VXLAN Fabric Quizzes

EVPN VXLAN Quizzes

Programmable Fabric Quiz

1. What is the primary limitation of traditional VLANs in large multi-tenant data centers that VXLAN helps overcome?

Explanation: Traditional VLANs use a 12-bit identifier (IEEE 802.1Q), limiting the number of unique network segments to 4096. VXLAN uses a 24-bit Virtual Network Identifier (VNI), allowing for up to 16 million segments, which is crucial for the scalability required in large cloud and multi-tenant environments.

2. Which of the following are identified as challenges or drawbacks of using Spanning Tree Protocol (STP) in modern data centers? (Select ALL that apply)

Explanation: STP creates a loop-free tree topology, which inherently leads to blocked ports (unused links), potentially slow convergence times during topology changes, suboptimal forwarding paths (traffic must follow the tree), and no native ECMP capabilities because only a single path is active. The 4K VLAN limit is a characteristic of 802.1Q, not specifically an STP functional drawback itself, although STP operates within that limit.

3. In a VXLAN BGP EVPN fabric, what is the primary role of BGP EVPN?

Explanation: BGP EVPN serves as the control plane in modern VXLAN fabrics. It distributes endpoint information (like MAC address, IP address, and the associated VTEP) among the VTEPs, eliminating the need for data-plane flood-and-learn mechanisms and enabling more scalable and efficient forwarding. VXLAN itself handles the encapsulation (Data Plane), and protocols like OSPF or IS-IS typically provide the underlay IP connectivity.

4. Match the Fabric Component/Concept with its primary description:

Items to Drag

VXLAN
VTEP
Leaf Switch
Spine Switch
Underlay Network

Drop Targets (Descriptions)

Connects directly to endpoints (servers).
Provides IP connectivity between fabric switches (VTEPs).
Network overlay protocol using MAC-in-UDP encapsulation.
Interconnects Leaf switches in a Clos topology.
Originates/Terminates VXLAN tunnels (encap/decap).

Correct Matches:

  • Connects directly to endpoints (servers): Leaf Switch
  • Provides IP connectivity between fabric switches (VTEPs): Underlay Network
  • Network overlay protocol using MAC-in-UDP encapsulation: VXLAN
  • Interconnects Leaf switches in a Clos topology: Spine Switch
  • Originates/Terminates VXLAN tunnels (encap/decap): VTEP

5. What are some key requirements for modern data center networks mentioned in the text? (Select ALL that apply)

Explanation: Modern data centers prioritize agility, scalability (beyond VLAN limits), elasticity, availability, cost-effectiveness, openness (avoiding vendor lock-in), security, a solution-oriented approach (integration, automation), ease of use, and support for hybrid clouds. While STP was foundational, its limitations make it unsuitable as a primary protocol for modern large-scale fabrics. The trend is away from device-by-device management towards system/service-centric management, often via controllers and automation.

6. What type of topology has become common for building scalable and resilient data center fabrics using technologies like VXLAN BGP EVPN?

Explanation: The Leaf-Spine architecture, a type of Clos network, is the standard topology for modern data center fabrics. It provides predictable latency, high bisection bandwidth through ECMP across the spines, easy scalability (add leafs for ports, spines for bandwidth), and resilience compared to traditional hierarchical three-tier designs, which often suffered from bottlenecks and STP limitations.

VXLAN BGP EVPN Basics Quiz

1. What is the primary scalability limitation of traditional VLANs (IEEE 802.1Q) that VXLAN addresses?

Explanation: Traditional VLANs use a 12-bit identifier, limiting networks to 4096 unique segments. In large multi-tenant cloud environments, this is insufficient. VXLAN uses a 24-bit Virtual Network Identifier (VNI), allowing up to 16 million segments, overcoming this significant scalability barrier.

2. Compared to traditional VXLAN Flood and Learn (F&L), what are the key advantages provided by using BGP EVPN as the control plane? (Select ALL that apply)

Explanation: BGP EVPN acts as a control plane, distributing MAC/IP-to-VTEP mappings, which significantly reduces the reliance on data-plane flooding (F&L) for learning. This enhances scalability. It also standardizes MAC mobility signaling and can help suppress unnecessary ARP broadcasts by allowing VTEPs to respond locally if they know the mapping. BGP EVPN still relies on an IP underlay for VTEP reachability.

3. In MP-BGP, what is used to keep the routes for different tenants (VRFs) distinct within the BGP tables, even if they use overlapping IP addresses?

Explanation: A Route Distinguisher (RD) is an 8-byte value prepended to a tenant's route within MP-BGP. Its purpose is to make potentially overlapping routes unique across different VPNs or VRFs. While Route Targets (RTs) control the import/export of routes into VRFs, the RD is what ensures the uniqueness of the prefix itself within the global BGP table.

4. Match the BGP EVPN Route Type with its primary function:

Items to Drag

Route Type 2
Route Type 3
Route Type 5
Route Target (RT)
Route Distinguisher (RD)

Drop Targets (Descriptions)

Advertises specific host MAC and optionally IP address reachability.
Makes prefixes unique for different tenants/VRFs in BGP tables.
Advertises IP prefix reachability (used for subnets and external routes).
Controls the import/export of routes into specific VRF tables.
Used for distributing VTEP membership for a VNI (e.g., for ingress replication).

Correct Matches:

  • Route Type 2: Advertises specific host MAC and optionally IP address reachability.
  • Route Distinguisher (RD): Makes prefixes unique for different tenants/VRFs in BGP tables.
  • Route Type 5: Advertises IP prefix reachability (used for subnets and external routes).
  • Route Target (RT): Controls the import/export of routes into specific VRF tables.
  • Route Type 3: Used for distributing VTEP membership for a VNI (e.g., for ingress replication).

5. Which methods can be used in the underlay network to handle BUM (Broadcast, Unknown Unicast, Multicast) traffic originating within a VXLAN overlay? (Select ALL that apply)

Explanation: VXLAN requires a mechanism to replicate BUM traffic from one VTEP to potentially multiple other VTEPs participating in the same VNI. The two common underlay transport methods described are using IP Multicast (where VTEPs join a multicast group associated with the VNI) and Ingress Replication (where the source VTEP creates and sends individual unicast copies to all other relevant VTEPs). STP is avoided in the underlay, Route Type 5 is for control-plane prefix advertisement, and L2TP is a different tunneling protocol.

6. How does VXLAN encapsulation contribute to achieving good load balancing (ECMP) across the underlying IP network?

Explanation: For traffic between the same two VTEPs, the outer source and destination IP addresses are constant. To allow the underlay IP network's ECMP hashing (often based on a 5-tuple: SrcIP, DstIP, Protocol, SrcPort, DstPort) to distribute different internal flows across different paths, VXLAN VTEPs generate a varying outer UDP source port. This source port value is typically derived from a hash of the *inner* packet's headers, providing the necessary entropy for effective load balancing in the underlay.

Forwarding Quiz

1. What is the primary benefit of ARP suppression in a VXLAN BGP EVPN fabric?

Explanation: ARP suppression leverages the endpoint information learned via BGP EVPN. When a VTEP receives an ARP request for a known destination IP address, it can respond locally using the cached information, thus "suppressing" the need to flood the ARP broadcast across the VXLAN fabric. This significantly reduces unnecessary BUM traffic for resolved endpoints.

2. Which of the following are characteristics or benefits of the Distributed IP Anycast Gateway in VXLAN BGP EVPN? (Select ALL that apply)

Explanation: The Distributed IP Anycast Gateway involves configuring the same IP and MAC (AGM) on all participating VTEPs for a given subnet. This moves the L3 gateway function to the access layer (leaf), eliminating the need for FHRP protocols between leafs for gateway redundancy. It provides optimal forwarding (no hair-pinning) and supports seamless endpoint mobility because the gateway IP/MAC doesn't change from the endpoint's perspective when it moves.

3. In the context of vPC (Virtual PortChannel) integration with VXLAN BGP EVPN, what is the purpose of the "advertise-pip" feature?

Explanation: The `advertise-pip` feature differentiates how next-hops are advertised for different EVPN route types from a vPC pair. Endpoint routes (Type 2) continue using the shared anycast Virtual IP (VIP) for reachability. However, IP Prefix routes (Type 5), often originating from only one peer (like specific loopbacks or external connections), are advertised using the unique Physical IP (PIP) of the originating switch. This ensures return traffic for those specific prefixes is directed to the correct vPC peer, avoiding potential black-holing.

4. Match the VXLAN/EVPN Forwarding Concept with its description:

Items to Drag

ARP Suppression
Ingress Replication
Symmetric IRB
Distributed Anycast Gateway
MAC Mobility Sequence

Drop Targets (Descriptions)

Shared L3 gateway IP/MAC on multiple VTEPs for optimal routing & mobility.
Handles BUM traffic by sending multiple unicast copies from the source VTEP.
VTEP answers ARP requests locally for known endpoints using EVPN data.
BGP EVPN value used to track endpoint moves and determine the latest location.
Uses a common L3VNI for routed traffic (bridge-route-route-bridge flow).

Correct Matches:

  • Distributed Anycast Gateway: Shared L3 gateway IP/MAC on multiple VTEPs for optimal routing & mobility.
  • Ingress Replication: Handles BUM traffic by sending multiple unicast copies from the source VTEP.
  • ARP Suppression: VTEP answers ARP requests locally for known endpoints using EVPN data.
  • MAC Mobility Sequence: BGP EVPN value used to track endpoint moves and determine the latest location.
  • Symmetric IRB: Uses a common L3VNI for routed traffic (bridge-route-route-bridge flow).

5. When configuring DHCP Relay with a Distributed IP Anycast Gateway, why might DHCP Option 82 be necessary? (Select ALL that apply)

Explanation: With the Distributed Anycast Gateway, multiple VTEPs share the same gateway IP. If this shared IP is used in the GiAddr field of relayed DHCP messages, the DHCP server's response could return to any of those VTEPs, not necessarily the one that originated the request. To ensure the response returns correctly, the GiAddr is often overridden with a unique source IP from the relaying VTEP (using `ip dhcp relay source-interface`). However, this unique IP doesn't identify the client's subnet scope. DHCP Option 82 (specifically suboptions like Circuit-ID or Link Selection) is then inserted by the relay agent to provide the necessary client location/subnet information to the DHCP server so it can select the correct IP address pool.

6. What is the primary role of the MAC mobility sequence number in BGP EVPN Route Type 2 messages?

Explanation: When an endpoint (VM) moves from one VTEP to another, both the old and new VTEPs might temporarily advertise reachability. The MAC mobility sequence number, carried in the BGP EVPN Route Type 2 extended community, is incremented by the VTEP detecting the endpoint at the new location. Remote VTEPs use the higher sequence number as a tiebreaker to determine the current, most up-to-date location of the endpoint, ensuring traffic is forwarded correctly after a move.

The Underlay Quiz

1. What is a primary reason for configuring the underlay network interfaces with a larger MTU (e.g., 9216 bytes) in a VXLAN fabric?

Explanation: VXLAN adds headers (outer MAC, IP, UDP, VXLAN) totaling about 50-54 bytes to the original Ethernet frame. To prevent fragmentation, especially if the original frames are already large (like jumbo frames up to 9000 bytes), the underlay network's physical links must be configured with an MTU large enough to handle the original frame plus the VXLAN overhead. An MTU of 9216 is common on data center switches and accommodates this.

2. When designing the IP addressing for the underlay, which of the following are recommended practices or considerations mentioned? (Select ALL that apply)

Explanation: Best practices include using stable loopback interfaces for RIDs and VTEP source IPs, and advertising these loopbacks in the underlay routing protocol. Using /31 prefixes or IP unnumbered saves IP addresses compared to /30 or larger subnets on point-to-point links. Separating the VTEP source loopback from the routing loopback offers operational benefits. RPs, if needed for multicast, are typically placed on the spines in a spine-leaf topology.

3. If OSPF is chosen as the underlay routing protocol, what interface network type is recommended for the point-to-point links between leaf and spine switches?

Explanation: The text recommends setting the OSPF network type to `point-to-point` on the leaf-spine links. This avoids the unnecessary Designated Router (DR) and Backup Designated Router (BDR) election process inherent in the default `broadcast` type for Ethernet, leading to faster adjacency formation and potentially reducing the number and complexity of Link State Advertisements (LSAs).

4. Match the Underlay Concept or Protocol with its key characteristic described in the text:

Items to Drag

Clos Topology
IP Unnumbered
Ingress Replication
Phantom RP
IS-IS Protocol

Drop Targets (Descriptions)

Conserves IP addresses by borrowing a loopback IP for physical P2P links.
Handles BUM traffic via unicast mode; source VTEP creates multiple copies.
Link-state IGP independent of IP, uses CLNS/NSAP addressing.
Multistage fabric design providing predictable latency and ECMP paths (Spine-Leaf).
RP redundancy method for PIM BiDir using longest prefix match on non-assigned IPs.

Correct Matches:

  • IP Unnumbered: Conserves IP addresses by borrowing a loopback IP for physical P2P links.
  • Ingress Replication: Handles BUM traffic via unicast mode; source VTEP creates multiple copies.
  • IS-IS Protocol: Link-state IGP independent of IP, uses CLNS/NSAP addressing.
  • Clos Topology: Multistage fabric design providing predictable latency and ECMP paths (Spine-Leaf).
  • Phantom RP: RP redundancy method for PIM BiDir using longest prefix match on non-assigned IPs.

5. If eBGP is used as the routing protocol for BOTH the underlay and the overlay (EVPN), what configuration adjustments are typically required? (Select ALL that apply)

Explanation: When using eBGP for both underlay and overlay, specific configurations are needed. The EVPN next-hop (the originating VTEP's loopback) must not be changed by the spines (`next-hop unchanged`). Spines need to reflect routes for all tenants even if they don't host those VRFs locally (`retain route-target all`). It's also common practice to have distinct BGP sessions: one for the underlay (typically between physical interface IPs) and another for the overlay EVPN address family (typically between loopback IPs using `ebgp-multihop`). OSPF settings are irrelevant if BGP is the underlay protocol.

6. Which method for handling BUM traffic in the underlay is generally considered more bandwidth-efficient, especially at scale, but requires PIM configuration?

Explanation: Multicast mode leverages the underlying network's ability to replicate packets efficiently. A single packet enters the multicast-enabled underlay from the source VTEP, and the network replicates it only where necessary along the multicast tree towards interested receivers (other VTEPs in the same VNI). In contrast, ingress replication requires the source VTEP to create and send N-1 individual unicast copies, which consumes significantly more bandwidth on the source VTEP's uplinks, especially as the number of VTEPs (N) increases. However, multicast mode requires configuring and managing a multicast protocol like PIM in the underlay.

Multitenancy Quiz

1. In a VXLAN BGP EVPN fabric, what serves as the *global* identifier for a specific Layer 2 broadcast domain, allowing VLAN IDs to be locally significant?

Explanation: VXLAN uses the 24-bit Virtual Network Identifier (VNI) in its header. For Layer 2 services, this is specifically the Layer 2 VNI (L2VNI). The L2VNI serves as the unique identifier for the broadcast domain across the entire fabric, allowing the traditional 12-bit VLAN IDs used on host-facing ports to be locally significant (i.e., the same VLAN ID can be reused on different switches or even ports if mapped to different VNIs).

2. What are the key differences between the "VLAN-oriented" and "Bridge Domain (BD)-oriented" modes for configuring Layer 2 multitenancy in VXLAN? (Select ALL that apply)

Explanation: VLAN-oriented mode directly maps a configured VLAN (and its associated hardware resources) to a VNI using `vn-segment` under the `vlan` configuration. It uses SVIs for L3 and is limited by the 4K VLAN space per switch. BD-oriented mode decouples the wire VLAN from the internal configuration; it uses `bridge-domain` constructs, with `encapsulation profile` definitions applied via service instances on interfaces to map wire encapsulations (such as a dot1q VLAN) to the VNIs associated with the bridge domain. It uses BDIs for L3 and can scale beyond 4K mappings, up to the hardware's bridge-domain limit. Both modes work with BGP EVPN.

3. For Layer 3 multitenancy in VXLAN BGP EVPN, what identifier is carried in the VXLAN header for routed traffic belonging to a specific VRF?

Explanation: While the VXLAN header has only one VNI field, its meaning depends on the traffic type. For Layer 2 (bridged) traffic within the same subnet, the L2VNI is used. For Layer 3 (routed) traffic between subnets within a VRF, the Layer 3 VNI (L3VNI or VRF VNI) associated with that specific VRF is placed in the VXLAN header's VNI field. This L3VNI provides data plane separation for routed traffic between different tenants (VRFs).

4. Match the Multitenancy Term with its primary role in VXLAN BGP EVPN:

Items to Drag

VLAN
L2VNI
VRF
L3VNI
Bridge Domain (BD)

Drop Targets (Descriptions)

Logical router instance providing L3 isolation.
Global identifier in VXLAN header for a specific L2 broadcast domain.
Local identifier (dot1q tag) on host-facing Ethernet segments.
Identifier in VXLAN header for routed traffic within a specific VRF.
Switch construct mapping local L2 segments (like VLANs) to global VNIs.

Correct Matches:

  • VRF: Logical router instance providing L3 isolation.
  • L2VNI: Global identifier in VXLAN header for a specific L2 broadcast domain.
  • VLAN: Local identifier (dot1q tag) on host-facing Ethernet segments.
  • L3VNI: Identifier in VXLAN header for routed traffic within a specific VRF.
  • Bridge Domain (BD): Switch construct mapping local L2 segments (like VLANs) to global VNIs.

5. To activate Layer 3 multitenancy for a specific VRF in VXLAN BGP EVPN, which configuration steps are generally required? (Select ALL that apply)

Explanation: Activating an L3 VRF involves defining the VRF itself with its unique L3VNI, configuring BGP to advertise routes for this VRF within the EVPN address family, associating this L3VNI with the NVE interface so the VTEP knows it's active for VXLAN, and creating a Layer 3 interface (SVI in VLAN-oriented mode, BDI in BD-oriented mode) linked to the VRF to handle routing logic. Static routes are generally not required for routes learned via BGP EVPN.

6. Compared to VRF Lite for extending Layer 3 segments between devices, what is a primary advantage of using VXLAN BGP EVPN for Layer 3 multitenancy?

Explanation: VRF Lite typically requires dedicated subinterfaces (often VLAN-based) and separate IGP/BGP peerings *for each VRF* between devices, which becomes complex and doesn't scale well. VXLAN BGP EVPN transports reachability information for multiple VRFs (using unique RDs and RTs) over a single MP-BGP session established over the common underlay network. This significantly reduces the number of interfaces and peering sessions required, making it much more scalable for Layer 3 multitenancy.

Unicast Forwarding Quiz

1. For intra-subnet (bridged) traffic in VXLAN BGP EVPN, what information is primarily used in the data plane forwarding decision at the VTEP?

Explanation: Intra-subnet traffic forwarding is a Layer 2 bridging operation. In VXLAN, this uses the MAC address table. The lookup key includes the scope, which is the Layer 2 VNI (L2VNI) identifying the broadcast domain, and the destination MAC address of the target endpoint. The result points either to a local interface or the remote VTEP's IP address if the MAC is remote.

2. When Symmetric IRB is used for inter-subnet (routed) traffic between VTEPs, which statements are true? (Select ALL that apply)

Explanation: Symmetric IRB involves bridging from the host to the ingress VTEP, routing into the VRF (using the L3VNI for encapsulation), routing again at the egress VTEP within the same VRF, and finally bridging to the destination host. This constitutes a bridge-route-route-bridge flow. The L3VNI identifies the VRF context for the encapsulated packet between VTEPs. MAC addresses are rewritten during routing operations; the inner SMAC becomes the ingress VTEP's Router MAC (RMAC), and the inner DMAC becomes the egress VTEP's RMAC (learned via BGP EVPN extended community). ARP suppression is an optimization, not a requirement for symmetric IRB.

3. How does the network handle traffic destined for a "silent endpoint" (an endpoint whose MAC/IP is not yet learned via BGP EVPN) in a routed scenario?

Explanation: When a specific host route (/32 or /128) isn't known, the routing lookup hits the next longest match, which is typically the subnet route (/24 or similar) advertised via EVPN Route Type 5. This route points towards the VTEP(s) where the subnet exists. The traffic is encapsulated using the L3VNI and sent to one of these VTEPs (based on underlay ECMP). Upon arrival and decapsulation, the receiving VTEP again hits the local subnet route, which triggers a glean adjacency, causing it to send an ARP request into the associated L2VNI/VLAN to discover the specific silent host's MAC address.

4. Match the Forwarding Scenario or Concept with its description:

Items to Drag

L2GW Forwarding
L3GW Forwarding
Early ARP Termination
Anycast VTEP
Silent Host Discovery

Drop Targets (Descriptions)

Ingress VTEP responds to ARP request locally using known EVPN data (ARP Suppression).
Inter-subnet routing using L3VNI and Symmetric IRB.
Shared VTEP IP (VIP) representing a vPC pair in the VXLAN fabric.
Using subnet routes to trigger ARP requests for unknown destinations.
Intra-subnet bridging using L2VNI and MAC address tables.

Correct Matches:

  • Early ARP Termination: Ingress VTEP responds to ARP request locally using known EVPN data (ARP Suppression).
  • L3GW Forwarding: Inter-subnet routing using L3VNI and Symmetric IRB.
  • Anycast VTEP: Shared VTEP IP (VIP) representing a vPC pair in the VXLAN fabric.
  • Silent Host Discovery: Using subnet routes to trigger ARP requests for unknown destinations.
  • L2GW Forwarding: Intra-subnet bridging using L2VNI and MAC address tables.

5. When forwarding traffic *to* an endpoint connected via vPC (represented by an Anycast VTEP IP), how does the underlay handle path selection? (Select ALL that apply)

Explanation: Both physical VTEPs in a vPC pair advertise reachability to the shared Anycast VTEP IP (VIP) into the underlay routing protocol. When remote VTEPs send traffic to this VIP, the underlay network's ECMP mechanism hashes the packet based on its outer headers and selects one of the available paths, leading to either of the physical VTEPs. Thus, the traffic can land on either peer. If the destination is an orphan host connected to only one peer, and the traffic lands on the other peer, the packet must be forwarded across the vPC Peer Link to reach the correct switch and the orphan port.

6. How is endpoint discovery and reachability handled for IPv6 endpoints in a VXLAN BGP EVPN fabric compared to IPv4?

Explanation: The core concepts of VXLAN BGP EVPN apply to both IPv4 and IPv6. The primary difference in endpoint discovery is the use of IPv6 Neighbor Discovery (ND, specifically Neighbor Solicitation/Advertisement) instead of ARP for resolving IP-to-MAC bindings. Once learned, this IPv6 address and MAC information is populated and distributed using the same BGP EVPN Route Type 2 messages as IPv4, just with larger address fields. The underlay is currently IPv4, and L3VNIs apply equally to IPv6 VRFs.

Multicast Forwarding Quiz

1. In early VXLAN implementations without specific IGMP snooping enhancements, how was Layer 2 multicast traffic typically handled within an L2VNI?

Explanation: The text states that initially, Layer 2 multicast traffic in VXLAN was handled the same way as broadcast and unknown unicast (BUM) traffic. This meant it was essentially flooded across the network to all VTEPs where the corresponding L2VNI was configured, regardless of whether there were interested receivers behind those remote VTEPs.

2. What are the key aspects of the IGMP snooping enhancements for VXLAN described in the text? (Select ALL that apply)

Explanation: The enhancements allow IGMP snooping to work more effectively with VXLAN. Instead of unconditionally adding the VTEP interface to the multicast OIF list for an L2VNI, the enhancements make this addition conditional. An IGMP join received from a remote host (forwarded over VXLAN) triggers the VTEP connected to the source to start sending the multicast data stream over VXLAN. This prevents sending multicast data over the fabric when there are no interested remote receivers, optimizing bandwidth usage. Receivers still need to send IGMP joins.

3. In a vPC domain within a VXLAN fabric, what is the role of the Designated Forwarder (DF)?

Explanation: To avoid duplication of BUM and multicast traffic originating from behind a vPC domain, one of the vPC peers is elected as the Designated Forwarder (DF). The DF is responsible for encapsulating this traffic and sending it into the VXLAN overlay towards the underlay network (using the appropriate underlay multicast group or ingress replication list). Often, the DF also handles decapsulation for traffic arriving from the overlay.

4. Match the Multicast Forwarding Term/Concept with its description:

Items to Drag

Layer 2 Multicast
Underlay Multicast Group
VXLAN IGMP Snooping Enhancements
vPC Designated Forwarder (DF)
External PIM Router

Drop Targets (Descriptions)

IP Multicast address mapped to an L2VNI for BUM transport in multicast mode.
Elected vPC peer responsible for encapsulating BUM/multicast into VXLAN.
Multicast traffic between source and receivers in the same L2VNI/broadcast domain.
Used in centralized L3 multicast designs; attached to fabric, handles PIM routing.
Prevents flooding overlay multicast data if no remote receivers signal interest.

Correct Matches:

  • Underlay Multicast Group: IP Multicast address mapped to an L2VNI for BUM transport in multicast mode.
  • vPC Designated Forwarder (DF): Elected vPC peer responsible for encapsulating BUM/multicast into VXLAN.
  • Layer 2 Multicast: Multicast traffic between source and receivers in the same L2VNI/broadcast domain.
  • External PIM Router: Used in centralized L3 multicast designs; attached to fabric, handles PIM routing.
  • VXLAN IGMP Snooping Enhancements: Prevents flooding overlay multicast data if no remote receivers signal interest.

5. How is Layer 2 multicast traffic handled for an orphan endpoint (connected to only one vPC peer, say VTEP V2) when the *other* peer (VTEP V1) is the Designated Forwarder (DF)? (Select ALL that apply)

Explanation: When the non-DF peer (VTEP V2) receives multicast traffic from a connected orphan host, it cannot encapsulate it itself. It must forward the traffic across the vPC peer link to the DF (VTEP V1), which then encapsulates and sends it into the overlay. Conversely, when multicast traffic for the orphan arrives from the overlay, it's decapsulated by the DF (VTEP V1). Since the destination is connected to VTEP V2, the decapsulated traffic must then be forwarded across the vPC peer link from VTEP V1 to VTEP V2 to reach the orphan endpoint.

6. According to the text, what is the described approach for handling Layer 3 multicast (routed multicast) in current VXLAN BGP EVPN deployments?

Explanation: The text explicitly describes the current approach for tenant-routed multicast (Layer 3 multicast) as a centralized design. This involves connecting external PIM routers to the fabric. Multicast traffic has its VXLAN header removed at the border, and the external router handles PIM peering and routing, extending Layer 2 multicast domains to these external routers where necessary. A fully distributed model is mentioned as a future enhancement.

External Connectivity Quiz

1. What is the primary role of a "border node" in a VXLAN BGP EVPN fabric?

Explanation: The border node serves as the interconnection point between the VXLAN BGP EVPN fabric and external networks (like WAN, Internet, Campus). It handles North-South traffic, acting as a gateway where VXLAN encapsulation/decapsulation occurs for this traffic. Generic leaf switches handle East-West traffic and connect endpoints.

2. Which characteristics are associated with placing the border node functionality on the *spine* (Border Spine)? (Select ALL that apply)

Explanation: A Border Spine acts as a VTEP for North-South traffic, placing external networks one hop from the leafs. It also continues its role as an underlay transit device for East-West traffic. This concentration of roles (potentially including RR/RP) means capacity planning is critical. It does *not* add an extra hop for North-South traffic compared to a Border Leaf; rather, the Border Leaf design adds a hop (Leaf -> Spine -> Border Leaf).

3. Which Layer 3 external connectivity option is described as the simplest but potentially least scalable due to requiring per-VRF interfaces and routing peers?

Explanation: VRF Lite (also called Inter-AS Option A) provides Layer 3 handoff by creating separate Layer 3 interfaces (often subinterfaces with unique VLAN tags) and separate routing protocol peerings for *each* VRF between the border node and the external router. While simple conceptually, this per-VRF configuration becomes cumbersome and doesn't scale well as the number of VRFs increases.

4. Match the External Connectivity Concept with its description:

Items to Drag

Border Leaf
LISP
BorderPE
VRF Lite
Downstream VNI

Drop Targets (Descriptions)

Uses Endpoint IDs (EID) and Routing Locators (RLOC) with a mapping system; pull-based.
L3 handoff using per-VRF interfaces (e.g., subinterfaces) and routing peers.
Egress VTEP dictates the VNI used by ingress VTEP for VRF route leaking.
External connectivity placed on dedicated leaf switches; separates N/S & E/W roles.
Border node acting as MPLS L3VPN Provider Edge; re-originates EVPN routes into VPNv4/v6.

Correct Matches:

  • LISP: Uses Endpoint IDs (EID) and Routing Locators (RLOC) with a mapping system; pull-based.
  • VRF Lite: L3 handoff using per-VRF interfaces (e.g., subinterfaces) and routing peers.
  • Downstream VNI: Egress VTEP dictates the VNI used by ingress VTEP for VRF route leaking.
  • Border Leaf: External connectivity placed on dedicated leaf switches; separates N/S & E/W roles.
  • BorderPE: Border node acting as MPLS L3VPN Provider Edge; re-originates EVPN routes into VPNv4/v6.

5. For Layer 2 external connectivity from a VXLAN BGP EVPN fabric, what considerations or recommendations are mentioned? (Select ALL that apply)

Explanation: For reliable Layer 2 external connectivity, dual-homing/multihoming using vPC (or potentially EVPN multihoming) is recommended over single attachments. VXLAN does *not* natively transport STP BPDUs, so connecting directly to an external STP domain without care can cause loops; vPC helps create a logically loop-free topology at the border. Standard Layer 2 protection mechanisms should be applied to the external-facing Ethernet ports for stability.
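An added example (not part of the original page) of the border-side Layer 2 handoff described above: a vPC port-channel from a pair of border leafs toward an external switch domain, with the protections a practitioner would put on the external-facing ports. Interface numbers, VLANs, addresses and the vPC domain ID are assumptions. The same interface configuration is applied on both vPC peers; only the peer-keepalive addresses differ.

```text
! Both border leafs (hypothetical addresses); the peer-link and keepalive make the pair one logical switch
feature vpc
feature lacp

vpc domain 10
  peer-keepalive destination 10.0.0.2 source 10.0.0.1
  peer-gateway

interface port-channel1
  description vPC peer-link
  switchport
  switchport mode trunk
  vpc peer-link

! Logically loop-free dual attachment toward the external Layer 2 domain
interface port-channel10
  description L2 handoff to external switch domain
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  ! The fabric does not carry BPDUs across VXLAN; keep the STP root decision on the fabric side
  ! and refuse superior BPDUs arriving from the external domain
  spanning-tree guard root
  ! Flooded frames entering here are replicated to every VTEP in the VNI; rate-limit them at the edge
  storm-control broadcast level 1.00
  storm-control multicast level 1.00
  storm-control unicast level 5.00
  vpc 10

interface Ethernet1/47
  description member of vPC 10 toward external switch
  switchport
  channel-group 10 mode active
  no shutdown
```

The allowed-VLAN list is deliberately explicit: each VLAN trunked here is mapped to an L2VNI and therefore to every VTEP in the fabric, so a trunk that carries all VLANs by default extends the external domain's broadcast and failure scope much further than intended. Storm-control thresholds are placeholders to be tuned to the actual traffic profile.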

6. What is a key characteristic of the "downstream VNI assignment" method for VRF route leaking compared to the basic local/distributed leaking?

Explanation: In standard VRF route leaking within EVPN, the ingress VTEP encapsulates using the VNI of the *source* VRF, requiring the destination VRF (and its VNI) to also be configured on the egress VTEP for local leaking after decapsulation. With downstream VNI assignment, the egress VTEP advertises the route along with *its own* local VNI for that VRF in the BGP EVPN update. The ingress VTEP uses this advertised VNI (the downstream VNI) for encapsulation, ensuring the packet arrives at the egress VTEP already in the correct VNI context for the destination VRF.

Multi-Pod/Multifabric/DCI Quiz

1. According to the text, what is a primary difference between OTV and early VXLAN implementations regarding endpoint learning?

Explanation: The text explicitly contrasts OTV and early VXLAN by stating that OTV included an integrated control protocol (based on IS-IS extensions) to exchange peer and Layer 2 address information, thus avoiding flood-and-learn. Early VXLAN, on the other hand, was primarily defined with a MAC-in-IP/UDP data plane and used Flood and Learn (F&L) semantics for endpoint discovery. BGP EVPN was later added as a control plane for VXLAN.

2. What are the key characteristics of a Multi-pod VXLAN BGP EVPN deployment as described in the chapter? (Select ALL that apply)

Explanation: Multi-pod designs extend the spine-leaf topology, often using super-spines to interconnect different pods (groups of spines and leafs). Crucially, it forms a single end-to-end VXLAN data plane, meaning VXLAN tunnels extend between leafs regardless of which pod they are in. This allows seamless VM mobility across pods. While control plane aspects (like underlay routing areas or BGP AS numbers) might differ between pods, the shared data plane means failure propagation (like an overlay broadcast storm) is still a concern, unlike in a true multifabric design.

3. What is the primary advantage of a Multifabric design compared to a Multi-pod design for Data Center Interconnect (DCI)?

Explanation: The key differentiator of a multifabric design is the complete separation of control planes (underlay and overlay) and data planes between the distinct fabrics. VXLAN tunnels terminate at the border of each fabric. This provides strong failure containment (e.g., an overlay storm in one fabric doesn't propagate) and allows independent administration and numbering schemes (VNIs, multicast groups, etc.) within each fabric. Multi-pod, in contrast, shares a single data plane.

4. Match the DCI or Fabric Interconnection Concept with its description:

Items to Drag

OTV
Multi-pod
Interfabric Option 2
Interfabric Option 3
Interfabric Option 4

Drop Targets (Descriptions)

Single end-to-end data plane; uses hierarchical spines (e.g., super-spine).
Multifabric L3 DCI using integrated handoff (e.g., MPLS L3VPN, LISP).
Transport-agnostic L2 DCI solution with integrated control plane (IS-IS based).
Multifabric L2 DCI using integrated handoff (e.g., OTV, EVPN-to-EVPN stitching).
Multifabric DCI requiring VXLAN termination and classic Ethernet/VRF Lite handoff.

Correct Matches:

  • Multi-pod: Single end-to-end data plane; uses hierarchical spines (e.g., super-spine).
  • Interfabric Option 3: Multifabric L3 DCI using integrated handoff (e.g., MPLS L3VPN, LISP).
  • OTV: Transport-agnostic L2 DCI solution with integrated control plane (IS-IS based).
  • Interfabric Option 4: Multifabric L2 DCI using integrated handoff (e.g., OTV, EVPN-to-EVPN stitching).
  • Interfabric Option 2: Multifabric DCI requiring VXLAN termination and classic Ethernet/VRF Lite handoff.

5. When interconnecting multiple VXLAN fabrics using "Interfabric Option 2" (classic Ethernet/VRF Lite handoff), what typically occurs at the border node? (Select ALL that apply)

Explanation: Interfabric Option 2 relies on terminating the VXLAN overlay at the border node of each fabric. The border node then "normalizes" the traffic onto classic Ethernet using VLAN tags for segmentation. For Layer 3, VRF Lite principles apply, mapping VRFs to VLANs (often via subinterfaces) and establishing per-VRF routing adjacencies (like eBGP) to exchange prefixes. For Layer 2, L2VNIs are mapped to traditional VLANs carried over trunk ports across the DCI link. This option does *not* use integrated L3VPN/LISP/OTV handoffs (that's Options 3 & 4).

6. Why might interconnecting pods directly back-to-back at the spine layer be less desirable than using a super-spine layer, especially if more than two pods are involved?

Explanation: While direct spine-to-spine connections work for two pods, adding a third or subsequent pod requires connecting the new pod's spines to the existing spines. Maintaining full mesh connectivity between all spines across all pods becomes increasingly complex and requires significant cabling and configuration ("becomes cumbersome"). A super-spine layer provides a structured, hierarchical interconnection point, simplifying the topology as the number of pods grows.

L4-7 Services Integration Quiz

1. What are the two primary modes in which a firewall can be deployed within a network, as described in the chapter?

Explanation: The text explicitly discusses two main deployment modes for firewalls: Routing (Layer 3) mode, where the firewall acts as a router participating in IP routing, and Bridging/Transparent (Layer 2) mode, where the firewall acts like a "bump on the wire" between two Layer 2 segments without participating in routing.

2. When deploying an intra-tenant (East-West) firewall in a VXLAN BGP EVPN fabric that uses the Distributed IP Anycast Gateway, why can't simple destination-based routing be used to force traffic between subnets *within the same VRF* through the firewall? (Select ALL that apply)

Explanation: With the distributed gateway, routing happens at the ingress leaf. BGP EVPN advertises specific host routes (/32 or /128). When routing between subnets in the same VRF, the lookup for the destination IP hits this specific host route, which points directly to the egress leaf where the host is attached. This optimal path bypasses any intermediate service node like an intra-tenant firewall, even if the firewall advertises the broader subnet route. Policy-Based Routing (PBR) or deploying the firewall as the actual default gateway (sacrificing the distributed gateway for those segments) are needed to override this behavior.

3. What is the primary purpose of using Policy-Based Routing (PBR) for intra-tenant firewall insertion in a fabric with a distributed gateway?

Explanation: As explained in the text, standard destination routing bypasses an intra-tenant firewall when using a distributed gateway because the host route points directly to the egress VTEP. PBR allows the network administrator to define policies (based on source/destination IP, ports, etc.) that explicitly redirect matching traffic to a specific next-hop (the firewall's IP address, reachable via VXLAN), thus overriding the default routing behavior and forcing inspection.
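The PBR insertion described above, as an added NX-OS configuration example that is not from the original page. Subnets, VLANs, VRF name and the firewall address are assumptions. Because the distributed anycast gateway means routing happens at whichever leaf the source is attached to, the same policy must be present on every leaf that hosts these SVIs, and because the firewall is stateful it must see both directions: the redirect is applied on the SVI of each subnet, not just one, otherwise the return traffic takes the host route straight to the egress leaf and the firewall drops the half-open session.

```text
feature pbr

! Intra-tenant traffic between two subnets of Tenant-A that must be inspected (both directions)
ip access-list WEB-TO-DB
  10 permit ip 10.1.10.0/24 10.1.20.0/24
ip access-list DB-TO-WEB
  10 permit ip 10.1.20.0/24 10.1.10.0/24

! The next hop is the firewall's inside address (hypothetical), learned via BGP EVPN
! and reachable through the VXLAN overlay from any leaf
route-map TO-FW-FROM-WEB permit 10
  match ip address WEB-TO-DB
  set ip next-hop 10.1.99.10
route-map TO-FW-FROM-DB permit 10
  match ip address DB-TO-WEB
  set ip next-hop 10.1.99.10

! Distributed anycast gateway SVIs; the policy is evaluated on the ingress leaf before the
! normal host-route lookup, which is what overrides the direct leaf-to-leaf path
interface Vlan10
  vrf member Tenant-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map TO-FW-FROM-WEB
  no shutdown

interface Vlan20
  vrf member Tenant-A
  ip address 10.1.20.1/24
  fabric forwarding mode anycast-gateway
  ip policy route-map TO-FW-FROM-DB
  no shutdown
```

The firewall's own segment (here 10.1.99.0/24) carries no policy, so traffic leaving the firewall after inspection is routed normally to its destination. One caveat for a security control: plain PBR fails open, because a packet whose policy next hop is unreachable falls back to ordinary destination routing and bypasses the firewall entirely. Check what your NX-OS release offers for tracking the next hop or dropping on failure before relying on this for enforcement rather than convenience.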

4. Match the L4-7 Service Concept or Deployment Mode with its description:

Items to Drag

Routed Mode Firewall
Transparent Mode Firewall
Tenant-Edge Firewall
One-Armed Source-NAT LB
Service Chaining

Drop Targets (Descriptions)

Acts like a Layer 2 bridge ("bump on the wire"), doesn't participate in routing.
Load balancer connected via single link; uses its own IP for server-side connections.
Participates in IP routing, can act as default gateway or peer with routers.
Sequentially directing traffic through multiple service nodes (e.g., firewall then LB).
Secures traffic entering or leaving a specific tenant/VRF boundary.

Correct Matches:

  • Transparent Mode Firewall: Acts like a Layer 2 bridge ("bump on the wire"), doesn't participate in routing.
  • One-Armed Source-NAT LB: Load balancer connected via single link; uses its own IP for server-side connections.
  • Routed Mode Firewall: Participates in IP routing, can act as default gateway or peer with routers.
  • Service Chaining: Sequentially directing traffic through multiple service nodes (e.g., firewall then LB).
  • Tenant-Edge Firewall: Secures traffic entering or leaving a specific tenant/VRF boundary.

5. Why is Source NAT (SNAT) often used when deploying a load balancer in one-armed mode? (Select ALL that apply)

Explanation: In one-armed mode, the load balancer isn't the default gateway for the servers. Without SNAT, servers would see the original client IP and try to reply directly, bypassing the load balancer on the return path. This breaks stateful load balancing. By applying SNAT, the load balancer replaces the client's source IP with one of its own IPs when sending traffic to the server. The server then replies to the load balancer's IP, ensuring the return traffic goes through the load balancer, which can then reverse the NAT and send the reply to the original client. This inherently hides the client IP from the server.

6. When using static routing to direct traffic to a firewall HA pair attached to different VTEPs, what problem can occur during a failover if not handled correctly?

Explanation: If a static route points to the firewall's IP, and that IP moves to a new VTEP during failover, the original VTEP learns that the firewall's IP is now reachable via BGP EVPN (advertised from the new VTEP). Since the next-hop IP of the static route is still considered reachable (via BGP now, rather than locally via HMM/ARP), the static route itself may remain active on the original VTEP. Traffic then continues to be sent to the original VTEP first and from there across the fabric to the new VTEP, resulting in suboptimal forwarding. Tracking the static route against HMM (the Host Mobility Manager, the NX-OS component that learns locally attached hosts), so that the route is active only on the VTEP where the firewall is actually present, or configuring static routes only on remote leafs can mitigate this.
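An added example (not from the original page) of the HMM-tracked static route described above, on the leaf where the firewall HA pair's active member is attached. The VRF, firewall address and AS number are assumptions. The track object is true only while the firewall's address is learned as a locally attached host; a BGP EVPN route from another VTEP does not satisfy it, so when the active firewall moves, the default route is withdrawn here and re-originated by the new leaf.

```text
! Track object (hypothetical numbers): up only while 10.1.99.10 is a locally learned host
! in Tenant-A, not when it is merely reachable via an EVPN route from another VTEP
track 10 ip route 10.1.99.10/32 reachability hmm
  vrf member Tenant-A

! Tenant default route toward the firewall; withdrawn automatically when the track object goes down
vrf context Tenant-A
  ip route 0.0.0.0/0 10.1.99.10 track 10

! Redistribute only that default into BGP so remote leafs learn it via EVPN
! from the one VTEP where the firewall is currently active
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
route-map STATIC-TO-BGP permit 10
  match ip address prefix-list DEFAULT-ONLY
router bgp 65001
  vrf Tenant-A
    address-family ipv4 unicast
      redistribute static route-map STATIC-TO-BGP
      advertise l2vpn evpn
```

The same block is configured on every leaf that can host a member of the HA pair; only the leaf whose track object is up actually installs and advertises the route, which is what keeps the fabric from forwarding through a VTEP the firewall has already left.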

Fabric Management Quiz

1. Which Cisco NX-OS feature enables unattended switch configuration and consistent software deployment for Day-0 operations in a VXLAN fabric?

Explanation: The text explicitly identifies Power On Auto Provisioning (POAP) as the NX-OS feature enabling Day-0 automation. POAP allows switches to boot without a configuration, use DHCP to obtain an address and the location of a POAP script (Python or Tcl), and then run that script to download their specific configuration and, if needed, a software image, ensuring consistency across the fabric. Because the switch acts on whatever the DHCP and script servers hand it, the provisioning network those servers live on should be isolated from untrusted traffic.

2. What are the key differences or characteristics distinguishing the "in-band" and "out-of-band" methods for POAP? (Select ALL that apply)

Explanation: Out-of-band POAP utilizes the `mgmt0` interface, offering independent boot order but potentially lower bandwidth. In-band POAP uses the regular data ports (front-panel), potentially offering higher bandwidth but introducing dependencies (e.g., needing a DHCP relay on already-booted switches and a potential boot order). Both methods can download configurations and software images as instructed by the POAP script.

3. Which Cisco management tool is described as providing a turnkey solution with an embedded capability (Auto Fabric Provisioning - AFP) to push necessary Day-0 and Day-1 configurations, primarily for Nexus 9000 series switches?

Explanation: The text specifically mentions Nexus Fabric Manager (NFM) as providing a turnkey solution with Auto Fabric Provisioning (AFP) for deploying VXLAN BGP EVPN networks via a point-and-click interface. It also notes that NFM primarily manages Nexus 9000 series switches at the time of writing. DCNM is presented as broader, supporting various Nexus platforms and technologies, while VTS focuses mainly on overlay provisioning.

4. Match the Fabric Management Operation/Concept with its primary focus:

Items to Drag

Day-0 Operations
Day-1 Operations
Day-2 Operations
VXLAN OAM (NGOAM)
VM Tracker

Drop Targets (Descriptions)

Provisioning Layer 2/Layer 3 overlay services (VNIs, VRFs, etc.).
Feature enabling switch interaction with VMM for event-driven configuration.
Initial fabric bring-up, cabling validation, base configuration via POAP.
Tools like ping/traceroute nve for overlay path visibility & troubleshooting.
Ongoing monitoring, visibility, health checks, inventory management.

Correct Matches:

  • Day-1 Operations: Provisioning Layer 2/Layer 3 overlay services (VNIs, VRFs, etc.).
  • VM Tracker: Feature enabling switch interaction with VMM for event-driven configuration.
  • Day-0 Operations: Initial fabric bring-up, cabling validation, base configuration via POAP.
  • VXLAN OAM (NGOAM): Tools like ping/traceroute nve for overlay path visibility & troubleshooting.
  • Day-2 Operations: Ongoing monitoring, visibility, health checks, inventory management.

5. What capabilities does the VXLAN OAM (NGOAM) framework provide for troubleshooting and visibility, according to the chapter? (Select ALL that apply)

Explanation: The text describes VXLAN OAM (NGOAM) tools like `ping nve` to check overlay reachability, `traceroute nve` to identify the underlay hops for a specific overlay flow, and `pathtrace nve` to get detailed hop-by-hop interface statistics along the path. It also highlights the ability of these tools (specifically `ping nve` in the example) to determine the calculated UDP source port used for ECMP hashing based on the inner payload details provided. OAM focuses on visibility and troubleshooting, not automatic reconfiguration.

6. What is the primary difference between the "push" and "pull" models for Day-1 overlay service provisioning?

Explanation: The text defines the push model as a central entity (like a controller or manager) sending configuration snippets (configlets) directly to the network devices. The pull model involves the network device itself detecting an event (like a new endpoint via VM Tracker) and then requesting or "pulling" the necessary configuration from a central repository or controller. DCNM is mentioned as supporting both models.