Published: October 16, 2025
What is EVPN-VXLAN?
EVPN-VXLAN is a network fabric that extends layer 2 connectivity as a network overlay over an existing physical network. It is an open standards technology that creates more agile, secure, and scalable networks in campuses and data centers.
EVPN-VXLAN explained
EVPN-VXLAN is an open standards technology that solves the limitations of traditional VLAN-based networks by creating a network fabric that extends layer 2 connectivity as a network overlay over an existing physical network. EVPN-VXLAN consists of:
- Ethernet VPN (EVPN), the overlay control plane, which provides virtual connectivity between different layer 2/3 domains over an IP or MPLS network
- Virtual extensible LAN (VXLAN), a common network virtualization overlay protocol that expands the layer 2 network address space from 4,000 to 16 million segments
Understanding EVPN
In traditional Layer 2 networks, reachability information is distributed in the data plane through flooding. With EVPN-VXLAN networks, this activity moves to the control plane.
EVPN is an extension to Border Gateway Protocol (BGP) that allows the network to carry endpoint reachability information such as Layer 2 MAC addresses and Layer 3 IP addresses. This control plane technology uses MP-BGP for MAC and IP address endpoint distribution, where MAC addresses are treated as routes.
EVPN also provides multipath forwarding and redundancy through an all-active multihoming model. An endpoint or device can connect to two or more upstream devices and forward traffic using all the links. If a link or device fails, traffic continues to flow using the remaining active links.
Because MAC learning is now handled in the control plane, EVPN avoids the flooding that is common in layer 2 networks. EVPN can support different data-plane encapsulations between EVPN-enabled switches; in EVPN-VXLAN architectures, VXLAN provides the overlay data-plane encapsulation.
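As an added illustration of MAC addresses being carried as BGP routes (example code written for this page, not code from HPE Aruba Networking), the following Python encodes and parses an EVPN Type-2 MAC/IP Advertisement NLRI as defined in RFC 7432, with the label field carrying the VNI as in VXLAN-encapsulated EVPN; the sample RD, MAC and IP values are constructed.

```python
import ipaddress
import struct

ROUTE_TYPE_MAC_IP = 2   # EVPN route type 2: MAC/IP Advertisement route (RFC 7432)


def encode_mac_ip_route(rd: bytes, esi: bytes, eth_tag: int, mac: str,
                        ip: "str | None", vni: int) -> bytes:
    """Build one Type-2 NLRI: RD(8) ESI(10) EthTag(4) MACLen(1) MAC(6) IPLen(1)
    IP(0/4/16) Label1(3). With VXLAN encapsulation the label field carries the VNI."""
    if len(rd) != 8 or len(esi) != 10:
        raise ValueError("RD must be 8 bytes and ESI 10 bytes")
    body = rd + esi + struct.pack("!I", eth_tag)
    body += bytes([48]) + bytes.fromhex(mac.replace(":", ""))   # MAC length in bits
    if ip is None:
        body += bytes([0])                          # MAC-only advertisement
    else:
        addr = ipaddress.ip_address(ip)             # IP length: 32 (v4) or 128 (v6)
        body += bytes([addr.max_prefixlen]) + addr.packed
    body += vni.to_bytes(3, "big")
    return bytes([ROUTE_TYPE_MAC_IP, len(body)]) + body


def decode_mac_ip_route(nlri: bytes) -> dict:
    """Parse a Type-2 NLRI back into its fields, rejecting malformed lengths
    instead of reading past the end of the route."""
    if len(nlri) < 2 or nlri[0] != ROUTE_TYPE_MAC_IP or nlri[1] != len(nlri) - 2:
        raise ValueError("not a well-formed EVPN Type-2 NLRI")
    body = nlri[2:]
    if len(body) < 33 or body[22] != 48:
        raise ValueError("truncated route or unsupported MAC length")
    ip_len = body[29]
    if ip_len not in (0, 32, 128):
        raise ValueError(f"invalid IP address length {ip_len}")
    ip_end = 30 + ip_len // 8
    if len(body) < ip_end + 3:
        raise ValueError("truncated route")
    return {
        "rd": body[:8].hex(), "esi": body[8:18].hex(),
        "eth_tag": struct.unpack("!I", body[18:22])[0],
        "mac": ":".join(f"{b:02x}" for b in body[23:29]),
        "ip": str(ipaddress.ip_address(body[30:ip_end])) if ip_len else None,
        "vni": int.from_bytes(body[ip_end:ip_end + 3], "big"),
    }


# Constructed sample: single-homed host (all-zero ESI) on VNI 10100, advertised by a leaf using the made-up type-1 RD 192.168.0.1:10100
SAMPLE_RD = bytes.fromhex("0001c0a800012774")
SAMPLE_ESI = bytes(10)
SAMPLE_ROUTE = encode_mac_ip_route(SAMPLE_RD, SAMPLE_ESI, 0,
                                   "02:00:5e:00:00:01", "10.1.1.10", 10100)
```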
Network overlays are created by encapsulating traffic and tunneling it over a physical network. The VXLAN tunneling protocol encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets, enabling Layer 2 virtual networks or subnets that can span the underlying physical Layer 3 network. The device that performs VXLAN encapsulation and decapsulation is called a VXLAN tunnel endpoint (VTEP). EVPN enables devices acting as VTEPs to exchange reachability information with each other about their endpoints.
In a VXLAN overlay network, each Layer 2 subnet or segment is uniquely identified by a virtual network identifier (VNI). A VNI segments traffic the same way that a VLAN ID segments traffic: endpoints within the same virtual network can communicate directly with each other, while endpoints in different virtual networks require a device that supports inter-VNI (inter-VXLAN) routing.
How does EVPN-VXLAN work?
EVPN-VXLAN enables businesses to connect geographically dispersed locations using layer 2 virtual bridging. EVPN-VXLAN provides the scale required by cloud service providers and is often the preferred technology for data center interconnections.
EVPN, as an overlay, supports multi-tenancy and is highly extensible, often using resources from different data centers to deliver a single service. It can provide layer 2 connectivity over physical infrastructure for devices in a virtual network or enable layer 3 routing.
Because it serves as a MAC address learning control plane for overlay networks, EVPN can support different data plane encapsulation technologies. This flexibility is especially appealing for network fabrics that aren’t strictly based on MPLS.
VXLAN encapsulates layer 2 Ethernet frames in layer 3 UDP packets, meaning virtual layer 2 subnets can span underlying layer 3 networks. A VXLAN network identifier (VNI) is used to segment each layer 2 subnet similarly to traditional VLAN IDs.
A VXLAN tunnel endpoint (VTEP) is a VXLAN-capable device that encapsulates and decapsulates packets. In the physical network, a switch typically functions as a layer 2 or layer 3 VXLAN gateway and is considered a hardware VTEP. The virtual network equivalents are known as software VTEPs, which are hosted in hypervisors such as VMware ESXi or vSphere.
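To make the encapsulation described in this section and under Understanding EVPN concrete, here is an added Python example (written for this page, not code from the original or from HPE Aruba Networking) that builds and validates the 8-byte VXLAN header from RFC 7348, parses the inner Ethernet frame, and derives an entropy source port for underlay ECMP. The CRC32 hash and the sample frame are assumptions, and the outer IP/UDP headers are left to the VTEP's IP stack.

```python
import struct
import zlib

VXLAN_FLAG_I = 0x08          # "I" flag: the 24-bit VNI field is valid
VNI_MAX = (1 << 24) - 1      # 24-bit VNI space: about 16 million segments


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (RFC 7348) to an Ethernet frame.
    The outer IP/UDP headers (UDP port 4789) are added by the VTEP's IP stack."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} is outside the 24-bit range")
    # flags(1) | reserved(3) | VNI(3) | reserved(1), then the original frame
    return bytes([VXLAN_FLAG_I, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00" + inner_frame


def vxlan_decapsulate(payload: bytes) -> tuple:
    """Validate the VXLAN header and return (vni, inner Ethernet frame).
    Packets without the I flag or with non-zero reserved fields are rejected."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    flags, reserved = payload[0], payload[1:4] + payload[7:8]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI field is not valid")
    if flags & ~VXLAN_FLAG_I or any(reserved):
        raise ValueError("reserved bits must be zero")
    return int.from_bytes(payload[4:7], "big"), payload[8:]


def inner_ethernet(frame: bytes) -> dict:
    """Parse destination MAC, source MAC and EtherType of the decapsulated frame."""
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    return {"dst": mac(frame[0:6]), "src": mac(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port derived from a hash of the inner headers, so ECMP in
    the Layer 3 underlay spreads flows across spines (VXLAN entropy). CRC32 is an
    assumption here; real VTEPs use a platform-specific hash over the same fields."""
    return 49152 + zlib.crc32(inner_frame[:34]) % (65535 - 49152 + 1)


# Constructed sample: a broadcast ARP frame (EtherType 0x0806) from a made-up MAC
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("02005e000001")
                + struct.pack("!H", 0x0806) + b"\x00" * 28)
SAMPLE_VNI = 10100
SAMPLE_PACKET = vxlan_encapsulate(SAMPLE_VNI, SAMPLE_FRAME)
```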
Why EVPN-VXLAN now?
EVPN-VXLAN has emerged as a popular networking framework largely due to the limitations of traditional VLAN-based networks.
Within campus environments, the proliferation of endpoints due to BYOD, workplace mobility, and IoT is driving a need for more fine-grained segmentation strategies to separate different profiles of users, devices, and traffic.
It’s a similar story in data centers, where steadily increasing workloads are being deployed to support digital transformation. IT needs to protect and manage workloads on an individual basis while preventing hackers from moving laterally from server to server if a breach occurs.
Building an EVPN-VXLAN fabric overlay with HPE Aruba Networking
The HPE Aruba Networking CX portfolio of network switches is designed for the evolving, complex demands of modern campus and data center networks, including EVPN-VXLAN-based fabrics. Based on a distributed, non-blocking architecture and powered by AOS-CX, HPE Aruba Networking CX switches deliver enhanced IT operational efficiency and high availability from the access layer, to aggregation, to core, and to the data center.
HPE Aruba Networking Central NetConductor is the next generation solution for increasingly complex networks, enabling organizations of all types and sizes to automatically configure LAN, WLAN, and WAN infrastructure to deliver optimal network performance while enforcing granular access control security policies that are the foundation of Zero Trust and SASE architectures.
Central NetConductor uses widely adopted protocols, such as EVPN/VXLAN, to produce an intelligent network overlay suitable for rapid enterprise network deployment and massive scalability. It comprises cloud-native services delivered by HPE Aruba Networking Central, a cloud-native platform that is the foundation of the HPE Aruba Networking Edge Services Platform (ESP), and can be deployed without a rip-and-replace of current network infrastructure.
EVPN-VXLAN in the enterprise
There are several benefits of a standards-based EVPN-VXLAN architecture in campus:
1. Enterprises can easily add more core, distribution, and access layer devices to a growing business without having to redesign with a new set of devices to update the architecture. By using a Layer 3 IP-based underlay with an EVPN-VXLAN overlay, campus network operators can deploy much larger networks than are otherwise available with traditional Layer 2 Ethernet-based architectures.
2. EVPN-VXLAN allows customers to easily configure the same VLANs across buildings and different sites, since VLANs can be stretched between buildings and sites, which reduces operational complexity.
3. EVPN-VXLAN allows enterprises to make use of group-based policies to deploy a common set of policies and services across campuses. This reduces ACL/firewall filter bloat on switches across the enterprise network.
4. Group-based policies also enable microsegmentation, giving enterprise customers finer control over which end users or devices can talk to which devices across the campus network.
EVPN-VXLAN in the Data Center
Modern data centers running at scale typically use an IP fabric architecture with an EVPN-VXLAN overlay.
The IP fabric enables you to collapse traditional networking layers into a two-tier spine-and-leaf architecture optimized for large-scale environments. This highly interconnected Layer 3 network acts as an underlay to provide high resiliency and low latency across your network and can easily be scaled out horizontally as needed.
The EVPN-VXLAN overlay sits on top of the IP fabric, enabling you to extend and interconnect your Layer 2 data center domains and place endpoints (such as servers or virtual machines) anywhere in the network, including across data centers.
HPE Aruba Networking CX switches that support EVPN-VXLAN
- HPE Aruba Networking CX 6200 Switch Series (static VXLAN only): Layer 3 stackable access switches with PoE and 10 Gigabit uplinks
- HPE Aruba Networking CX 6300 Switch Series: Stackable access and aggregation switches with 10/25GbE uplinks (50GbE DAC) and support for Smart Rate and high power PoE
- HPE Aruba Networking CX 6400 Switch Series: High-availability modular switches for versatile edge access to data center deployments with up to 28Tbps capacity
- HPE Aruba Networking CX 8325 Switch Series: Compact switches with 1/10/25/40/100GbE connectivity ideal for leaf and spine use cases
- HPE Aruba Networking CX 8360 Switch Series: High-performance 1/10/25/40/100GbE connectivity in a compact 1U form factor
- HPE Aruba Networking CX 8400 Switch Series: Highly resilient 8-slot modular switch with up to 19.2Tbps capacity ideal for campus core
- HPE Aruba Networking CX 9300 Switch Series: High performance 400GbE data center switch with 32 ports of 100/200/400GbE
- HPE Aruba Networking CX 10000 Switch Series: 800G of distributed stateful firewall for east-west traffic, zero-trust segmentation, and pervasive telemetry
FAQs
Why is EVPN-VXLAN becoming popular?
EVPN and VXLAN work together to create highly scalable, efficient, and agile campus and data center networks. EVPN-VXLAN decouples the network infrastructure from the services and applications germane to each department or each customer. This concept of network virtualization provides native traffic isolation and the ability to extend services to any part of the network without introducing costly operational methods such as plumbing VLANs.
What is EVPN technology?
Traditional networks require the use of switching hardware to learn and maintain MAC addresses as devices move across a network. Broadcasts are required to update all devices in the same VLAN or broadcast domain each time a new MAC address is learned or withdrawn, irrespective of where the devices are located. Extending VLANs across a network also requires loop avoidance which is supported by protocols like Spanning Tree. Loop avoidance requires the network to operate at 50 percent efficiency by blocking ports on each device. Vendors have also implemented proprietary technologies to mitigate the need for loop avoidance protocols. However, this introduces vendor lock-in through a lack of standards.
These inefficiencies create challenges for customers who plan on growth and service expansion.
Ethernet VPN, or EVPN, addresses these issues through standards-based MP-BGP. EVPN supports MAC learning and withdrawal through BGP without the need to broadcast across the network. EVPN also supports active-active multihoming, removing the need for loop-avoidance protocols or proprietary vendor lock-in mechanisms.
Where is EVPN used?
Modern data centers running at scale typically use an IP Fabric architecture with EVPN-VXLAN. Enterprise networks that require scalability without having to redesign with a new set of devices leverage EVPN-VXLAN.
Enterprises that require common sets of policies and services across campuses deploy EVPN-VXLAN. This allows network operators to deploy much larger networks than are otherwise available with traditional Layer 2 Ethernet-based architectures.
Service providers have been migrating from virtual private LAN service (VPLS) to EVPN to take advantage of EVPN’s native support of active-active multihoming, reduced Address Resolution Protocol (ARP) and MAC flooding, and greater network efficiency.
What is the difference between VPLS and EVPN?
Control-plane-based protocols like EVPN, VPLS, and even L2VPN solve the legacy flood-and-learn problem; however, they have predominantly been MPLS driven. Given the advent of VXLAN as an overlay protocol of choice for IP fabrics, EVPN breaks away from the traditional MPLS transport requirement by using VXLAN as the transport.
EVPN’s advantages over VPLS include:
- Improved network efficiency
  - Reduced unknown-unicast flooding due to control-plane MAC learning
  - Reduced ARP flooding due to MAC-to-IP binding in the control plane
  - Multipath traffic over multiple spine switches (VXLAN entropy)
  - Multipath traffic to active-active dual-homed servers
  - Distributed Layer 3 gateway: Virtual Machine Traffic Optimization (VMTO)
- Fast convergence
  - Faster reconvergence when the link to a dual-homed server fails (aliasing)
  - Faster reconvergence when a VM moves
- Scalability
  - Very scalable BGP-based control plane
- Flexibility
  - Easy integration with L3VPNs and L2VPNs for Data Center Interconnect (DCI)
  - BGP-based control plane that provides the ability to apply fine-grained policies
What is the difference between VPN and EVPN?
VPN technologies have been deployed in service provider networks to allow multiple customers or tenants to share a single network infrastructure, using virtual networks to meet logical traffic separation requirements. BGP is used to separate virtual networks into virtual routing and forwarding instances (VRFs), while the underlying transport has been MPLS.
Service providers continue to use MPLS because they tend to own the large section of network infrastructure their customers leverage. This allows each service provider to control end-to-end QoS and stringent network policy. Hence, service providers offer L2VPN and L3VPN as services to customers with the assumption of MPLS transport.
In the case of data centers and enterprise networks, QoS and network policy control are critical and best served internally rather than by a third-party entity such as a service provider. Layer 2 extensibility and cloud accessibility are other factors that require data centers and enterprises to leverage a native IP transport.
VXLAN is a standard tunneling protocol that allows Layer 2 traffic to flow on top of any IP network. VXLAN also supports up to 16 million logical networks while allowing Layer 2 adjacency through IP networks. VXLAN has been adopted by data center and enterprise networks for these reasons, as well as the ability to control their QoS and network policies without third-party dependence.
Given the advent of VXLAN as an overlay protocol of choice for IP fabrics, EVPN breaks away from the traditional MPLS transport requirement by using VXLAN as the transport. The following illustrates the advantages of EVPN in data center and campus deployments and the differences from MPLS-based deployments:
- Improved network efficiency
  - Reduced unknown-unicast flooding due to control-plane MAC learning
  - Reduced ARP flooding due to MAC-to-IP binding in the control plane
  - Multipath traffic over multiple spine switches (VXLAN entropy)
  - Multipath traffic to active-active dual-homed servers
  - Distributed Layer 3 gateway: Virtual Machine Traffic Optimization (VMTO)
- Fast convergence
  - Faster reconvergence when the link to a dual-homed server fails (aliasing)
  - Faster reconvergence when a VM moves
- Scalability
  - Very scalable BGP-based control plane
- Flexibility
  - Easy integration with L3VPNs and L2VPNs for DCI
  - BGP-based control plane that provides the ability to apply fine-grained policies
EVPN is the only completely standards-based solution that offers these benefits for a data center and campus control plane protocol.
Why is a VXLAN overlay used?
VXLAN enables network administrators to create logical Layer 2 networks across different Layer 3 networks. VXLAN has a 24-bit Virtual Network ID (VNID) space, which allows for 16 million logical networks. Implemented in hardware, VXLAN supports transport of native Ethernet packets inside a tunnel encapsulation. VXLAN has become the de facto standard for overlays terminated on physical switches and is supported in Juniper Networks Campus and Data Center switching platforms.
VXLAN overlays offer several benefits:
- Elimination of Spanning Tree Protocol (STP)
- Increased scalability
- Improved resiliency
- Fault containment/traffic isolation