Cisco Meraki Documentation

Cloud EVPN Fabric Overview

Fundamentals of Fabric 

  • Underlay Network: The physical IP-based infrastructure that provides connectivity between fabric nodes, typically using a routing protocol such as OSPF for unicast forwarding. It transports the encapsulated overlay traffic without any awareness of the overlay services. 

  • Overlay Network: Built on top of the underlay using VXLAN encapsulation to extend Layer 2 and Layer 3 services. VXLAN Network Identifiers (VNIs) segment traffic into virtual networks, allowing for multi-tenancy and isolation. 

  • Control Plane: Leverages BGP EVPN (Ethernet VPN) for distributing MAC and IP reachability information. EVPN Route Types (e.g., Type 2 for MAC/IP advertisements, Type 3 for Inclusive Multicast Ethernet Tag, Type 5 for IP Prefix routes) enable efficient learning and reduce flooding. 

  • Data Plane: VXLAN tunneling encapsulates Ethernet frames in UDP/IP packets, with VTEPs (VXLAN Tunnel Endpoints) on fabric devices handling encapsulation/decapsulation. Supports symmetric IRB (Integrated Routing and Bridging) for Layer 3 gateways. 

  • Fabric Roles:  

      • Spine: Acts as BGP Route Reflector for control plane scalability. 

      • Leaf: Serves as VTEP for endpoint connectivity. 

      • Border: Provides external connectivity to non-fabric networks. 

      • Nodes can also be multi-role (i.e., Border/Spine). 

  • Key Protocols: BGP for peering and the EVPN address family; optional multicast (PIM) for Broadcast, Unknown unicast, and Multicast (BUM) traffic optimization. 

  • Overlay Network Types: Overlay networks are abstracted from the underlying physical network topology, providing flexible, secure, segmented or extended networks. Cisco Cloud Fabric supports the following structured overlay network types, aligned to enterprise-grade wired and wireless networks: 

      • Routed Overlay: Each Distribution-layer switch provides the unified IP gateway for underlay and overlay wired and wireless VLANs. Underlay IPv4 subnets are routed via OSPF, while overlay IPv4/IPv6 subnets are routed via the BGP EVPN VXLAN fabric. This is the recommended overlay network type for scalable, secure fabric wired and wireless networks. 

      • Distributed AnyCast Gateway – Routed: A flood-free IP subnet stretch between targeted Distribution-layer Leaf switches that share a common IP gateway, which keeps the blast radius small. Alternate overlay type in the fabric to support a selective IP subnet stretch, e.g., seamless and non-disruptive wireless mobility. Suggested for aligning indoor/outdoor wireless RF coverage, or other use cases between targeted Leaf switches on selected VLAN(s) for IPv4/IPv6 endpoints. Non-IP endpoints are not supported. 

      • Distributed AnyCast Gateway – Bridged: A Layer 2 flooded bridge-domain/VLAN and IP subnet stretch between targeted Distribution-layer Leaf switches that share a common IP gateway, which increases the blast radius. Alternate overlay type in the fabric to support a selective VLAN/IP subnet stretch with Layer 2 flooding, e.g., a VLAN with non-IP legacy endpoints, silent hosts, etc. Suggested for extending selected VLANs and their flood boundary between targeted Distribution-layer Leaf switches. 

  • Security and Policy: Integrates with tools like Cisco ISE for micro-segmentation using Adaptive Policy (SGTs) and Group Policies. 
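To make the data plane and control plane bullets concrete, the following added example (not code from this page or from Cisco) models what a VTEP does with a host frame: it prepends the 8-byte VXLAN header carrying the VNI, the far-end VTEP strips it again, and the (source MAC, VNI) pair it learns is exactly what an EVPN Type 2 route carries to the other leaves. Outer IP/UDP headers, the sample frame and the VNI value 10010 are constructed for the example.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port a VTEP sends VXLAN to
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field carries a valid VNI
VXLAN_HEADER = struct.Struct("!B3sI")   # flags, 3 reserved bytes, (VNI << 8) | reserved
ETH_HEADER_LEN = 14


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Build the UDP payload an ingress VTEP sends: VXLAN header followed by the
    untouched Ethernet frame received from the host (outer IP/UDP not modelled)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    if len(inner_frame) < ETH_HEADER_LEN:
        raise ValueError("inner frame shorter than an Ethernet header")
    return VXLAN_HEADER.pack(VXLAN_FLAG_I, b"\x00" * 3, vni << 8) + inner_frame


def vxlan_decapsulate(udp_payload: bytes) -> tuple[int, bytes]:
    """Reverse operation on the egress VTEP; malformed headers are rejected
    rather than silently bridged into some VNI."""
    if len(udp_payload) < VXLAN_HEADER.size + ETH_HEADER_LEN:
        raise ValueError("payload too short for VXLAN + Ethernet headers")
    flags, _reserved, vni_field = VXLAN_HEADER.unpack_from(udp_payload)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI, drop")
    return vni_field >> 8, udp_payload[VXLAN_HEADER.size:]


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def learned_mac_vni(udp_payload: bytes) -> tuple[str, int]:
    """What a leaf learns from a decapsulated frame: the (source MAC, VNI) pair
    that EVPN Type 2 routes advertise to the other VTEPs."""
    vni, frame = vxlan_decapsulate(udp_payload)
    return mac_str(frame[6:12]), vni


# Constructed sample: an ARP-sized broadcast frame from host 02:00:00:00:00:aa
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0200000000aa")
                + b"\x08\x06" + b"\x00" * 28)
SAMPLE_VNI = 10010  # constructed L2VNI value for the example

if __name__ == "__main__":
    payload = vxlan_encapsulate(SAMPLE_VNI, SAMPLE_FRAME)
    print(learned_mac_vni(payload))
```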


Fabric Switch Roles  

Fabric roles in an EVPN VXLAN fabric refer to the designated functions and positions that switches occupy within a spine-leaf architecture to enable efficient, scalable, and redundant overlay networking on top of an IP underlay. These roles dictate how switches manage traffic encapsulation/decapsulation, control plane signaling via BGP EVPN, Layer 2 bridging, Layer 3 routing, and external connectivity. 

Border switches serve as gateways between the EVPN VXLAN fabric and external networks, facilitating Layer 2 or Layer 3 connectivity to non-fabric domains. They handle tasks like route leaking, multicast handoff, and dynamic routing peering. 

Spine switches act as the backbone of the fabric, interconnecting all leaf switches and providing redundant paths for traffic forwarding without direct attachment to endpoints. They typically function as BGP route reflectors or servers to distribute EVPN routes efficiently across the network, focusing on underlay transport of VXLAN-encapsulated packets. 

Leaf switches are edge devices that connect directly to hosts or access devices, operating as VTEPs to encapsulate and decapsulate VXLAN traffic for overlay networks. They support Layer 2 bridging within VNIs, Layer 3 routing via integrated routing and bridging (IRB), and features like ARP suppression and host mobility to ensure local optimization. 

Cisco Catalyst 9300 and 9500 series switches can operate in multi-role configurations, combining functions like spine, leaf, and border on a single device to offer greater flexibility, especially in smaller or consolidated deployments. This hybrid approach reduces the number of physical devices required while preserving full fabric capabilities, such as EVPN control plane management, VTEP operations, and external gateways. 

Supported roles include Spine, Leaf, Border, Border-Spine, Border-Spine-Leaf, and Border-Leaf (Phase 2), allowing for tailored topologies that balance scale, redundancy, and simplicity. 

Dependencies and Requirements

Hardware Requirements  

Cloud Fabric Wired Supported Matrix  

Network Layer                 | Cisco Catalyst Switch Support Matrix                                                                    | Minimum Software Version* | Fabric Role
------------------------------|---------------------------------------------------------------------------------------------------------|---------------------------|--------------------
Access (CS)                   | Cisco 9350; Catalyst 9300/L/LM/X Series; Catalyst 9200/L Series; Catalyst 9200CX Compact; MS390 Series  | 17.18.2                   | Layer 2
Access (MS)                   | MS130X/R; MS150                                                                                         | CS17+                     | Layer 2
Distribution                  | Cisco Catalyst 9300-X                                                                                   | 17.18.2                   | Leaf
Core                          | Catalyst 9500-H Series; Cisco Catalyst 9300-X                                                           | 17.18.2                   | Spine, Border-Spine
Network Edge (WAN, DMZ, etc.) | Catalyst 9500-H Series; Cisco Catalyst 9300-X                                                           | 17.18.2                   | Border

* - Advanced Licensing required for Adaptive Policy

Cloud Fabric Wireless Supported Matrix  

Wireless Vendor | Wireless AP Support Matrix | Operational Mode | Forwarding Mode
----------------|----------------------------|------------------|----------------
Cisco Catalyst  | Catalyst CW916X            | Cloud, Flex      | Distributed
Cisco Meraki    | MR Wireless, Cloud CW916x  | Cloud            | Distributed

Recommendations  

  • Spine Switches: Cisco Catalyst 9500-24Y4C/48Y4C/32C or Cisco Catalyst 9300X-12Y/24Y. 

  • Border Switches: Cisco Catalyst 9500-24Y4C/48Y4C/32C or Cisco Catalyst 9300X family   

  • Leaf Switches: Cisco Catalyst 9300X family 

  • Access Switches: Cisco or Meraki Layer 2 switches that support SGT/TrustSec. Some recommendations are the C9350, C9300/L/LM/X, C9200/L/CX, MS390 and MS150X/MS130X families. 

  • Wireless Access Points: Cisco Catalyst CW916X models running in Cloud Mode: Cisco Catalyst 9162i-M, 9164i-M, or 9166i (Wi-Fi 6/6E support with mGig uplinks). 

  • Connectivity: High-speed interfaces (e.g., 10/25/40/100 Gbps for spine-leaf links using compatible modules on 9300X or 9500H). 


Compatible* Switches  

  • Spine Switches: Cisco Catalyst 9500-H (high-capacity), Cisco Catalyst 9300/L/LM/X and MS390 series switches.

  • Border Switches: Cisco Catalyst 9500-H (high-capacity), Cisco Catalyst 9300/L/LM/X and MS390 series switches.

  • Leaf Switches: Cisco Catalyst 9300/L/LM/X and MS390 family switches. Catalyst C9500-H are not supported as leaf switches in IOS-XE 17.18.2; they will be supported in future releases.

* "Compatible" means it will work, but it is not supported in production environments or at the posted scale limits. This will change with future releases. It is not blocked, so as to facilitate demo and lab use with small-scale testing. Please keep this in mind when using non-recommended switches.

Software Requirements 

  • OS Version: IOS XE 17.18.2 or later 

  • Licensing: Cloud Switching Advanced Licensing required for EVPN and Adaptive Policy 

  • Management Tools: Cisco Meraki Dashboard (for cloud monitoring/management; requires API key and internet access via TCP 443). For devices, see dashboard "Firewall info" help for details. 

  • Authentication: Cisco Identity Services Engine (ISE) version 3.2+ or Cisco Meraki Access Manager. 

  • Underlay Protocols: OSPFv2 for unicast routing 

  • Prerequisites: Layer 3 underlay network with point-to-point interfaces. 

Fabric Reserved Interfaces and Addresses 

For auto-underlay creation these interfaces are used during the Fabric deployment. Make sure existing interfaces don’t overlap and are unused prior to the fabric deployment. You can customize the subnets in use during fabric creation or opt for a "custom underlay" which bypasses the auto-underlay creation allowing for DIY underlays.

  • VLANs 900-915 for underlay. This is for Underlay Routed SVI deployment scenarios only. Custom underlays do not need this reservation.  

  • Core VLANs 965-997 (965 base + VRF number).

  • Loopbacks 100, 200-231, 300-331. Loopback assignment is base + VRF count, and also depends on the multicast configuration.  

  • Subnet 172.16.0.0/16 used for the underlay; this subnet can be changed by Support on the backend using an NFO.  
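A pre-deployment check for the overlap the paragraph above warns about, as an added example that is not Meraki's own tooling: it scans an IOS-XE style running-config for VLAN IDs, SVIs, loopback numbers and IPv4 networks that collide with the auto-underlay reservations listed above (VLANs 900-915 and 965-997, loopbacks 100, 200-231 and 300-331, and 172.16.0.0/16). The sample config is constructed for the example and the regexes only cover the common single-line IOS forms.

```python
import ipaddress
import re

# Auto-underlay reservations from the list above (custom underlays skip them)
RESERVED_VLANS = set(range(900, 916)) | set(range(965, 998))        # 900-915, 965-997
RESERVED_LOOPBACKS = {100} | set(range(200, 232)) | set(range(300, 332))
RESERVED_UNDERLAY = ipaddress.ip_network("172.16.0.0/16")

VLAN_RE = re.compile(r"^vlan (\d+)(?:-(\d+))?", re.M)               # "vlan 905" or "vlan 966-968"
SVI_RE = re.compile(r"^interface Vlan(\d+)", re.M)
LOOPBACK_RE = re.compile(r"^interface Loopback(\d+)", re.M)
IPV4_RE = re.compile(r"^\s*ip address (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", re.M)


def find_reserved_conflicts(config: str) -> dict[str, list]:
    """Return the VLAN IDs, loopback numbers and IPv4 networks in `config` that
    overlap the fabric's reserved ranges; empty lists mean the box is clean."""
    vlans: set[int] = set()
    for lo, hi in VLAN_RE.findall(config):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    vlans.update(int(v) for v in SVI_RE.findall(config))
    loopbacks = {int(n) for n in LOOPBACK_RE.findall(config)}
    nets = {ipaddress.ip_interface(f"{a}/{m}").network for a, m in IPV4_RE.findall(config)}
    return {
        "vlans": sorted(vlans & RESERVED_VLANS),
        "loopbacks": sorted(loopbacks & RESERVED_LOOPBACKS),
        "subnets": sorted(str(n) for n in nets if n.overlaps(RESERVED_UNDERLAY)),
    }


# Constructed sample config (not from any real device); three deliberate collisions
SAMPLE_CONFIG = """\
vlan 10
vlan 905
vlan 966-968
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback210
 ip address 172.16.3.7 255.255.255.255
interface GigabitEthernet1/0/1
 no switchport
 ip address 192.168.1.1 255.255.255.0
"""

if __name__ == "__main__":
    print(find_reserved_conflicts(SAMPLE_CONFIG))
```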


Fabric Deployment Use-Cases / Phases 

Scale and Capacity: 

Supported scale in Phase 1: 300 APs and 3000 clients over 16 distribution blocks, with 32 VRFs and 500 access switches.

Fabric Phase   | Access Points | Access Switches | Fabric Clients | VRFs | Distribution Blocks
---------------|---------------|-----------------|----------------|------|--------------------
IOS-XE 17.18.2 | 300*          | 500*            | 3000*          | 32   | 16

* Scale numbers subject to change pending scale testing and validation. These are safe numbers for guidance at this time.


Phase 1 (IOS-XE 17.18.2): Distribution Level Fabric

This architecture focuses on deploying the EVPN fabric at the distribution layer, where Catalyst 9500/9300x switches act as leaf nodes connected to traditional Layer 2 access switches. It enables overlay services for segmentation and mobility while maintaining existing access layer designs. Ideal for initial migrations, providing quick wins in scalability for multi-tenant environments like office buildings or campuses.  

Phase 2 (IOS-XE 26.2.X): Loop-Free Routed Access

Building on Phase 1, this extends the fabric to the access layer by implementing routed connections (Layer 3) from access switches to distribution leaves, eliminating spanning tree loops and enabling full IP-based forwarding. Catalyst 9300 series access switches become fabric edges with VTEP capabilities, supporting end-to-end EVPN for enhanced redundancy and efficiency. Suited for greenfield deployments or advanced optimizations in high-density environments, such as data centers or large enterprises, with future-proofing for zero-trust policies and IoT integration. 


Fabric Overlay Routing  

This architecture supports three primary types of overlay subnets: Routed, DAG Routed, and DAG Bridged. Each type addresses different requirements for inter-subnet forwarding, scalability, and operational efficiency. The main differences are the use of a Distributed Anycast Gateway ("DAG") and the handling of Broadcast, Unknown-unicast and Multicast traffic ("BUM traffic"). 


Routed Subnet  

  • Layer 3 subnet located solely on a single leaf; it cannot be stretched across multiple leaves 

Requirements: Subnets must be unique and do not require matching VLAN IDs 

Scale: Highly scalable 

 

DAG Routed  

  • Layer 3 subnet stretched across multiple leaves using a Distributed Anycast Gateway 

  • BUM traffic replication is restricted to the access switch and does not bridge between switches attached to the same leaf 

Requirements: Subnets require the same VLAN ID and share the same Layer 3 subnet 

Scale: Scalable across large networks 

 

DAG Bridged (DAG Routed + BUM Traffic)  

  • Layer 3 subnet stretched across multiple leaves using a Distributed Anycast Gateway 

  • Layer 2 BUM traffic replication is distributed across all leaves   

Requirements: Subnets require the same VLAN ID and share the same Layer 3 subnet 

Scale: Resource intensive; use only as required 
