Configuring Ethernet Switch Ports

This chapter contains the following sections:

Configuring VLANs

A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the physical locations of the users. VLANs have the same attributes as physical LANs, but you can group end stations even if they are not physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded only to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.


Note


There is no support for jumbo frames on L2 interfaces.

The following is an example of a VLAN configuration:

IR1800#show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Ge0/1/0, Ge0/1/1, Ge0/1/2, Ge0/1/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 
 
VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   
 
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

IR1800#

You can assign a given port to a VLAN by following these steps:

interface GigabitEthernet0/1/0
switchport access vlan 4

interface vlan 4
ip address ...
ipv6 address autoconf

VLAN Trunking Protocol (VTP)

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

Before you create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches. VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain. It does not work well in a situation where multiple updates to the VLAN database occur simultaneously on switches in the same domain, which would result in an inconsistency in the VLAN database.

Further information about configuring VTP can be found here: http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/geshwic_cfg.html#wp1046901

Configuring 802.1x Authentication

IEEE 802.1x port-based authentication defines a client-server-based access control and authentication protocol to prevent unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a switch port before allowing access to any switch or LAN services. Until the client is authenticated, IEEE 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication, normal traffic passes through the port.

With IEEE 802.1x authentication, the devices in the network have specific roles:

  • Supplicant—Device (workstation) that requests access to the LAN and switch services and responds to requests from the router. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The supplicant is sometimes called the client.)

  • Authentication server—Device that performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the router whether or not the supplicant is authorized to access the LAN and switch services. The Network Access Device transparently passes the authentication messages between the supplicant and the authentication server, and the authentication process is carried out between the supplicant and the authentication server. The particular EAP method used will be decided between the supplicant and the authentication server (RADIUS server). The RADIUS security system with EAP extensions is available in Cisco Secure Access Control Server Version 3.0 or later. RADIUS operates in a client and server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

  • Authenticator—Router that controls the physical access to the network based on the authentication status of the supplicant. The router acts as an intermediary between the supplicant and the authentication server, requesting identity information from the supplicant, verifying that information with the authentication server, and relaying a response to the supplicant. The router includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.

For detailed information on how to configure 802.1x port-based authentication, see the following link:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/config-ieee-802x-pba.html

Example: Enabling IEEE 802.1x and AAA on a Switch Port

This example shows how to configure an IR1800 router as an 802.1x authenticator:

Router> enable
Router# configure terminal
Router(config)# dot1x system-auth-control
Router(config)# aaa new-model
Router(config)# aaa authentication dot1x default group radius
Router(config)# interface GigabitEthernet 0/1/0
Router(config-if)# switchport mode access
Router(config-if)# access-session port-control auto
Router(config-if)# dot1x pae authenticator
Router(config-if)# access-session closed
Router(config-if)# access-session host-mode single-host
Router(config-if)# end
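
An added example, not part of the Cisco documentation: a Python check that reads a saved running-config and reports access ports that lack any of the 802.1x lines applied in the example above. The sample configuration is constructed, and treating every enabled `switchport mode access` port as in scope is an assumption.

```python
import re

# Lines applied by the page's 802.1x example; everything else here is assumed.
REQUIRED_GLOBAL = (
    "dot1x system-auth-control",
    "aaa new-model",
    "aaa authentication dot1x default group radius",
)
REQUIRED_PORT = (
    "access-session port-control auto",
    "dot1x pae authenticator",
    "access-session closed",
    "access-session host-mode single-host",
)

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface GigabitEthernet0/1/0
 switchport mode access
 access-session host-mode single-host
 access-session closed
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/1/1
 switchport mode access
 access-session port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet0/1/2
 switchport mode trunk
!
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line == "!":
            continue                          # separators carry no settings
        if not raw[0].isspace():              # top-level command
            match = re.match(r"interface (.+)", line)
            if match:
                # "GigabitEthernet 0/1/0" and "GigabitEthernet0/1/0" are the same port
                current = match.group(1).replace(" ", "")
                interfaces[current] = []
            else:
                current = None
                global_lines.append(line)
        elif current is not None:             # sub-command of an interface
            interfaces[current].append(line)
    return global_lines, interfaces


def audit_dot1x(text):
    """List (scope, missing_line) pairs for the global config and access ports."""
    global_lines, interfaces = parse_config(text)
    findings = [("global", req) for req in REQUIRED_GLOBAL
                if req not in global_lines]
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines or "shutdown" in lines:
            continue  # trunks, routed ports and disabled ports are out of scope
        findings += [(name, req) for req in REQUIRED_PORT if req not in lines]
    return findings


if __name__ == "__main__":
    for scope, missing in audit_dot1x(SAMPLE_CONFIG):
        print(f"{scope}: missing '{missing}'")
```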

Configuring Spanning Tree Protocol

Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer 2 Ethernet network to function properly, only one active path can exist between any two stations. Multiple active paths among end stations cause loops in the network. If a loop exists in the network, end stations might receive duplicate messages. Switches might also learn end-station MAC addresses on multiple Layer 2 interfaces. These conditions result in an unstable network. Spanning-tree operation is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.

The STP uses a spanning-tree algorithm to select one switch of a redundantly connected network as the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network by assigning a role to each port based on the role of the port in the active topology:

  • Root—A forwarding port elected for the spanning-tree topology

  • Designated—A forwarding port elected for every switched LAN segment

  • Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree

  • Backup—A blocked port in a loopback configuration

The switch that has all of its ports as the designated role or as the backup role is the root switch. The switch that has at least one of its ports in the designated role is called the designated switch. Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-free path. BPDUs contain information about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.

When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.

For detailed configuration information on STP, see the following link:

http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/NIM/software/configuration/guide/4_8PortGENIM.html#pgfId-1079138


Important


If the router is factory-defaulted, write erased, or config-reset, the VLAN database gets deleted. Even though the configuration takes effect, interfaces need to be removed and re-applied.

Example: Spanning Tree Protocol Configuration

The following example shows configuring spanning-tree port priority of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses the port priority when selecting an interface to put in the forwarding state.

Router# configure terminal 
Router(config)# interface GigabitEthernet 0/1/0
Router(config-if)# spanning-tree vlan 1 port-priority 64 
Router(config-if)# end 

The following example shows how to change the spanning-tree port cost of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding state.

Router# configure terminal
Router(config)# interface GigabitEthernet 0/1/0
Router(config-if)# spanning-tree cost 18 
Router(config-if)# end 

The following example shows configuring the bridge priority of VLAN 10 to 33792:

Router# configure terminal 
Router(config)# spanning-tree vlan 10 priority 33792 
Router(config)# end 

The following example shows configuring the hello time for VLAN 10 to 7 seconds. The hello time is the interval between the generation of configuration messages by the root switch.

Router# configure terminal 
Router(config)# spanning-tree vlan 10 hello-time 7
Router(config)# end

The following example shows configuring forward delay time. The forward delay is the number of seconds an interface waits before changing from its spanning-tree learning and listening states to the forwarding state.

Router# configure terminal 
Router(config)# spanning-tree vlan 10 forward-time 21 
Router(config)# end

The following example shows configuring maximum age interval for the spanning tree. The maximum-aging time is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.

Router# configure terminal 
Router(config)# spanning-tree vlan 20 max-age 36 
Router(config)# end 

The following example shows the switch being configured as the root bridge for VLAN 10, with a network diameter of 4.

Router# configure terminal 
Router(config)# spanning-tree vlan 10 root primary diameter 4 
Router(config)# exit

Configuring MAC Address Table Manipulation

The MAC address table contains address information that the switch uses to forward traffic between ports. All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses:

  • Dynamic address: a source MAC address that the switch learns and then drops when it is not in use. You can use the aging time setting to define how long the switch retains unseen addresses in the table.

  • Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.

The address table lists the destination MAC address, the associated VLAN ID, and port associated with the address and the type (static or dynamic).

Port security is supported, as are sticky MAC addresses.

See “Example: MAC Address Table Manipulation” for sample configurations for enabling a secure MAC address, creating a static entry, setting the maximum number of secure MAC addresses, and setting the aging time.

For detailed configuration information on MAC address table manipulation, see the following link:

http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/geshwic_cfg.html#wp1048223

Example: MAC Address Table Manipulation

The following example shows creating a static entry in the MAC address table.

Router# configure terminal
Router(config)# mac address-table static 0002.0003.0004 interface GigabitEthernet 0/1/0 vlan 3
Router(config)# end

The following example shows setting the aging timer.

Router# configure terminal
Router(config)# mac address-table aging-time 300
Router(config)# end

Configuring Switch Port Analyzer

The Cisco IR1800 supports local SPAN only, and up to one SPAN session. You can analyze network traffic passing through ports by using SPAN to send a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports to a destination port for analysis. SPAN does not affect the switching of network traffic on the source ports. You must dedicate the destination port for SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forward traffic.

Only traffic that enters or leaves source ports or traffic that enters or leaves source can be monitored by using SPAN; traffic routed to a source cannot be monitored. For example, if incoming traffic is being monitored, traffic that gets routed from another source cannot be monitored; however, traffic that is received on the source and routed to another can be monitored.

For detailed information on how to configure a switched port analyzer (SPAN) session, see the following web link:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swspan.html

Example: SPAN Configuration

The following example shows how to configure a SPAN session to monitor bidirectional traffic from a Gigabit Ethernet source interface:

Router# configure terminal 
Router(config)# monitor session 1 source interface GigabitEthernet 0/1/0
Router(config)# end

The following example shows how to configure a Gigabit Ethernet interface as the destination for a SPAN session:

Router# configure terminal
Router(config)# monitor session 1 destination interface GigabitEthernet 0/1/0
Router(config)# end

The following example shows how to remove a Gigabit Ethernet interface as a SPAN source for SPAN session 1:

Router# configure terminal
Router(config)# no monitor session 1 source interface GigabitEthernet 0/1/0
Router(config)# end

Show Monitor Example

Router(config)#monitor session 1 source interface gi0/1/0
Router(config)#monitor session 1 destination interface gi0/1/1
Router#sh monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi0/1/0
Destination Ports : Gi0/1/1

Example of ERSPAN

Router#show monitor session 1
Session 1
---------
Type                     : ERSPAN Source Session
Status                   : Admin Disabled
Source Ports             : 
    RX Only              : Gi0/0/0
Destination IP Address   : 172.5.5.200
MTU                      : 1464
Destination ERSPAN ID    : 100
Origin IP Address        : 172.5.6.2
IPv6 DSCP                : 0
IPV6 TTL                 : 0
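
An added example, not part of the Cisco documentation: because a SPAN or ERSPAN session copies traffic off the monitored ports, this Python parser reads `show monitor session` output in the two layouts shown above and lists sessions whose destination is not on an approved list. The sample text is constructed from the outputs above (the ERSPAN session renumbered to 2), and the approved list is an assumption.

```python
import re

# Source-direction labels as they appear in the outputs on this page.
DIRECTIONS = {"both", "rx only", "tx only"}

# Constructed sample: the two outputs from the page, ERSPAN renumbered to 2.
SAMPLE_OUTPUT = """\
Router#sh monitor session 1
Session 1
---------
Type : Local Session
Source Ports :
Both : Gi0/1/0
Destination Ports : Gi0/1/1

Session 2
---------
Type                     : ERSPAN Source Session
Status                   : Admin Disabled
Source Ports             :
    RX Only              : Gi0/0/0
Destination IP Address   : 172.5.5.200
MTU                      : 1464
Destination ERSPAN ID    : 100
Origin IP Address        : 172.5.6.2
"""


def parse_monitor_sessions(output):
    """Parse 'show monitor session' text into a list of session dicts."""
    sessions, cur = [], None
    for raw in output.splitlines():
        line = raw.strip()
        header = re.match(r"Session\s+(\d+)$", line)
        if header:
            cur = {"id": int(header.group(1)), "type": None, "status": None,
                   "sources": [], "destination": None}
            sessions.append(cur)
            continue
        if cur is None or ":" not in line:
            continue                      # prompts, rulers, blank lines
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "type":
            cur["type"] = value
        elif key == "status":
            cur["status"] = value
        elif key in DIRECTIONS and value:
            # One line may list several ports separated by commas.
            cur["sources"] += [(p.strip(), key) for p in value.split(",")]
        elif key in ("destination ports", "destination ip address"):
            cur["destination"] = value
    return sessions


def unapproved_sessions(sessions, approved_destinations):
    """Return sessions whose destination is not in the approved set."""
    return [s for s in sessions
            if s["destination"] not in approved_destinations]


if __name__ == "__main__":
    approved = {"Gi0/1/1"}               # assumed: the analyzer port
    for s in unapproved_sessions(parse_monitor_sessions(SAMPLE_OUTPUT), approved):
        print(f"session {s['id']} ({s['type']}, status={s['status']}) "
              f"mirrors {s['sources']} to {s['destination']}")
```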

Configuring IGMP Snooping

IGMP snooping constrains the flooding of multicast traffic by dynamically configuring Layer 2 interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices. As the name implies, IGMP snooping requires the LAN switch to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports. When the switch receives an IGMP report from a host for a particular multicast group, the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the table entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.

The multicast router sends out periodic general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry.

Use the ip igmp snooping enable command to configure IGMP Snooping on the IR1800.

By default, IGMP snooping is globally enabled in the IR1800.

MLD snooping is also supported on the IR1800, and further information can be found in this documentation set: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/16-1/configuration_guide/b_161_consolidated_3850_cg/b_161_consolidated_3850_cg_chapter_01100.html

Configuring EVPN VXLAN VLAN-Aware Service

A VLAN-Aware EVPN instance (EVI) allows multiple subnets (L2VNI) to be mapped to a single EVI. When this feature is configured, the MAC-VRF is identified by the combination of the route-target and the ethernet-tag. The EVPN routes that require the identification of a specific bridge-table within a MAC-VRF will advertise these routes with the Ethernet Tag field set to a value that allows such identification. This feature enhances the router's inter-operability.

There are two methods to configure VLAN-Aware:

  1. Profile based configuration

  2. Manual configuration

Guidelines and Limitations

  • You may configure either the Profile based configuration, or Manual Configuration method on an EVI. Both methods cannot be used to configure VLAN-aware on the same EVI on the device.

  • This feature is supported only on Layer 2. IRB and L3 are not supported.

Profile based Configuration of EVPN VXLAN VLAN-Aware Service

Configure EVPN VXLAN VLAN-Aware instance

Follow this procedure to configure a VLAN-aware EVPN instance (EVI):

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Router#configure terminal

Enters Global Configuration Mode

Step 2

l2vpn evpn profile <profile-name> <service-type>

Example:
Router(config)#l2vpn evpn profile evpn_va vlan-aware

Configures an EVPN Vxlan Vlan-Aware profile.

Step 3

evi-id <id>

Example:
Router(config-evpn-prof)#evi-id 1

Configures the EVPN Instance (EVI) id.

Step 4

ethernet-tag [auto-vni|auto-vlan]

Example:
Router(config-evpn-prof)#ethernet-tag auto-vlan

Enables the autogeneration of the Ethernet-Tag based on the L2VNI or on the VLAN value. The default is auto-vni.

Step 5

(Optional) l2vni-base <l2vni-base>

Example:
Router(config-evpn-prof)#l2vni-base 50000 

(Optional) Configures the L2 Virtual Network Identifier (VNI) base id.

Step 6

(Optional) replication-type {ingress|static {[ipv4_mcast_addr|ipv4_mcast_prefix]

Example:
Router(config-evpn-prof)#replication-type ingress

(Optional) Configures the replication-type.

Step 7

(Optional) encapsulation vxlan

Example:
Router(config-evpn-prof)#encapsulation vxlan

(Optional) Configures the encapsulation type.

Step 8

(Optional) default-gateway advertise {enable|disable}

Example:
Router(config)#default-gateway advertise enable

(Optional) Enable or Disable default gateway advertising.

Step 9

(Optional) multicast advertise enable

Example:
Router(config)#multicast advertise enable

(Optional) Enable or Disable multicast advertising.

Step 10

(Optional) ip local-learning {enable|disable}

Example:
Router(config)#ip local-learning enable

(Optional) Enable or Disable IP based local learning.

Step 11

(Optional) flooding-suppression address-resolution {enable|disable}

Example:
Router(config)#flooding-suppression address-resolution enable

(Optional) Enable or Disable flooding suppression based address resolution.

Step 12

(Optional) re-originate route-type5

Example:
Router(config)#re-originate route-type5

(Optional) Enable re-origination of type 5 routes.

Apply the configuration on a Bridge-Domain

Follow the procedure to apply the configuration on a bridge-domain on your device:

Procedure
  Command or Action Purpose

Step 1

bridge-domain <id>

Example:
Router(config)#bridge-domain 12

Applies the configuration to the specified bridge domain.

Step 2

member Vlan12 service-instance 12

Example:
Router(config-bdomain)#member Vlan12 service-instance 12

Specifies the service instance for the VLAN member.

Step 3

member evpn-instance profile <va-profile-name>

Example:
Router(config-bdomain)#member evpn-instance profile evpn_va

Add an EVI member to the bridge-domain.

Manual configuration of EVPN VXLAN VLAN-Aware Service

To manually configure EVPN VXLAN VLAN-Aware service on your device, complete these tasks:

Static Configuration of VXLAN VLAN-Aware EVPN Instance

Follow the procedure for static configuration of the EVPN instance:

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Router#configure terminal

Enters Global Configuration Mode

Step 2

l2vpn evpn instance 1 vlan-aware

Example:
Router(config)#l2vpn evpn instance 1 vlan-aware

Configures a VLAN-Aware EVPN instance.

Step 3

encapsulation vxlan

Example:
Router(config-evpn-evi)#encapsulation vxlan

Configures the encapsulation type to VXLAN.

Example
l2vpn evpn instance 1 vlan-aware
 encapsulation vxlan
!

Applying Configuration on the Bridge Domain

Follow the procedure to apply the configuration on the bridge domain:

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Router#configure terminal

Enters Global Configuration Mode

Step 2

bridge-domain 12

Example:
Router(config)#bridge-domain 12

Specifies the bridge domain for the configuration to be applied to.

Step 3

member Vlan12 service-instance 12

Example:
Router(config-bdomain)#member Vlan12 service-instance 12

Specifies the service instance for the VLAN member.

Step 4

member evpn-instance 1 vni <vni> ethernet-tag <etag>

Example:
Router(config-bdomain)#member evpn-instance 1 vni 30012 ethernet-tag 20012

Configure a VLAN-aware EVI member under the bridge-domain

Example
bridge-domain 12 
 member Vlan12 service-instance 12
 member evpn-instance 1 vni 30012 ethernet-tag 20012

Configure Ingress Replication for EVPN VXLAN VLAN-Aware

Follow this procedure to configure Ingress Replication for EVPN VXLAN VLAN-Aware:

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Router#configure terminal

Enters Global Configuration Mode

Step 2

l2vpn evpn instance 1 vlan-aware

Example:
Router(config)#l2vpn evpn instance 1 vlan-aware

Configure a VLAN-Aware EVPN instance

Step 3

replication-type ingress

Example:
Router(config-evpn-evi)#replication-type ingress

Configures the replication type to ingress replication.

Step 4

interface nve1

Example:
Router(config)#interface nve1

Configures the NVE interface and enters the interface configuration mode.

Step 5

no ip address

Example:
Router(config-if)#no ip address

Disables IP processing on the interface.

Step 6

source-interface Loopback0

Example:
Router(config-if)#source-interface Loopback0

Specifies the source loopback for the interface.

Step 7

host-reachability protocol bgp

Example:
Router(config-if)#host-reachability protocol bgp

Specifies the BGP protocol for host reachability.

Step 8

member vni 30000 ingress-replication

Example:
Router(config-if)#member vni 30000 ingress-replication

Configures the L2VNI member with ingress replication.

Example
l2vpn evpn instance 1 vlan-aware
 encapsulation vxlan
 replication-type ingress
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 30000 ingress-replication
 member vni 30012 ingress-replication
!

Configure Static Replication for VLAN-Aware

Follow this procedure to configure Static Replication for VLAN-Aware:

Procedure
  Command or Action Purpose

Step 1

configure terminal

Example:
Router#configure terminal

Enters Global Configuration Mode

Step 2

l2vpn evpn instance 1 vlan-aware

Example:
Router(config)#l2vpn evpn instance 1 vlan-aware

Enables VLAN-Aware on the specified EVPN instance.

Step 3

replication-type static

Example:
Router(config-evpn-evi)#replication-type static

Configures the replication type to static replication.

Step 4

interface nve1

Example:
Router(config)#interface nve1

Configures the interface and enters the interface configuration mode.

Step 5

no ip address

Example:
Router(config-if)#no ip address

Disables IP processing on the interface.

Step 6

source-interface Loopback0

Example:
Router(config-if)#source-interface Loopback0

Specifies the source loopback for the interface.

Step 7

host-reachability protocol bgp

Example:
Router(config-if)#host-reachability protocol bgp

Specifies the BGP protocol for host reachability.

Step 8

member vni 30000 mcast-group 209.165.1.1

Example:
Router(config-if)#member vni 30000 mcast-group 209.165.1.1 

Configures the VNI member and Multicast group

Step 9

member vni 30012 mcast-group 209.165.1.1

Example:
Router(config-if)#member vni 30012 mcast-group 209.165.1.1 

Configures the VNI member and Multicast group

Example
l2vpn evpn instance 1 vlan-aware
 encapsulation vxlan
 replication-type static
!
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 30000 mcast-group 209.165.1.1
 member vni 30012 mcast-group 209.165.1.1
!

Configuration Example

Here is an example of configuring the VLAN aware feature over VXLAN EVPN in a network topology with three routers (R1, R2, and R3) as the VTEPs (Virtual Tunnel Endpoint), connected to three switchports (SW1, SW2, and SW3) which are connected to the host, while one router (R4) acts as the spine as shown in the figure.

Figure 1. Configuration example of 4 router topology

Here is the running configuration for Router 1 (R1)

l2vpn evpn
 replication-type ingress
!
l2vpn evpn profile evpn_va vlan-aware
 evi-id 3
 l2vni-base 50000
 ethernet-tag auto-vni
!
bridge-domain 12 
 member Vlan12 service-instance 12
 member evpn-instance profile evpn_va
!
bridge-domain 22 
 member Vlan22 service-instance 22
 member evpn-instance profile evpn_va

interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 10.10.10.2 255.255.255.0
!
!
interface FastEthernet0/0/1
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface Vlan12
 no ip address
 service instance 12 ethernet
  encapsulation dot1q 12
 !
!
interface Vlan22
 no ip address
 service instance 22 ethernet
  encapsulation dot1q 22
 !
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 30000 ingress-replication
!
router ospf 1
 router-id 192.0.2.1
 network 10.10.10.0 0.0.0.255 area 0
 network 192.0.2.1 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 neighbor 192.0.2.4 remote-as 1
 neighbor 192.0.2.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
!

Here is the running configuration for Router 2 (R2)

l2vpn evpn
 replication-type ingress
!
l2vpn evpn profile evpn_va vlan-aware
 evi-id 3
 l2vni-base 50000
 ethernet-tag auto-vni
!
bridge-domain 12 
 member Vlan12 service-instance 12
 member evpn-instance profile evpn_va
!
bridge-domain 22 
 member Vlan22 service-instance 22
 member evpn-instance profile evpn_va
!
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 10.10.20.2 255.255.255.0
!
interface GigabitEthernet0/1/3
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface Vlan12
 no ip address
 service instance 12 ethernet
  encapsulation dot1q 12
 !
!
interface Vlan22
 no ip address
 service instance 22 ethernet
  encapsulation dot1q 22
 !
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 30000 ingress-replication
!
router ospf 1
 router-id 192.0.2.2
 network 10.10.20.0 0.0.0.255 area 0
 network 192.0.2.2 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 192.0.2.2
 bgp log-neighbor-changes
 neighbor 192.0.2.4 remote-as 1
 neighbor 192.0.2.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
!

Here is the running configuration for Router 3 (R3)

l2vpn evpn
 replication-type ingress
!
l2vpn evpn profile evpn_va vlan-aware
 evi-id 3
 l2vni-base 50000
 ethernet-tag auto-vni
!
bridge-domain 12 
 member Vlan12 service-instance 12
 member evpn-instance profile evpn_va
!
bridge-domain 22 
 member Vlan22 service-instance 22
 member evpn-instance profile evpn_va

interface Loopback0
 ip address 192.0.2.3 255.255.255.255
!
interface GigabitEthernet0/0/1
 ip address 10.10.30.2 255.255.255.0
!
interface GigabitEthernet0/1/2
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface Vlan12
 no ip address
 service instance 12 ethernet
  encapsulation dot1q 12
 !
!
interface Vlan22
 no ip address
 service instance 22 ethernet
  encapsulation dot1q 22
 !
interface nve1
 no ip address
 source-interface Loopback0
 host-reachability protocol bgp
 member vni 30000 ingress-replication
!
router ospf 1
 router-id 192.0.2.3
 network 10.10.30.0 0.0.0.255 area 0
 network 192.0.2.3 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 192.0.2.3
 bgp log-neighbor-changes
 neighbor 192.0.2.4 remote-as 1
 neighbor 192.0.2.4 update-source Loopback0
 !
 address-family ipv4
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
 !
 address-family l2vpn evpn
  neighbor 192.0.2.4 activate
  neighbor 192.0.2.4 send-community both
 exit-address-family
!

Here is the running configuration for the Router 4 (R4) which is acting as the spine.

interface Loopback0
 ip address 192.0.2.4 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address 10.10.10.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 10.10.20.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0/0/2
 ip address 10.10.30.1 255.255.255.0
 negotiation auto
!
router ospf 1
 router-id 192.0.2.4
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
 network 192.0.2.4 0.0.0.0 area 0
!
router bgp 1
 bgp router-id 192.0.2.4
 bgp log-neighbor-changes
 neighbor 192.0.2.1 remote-as 1
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 1
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 192.0.2.3 remote-as 1
 neighbor 192.0.2.3 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 192.0.2.1 activate
  neighbor 192.0.2.1 send-community both
  neighbor 192.0.2.1 route-reflector-client
  neighbor 192.0.2.2 activate
  neighbor 192.0.2.2 send-community both
  neighbor 192.0.2.2 route-reflector-client
  neighbor 192.0.2.3 activate
  neighbor 192.0.2.3 send-community both
 exit-address-family
!

Here is the running configuration for the switch ports on SW1, which is connected to Router R1.

interface GigabitEthernet1/4
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface GigabitEthernet1/7
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!

Here is the running configuration for the switch ports on SW2, which is connected to Router R2.

interface GigabitEthernet1/4
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface GigabitEthernet1/7
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!

Here is the running configuration for the switch ports on SW3, which is connected to Router R3.

 switchport trunk allowed vlan 12,22
 switchport mode trunk
!
interface GigabitEthernet1/7
 switchport trunk allowed vlan 12,22
 switchport mode trunk
!

Verify Configuration of EVPN VXLAN VLAN-Aware Service

Verify the configuration on the router R1

Use the show l2vpn evpn evi 3 detail command to verify the configuration of the EVI and bridge-domain, and to ensure the ethernet-tag value is configured.

Router1#show l2vpn evpn evi 3 detail
EVPN instance:       3 (VLAN Aware)
  Profile:           evpn_va
  RD:                10.10.10.2:32770 (auto)
  Import-RTs:        1:3 
  Export-RTs:        1:3 
  Per-EVI Label:     none
  State:             Established
  Replication Type:  Ingress (profile)
  Encapsulation:     vxlan (profile)
  IP Local Learn:    Enabled (global)
  Adv. Def. Gateway: Disabled (global)
  Re-originate RT5:  Disabled (profile)
  AR Flood Suppress: Enabled (global)
  Bridge Domain:     12
    Ethernet-Tag:    50012
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50012
    L3 VNI:          0
    VTEP IP:         192.0.2.1
    Pseudoports:
      Vlan12 service instance 12
        Routes: 0 MAC, 0 MAC/IP
    Peers:
      192.0.2.2
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.3
        Routes: 1 MAC, 0 MAC/IP, 1 IMET, 0 EAD
  Bridge Domain:     22
    Ethernet-Tag:    50022
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50022
    L3 VNI:          0
    VTEP IP:         192.0.2.1
    Pseudoports:
      Vlan22 service instance 22
        Routes: 0 MAC, 0 MAC/IP
    Peers:
      192.0.2.2
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.3
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD

Use the show l2route evpn imet command to verify the IMET routes.

Router1#show l2route evpn imet
EVI       ETAG   Prod                          Router IP Addr  Type    Label                               Tunnel ID Multicast Proxy
----- ---------- ------ --------------------------------------- ----- -------- --------------------------------------- ---------------
    3      50012    BGP                              10.10.20.2     6    50012                               192.0.2.2              No
    3      50012    BGP                              10.10.30.2     6    50012                               192.0.2.3              No
    3      50012  L2VPN                              10.10.10.2     6    50012                               192.0.2.1              No
    3      50022    BGP                              10.10.20.2     6    50022                               192.0.2.2              No
    3      50022    BGP                              10.10.30.2     6    50022                               192.0.2.3              No
    3      50022  L2VPN                              10.10.10.2     6    50022                               192.0.2.1              No

Use the show ip bgp l2vpn evpn all command to verify the configuration.

Router1#show ip bgp l2vpn evpn all
BGP table version is 31, local router ID is 192.0.2.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 192.0.2.1:32770
 *>   [2][192.0.2.1:32770][50012][48][000011000001][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.1:32770][50012][48][000012000001][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.1:32770][50012][48][000013000001][0][*]/20
                      192.0.2.2            0    100      0 ?
 *>i  [2][192.0.2.1:32770][50012][48][04BD9708512B][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>   [2][192.0.2.1:32770][50022][48][000011000002][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.1:32770][50022][48][000012000002][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.1:32770][50022][48][000013000002][0][*]/20
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [2][192.0.2.2:32770][50012][48][000013000001][0][*]/20
                      192.0.2.2            0    100      0 ?
 *>i  [2][192.0.2.2:32770][50022][48][000013000002][0][*]/20
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [2][192.0.2.3:32770][50012][48][000012000001][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.3:32770][50012][48][04BD9708512B][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.3:32770][50022][48][000012000002][0][*]/20
                      192.0.2.3            0    100      0 ?
Route Distinguisher: 192.0.2.1:32770
 *>   [3][192.0.2.1:32770][50012][32][192.0.2.1]/17
                      0.0.0.0                            32768 ?
 *>i  [3][192.0.2.1:32770][50012][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>i  [3][192.0.2.1:32770][50012][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
 *>   [3][192.0.2.1:32770][50022][32][192.0.2.1]/17
                      0.0.0.0                            32768 ?
 *>i  [3][192.0.2.1:32770][50022][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>i  [3][192.0.2.1:32770][50022][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [3][192.0.2.2:32770][50012][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>i  [3][192.0.2.2:32770][50022][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [3][192.0.2.3:32770][50012][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
 *>i  [3][192.0.2.3:32770][50022][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?

Use the show nve peers command to verify the configuration.

Router1#show nve peers 
'M' - MAC entry download flag  'A' - Adjacency download flag
'4' - IPv4 flag  '6' - IPv6 flag

Interface  VNI      Type Peer-IP          RMAC/Num_RTs   eVNI     state flags UP time
nve1       50012    L2CP 192.0.2.2    1              50012      UP   N/A  00:38:47
nve1       50012    L2CP 192.0.2.3    1              50012      UP   N/A  00:38:47
nve1       50022    L2CP 192.0.2.2    1              50022      UP   N/A  00:38:47
nve1       50022    L2CP 192.0.2.3    1              50022      UP   N/A  00:38:47

Use the show l2vpn evpn mac command to verify the configuration.

Router1#show l2vpn evpn mac
MAC Address    EVI   BD    ESI                      Ether Tag  Next Hop(s)
-------------- ----- ----- ------------------------ ---------- ---------------
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.2
04bd.9708.512b 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.3
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.2

Verify the configuration on the router R2

Use the show l2vpn evpn evi 3 detail command to verify the configuration of the EVI and bridge-domain, and to ensure the ethernet-tag value is configured.

Router2#show l2vpn evpn evi 3 detail
 
EVPN instance:       3 (VLAN Aware)
  Profile:           evpn_va
  RD:                10.10.20.2:32770 (auto)
  Import-RTs:        1:3 
  Export-RTs:        1:3 
  Per-EVI Label:     none
  State:             Established
  Replication Type:  Ingress (profile)
  Encapsulation:     vxlan (profile)
  IP Local Learn:    Enabled (global)
  Adv. Def. Gateway: Disabled (global)
  Re-originate RT5:  Disabled (profile)
  AR Flood Suppress: Enabled (global)
  Bridge Domain:     12
    Ethernet-Tag:    50012
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50012
    L3 VNI:          0
    VTEP IP:         192.0.2.2
    Pseudoports:
      Vlan12 service instance 12
        Routes: 0 MAC, 0 MAC/IP
    Peers:
      192.0.2.1
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.3
        Routes: 1 MAC, 0 MAC/IP, 1 IMET, 0 EAD
  Bridge Domain:     22
    Ethernet-Tag:    50022
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50022
    L3 VNI:          0
    VTEP IP:         192.0.2.2
    Pseudoports:
      Vlan22 service instance 22
        Routes: 0 MAC, 0 MAC/IP
    Peers:
      192.0.2.1
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.3
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD

Use the show l2route evpn imet command to verify the IMET routes.

Router2#show l2route evpn imet
 EVI       ETAG   Prod                          Router IP Addr  Type    Label                               Tunnel ID Multicast Proxy
----- ---------- ------ --------------------------------------- ----- -------- --------------------------------------- ---------------
    3      50012    BGP                              10.10.10.2     6    50012                               192.0.2.1              No
    3      50012    BGP                              10.10.30.2     6    50012                               192.0.2.3              No
    3      50012  L2VPN                              10.10.20.2     6    50012                               192.0.2.2              No
    3      50022    BGP                              10.10.10.2     6    50022                               192.0.2.1              No
    3      50022    BGP                              10.10.30.2     6    50022                               192.0.2.3              No
    3      50022  L2VPN                              10.10.20.2     6    50022                               192.0.2.2              No

Use the show ip bgp l2vpn evpn all command to verify the configuration.

Router2#sh ip bgp l2vpn evpn all
BGP table version is 27, local router ID is 192.0.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 192.0.2.1:32770
 *>i  [2][192.0.2.1:32770][50012][48][000011000001][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>i  [2][192.0.2.1:32770][50022][48][000011000002][0][*]/20
                      192.0.2.1            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [2][192.0.2.2:32770][50012][48][000011000001][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>i  [2][192.0.2.2:32770][50012][48][000012000001][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>   [2][192.0.2.2:32770][50012][48][000013000001][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.2:32770][50012][48][04BD9708512B][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.2:32770][50022][48][000011000002][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>i  [2][192.0.2.2:32770][50022][48][000012000002][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>   [2][192.0.2.2:32770][50022][48][000013000002][0][*]/20
                      0.0.0.0                            32768 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [2][192.0.2.3:32770][50012][48][000012000001][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.3:32770][50012][48][04BD9708512B][0][*]/20
                      192.0.2.3            0    100      0 ?
 *>i  [2][192.0.2.3:32770][50022][48][000012000002][0][*]/20
                      192.0.2.3            0    100      0 ?
Route Distinguisher: 192.0.2.1:32770
 *>i  [3][192.0.2.1:32770][50012][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>i  [3][192.0.2.1:32770][50022][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [3][192.0.2.2:32770][50012][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>   [3][192.0.2.2:32770][50012][32][192.0.2.2]/17
                      0.0.0.0                            32768 ?
 *>i  [3][192.0.2.2:32770][50012][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
 *>i  [3][192.0.2.2:32770][50022][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>   [3][192.0.2.2:32770][50022][32][192.0.2.2]/17
                      0.0.0.0                            32768 ?
 *>i  [3][192.0.2.2:32770][50022][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [3][192.0.2.3:32770][50012][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?
 *>i  [3][192.0.2.3:32770][50022][32][192.0.2.3]/17
                      192.0.2.3            0    100      0 ?

Use the show nve peers command to verify the configuration.

Router2#show nve peers 
'M' - MAC entry download flag  'A' - Adjacency download flag
'4' - IPv4 flag  '6' - IPv6 flag

Interface  VNI      Type Peer-IP          RMAC/Num_RTs   eVNI     state flags UP time
nve1       50012    L2CP 192.0.2.1    2              50012      UP   N/A  00:05:28
nve1       50012    L2CP 192.0.2.3    3              50012      UP   N/A  00:05:28
nve1       50022    L2CP 192.0.2.1    2              50022      UP   N/A  00:05:28
nve1       50022    L2CP 192.0.2.3    2              50022      UP   N/A  00:05:28

Use the show l2vpn evpn mac command to verify the configuration.

Router2#show l2vpn evpn mac
MAC Address    EVI   BD    ESI                      Ether Tag  Next Hop(s)
-------------- ----- ----- ------------------------ ---------- ---------------
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.1
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
04bd.9708.512b 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.1
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.3
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22

Verify the configuration on the router R3

Use the show l2vpn evpn evi 3 detail command to verify the configuration of the EVI and bridge-domain, and to ensure the ethernet-tag value is configured.

Router3#show l2vpn evpn evi 3 detail
EVPN instance:       3 (VLAN Aware)
  Profile:           evpn_va
  RD:                10.10.30.2:32770 (auto)
  Import-RTs:        1:3 
  Export-RTs:        1:3 
  Per-EVI Label:     none
  State:             Established
  Replication Type:  Ingress (profile)
  Encapsulation:     vxlan (profile)
  IP Local Learn:    Enabled (global)
  Adv. Def. Gateway: Disabled (global)
  Re-originate RT5:  Disabled (profile)
  AR Flood Suppress: Enabled (global)
  Bridge Domain:     12
    Ethernet-Tag:    50012
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50012
    L3 VNI:          0
    VTEP IP:         192.0.2.3
    Pseudoports:
      Vlan12 service instance 12
        Routes: 1 MAC, 0 MAC/IP
    Peers:
      192.0.2.1
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.2
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
  Bridge Domain:     22
    Ethernet-Tag:    50022
    State:           Established
    Flood Suppress:  Attached
    Core If:         
    Access If:       
    NVE If:          nve1
    RMAC:            0000.0000.0000
    Core BD:         0
    L2 VNI:          50022
    L3 VNI:          0
    VTEP IP:         192.0.2.3
    Pseudoports:
      Vlan22 service instance 22
        Routes: 0 MAC, 0 MAC/IP
    Peers:
      192.0.2.1
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD
      192.0.2.2
        Routes: 0 MAC, 0 MAC/IP, 1 IMET, 0 EAD

Use the show l2route evpn imet command to verify the IMET routes.

Router3#show l2route evpn imet
  EVI       ETAG   Prod                          Router IP Addr  Type    Label                               Tunnel ID Multicast Proxy
----- ---------- ------ --------------------------------------- ----- -------- --------------------------------------- ---------------
    3      50012    BGP                              10.10.10.2     6    50012                               192.0.2.1              No
    3      50012    BGP                              10.10.20.2     6    50012                               192.0.2.2              No
    3      50012  L2VPN                              10.10.30.2     6    50012                               192.0.2.3              No
    3      50022    BGP                              10.10.10.2     6    50022                               192.0.2.1              No
    3      50022    BGP                              10.10.20.2     6    50022                               192.0.2.2              No
    3      50022  L2VPN                              10.10.30.2     6    50022                               192.0.2.3              No

Use the show ip bgp l2vpn evpn all command to verify the configuration.

Router3# sh ip bgp l2vpn evpn all
BGP table version is 30, local router ID is 192.0.2.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
              t secondary path, L long-lived-stale,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 192.0.2.1:32770
 *>i  [2][192.0.2.1:32770][50012][48][000011000001][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>i  [2][192.0.2.1:32770][50022][48][000011000002][0][*]/20
                      192.0.2.1            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [2][192.0.2.2:32770][50012][48][000013000001][0][*]/20
                      192.0.2.2            0    100      0 ?
 *>i  [2][192.0.2.2:32770][50022][48][000013000002][0][*]/20
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [2][192.0.2.3:32770][50012][48][000011000001][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>   [2][192.0.2.3:32770][50012][48][000012000001][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.3:32770][50012][48][000013000001][0][*]/20
                      192.0.2.2            0    100      0 ?
 *>   [2][192.0.2.3:32770][50012][48][04BD9708512B][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.3:32770][50022][48][000011000002][0][*]/20
                      192.0.2.1            0    100      0 ?
 *>   [2][192.0.2.3:32770][50022][48][000012000002][0][*]/20
                      0.0.0.0                            32768 ?
 *>i  [2][192.0.2.3:32770][50022][48][000013000002][0][*]/20
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.1:32770
 *>i  [3][192.0.2.1:32770][50012][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>i  [3][192.0.2.1:32770][50022][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
Route Distinguisher: 192.0.2.2:32770
 *>i  [3][192.0.2.2:32770][50012][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>i  [3][192.0.2.2:32770][50022][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
Route Distinguisher: 192.0.2.3:32770
 *>i  [3][192.0.2.3:32770][50012][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>i  [3][192.0.2.3:32770][50012][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>   [3][192.0.2.3:32770][50012][32][192.0.2.3]/17
                      0.0.0.0                            32768 ?
 *>i  [3][192.0.2.3:32770][50022][32][192.0.2.1]/17
                      192.0.2.1            0    100      0 ?
 *>i  [3][192.0.2.3:32770][50022][32][192.0.2.2]/17
                      192.0.2.2            0    100      0 ?
 *>   [3][192.0.2.3:32770][50022][32][192.0.2.3]/17
                      0.0.0.0                            32768 ?

Use the show nve peers command to verify the configuration.

Router3#show nve peers 
'M' - MAC entry download flag  'A' - Adjacency download flag
'4' - IPv4 flag  '6' - IPv6 flag

Interface  VNI      Type Peer-IP          RMAC/Num_RTs   eVNI     state flags UP time
nve1       50012    L2CP 192.0.2.1    2              50012      UP   N/A  00:07:48
nve1       50012    L2CP 192.0.2.2    2              50012      UP   N/A  00:05:23
nve1       50022    L2CP 192.0.2.1    2              50022      UP   N/A  00:07:48
nve1       50022    L2CP 192.0.2.2    2              50022      UP   N/A  00:05:23 

Use the show l2vpn evpn mac command to verify the configuration.

Router3# show l2vpn evpn mac
MAC Address    EVI   BD    ESI                      Ether Tag  Next Hop(s)
-------------- ----- ----- ------------------------ ---------- ---------------
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.1
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.2
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.1
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.2
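
The following Python check is an added example, not part of the original documentation. It cross-checks the three show l2vpn evpn mac tables above: every MAC that a VTEP reaches through a remote next hop should be locally learned on that VTEP, and no MAC should be local on two VTEPs at once. The VTEP addresses and table rows are copied from the outputs on this page; the function names and finding labels are assumptions of this example.

```python
import re

# VTEP IP -> rows of `show l2vpn evpn mac` copied from the R1, R2 and R3 outputs on this page.
TABLES = {
    "192.0.2.1": """
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.2
04bd.9708.512b 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.3
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.2
""",
    "192.0.2.2": """
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.1
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
04bd.9708.512b 3     12    0000.0000.0000.0000.0000 50012      192.0.2.3
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.1
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.3
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22
""",
    "192.0.2.3": """
0000.1100.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.1
0000.1200.0001 3     12    0000.0000.0000.0000.0000 50012      Vl12:12
0000.1300.0001 3     12    0000.0000.0000.0000.0000 50012      192.0.2.2
0000.1100.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.1
0000.1200.0002 3     22    0000.0000.0000.0000.0000 50022      Vl22:22
0000.1300.0002 3     22    0000.0000.0000.0000.0000 50022      192.0.2.2
""",
}

# Columns: MAC, EVI, BD, ESI, Ether Tag, Next Hop. Assumes one next hop per row, as in the outputs above.
ROW = re.compile(
    r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {(mac, ether_tag): next_hop}; header and separator lines do not match ROW."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            mac, _evi, _bd, _esi, etag, next_hop = m.groups()
            entries[(mac.lower(), int(etag))] = next_hop
    return entries

def is_local(next_hop):
    # Local entries point at a pseudoport such as Vl12:12; remote entries point at a VTEP IP.
    return re.fullmatch(r"\d+\.\d+\.\d+\.\d+", next_hop) is None

def audit(tables):
    """Return a list of (finding, mac, ether_tag, detail) tuples; empty means consistent."""
    parsed = {vtep: parse_mac_table(text) for vtep, text in tables.items()}
    owners = {}  # (mac, ether_tag) -> VTEPs that learned it locally
    for vtep, entries in parsed.items():
        for key, next_hop in entries.items():
            if is_local(next_hop):
                owners.setdefault(key, []).append(vtep)
    findings = []
    for (mac, etag), vteps in sorted(owners.items()):
        if len(vteps) > 1:  # same MAC local on two VTEPs in one bridge domain
            findings.append(("duplicate-local", mac, etag, tuple(sorted(vteps))))
    for vtep, entries in sorted(parsed.items()):
        for (mac, etag), next_hop in sorted(entries.items()):
            if is_local(next_hop):
                continue
            if next_hop not in parsed:  # next hop is not one of the audited VTEPs
                findings.append(("unknown-vtep", mac, etag, (vtep, next_hop)))
            elif next_hop not in owners.get((mac, etag), []):
                findings.append(("not-local-on-owner", mac, etag, (vtep, next_hop)))
    return findings

if __name__ == "__main__":
    for finding in audit(TABLES):
        print(finding)
```

Run against the tables above, it reports that R1 and R2 both reach 04bd.9708.512b through 192.0.2.3 while the R3 table has no local entry for that MAC.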