• A loopback address is required when using the source-interface config command. The loopback address represents the local VTEP IP.

• To establish IP multicast routing in the core, IP multicast configuration, PIM configuration, and RP configuration is required.

• VTEP to VTEP unicast reachability can be configured through any IGP protocol.

• When configuring BGP-EVPN on Cisco Nexus 9300-EX switches and Cisco Nexus 9500 switches with N9K-X9732C-EX line cards, use the system routing template-vxlan-scale command. Performing this step requires a reload of the switch. This command is not applicable on Cisco Nexus 9200 switches, Cisco Nexus 9300 switches, and Cisco Nexus 9500 switches with N9K-X9564PX, N9K-X9564TX, and N9K-X9536PQ line cards.

• As a best practice when changing the IP address of a VTEP device, shut the NVE interface before changing the IP address.

• Configuring an Rendezvous Point (RP) on a leaf node is not supported. As a best practice, the RP for the multicast group should be configured only on the spine layer. Use the anycast RP for RP load balancing and redundancy.

  The following is an example of an anycast RP configuration on spines:

  ip pim rp-address 1.1.1.10 group-list 224.0.0.0/4   
  ip pim anycast-rp 1.1.1.10 1.1.1.1
  ip pim anycast-rp 1.1.1.10 1.1.1.2 
  
  

  Note	1.1.1.10 is the anycast RP IP address that is configured on all RPs participating in the anycast RP set. 1.1.1.1 is the local RP IP. 1.1.1.2 is the peer RP IP.

• Bind NVE to a loopback address that is separate from other loopback addresses that are required by Layer 3 protocols. A best practice is to use a dedicated loopback address for VXLAN.

• On VPC VXLAN, it is recommended to increase the delay restore interface-vlan timer under the VPC configuration, if the number of SVIs are scaled up. For example, if there are 1000 VNIs with 1000 SVIs, it is recommended to increase the delay restore interface-vlan timer to 45 Seconds.

• The loopback address used by NVE needs to be configured to have a primary IP address and a secondary IP address.

  The secondary IP address is used for all VxLAN traffic that includes multicast and unicast encapsulated traffic.

• VPC peers must have identical configurations.

  • Consistent VLAN to VN-segment mapping.

  • Consistent NVE1 binding to the same loopback interface

    • Using the same secondary IP address.

    • Using different primary IP addresses.

  • Consistent VNI to group mapping.

• For multicast, the VPC node that receives the (S, G) join from the RP (rendezvous point) becomes the DF (designated forwarder). On the DF node, encap routes are installed for multicast.

  Decap routes are installed based on the election of a decapper from between the VPC primary node and the VPC secondary node. The winner of the decap election is the node with the least cost to the RP. However, if the cost to the RP is the same for both nodes, the VPC primary node is elected.

  The winner of the decap election has the decap mroute installed. The other node does not have a decap route installed.

• On a VPC device, BUM traffic (broadcast, unknown-unicast, and multicast traffic) from hosts is replicated on the peer-link. A copy is made of every native packet and each native packet is sent across the peer-link to service orphan-ports connected to the peer VPC switch.

  To prevent traffic loops in VXLAN networks, native packets ingressing the peer-link cannot be sent to an uplink. However, if the peer switch is the encapper, the copied packet traverses the peer-link and is sent to the uplink.

  Note	Each copied packet is sent on a special internal VLAN (VLAN 4041).

• When peer-link is shut, the loopback interface used by NVE on the VPC secondary is brought down and the status is Admin Shut. This is done so that the route to the loopback is withdrawn on the upstream and that the upstream can divert all traffic to the VPC primary.

  Note	Orphans connected to the VPC secondary will experience loss of traffic for the period that the peer-link is shut. This is similar to Layer 2 orphans in a VPC secondary of a traditional VPC setup.

• When peer-link is no-shut, the NVE loopback address is brought up again and the route is advertised upstream, attracting traffic.

• For VPC, the loopback interface has 2 IP addresses: the primary IP address and the secondary IP address.

  The primary IP address is unique and is used by Layer 3 protocols.

  The secondary IP address on loopback is necessary because the interface NVE uses it for the VTEP IP address. The secondary IP address must be same on both vPC peers.

• The VPC peer-gateway feature must be enabled on both peers.

  As a best practice, use peer-switch, peer gateway, ip arp sync, ipv6 nd sync configurations for improved convergence in VPC topologies.

  In addition, increase the STP hello timer to 4 seconds to avoid unnecessary TCN generations when VPC role changes occur.

  The following is an example (best practice) of a VPC configuration:

  switch# sh ru vpc
  
  version 6.1(2)I3(1)
  feature vpc
  vpc domain 2
    peer-switch
    peer-keepalive destination 172.29.206.65 source 172.29.206.64
    peer-gateway
    ipv6 nd synchronize
    ip arp synchronize
  
  

• On a VPC pair, shutting down NVE or NVE loopback on one of the VPC nodes is not a supported configuration. This means that traffic failover on one-side NVE shut or one-side loopback shut is not supported.

• When the NVE or loopback is shut in VPC configurations:

  • If the NVE or loopback is shut only on the primary VPC switch, the global VxLAN VPC consistency checker fails. Then the NVE, loopback, and VPCs are taken down on the secondary VPC switch.

  • If the NVE or loopback is shut only on the secondary VPC switch, the global VXLAN VPC consistency checker fails. Then the NVE, loopback, and secondary VPC are brought down on the secondary. Traffic continues to flow through the primary VPC switch.

  As a best practice, you should keep both the NVE and loopback up on both the primary and secondary VPC switches.

• Redundant anycast RPs configured in the network for multicast load-balancing and RP redundancy are supported on VPC VTEP topologies.

• Enabling vpc peer-gateway configuration is mandatory. For peer-gateway functionality, at least one SVI is required to be enabled across peer-link and also configured with PIM. This provides a backup path in the case when VTEP loses complete connectivity to the spine. Remote peer reachability is re-routed over peer-link in this case.

  The following is an example of SVI with PIM enabled:

  swithch# sh ru int vlan 2
  
  interface Vlan2
    description special_svi_over_peer-link
    no shutdown
    ip address 30.2.1.1/30
    ip pim sparse-mode
  
  // example config for backup SVI:
  
  interface Vlan2000
    description backup_svi_over_peer-link  //change “special” into “backup”
    no shutdown
    no ip redirects
    ip address 20.20.20.1/24
    no ipv6 redirects
    ip router ospf 1 area 0.0.0.0
    ip pim sparse-mode
    ip igmp static-oif route-map match-mcast-groups
  
  route-map match-mcast-groups permit 1
    match ip multicast group 225.1.1.1/32
  
  

  Note	In BUD node topologies, the backup SVI needs to be added as a static OIF for each underlay multicast group.

  Note	The SVI must be configured on both VPC peers and requires PIM to be enabled.

• As a best practice when changing the secondary IP address of an anycast VPC VTEP, the NVE interfaces on both the VPC primary and the VPC secondary should be shut before the IP changes are made.

• DHCP relay is supported when the DHCP server is reachable through a default VRF. However, DHCP relay is not supported when the DHCP client and DHCP server are in the same non-default VRF.

• MTU Size in the Transport Network

  Due to the MAC-to-UDP encapsulation, VXLAN introduces 50-byte overhead to the original frames. Therefore, the maximum transmission unit (MTU) in the transport network needs to be increased by 50 bytes. If the overlays use a 1500-byte MTU, the transport network needs to be configured to accommodate 1550-byte packets at a minimum. Jumbo-frame support in the transport network is required if the overlay applications tend to use larger frame sizes than 1500 bytes.

• ECMP and LACP Hashing Algorithms in the Transport Network

  As described in a previous section, Cisco Nexus 9000 Series Switches introduce a level of entropy in the source UDP port for ECMP and LACP hashing in the transport network. As a way to augment this implementation, the transport network uses an ECMP or LACP hashing algorithm that takes the UDP source port as an input for hashing, which achieves the best load-sharing results for VXLAN encapsulated traffic.

• Multicast Group Scaling

  The VXLAN implementation on Cisco Nexus 9000 Series Switches uses multicast tunnels for broadcast, unknown unicast, and multicast traffic forwarding. Ideally, one VXLAN segment mapping to one IP multicast group is the way to provide the optimal multicast forwarding. It is possible, however, to have multiple VXLAN segments share a single IP multicast group in the core network. VXLAN can support up to 16 million logical Layer 2 segments, using the 24-bit VNID field in the header. With one-to-one mapping between VXLAN segments and IP multicast groups, an increase in the number of VXLAN segments causes a parallel increase in the required multicast address space and the amount of forwarding states on the core network devices. At some point, multicast scalability in the transport network can become a concern. In this case, mapping multiple VXLAN segments to a single multicast group can help conserve multicast control plane resources on the core devices and achieve the desired VXLAN scalability. However, this mapping comes at the cost of suboptimal multicast forwarding. Packets forwarded to the multicast group for one tenant are now sent to the VTEPs of other tenants that are sharing the same multicast group. This causes inefficient utilization of multicast data plane resources. Therefore, this solution is a trade-off between control plane scalability and data plane efficiency.

  Despite the suboptimal multicast replication and forwarding, having multiple-tenant VXLAN networks to share a multicast group does not bring any implications to the Layer 2 isolation between the tenant networks. After receiving an encapsulated packet from the multicast group, a VTEP checks and validates the VNID in the VXLAN header of the packet. The VTEP discards the packet if the VNID is unknown to it. Only when the VNID matches one of the VTEP’s local VXLAN VNIDs, does it forward the packet to that VXLAN segment. Other tenant networks will not receive the packet. Thus, the segregation between VXLAN segments is not compromised.

The following are considerations for the configuration of the transport network:

• On the VTEP device:

  • Enable and configure IP multicast.

  • Create and configure a loopback interface with a /32 IP address.

    (For vPC VTEPs, you must configure primary and secondary /32 IP addresses.)

  • Enable IP multicast on the loopback interface.

  • Advertise the loopback interface /32 addresses through the routing protocol (static route) that runs in the transport network.

  • Enable IP multicast on the uplink outgoing physical interface.

• Throughout the transport network:

  • Enable and configure IP multicast.