How EVPN-VXLAN Powers Scalable, Multi-Tenant Data Center Networks
Modern data centers face relentless pressure, more workloads, more tenants, more east-west traffic, and the constant need to scale without complexity. If you are still running a traditional three-tier network or relying on VLANs and Spanning Tree, you have likely already hit those limits.
EVPN-VXLAN is the industry-standard answer. In this guide, we break down exactly how it works, why the leaf-spine topology is its natural partner, and how to choose between symmetric and asymmetric IRB for your environment.
Need help designing your data center fabric? Talk to our engineers →
Why Traditional Data Center Architectures Struggle at Scale
Traditional three-tier data center architectures (core–distribution–access) were engineered for a world dominated by north-south traffic, client-to-server flows. Today, that model is reversed. Modern cloud workloads generate massive east-west traffic between servers, containers, and microservices.
The result is a mismatch that shows up as real operational pain:
- VLAN exhaustion, the 802.1Q standard caps VLANs at 4,094. A large multi-tenant environment exhausts this in a single data center.
- Spanning Tree Protocol (STP) inefficiency, STP blocks redundant links, wastes bandwidth, and causes slow convergence during failures.
- Complex configuration, each change touches multiple devices, increasing human error and change windows.
- Poor fault isolation, a broadcast storm or loop in one VLAN can affect all tenants.
- Rigid workload mobility, in traditional setups, moving a Virtual Machine (VM) between hosts often requires complex VLAN extending, which is prone to configuration drift and network loops.
These are not edge cases. They are architectural constraints that limit how far traditional designs can scale.
What Is EVPN-VXLAN? (Control Plane + Data Plane Explained)
EVPN-VXLAN solves the scalability problem by cleanly separating two concerns:
VXLAN handles the data plane. It encapsulates Layer 2 Ethernet frames inside UDP/IP packets, creating a logical overlay that stretches across any Layer 3 underlay. The key enabler is the 24-bit VXLAN Network Identifier (VNI), which supports over 16 million unique network segments, compared to the 4,094-segment VLAN ceiling.
EVPN handles the control plane. Instead of learning MAC addresses by flooding frames and observing replies (the traditional “flood-and-learn” method), EVPN uses Multi-Protocol BGP (MP-BGP) to distribute MAC and IP reachability information in a controlled, scalable way. This eliminates unnecessary broadcast traffic, speeds up convergence, and gives operators visibility into the network at all times.
Together, they give you a fabric that scales to hundreds of thousands of endpoints without the operational chaos of traditional designs.
Leaf-Spine Architecture: The Ideal Underlay for EVPN-VXLAN
EVPN-VXLAN is almost always deployed on a leaf-spine topology, and for good reason. Leaf-spine provides:
- Predictable latency, any server-to-server path is always leaf → spine → leaf, giving you a fixed, consistent hop count.
- ECMP load balancing, multiple equal-cost paths are available simultaneously, distributing traffic and eliminating bottlenecks.
- Easy horizontal scaling, adding capacity means adding leaf switches, not redesigning the core.
Spine switches in this design focus purely on Layer 3 IP forwarding. They are not VXLAN-aware, they simply route IP packets between leaf nodes as fast as possible.
Leaf switches are where the intelligence lives. They act as VXLAN Tunnel Endpoints (VTEPs), encapsulating and decapsulating VXLAN traffic at the network edge. With Integrated Routing and Bridging (IRB) enabled, a leaf switch serves as both a Layer 2 bridge for intra-subnet traffic and a Layer 3 gateway for inter-subnet traffic, all within the same tenant VRF.
The design separates the underlay (a simple eBGP-routed IP network that moves packets between VTEPs) from the overlay (EVPN-VXLAN, which carries tenant traffic and enforces isolation). This separation makes troubleshooting dramatically easier, underlay problems are IP routing problems; overlay problems are EVPN problems.
EVPN Route Types That Make It Work
EVPN uses different BGP route types, each serving a specific purpose:
| Route Type | Purpose |
|---|---|
| Type 2 (MAC/IP Advertisement) | Advertises a host’s MAC address and IP address to all VTEPs so they can forward traffic directly without flooding |
| Type 3 (Inclusive Multicast Ethernet Tag / IMET) | Allows VTEPs to discover each other and build BUM (Broadcast, Unknown unicast, Multicast) replication lists |
| Type 5 (IP Prefix Route) | Advertises IP prefixes into the fabric for inter-subnet routing; essential for symmetric IRB |
In practice, Type 2 handles known unicast traffic, Type 3 bootstraps the fabric, and Type 5 enables tenant routing to scale across the fabric.
Symmetric IRB vs. Asymmetric IRB: Which Should You Use?
When traffic must cross subnets within a tenant (inter-subnet routing), the leaf switch performs Integrated Routing and Bridging (IRB). There are two models:
Asymmetric IRB
The ingress leaf performs both routing and bridging in one step. The egress leaf only bridges. This is simpler to configure, but it requires the ingress leaf to hold MAC/IP bindings for every host across all remote subnets, control plane state that grows linearly with host count.
Best for: Small to medium deployments with limited subnet counts.
Symmetric IRB
Both ingress and egress leaves perform routing. An additional Layer 3 VNI carries the traffic between them, and Type 5 routes advertise IP prefixes rather than individual host routes. Control plane state is much lower because each VTEP only needs to know about its directly attached subnets.
Best for: Large-scale, multi-tenant environments, the recommended approach for most enterprise and cloud data centers.
Summary: If you are building for scale, use symmetric IRB. The operational overhead of managing per-host state in asymmetric mode quickly outweighs its initial simplicity.
Have questions about symmetric vs. asymmetric IRB for your environment? Talk to an AAANetworkX engineer →
Key Benefits of EVPN-VXLAN for Enterprise and Cloud Data Centers
| Benefit | How EVPN-VXLAN Delivers It |
|---|---|
| Scalability | 24-bit VNIs support 16M+ segments; distributed routing avoids centralized bottlenecks |
| Multi-tenancy | VRFs provide per-tenant routing tables; VNIs enforce data plane isolation |
| High Availability | ECMP across multiple spine paths; fast BGP convergence on failure |
| Operational Simplicity | Control plane learning eliminates flooding; centralized BGP visibility |
| Vendor Interoperability | Open standards (BGP, VXLAN) work across Cisco, Juniper, Arista, Nokia, and others |
EVPN-VXLAN vs. Traditional VLAN and MPLS
| Feature | Traditional VLAN | MPLS | EVPN-VXLAN |
|---|---|---|---|
| Scale | 4,094 segments | High | 16M+ segments |
| Control Plane | Flood-and-learn / STP | LDP / RSVP | MP-BGP |
| Deployment Complexity | Low (but operationally painful at scale) | High | Moderate |
| Cloud/Data Center Fit | Poor | Poor | Excellent |
| Multi-tenancy | Limited | Yes (with L3VPN) | Yes (VRF + VNI) |
EVPN-VXLAN fills the gap between the simplicity of VLANs and the power of MPLS, without requiring a dedicated MPLS transport infrastructure.
Ready to Build a Scalable Data Center Network?
At AAANetworkX, we design and implement modern data center fabrics for enterprises and service providers. Whether you are evaluating EVPN-VXLAN for the first time or planning a migration from a traditional three-tier design, our team can help.
Contact AAANetworkX for a free consultation →
Read next: SD-WAN Explained, Connecting Your Sites to the Cloud →
