Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Configuring EVPN and VXLAN

    Contrail supports Ethernet VPNs (EVPN) and Virtual Extensible Local Area Networks (VXLAN).

    EVPN is a flexible solution that uses Layer 2 overlays to interconnect multiple edges (virtual machines) within a data center. Traditionally, the data center is built as a flat Layer 2 network with issues such as flooding, limitations in redundancy and provisioning, and high volumes of MAC addresses learned, which cause churn at node failures. EVPN is designed to address these issues without disturbing flat MAC connectivity.

    In EVPN, MAC address learning is driven by the control plane, rather than by the data plane, which helps control learned MAC addresses across virtual forwarders, thus avoiding flooding. The forwarders advertise locally learned MAC addresses to the controllers. The controllers use MP-BGP to communicate with peers. The peering of controllers using BGP for EVPN results in better and faster convergence.

    With EVPN, MAC learning is confined to the virtual networks to which the virtual machine belongs, thus isolating traffic between multiple virtual networks. In this manner, virtual networks can share the same MAC addresses without any traffic crossover.

    Unicast in EVPN

    Unicast forwarding is based on MAC addresses where traffic can terminate on a local endpoint or is encapsulated to reach the remote endpoint. Encapsulation can be MPLS/UDP, MPLS/GRE, or VXLAN.

    BUM Traffic in EVPN

    Multicast and broadcast traffic is flooded in a virtual network. The replication tree is built by the control plane, based on the advertisements of end nodes (virtual machines) sent by forwarders. Each virtual network has one distribution tree, a method that avoids maintaining multicast states at fabric nodes, so the nodes are unaffected by multicast. The replication happens at the edge forwarders. Per-group subscription is not provided. Broadcast, unknown unicast, and multicast (BUM) traffic are all handled the same way, and get flooded in the virtual network to which the virtual machine belongs.


    VXLAN is an overlay technology that encapsulates MAC frames into a UDP header at Layer 2. Communication is established between two virtual tunnel endpoints (VTEPs). VTEPs encapsulate the virtual machine traffic into a VXLAN header, as well as strip off the encapsulation. Virtual machines can only communicate with each other when they belong to the same VXLAN segment. A 24-bit virtual network identifier (VNID) uniquely identifies the VXLAN segment. This enables having the same MAC frames across multiple VXLAN segments without traffic crossover. Multicast in VXLAN is implemented as Layer 3 multicast, in which endpoints subscribe to groups.

    Design Details of EVPN and VXLAN

    With Contrail Release 1.03, EVPN is enabled by default. The supported forwarding modes include:

    • Fallback bridging—IPv4 traffic lookup is performed using IP FIB. All non-IPv4 traffic is directed to a MAC FIB.
    • Layer 2-only— All traffic is forwarded using MAC FIB lookup.

    The forwarding mode can be configured individually on each virtual network.

    EVPN is used to share MACs across different control planes in both forwarding models. The result of a MAC lookup is a next hop, which, similar to IP forwarding, points to a local virtual machine or a tunnel to reach the virtual machine on a remote server. The tunnel encapsulation methods supported for EVPN are MPLSoGRE, MPLSoUDP, and VXLAN. The encapsulation method selected is based on a user-configured priority.

    In VXLAN, the VNID is assigned uniquely for every virtual network carried in the VXLAN header. The VNID uniquely identifies a virtual network.. When the VXLAN header is received from the fabric at a remote server, the VNID lookup provides the VRF of the virtual machine. This VRF is used for the MAC lookup from the inner header, which then provides the destination virtual machine.

    Non-IP multicast traffic uses the same multicast tree as for IP multicast ( The multicast is matched against the all-broadcast prefix in the bridging table (FF:FF:FF:FF:FF:FF). VXLAN is not supported for IP/non-IP multicast traffic.

    The following table summarizes the traffic and encapsulation types supported for EVPN.






    Traffic Type

    IP unicast








    non IP unicast




    non IP-BUM




    Configuring Forwarding

    With Contrail 1.03, the default forwarding mode is enabled for fallback bridging (IP FIB and MAC FIB). The mode can be changed, either through the Contrail web UI or by using python provisioning commands.

    From the Contrail web UI, select the virtual network for which you will change the forwarding mode, select Edit Network, then select Advanced Options to change the forwarding mode. In the following, the network named vn is being edited. Under Advanced Options->Forwarding Mode, two options are available:

    • Select L2 and L3 to enable IP and MAC FIB (fallback bridging).
    • Select L2 to enable only MAC FIB.

    Alternatively, you can use the following python provisioning command to change the forwarding mode:

    python provisioning_forwarding_mode --project_fq_name 'defaultdomain: admin' --vn_name vn1 --forwarding_mode < l2_l3| l2 >


    l2_l3 = Enable IP FIB and MAC FIB (fallback bridging)

    l2 = Enable MAC FIB only (Layer 2 only)

    Configuring the VXLAN Identifier Mode

    The VXLAN identifier mode can be configured to select an auto-generated VNID or a user-generated VXLAN ID, either through the Contrail web UI or by modifying a python file.

    The following Contrail web UI shows the location for configuring the VXLAN identifier mode at Configure > Infrastructure > Forwarding Options. The user can select one of these options:

    • Automatic— The VXLAN identifier is automatically assigned for the virtual network.
    • Configured– The VXLAN identifier must be provided by the user for the virtual network.

      Note: When Configured is selected, if the user does not provide an identifier, then VXLAN encapsulation is not used and the mode falls back to MPLS.

    Alternatively, the VXLAN identifier mode can be set by using python to modify the file /opt/contrail/utils/ , as follows:

    python <add | update | delete > <username > < password > < tenant_name > < config_node_ip >

    Configuring the VXLAN Identifier

    The VXLAN identifier can be set only if the VXLAN network identifier mode has been set to configured. You can then set the VXLAN ID either by using the Contrail web UI or by using python commands.

    The following shows the web UI location of the VXLAN identifier field in Edit Network, Advanced Options.

    Alternatively, you can use the following python provisioning command to configure the VXLAN identifier:

    python provisioning_forwarding_mode --project_fq_name 'defaultdomain: admin' --vn_name vn1 --forwarding_mode < vxlan_id >

    Configuring Encapsulation Methods

    The default encapsulation mode for EVPN is MPLS over UDP. All packets on the fabric are encapsulated with the label allocated for the virtual machine interface. The label encoding and decoding is the same as for IP forwarding. Additional encapsulation methods supported for EVPN include MPLS over GRE and VXLAN. MPLS over UDP is different from MPLS over GRE only in the method of tunnel header encapsulation.

    VXLAN has its own header and uses a VNID label to carry the traffic over the fabric. A VNID is assigned to every virtual network and is shared by all virtual machines in the virtual network. The VNID is mapped to the VRF of the virtual network to which it belongs.

    The priority order in which to apply encapsulation methods is determined by the sequence of methods set either from the web UI or in the file

    The following shows the web UI location for setting the encapsulation method priorities from Configure > Infrastructure > Forwarding Options, in which the user has selected the priority order to be VXLAN first, then MPLS over GRE, and last priority is MPLS over UDP.

    Use the following procedure to change the default encapsulation method to VXLAN.

    Note: VXLAN is only supported for EVPN unicast. It is not supported for IP traffic or multicast traffic. VXLAN priority and presence in or configured in web UI is ignored for traffic not supported by VXLAN.

    To set the priority of encapsulation methods to VXLAN:

    1. Modify the file found in /opt/contrail/utils/.

      The default encapsulation line is:

      encap_obj=EncapsulationPrioritiesType(encapsulation=['MPLSoUDP','M PLSoGRE'])

      Modify the line to:

      encap_obj=EncapsulationPrioritiesType(encapsulation=['VXLAN', 'MPLSoUDP','MPLSoGRE'])

    2. Once the status is modified, execute the following script:

      python <add|update|delete> <username> <password> <tenant_name> <config_node_ip>

      The configuration is applied globally for all virtual networks.

    Modified: 2015-09-03