Skip to content

RT5-only L3 EVPN Tutorial#

Tutorial name RT5-only (aka Interface-less) L3 EVPN-VXLAN with SR Linux
Lab components 3 SR Linux nodes, 2 FRR, 2 Alpine nodes
Resource requirements 2vCPU
8 GB
Lab Repo srl-rt5-l3evpn-basics-lab
Packet captures EVPN IP Prefix routes exchange
Main ref documents RFC 7432 - BGP MPLS-Based Ethernet VPN
RFC 8365 - A Network Virtualization Overlay Solution Using Ethernet VPN (EVPN)
RFC 9136 - IP Prefix Advertisement in Ethernet VPN (EVPN)
Nokia 7220 SR Linux Advanced Solutions Guide
Nokia 7220 SR Linux EVPN-VXLAN Guide
Version information1 containerlab:v0.56.0, srlinux:24.3.3, frr:9.0.2 docker-ce:26.1.4
Authors Korhan Kayhan
Roman Dodin
and reviewers3

While EVPN originally emerged as a Layer 2 VPN technology to overcome VPLS limitations, it has since evolved to become a unified control plane for many services, Layer 3 VPN included. Founded upon the BGP protocol, EVPN has lots of flexibility and features to become a one-stop-shop for all VPN services in various network deployments, but especially fit for the IP fabrics.

In the Layer 2 EVPN Basics Tutorial we discussed how to configure EVPN to provide a layer 2 service across an IP fabric. Today' focus will be on deploying a Layer 3 Ethernet VPN (EVPN) in the SR Linux-powered DC fabric. We will be working with an interface-less2 flavor of an L3 EVPN service that does not require the use of Integrated Routing and Bridging (IRB) interfaces, and as such has no need MAC VRF instances, ARP/ND entries synchronization, MAC/IP (RT2) and IMET routes.

As you might expect, the Layer 3 EVPN is designed to provide Layer 3 services across the fabric. As such, there are no stretched broadcast domains across the fabric and the customer equipment is directly connected via L3 interfaces to the leafs and often runs a PE-CE routing protocol to exchange IP prefixes.

To explain the Layer 3 EVPN configuration and concepts we will use a lab representing a tiny fabric built with two leafs, one spine and two pairs of clients devices connected to the leafs; one pair per each tenant. The first pair of clients will represent L3 servers connected to leaf ports directly, while the second pair will be represented by an FRRouting routers that act a CE router and announce routes.

As part of this tutorial we will go over two L3 EVPN scenarios. First, we will demonstrate how we can provide connectivity for directly attached L3 clients of Tenant 1. These are the clients that are addressed with L3 interfaces and connected to the leaf devices directly.

Directly attached L3 clients

The second scenario will demonstrate how to connect CE devices of Tenant 2 that establish a BGP session with the leaf devices to exchange IP prefixes. The BGP EVPN will make sure that the client prefixes are distributed to the participants of the same L3 EVPN service of this tenant.

BGP-enabled CE clients

From the data plane perspective we will be using VXLAN tunnels to transport the encapsulated tenant packets through the IP fabric.

As part of this tutorial we will configure the SR Linux-based DC fabric underlay with BGP Unnumbered. Then we will setup the overlay routing using iBGP with EVPN address family and proceed with the creation of an L3 EVPN service for the two tenants of our fabric.

Lab deployment#

To let you follow along the configuration steps of this tutorial we created a lab that you can deploy on any Linux VM with containerlab or run in the cloud with Codespaces:

sudo containerlab deploy -c -t srl-labs/srl-l3evpn-basics-lab

Containerlab will pull the git repo to your current working directory and start deploying the lab.

If you want to run the lab in a free cloud instance, click the button below to open the lab in GitHub Codespaces:

Run this lab in GitHub Codespaces for free.
Learn more about Containerlab for Codespaces.
Machine type: 2 vCPU · 8 GB RAM

The lab comes up online with the FRR nodes configured, and no configuration is present on the SR Linux nodes besides the basic setup. During the course of this tutorial we will configure the SR Linux nodes and explain the FRR config bits.

If you want to deploy the lab with all configs already applied, just uncomment the startup-config knobs in the topology file.

Once the deployment process is finished you'll see a table with the deployed nodes.
Using the names provided in the table you can SSH into the nodes to start the configuration process. For example, to connect to the l3evpn-leaf1 node you can use the following command:

ssh l3evpn-leaf1 #(1)!
  1. If you happen to have an SSH key the login will be passwordless. If not, admin:NokiaSrl1! is the default username and password.

With the lab deployed we are ready to embark on our learn-by-doing EVPN configuration journey!

Are you new to SR Linux?

We advise the newcomers not to skip the Configuration Basics Guide as it provides just enough details to survive in the configuration waters we are about to get in.


  1. the following versions have been used to create this tutorial. The newer versions might work, but if they don't, please pin the version to the mentioned ones. 

  2. Two L3 EVPN service models are defined in RFC 9136 - namely Interface-less and Interface-full. The focus of this tutorial is on the Interface-less model. 

  3. Michel Redondo, Sergey Fomin, Anton Zyablov, Jeroen van Bemmel, Jorge Rabadan

Comments