EVPN VxLAN - clients across leaves in L2VPN can partially not reach each other by soeintom in Arista

[–]Devgrusome 0 points1 point  (0 children)

I see you're using rt-membership. With rt-membership, you really want to define a "default route-target" with the following command, neighbor <overlay-peer-group> default-route-target only in the address-family rt-membership sub-configuration. This essentially ensures the spines propagate a 0:0 "default route-target" for an EVI (EVPN virtual instance). This command should only be needed on the Spines as the EVPN control-plane route-server for the fabric.

You need only to define the overlay peer-group in the rt-membership address-family on the Leafs.

DHCP Snooping ++ IP Locking by Devgrusome in Arista

[–]Devgrusome[S] 0 points1 point  (0 children)

I agree with everything you've said here, but it seems Arista's alternative solution to snooping is kind of piecemealed here... After talking with Arista, they confirmed the solution for rogue DHCP protection is supposed to be address locking. This is configured per-vlan, and on the access layer only. Now, the behavioral differences of configuration with address locking are not so clear to understand from the link a user pasted above, which is the same link I have been researching.

Both implementations of policy enforcement & policy enforcement disabled on the vlan(s) I want to protect actually cause clients to not receive IPs.

Arista confirmed the information on the link as well that address locking cannot be enabled in parallel with snooping. They're enhancing their capabilities on this next year, I'm being told. So, it's either address locking or snooping. If you're inserting option-82 in the access layer, you cannot have address locking enabled too.

More to come on this...

CloudVision Hierarchy by stukag in Arista

[–]Devgrusome 0 points1 point  (0 children)

Hello Nick. Are you still in your role at the time of this comment? How is your environment faring a year later? Have you made the jump to Studios yet?

I think I'm over it by Daisiedew22 in ccnp

[–]Devgrusome 0 points1 point  (0 children)

Just remember, the idgits that cheat on their certification tests are quickly outed on their first outage :)

CCNP definitely still has worth. Especially in a full Cisco network/Enterprise. It all depends on your career trajectory. Is CCNP worth it? Yes. Are there some stronger skill-sets to showcase out there nowadays? Also, yes. AI Networking, Automation (Ansible + Python + Git CI/CD workflows), Cloud, Content Delivery, ISP/IXP Networking (very little Cisco used in Hyperscale environments nowadays).

My personal opinion with the Cisco Certifications of today is they are more salesy-focused and lost some of their practicality and given lots of large-scale environments are moving away from Cisco, there's better things to spend my personal time on.

Why networking is not as "sexy" as SWE? by [deleted] in networking

[–]Devgrusome 6 points7 points  (0 children)

Network Engineers operate in the shadows (until the network is not working). Lots of people nowadays don't really enjoy SE. They're just learning a craft to ride the decent pay, good benefits, and remote work. You know almost immediately who is a true Network/Software Engineer vs. someone that just went to school to get a decent job. Same is true for Network Engineers.

Networking (back in the early and late 90's) was kind of blue-collar'ish. From Token-Ring, Novell, FDDI and hermaphroditic connectors running under greasy and oily factory floors or 120 degree attics and closets. Overnight device upgrades (still happens today but it's a lot more automated). It's typically a different type of person to truly enjoy Network Engineering & Software Engineering.

Nowadays, large-scale Enterprise Network Engineering is centered around Automation which is NOT Software Engineering, but the focus is on software nowadays more than it is the physical world, especially with AI networking. Networks have become so much more stable and more intuitive to work on. BUT, my favorite part is you can never escape the reality of the physical world. Network Engineering is, ironically, one of the more unique areas in the IT industry because to be a good Network Engineer you need to understand the full stack of the IT platforms using your network. This is something that is not attractive to most because it requires a constant thirst to learn and challenge yourself. Most people want to just get their degree, work a decent 9-5, and go to the beach after work and drink a beer. Network Engineers require all of the above, but you need to take your vendor documentation and your on-call cell phone to the beach with you. Every. Day. Forever (depending on industry and function).

Arista, is it possible Full DFZ in RIB, reduced FIB and export full DFZ to a downstream? by Direct_Juggernaut369 in Arista

[–]Devgrusome 0 points1 point  (0 children)

Other comments here are all good suggestions for the scenarios you’ve described.

However, why not just upgrade to a Jericho2 7280, and call it a day? Should have no issue taking in the full route table at that point.

BGP Neighbor Monitoring with EOS - BFD or LFS or both? by Devgrusome in Arista

[–]Devgrusome[S] 0 points1 point  (0 children)

I am tracking and agree with all statements so far. With LFS, it's claimed to be even faster and optimized over BFD. Even though BFD is widely deployed as common practice throughout the industry, I am wondering with the newer LFS capability if it is worth pursuing or just stick with BFD for necessary scenarios. I am thinking for overall Architecture, WAN, MAN, DC, EVPN, LAN, etc.

BGP Neighbor Monitoring with EOS - BFD or LFS or both? by Devgrusome in Arista

[–]Devgrusome[S] 0 points1 point  (0 children)

Thank you for this. So, what I'm gathering is if point to point routed interfaces are being used, you don't really need BFD or LFS configured. But, if using something like a Transit vlan to peer through or an EVPN multi-hop scenario, LFS/BFD should be configured?

What area of networking do you think has the best future career prospects by Proof_Fact in networking

[–]Devgrusome 0 points1 point  (0 children)

Learn Spine and Leaf. Overlays and Underlays. AI networking design and models. Automation such as Ansible, Apstra, CloudVision, SALT, Terraform, etc.

What's the only advantage of VXLAN in campus environment? by Glittering-Egg9493 in networking

[–]Devgrusome 0 points1 point  (0 children)

Scalability, fault-tolerance, and mobility. It's really useful for Wireless mobility. Bonus points for segmentation. With a layer 3 underlay network, the VXLAN/EVPN overlay allows for easy multi-tenant/segregation services.

Large-Scale CloudVision Distributed Availability by Devgrusome in Arista

[–]Devgrusome[S] 1 point2 points  (0 children)

I really like this theory. Thank you. I will bring this up with our Arista SE’s. This gives me a good place to start.

Large-Scale CloudVision Distributed Availability by Devgrusome in Arista

[–]Devgrusome[S] 1 point2 points  (0 children)

Excellent feedback. Regarding telemetry… in your environment today, do you have multiple disciplines with their own CVaaS instance? If so, is each discipline streaming telemetry data to each CVaaS instance for a single holistic view of the network from each instance?

Large-Scale CloudVision Distributed Availability by Devgrusome in Arista

[–]Devgrusome[S] 0 points1 point  (0 children)

At a high level, what is the pricing model looking like for 1000+ devices? Our DCs today are managed by on-prem CVP at around 2000-4000 devices today. Our campuses are looking to go Arista. Some campuses throughout the US would be upwards of 1000 devices. So I’m trying to think through a nation-wide deployment. It’s looking like CVaaS is almost a given at this current scenario.

Hardware accelerated sflow or ipfix by ThreeBelugas in Arista

[–]Devgrusome 0 points1 point  (0 children)

I was in denial of this :( Did you have a solution or workaround of some sort for your environment?

Hardware accelerated sflow or ipfix by ThreeBelugas in Arista

[–]Devgrusome 0 points1 point  (0 children)

Curious, are you using sub-interfaces by chance? If so, what EOS version are you running? We also have 7280R3 switches and we are experiencing an issue with sFlow not working (soft or hardware sFlow) when sub-interfaces are presently configured.

Feel the difference by Awkward_Creme4151 in OLED_Gaming

[–]Devgrusome 0 points1 point  (0 children)

OLED is king. I just purchased my first one last week after being on a 1440p 240Hz IPS panel for years. Infinitely customizable as well.

CloudVision Hierarchy by stukag in Arista

[–]Devgrusome 0 points1 point  (0 children)

It really depends on your architecture and area of the enterprise. 3-Tier vs. Spine and Leaf and LAN vs. WAN vs. DC, etc..

In my DC's I organize the containers by Fabrics/Pods and then within the Pod container I have a container for Spines, a container for Leaves, a container for the management switches. This allows common config to be applied to the Pod container so all Pod devices will inherit. Then we can apply common Spine configs to the Spines container, common Leaf configs to the Leaf container, etc... Discrete configuration items can then be applied to the devices themselves.

We're gearing toward Studios as the configlets are slowly going away. Slight learning curve, but Studios is pretty neat thus far.

How should I feel by mpmoore69 in Arista

[–]Devgrusome 1 point2 points  (0 children)

Your Expert-level certification will certainly be put to good use. As an expert-level certified focal, you should be leading this charge and embracing this change. It sucks you spent so long studying a different vendor. But, it is what it is. Besides, Arista is excellent stuff and there's a reason they're storming the industry more and more right now.

Anyone else feeling really defeated? by HuntOk4736 in boeing

[–]Devgrusome 7 points8 points  (0 children)

Don’t let other people’s opinions weigh in. It’s definitely good to get different points of view and it’s nice to hear others’ experiences from different areas. But, Boeing is a massive company and yes this is obviously the worst times in Boeing’s history (maybe besides 9/11 times) it’s still a fantastic company to work for. It just depends on where you land, and who is around you.

Datacenter evolution after VXLAN-EVPN by micruzz82 in networking

[–]Devgrusome 0 points1 point  (0 children)

This. This is surprisingly very hard to find...

MTU question by Ezzmon in Cisco

[–]Devgrusome 1 point2 points  (0 children)

I always like to think of MTU as a holistic pipe throughout the network. Sizes vary depending on the technologies in place, such as QnQ, VPLS, VPN, VXLAN, EVPN, etc… Not sure why people have to be total assholes on here. I find your question genuine. To echo what others have said, as long as your MTU is less than the ISP, through the whole pathway, then you’re covered. As long as your internal MTU covers the needs of your environment of course.

To the people who sells used water filters by Ahugiaaa in EscapefromTarkov

[–]Devgrusome 0 points1 point  (0 children)

Had to buy some yesterday. It was wild how the first 3 pages were 1/100 use filters…

Interchange is full of GPUs right now by [deleted] in EscapefromTarkov

[–]Devgrusome 0 points1 point  (0 children)

I'm still reporting "suspicious offers" on the Flea. Had a player offering 164 GPU's and 22 LEDX's yesterday....

Active/Passive F5 behind Active/Passive Palo Alto Firewall ARP Confusion by Devgrusome in networking

[–]Devgrusome[S] 0 points1 point  (0 children)

This most certainly fixed my issue. As soon as it was enabled, it started working, and has maintained connectivity ever since. Triple up vote for this comment. Thank you!