When designing a modern data center network, a very common architecture today is L3 underlay + VXLAN overlay + EVPN.
Sooner or later, however, the following question comes up:
Do I really need EVPN L3 routing (L3 VNI) if I only need Layer 2 connectivity over a Layer 3 network?
The short answer is: no, you don’t.
The longer and more important answer is when it makes sense and when it doesn’t.
That’s exactly what this article explains.
What “L2 over L3” Means in Practice
L2 over L3 is an architecture where:
- The physical network (underlay) is purely Layer 3
- Layer 2 segments are transported by encapsulating Ethernet frames into an overlay tunnel that runs over a Layer 3 network. In modern data center fabrics, the transport mechanism is almost always VXLAN.
- MAC and IP reachability information is distributed via EVPN-BGP
The result is that a VLAN can span multiple leaf switches without running STP and without relying on multicast flooding.
EVPN Without L3 Routing (L2-only EVPN)
EVPN is not only about routing. It can be used purely as a Layer 2 control plane.
What You Use
- EVPN Route Type 2 (MAC/IP Advertisement)
- EVPN Route Type 3 (VNI membership)
- VLAN to VNI mapping
- Unicast VXLAN tunnels
What You Do Not Use
- L3 VNI
- EVPN Route Type 5
- Distributed routing
- Anycast gateway inside the fabric
From a logical perspective, the network behaves like a large distributed Layer 2 switch, but it runs on top of a routed Layer 3 fabric.
When L2-only EVPN is a Good Choice
Using EVPN purely for Layer 2 is absolutely valid in many real-world scenarios:
- You have an external router or firewall handling routing
- You need L2 stretch (for example, VM mobility)
- You operate storage VLANs (iSCSI, NFS, vMotion)
- You are migrating from a traditional L2 network
- You are building a small enterprise data center or a lab
In these cases, introducing EVPN L3 routing often adds complexity without delivering any real benefit.
How Traffic Flows in L2-only EVPN
- A server sends a frame into its VLAN
- The leaf switch knows the destination MAC location from EVPN
- The frame is encapsulated into VXLAN
- It is sent unicast directly to the destination leaf
- The destination leaf decapsulates and delivers the frame
There is no:
- flooding
- Spanning Tree
- multicast dependency in the underlay
What You Lose Without EVPN L3 Routing
It is only fair to look at the trade-offs. Without EVPN L3 routing:
- inter-VLAN traffic must go through an external router or firewall
- there is no anycast gateway on every leaf
- scalability is limited with a large number of VLANs
- east–west traffic paths are less optimal
As the network grows, these limitations may become significant.
When EVPN L3 Routing Starts to Make Sense
EVPN L3 routing (L3 VNI) is usually the better choice if:
- you have many VLANs or tenants
- east–west traffic dominates
- you want routing to happen locally on the leaf switches
- you are building a new data center from scratch
- you aim for a cloud-like or multi-tenant architecture
In those scenarios, going all-in with EVPN L3 from the start is often the cleanest design.
PicOS, AmpCon, and Netris: L2 vs L3 EVPN Perspective
With PicOS (https://f5.com)
- L2-only EVPN is fully supported
- L3 VNI is optional
- AmpCon deploys what you design and it does not enforce L3 EVPN
With Netris (https://netris.io/)
- the architecture strongly favors EVPN L3 routing
- L2-only designs are limited
- the philosophy is “routing everywhere, no large L2 domains”
Conclusion
EVPN L3 routing is not mandatory. If L2 over L3 is sufficient and routing is handled elsewhere, L2-only EVPN is a perfectly valid and widely deployed design.
The key is understanding:
- what your network needs today
- how it may evolve tomorrow
EVPN is not a dogma, it is a toolbox.
No comments:
Post a Comment