The following guidelines and limitations apply to VXLAN/VTEP:
For more information, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 7.x.
When SVI is enabled on a VTEP (flood and learn, or EVPN) regardless of ARP suppression, make sure that ARP-ETHER TCAM is carved using the hardware access-list tcam region arp-ether 256 double-wide command. This is not applicable to the Cisco Nexus 9200 and 9300-EX platform switches and Cisco Nexus 9500 platform switches with 9700-EX line cards.
Beginning with Cisco NX-OS Release 7.0(3)F3(3), VXLAN Layer 2 Gateway is supported only on the 9636C-RX line card. VXLAN and MPLS cannot be enabled on the Cisco Nexus 9508 switch at the same time.
Beginning with Cisco NX-OS Release 7.0(3)F3(3), if VXLAN is enabled, the Layer 2 Gateway cannot be enabled when there is any line card other than the 9636C-RX.
Cisco Nexus 3500 Series switches do not support VXLAN BGP EVPN on Cisco NX-OS Release 7.0(3)I7(2) and the previous releases.
Beginning with Cisco NX-OS Release 7.0(3)I6(1), you can configure EVPN over segment routing or MPLS. See the Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 7.x for more information.
Beginning with Cisco NX-OS Release 7.0(3)I6(1), you can use MPLS tunnel encapsulation using the new CLI encapsulation mpls command. You can configure the label allocation mode for the EVPN address family. See the Cisco Nexus 9000 Series NX-OS Label Switching Configuration Guide, Release 7.x for more information.
In a VXLAN EVPN setup that has a 2K VNI scale configuration, the control plane downtime takes more than 200 seconds. To avoid a BGP flap, configure the graceful restart time to 300 seconds.
SVI and sub-interfaces as core links are not supported in multisite EVPN.
In a VXLAN EVPN setup, border leaves must use unique route distinguishers, preferably by using the auto rd command. Using the same route distinguishers on different border leaves is not supported.
ARP suppression is only supported for a VNI if the VTEP hosts the First-Hop Gateway (Distributed Anycast Gateway) for this VNI. The VTEP and the SVI for this VLAN have to be properly configured for distributed anycast gateway operation, for example, with the global anycast gateway MAC address configured and the anycast gateway feature enabled with the virtual IP address on the SVI.
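As an added illustration (not taken from the Cisco guide), the fragment below shows one leaf VTEP that meets the prerequisites above: ARP-ETHER TCAM carving, a distributed anycast gateway SVI with ARP suppression on its VNI, automatic route distinguishers, and a 300-second BGP graceful restart time. The AS number, VLAN, VNI, addresses, MAC, loopback number and the ingress-replication choice are constructed assumptions; underlay routing and BGP neighbors are assumed to exist and are omitted.

```cisco
! Constructed values: AS 65001, VLAN 10, VNI 10010, all IP addresses, the MAC.
! TCAM carving takes effect only after the configuration is saved and the
! switch is reloaded. Not applicable to 9200, 9300-EX and 9700-EX hardware.
hardware access-list tcam region arp-ether 256 double-wide

nv overlay evpn
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay
feature fabric forwarding

! Global anycast gateway MAC: the same value on every VTEP hosting the gateway.
fabric forwarding anycast-gateway-mac 0000.2222.3333

vlan 10
  vn-segment 10010

! SVI that acts as the distributed anycast gateway (virtual IP) for VLAN 10.
interface Vlan10
  no shutdown
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway

! Loopback used only as the NVE source interface.
interface loopback1
  ip address 10.255.0.11/32

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10010
    ! Supported here because this VTEP hosts the gateway for VNI 10010.
    suppress-arp
    ingress-replication protocol bgp

router bgp 65001
  ! Longer than the 200+ seconds of control plane downtime at 2K VNI scale.
  graceful-restart restart-time 300

evpn
  vni 10010 l2
    ! Derived per switch, so border leaves do not share a route distinguisher.
    rd auto
    route-target import auto
    route-target export auto
```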
When Layer 3 EVPN is configured in Cisco Nexus 3000 Series switches that are based on Broadcom ASIC and these switches are added in the topology with Layer 2 EVPN, the routing for this scenario is not supported. When you configure SVI and Layer 3 EVPN in Cisco Nexus 3000 Series switches based on Broadcom ASIC with anycast gateway and when you send the ARP requests from a Layer 2 EVPN device (for example, Cisco Nexus 3000 Series switches based on Broadcom ASIC), the Cisco Nexus 3000 Series switches cannot be used as a gateway for the ARP requests received on the network ports.
The show commands with the internal keyword are not supported.
DHCP snooping (Dynamic Host Configuration Protocol snooping) is not supported on VXLAN VLANs.
SPAN TX for VXLAN encapsulated traffic is not supported for the Layer 3 uplink interface.
RACLs are not supported on Layer 3 uplinks for VXLAN traffic. Egress VACLs support is not available for de-capsulated packets in the network to access direction on the
As a best practice, use PACLs/VACLs for the access to the network direction.
classification is not supported for VXLAN traffic in the network to access direction on the Layer 3 uplink interface.
buffer-boost feature is not applicable for VXLAN traffic.
VTEP does not support Layer 3 subinterface uplinks that carry VxLAN encapsulated traffic.
interface uplinks that carry VxLAN encapsulated traffic do not support subinterfaces for non-VxLAN encapsulated traffic.
sub-interface VLANs cannot be shared with VxLAN VLANs.
7.0(3)I2(1) and later, subinterfaces on 40G (ALE) uplink ports are not supported on VXLAN VTEPs.
multipoint Layer 3 and SVI uplinks are not supported. Since both uplink types can only be enabled point-to-point, they cannot span across more than two
For EBGP, it is recommended to use a single overlay EBGP EVPN session between loopbacks.
Bind NVE to a loopback address that is separate from other loopback addresses that are required by Layer 3 protocols. A best practice is to use a dedicated loopback address for VXLAN.
VXLAN BGP EVPN does not support an NVE interface in a non-default VRF.
recommended to configure a single BGP session over the loopback for an overlay
The VXLAN UDP port number is used for VXLAN encapsulation. For Cisco Nexus NX-OS, the UDP port number is 4789. It complies with IETF standards and is not configurable.
7.0(3)I4(1) and later, VXLAN supports In Service Software Upgrade (ISSU).
not support co-existence with the GRE tunnel feature or the MPLS (static or segment-routing) feature on Cisco Nexus 9000 Series switches with a Network Forwarding Engine (NFE).
connected to FEX host interface ports is not supported (7.0(3)I2(1) and later).
NX-OS Release 7.0(3)I4(1), resilient hashing (port-channel load-balancing resiliency) and VXLAN configurations are not compatible with VTEPs using ALE
hashing is disabled by default.