-target import auto
route-target export auto
N9K1#
vlan 20
vn-segment 100020
vlan 30
vn-segment 100030
interface nve1
no shutdown
host-reachability protocol bgp
source-interface loopback0
member vni 100020
suppress-arp
mcast-group 229.0.0.20
member vni 100030
suppress-arp
mcast-group 229.0.0.30
evpn
vni 100020 l2
rd auto
route-target import auto
route-target export auto
vni 100030 l2
rd auto
route-target import auto
route-target export auto
For verification, use the following commands:
show nve vni (you should see the L2 VNIs in UP status)
show interface nve1 (the nve interface should be up)
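The VLAN, VNI and multicast-group lines in this answer are easy to mistype under time pressure. The following Python script is an added example, not part of the original workbook: it audits one leaf's flat config against the exercise's mapping table and flags a VLAN mapped to the wrong VNI, an NVE member with no VLAN behind it, a wrong multicast group, or a VNI missing under evpn. The sample config is constructed with a deliberate slip, and the function names are this example's own.

```python
import re

# Mapping required by the exercise: VLAN -> (L2 VNI, multicast group).
EXPECTED = {10: (100010, "229.0.0.10"),
            20: (100020, "229.0.0.20"),
            30: (100030, "229.0.0.30")}

# Constructed leaf config (flat, like the page's listings) with one slip.
SAMPLE = "\n".join([
    "vlan 20", "vn-segment 100020",
    "vlan 30", "vn-segment 100020",  # slip: VLAN 30 should map to 100030
    "interface nve1", "host-reachability protocol bgp",
    "member vni 100020", "suppress-arp", "mcast-group 229.0.0.20",
    "member vni 100030", "suppress-arp", "mcast-group 229.0.0.30",
    "evpn", "vni 100020 l2", "rd auto", "vni 100030 l2", "rd auto",
])

def parse_leaf(config):
    """Return (vlan->vni, nve vni->mcast group, set of VNIs under evpn)."""
    vlan_vni, vni_group, evpn_vnis = {}, {}, set()
    vlan = vni = None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"vlan (\d+)", line):
            vlan = int(m[1])
        elif (m := re.fullmatch(r"vn-segment (\d+)", line)) and vlan is not None:
            vlan_vni[vlan] = int(m[1])
        elif m := re.fullmatch(r"member vni (\d+)", line):  # skips associate-vrf
            vni = int(m[1])
            vni_group.setdefault(vni, None)
        elif (m := re.fullmatch(r"mcast-group (\S+)", line)) and vni is not None:
            vni_group[vni] = m[1]
        elif m := re.fullmatch(r"vni (\d+) l2", line):
            evpn_vnis.add(int(m[1]))
    return vlan_vni, vni_group, evpn_vnis

def audit_leaf(config, expected=EXPECTED):
    """Return a list of human-readable findings; empty means consistent."""
    vlan_vni, vni_group, evpn_vnis = parse_leaf(config)
    group_for = {vni: group for vni, group in expected.values()}
    findings = []
    for vlan, vni in sorted(vlan_vni.items()):
        if vlan in expected and vni != expected[vlan][0]:
            findings.append(
                f"vlan {vlan}: vn-segment {vni}, expected {expected[vlan][0]}")
    mapped = set(vlan_vni.values())
    for vni, group in sorted(vni_group.items()):
        if vni not in mapped:
            findings.append(f"vni {vni}: NVE member but no VLAN maps to it")
        if group != group_for.get(vni):
            findings.append(
                f"vni {vni}: mcast-group {group}, expected {group_for.get(vni)}")
        if vni not in evpn_vnis:
            findings.append(f"vni {vni}: missing under evpn")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_leaf(SAMPLE)) or "leaf config is consistent")
```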
Exercise 3: VXLAN EVPN L3 Connectivity
In this exercise, you should verify your ability to implement the VXLAN L3 overlay network to provide L3 forwarding between fabric endpoints.
Configure all leaves in Site-A fabric (N5K1, N5K2, and N9K1) to actively distribute anycast GWs for their connected servers. Please consider the following requirements:
- Ensure that all leaves use the anycast GW MAC address of 0000.1234.abcd.
- The newly created SVIs should be placed in ‘Customer1’ VRF.
- All subnets should be tagged with the value 555.
- Use the name ‘CCIE-DC’ for any new route map.
- Use the preconfigured VLAN 321 if needed.
- Ignore VPC configuration in this task since Server-A has not been deployed yet.
- Refer to the table below for subnets details:
– VLAN 10 > GW's IP (172.16.10.254/24).
– VLAN 20 > GW's IP (172.16.20.254/24).
– VLAN 30 > GW's IP (172.16.30.254/24).
- Consider the following pre-configuration:
N5K1 and N5K2 are Nexus C5672UP, whereas N9K1 is Nexus C93180YC-FX.
N5K1#
VLAN 321
vrf context CUSTOMER1
vni 102030
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
N5K2#
VLAN 321
vrf context CUSTOMER1
vni 102030
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
N9K1#
VLAN 321
vrf context CUSTOMER1
vni 102030
rd auto
address-family ipv4 unicast
route-target both auto
route-target both auto evpn
To implement the L3 overlay network in VXLAN EVPN, we need to configure the following in all VTEPs:
- Configure the required VRF used for overlay traffic and define its L3 VNI. (Pre-configured).
- Configure the VRF-shared VLAN used for L3 forwarding and associate it with the VRF’s L3 VNI.
- Configure the distributed anycast gateway MAC.
- Configure the required SVIs, including the VRF-shared interface VLAN (defined in step 2).
- Under the NVE interface, associate the L3 VNI defined in the VRF context configuration.
- Redistribute the SVI subnets into the BGP process under the VRF address family.
You need to configure the minimum required commands to accomplish this task.
N5K1#
feature interface-vlan
VLAN 321
vn-segment 102030
fabric forwarding anycast-gateway-mac 0000.1234.abcd
interface Vlan321
no shutdown
vrf member CUSTOMER1
ip forward
interface Vlan10
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.10.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface nve1
member vni 102030 associate-vrf
route-map CCIE-DC permit 10
match tag 555
router bgp 56363
vrf CUSTOMER1
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map CCIE-DC
N5K2#
feature interface-vlan
VLAN 321
vn-segment 102030
fabric forwarding anycast-gateway-mac 0000.1234.abcd
interface Vlan321
no shutdown
vrf member CUSTOMER1
ip forward
interface Vlan10
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.10.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface Vlan20
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.20.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface nve1
member vni 102030 associate-vrf
route-map CCIE-DC permit 10
match tag 555
router bgp 56363
vrf CUSTOMER1
address-family ipv4 unicast
advertise l2vpn evpn
redistribute direct route-map CCIE-DC
N9K1#
feature interface-vlan
VLAN 321
vn-segment 102030
fabric forwarding anycast-gateway-mac 0000.1234.abcd
interface Vlan321
no shutdown
vrf member CUSTOMER1
ip forward
interface Vlan20
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.20.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface Vlan30
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.30.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface nve1
member vni 102030 associate-vrf
route-map CCIE-DC permit 10
match tag 555
router bgp 56363
vrf CUSTOMER1
address-family ipv4 unicast
redistribute direct route-map CCIE-DC
For verification, use the following commands:
show nve vni (you should see the L2 VNIs in UP status)
show ip route vrf CUSTOMER1 (you should see routes for the server's /32 IP addresses)
Exercise 4: VXLAN EVPN with VPC
In this exercise, you should verify your ability to implement VXLAN EVPN with VPC for dual-homed endpoints.
The server team prepared Server-A to be connected to Site-A fabric; as a data center network expert, you have been assigned to prepare the fabric for all required configurations. For this task, please consider the following requirements:
- Ensure that both ingress and egress traffic is load-balanced between the N5K1 and N5K2 VPC peers. The VPC anycast GW ip address should be 1.1.51.52/32.
- In case of uplink failure, each VPC peer should be able to fail over using the peer link; use VLAN 911 for this purpose.
- N5K1 and N5K2 switches are server leaves, and they will not be used for any external connectivity.
- Use the name ‘CCIE-DC’ for any new route map.
- Use the preconfigured VLAN 321 if needed.
- Consider the following pre-configuration:
N5K1 and N5K2 are Nexus C5672UP.
N5K1#
feature lacp
feature vpc
vlan 911
vpc domain 100
peer-keepalive destination 1.1.1.52 source 1.1.1.51 vrf default
peer-switch
role priority 1
peer-gateway
interface vlan 911
ip address 10.11.12.1/30
no shutdown
interface port-channel1
switchport
switchport mode trunk
switchport trunk allowed vlan 10, 20
spanning-tree port type network
vpc peer-link
interface port-channel10
switchport
switchport mode access
switchport access vlan 10
vpc 10
N5K2#
feature lacp
feature vpc
vlan 911
vpc domain 100
peer-keepalive destination 1.1.1.51 source 1.1.1.52 vrf default
peer-switch
role priority 2
peer-gateway
interface vlan 911
ip address 10.11.12.2/30
no shutdown
interface port-channel1
switchport
switchport mode trunk
switchport trunk allowed vlan 10, 20
spanning-tree port type network
vpc peer-link
interface port-channel10
switchport
switchport mode access
switchport access vlan 10
vpc 10
We need the following steps to meet the question requirements:
- Configure the Anycast VTEP IP in both VPC Switches.
- Configure the NVE Peer-Link VLAN in both VPC Switches.
- Configure Layer-3 Routing across the NVE peer-link-VLAN in both VPC switches to enable the failover using the peer link.
You need to configure the minimum required commands to accomplish this task.
N5K1#
interface loopback0
ip address 1.1.51.52/32 secondary
vpc nve peer-link-vlan 911
interface port-channel1
switchport trunk allowed vlan add 911
interface vlan 911
mtu 9150
ip pim sparse-mode
ip router ospf 1 area 0.0.0.0
ip ospf network point-to-point
ip ospf cost 100
no shutdown
N5K2#
interface loopback0
ip address 1.1.51.52/32 secondary
vpc nve peer-link-vlan 911
interface port-channel1
switchport trunk allowed vlan add 911
interface vlan 911
mtu 9150
ip pim sparse-mode
ip router ospf 1 area 0.0.0.0
ip ospf network point-to-point
ip ospf cost 100
no shutdown
For verification, use the following commands:
show nve peers (Should show us the vpc anycast VTEP '1.1.51.52' as a peer in N9K1)
show bgp l2vpn evpn (all locally attached EPs in N5K1 & N5K2 should have '1.1.51.52' as next-hop when you run this command in N9K1)
Exercise 5: VXLAN EVPN Multisite
In this exercise, you should verify your ability to implement VXLAN EVPN Multisite to interconnect two fabrics.
A decision was taken to deploy another fabric (Site-B). You are the data center expert responsible for implementing the new data center interconnect (DCI) setup using VXLAN EVPN technology with the following requirements:
- All subnets configured in Site-A (Site-ID = 1) should be extended to Site-B (Site-ID = 2) and vice versa.
- N9K1 and N9K2 should be deployed as the site’s border gateways (BGW) with ip addresses 1.1.1.1 and 1.1.1.2, respectively.
- Ensure that all overlay BUM traffic between sites is unicast-replicated (no multicast is allowed in Router-X).
- Assume that N9K2 is fully configured, and its BGP ASN is 65000 with loopback11 as the source interface (1.1.1.2).
- Consider the following pre-configuration:
Router-X runs the EIGRP protocol between the two N9Ks.
N9K1#
feature eigrp
router eigrp CCIE
autonomous-system 100
router-id 91.0.0.0
interface loopback11
ip address 1.1.1.1/32
ip router eigrp CCIE
interface Ethernet1/3
description DCI_Link_To_Router-X
ip address 9.0.0.1/30
ip router eigrp CCIE
no shutdown
We need the following steps to meet the question requirements:
- Configure the Anycast VTEP IP in both VPC Switches.
- Configure the NVE Peer-Link VLAN in both VPC Switches.
- Configure Layer-3 Routing across the NVE peer-link-VLAN in both VPC switches to enable the failover using the peer link.
N9K2 is fully configured.
N9K1#
vlan 10
vn-segment 100010
interface Vlan10
no shutdown
mtu 9150
vrf member CUSTOMER1
ip address 172.16.10.254/24 tag 555
ip pim sparse-mode
fabric forwarding mode anycast-gateway
interface loopback0
ip router eigrp CCIE
interface loopback11
ip router ospf 1 area 0.0.0.0
router bgp 56363
neighbor 1.1.1.2
remote-as 65000
update-source loopback11
ebgp-multihop 5
peer-type fabric-external
address-family l2vpn evpn
send-community extended
rewrite-evpn-rt-asn
evpn multisite border-gateway 1
delay-restore time 30
interface Ethernet1/1-2
evpn multisite fabric-tracking
interface Ethernet1/3
mtu 9150
evpn multisite dci-tracking
interface nve1
multisite border-gateway interface loopback11
member vni 100010
suppress-arp
mcast-group 229.0.0.10
multisite ingress-replication
member vni 100020
multisite ingress-replication
member vni 100030
multisite ingress-replication
For verification, use the following commands:
show bgp l2vpn evpn summary (you should see the external eBGP peer)
show bgp l2vpn evpn (other fabric routes should appear with the local BGW's ip as a next hop)
Conclusion
As you wrap up this CCIE Data Center workbook, consider extending your learning. I’m thrilled to share that I have an online course on Udemy: Cisco Data Centers | VXLAN EVPN. In this course, we dive even deeper into VXLAN EVPN; this course is your next step.
Remember, networking isn’t just about protocols and configurations; it’s about solving problems and enabling seamless communication. As you continue your journey, embrace curiosity, stay updated, and connect with fellow enthusiasts. Most importantly, keep practicing because mastery comes from doing, not just reading.
I hope this workbook was helpful; wish you the very best in your CCIE Data Center journey.