EVPN/VXLAN Network Health Verification: A Comprehensive Guide

In today's data center environments, EVPN/VXLAN has become the de facto standard for building scalable and flexible network fabrics. As these deployments grow in complexity, having a structured approach to verify fabric health becomes crucial. This guide walks through a systematic verification process to ensure your EVPN/VXLAN fabric is operating optimally.
Understanding EVPN/VXLAN Fabric Architecture
EVPN (Ethernet VPN) combined with VXLAN (Virtual Extensible LAN) provides a robust overlay technology that addresses many traditional data center networking challenges:
- Layer 2 extension across Layer 3 boundaries
- Efficient handling of BUM (Broadcast, Unknown Unicast, and Multicast) traffic
- MAC and IP mobility support
- Multi-tenancy capabilities
- Control plane-based learning for scalability
A typical EVPN/VXLAN fabric consists of spine and leaf switches in a Clos topology. The underlying network (underlay) provides IP connectivity between the switches, while the overlay network handles the end-to-end tenant communication.

Network Fabric Verification: A Layered Approach
Effective troubleshooting of EVPN/VXLAN networks requires a bottom-up methodology. We'll work through each layer systematically, starting with the underlay and progressing to the overlay components.
1. Underlay Network Verification
A. Check IGP Peering State
The foundation of any EVPN/VXLAN fabric is the underlay network. In our example, we're using OSPF, but it could be IS-IS, BGP, or even static routing.
Start by verifying OSPF neighbor relationships between spine and leaf switches:
What to look for: All neighbors should be in the FULL state, which indicates a fully established adjacency.
B. Confirm Loopback Reachability
Next, check if all loopback interfaces are reachable across the fabric:
What to look for: Each loopback address should have valid routes. For leaf switches in VPC pairs, you'll see multiple paths to the same loopback (for redundancy).
Pro Tip: Enable name lookup for your IGP to simplify troubleshooting:
2. Overlay Network Verification
A. Check BGP EVPN Peering State
Once you've verified the underlay, move to the overlay by checking BGP EVPN peerings:
What to look for: All neighbors should be established with prefixes being received (State/PfxRcd column). Note that some leafs might show 0 prefixes if they don't have any VNIs configured.
B. Verify NVE Interface Status
The NVE (Network Virtualization Edge) interface is the VTEP (VXLAN Tunnel Endpoint) that handles encapsulation and decapsulation:
What to look for: The NVE interface should be up with the proper source interface configured.
For VPC deployments, verify both switches in the pair:
Key insight: For VPC pairs, note the secondary IP address that serves as the common VTEP IP for both switches.
C. Check VNI Mappings and Status
VNIs (VXLAN Network Identifiers) are mapped to VLANs (for L2 VNIs) or VRFs (for L3 VNIs):
What to look for: All VNIs should show Up state with the correct mode (typically CP for Control Plane).
For detailed information about specific VNIs:
Critical check: The Provision State should show vni-add-complete, indicating successful configuration.
3. Verify VTEP Peering
Examine NVE peering to ensure proper connectivity between VTEPs:
Important note: NVE peers only show as Up when EVPN routes are learned from that peer. The absence of a peer doesn't necessarily indicate a problem if no shared VNIs exist.
4. Examine BGP EVPN Routes
The final and most detailed verification is examining the BGP EVPN routes:
- Valid routes (marked with * and >)
- Proper RD (Route Distinguisher) and RT (Route Target) values
- Expected route types for your use case:
  - Type 2 routes for MAC/IP learning
  - Type 3 routes for multicast
  - Type 5 routes for IP prefix advertisement
For detailed inspection of specific routes:
Advanced verification: Check for proper import/export of routes, correct extended communities (RT values), and EVPN encapsulation types.
Common Issues and Troubleshooting Tips
- Underlay connectivity problems:
  - Check physical interfaces for errors
  - Verify MTU consistency across the fabric
  - Ensure IGP adjacencies are stable
- EVPN peering issues:
  - Verify BGP authentication if used
  - Check for route-map policies that might be filtering routes
  - Confirm ASNs are configured correctly
- VNI provisioning failures:
  - Look for configuration mismatches between switches
  - Verify VLAN to VNI mappings are consistent
  - Check for resource constraints (hardware limitations)
- Traffic forwarding problems:
  - Verify end-to-end MTU (jumbo frames typically required)
  - Check hardware programming of MAC/IP entries
  - Confirm symmetric routing for L3 traffic
Best Practices for EVPN/VXLAN Deployments
- Use consistent naming conventions across your fabric
- Implement a proper IP addressing scheme with dedicated ranges for underlay and overlay
- Standardize VNI allocation (e.g., L2VNI = VLAN ID + prefix)
- Document RD/RT allocation strategy to avoid conflicts
- Configure BFD for faster failure detection where appropriate
- Monitor fabric for MTU issues as they can be difficult to troubleshoot
- Back up configurations regularly using automation tools
Conclusion
EVPN/VXLAN fabric verification requires a methodical approach, working from the underlay up through the overlay components. By following this structured checklist, you can ensure your fabric is healthy and operating as expected.
Remember that while individual commands are useful, the real power comes from correlating information across different layers of the fabric. Developing a good understanding of how EVPN routes translate to forwarding decisions will make you much more effective at troubleshooting complex issues.
For your specific environment, consider building automated verification scripts that can regularly check the health of your fabric and alert on any deviations from the expected state.
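As a starting point for such a script, the following added example (not part of the original guide) applies the "what to look for" rules from sections 1A, 2A and 2C to CLI text and reports the lowest failing layer, following the bottom-up order. The sample outputs are constructed, and their column layouts and all function names are assumptions to adapt to your platform.

```python
import re

IP = re.compile(r"\d+\.\d+\.\d+\.\d+")
# Constructed sample text, not captured from a device; column layouts are assumptions.
OSPF = """\
 Neighbor ID     Pri State            Up Time  Address         Interface
 10.0.0.1          1 FULL/ -          1d02h    10.1.1.0        Eth1/1
 10.0.0.2          1 EXSTART/ -       00:00:12 10.1.2.0        Eth1/2
"""
BGP = """\
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4 65000    1200    1180      340    0    0 1d02h    24
10.0.0.2        4 65000       0       0        0    0    0 00:03:10 Idle
10.0.0.3        4 65000     900     880      340    0    0 1d02h    0
"""
VNI = """\
Interface VNI      Multicast-group   State Mode Type [BD/VRF]
nve1      10010    UnicastBGP        Up    CP   L2 [10]
nve1      10020    UnicastBGP        Down  CP   L2 [20]
"""

def rows(text, min_fields):
    # Whitespace-split rows; short lines (blank lines, banners) are dropped.
    return [f for f in (l.split() for l in text.splitlines()) if len(f) >= min_fields]

def check_ospf(text):
    # Underlay: every adjacency must be FULL (shown as "FULL/ -" or "FULL/DR").
    return [f"OSPF {f[0]} is {f[2].split('/')[0]}" for f in rows(text, 3)
            if IP.fullmatch(f[0]) and f[2].split("/")[0] != "FULL"]

def check_bgp(text):
    # A numeric State/PfxRcd means Established; 0 is allowed (leaf without VNIs).
    return [f"BGP EVPN {f[0]} is {f[-1]}" for f in rows(text, 10)
            if IP.fullmatch(f[0]) and not f[-1].isdigit()]

def check_vni(text, mode="CP"):
    # VNI rows start with the nve interface name followed by the VNI number.
    return [f"VNI {f[1]} is {f[3]}/{f[4]}" for f in rows(text, 5)
            if f[0].startswith("nve") and f[1].isdigit()
            and (f[3] != "Up" or f[4] != mode)]

def fabric_report(ospf, bgp, vni):
    """Return (findings per layer, lowest failing layer) in bottom-up order."""
    report = {"underlay-ospf": check_ospf(ospf),
              "overlay-bgp-evpn": check_bgp(bgp), "overlay-vni": check_vni(vni)}
    first = next((layer for layer, issues in report.items() if issues), None)
    return report, first
```

When the lowest failing layer is the underlay, treat overlay findings for the same device as likely symptoms and fix the underlay first.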