{"id":2984,"date":"2026-05-11T17:31:59","date_gmt":"2026-05-11T16:31:59","guid":{"rendered":"https:\/\/www.safekom.pl\/blog\/?p=2984"},"modified":"2026-05-11T17:31:59","modified_gmt":"2026-05-11T16:31:59","slug":"tgw-evpn-vxlan-configuration","status":"publish","type":"post","link":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/","title":{"rendered":"TGW EVPN\/VXLAN Configuration"},"content":{"rendered":"<div class=\"dtgw-post\">\n<p>In a previous post I showed <a href=\"https:\/\/www.safekom.pl\/blog\/vmware\/nsx\/nsx-t-evpn\/\">how to configure EVPN in NSX-T 3.0 with Juniper vMX<\/a>, where the MP-BGP session originated from an Edge node through the T0 Gateway and VRFs were terminated on T0 and connected to T1. Today I&#8217;ll cover the next step in the evolution of that feature in VCF 9.1 \u2014 <strong>Distributed Transit Gateway with EVPN\/VXLAN<\/strong>, where Edge nodes disappear from the picture entirely and N\/S traffic flows directly from each ESX host through a VXLAN tunnel to an external BGW.<\/p>\n<p>Below is the full configuration from my test environment using VyOS as the BGW and four ESXi hosts in the homelab.int domain.<\/p>\n<hr \/>\n<h4>What is DTGW with EVPN\/VXLAN<\/h4>\n<p>DTGW (Distributed Transit Gateway) is a new option for connecting VCF to the physical network, available since VCF 9.0. VCF 9.1 adds support for EVPN\/VXLAN as the uplink type instead of a traditional VLAN \u2014 the same BGP EVPN Type-5 mechanism familiar from physical fabrics like Arista, Cisco Nexus, and Juniper.<\/p>\n<p>In short, the differences compared to the old NSX-T 3.0 approach:<\/p>\n<table>\n<thead>\n<tr>\n<th>NSX-T 3.0 \/ EVPN on T0<\/th>\n<th>VCF 9.1 \/ DTGW EVPN\/VXLAN<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>BGP EVPN originates from Edge node<\/td>\n<td>BGP EVPN originates from Route Controller (VNA)<\/td>\n<\/tr>\n<tr>\n<td>Traffic: VM \u2192 Edge \u2192 BGW<\/td>\n<td>Traffic: VM \u2192 Host TEP \u2192 BGW (no Edge)<\/td>\n<\/tr>\n<tr>\n<td>VXLAN tunnels terminate on Edge<\/td>\n<td>VXLAN tunnels terminate on each ESX host (TEP)<\/td>\n<\/tr>\n<tr>\n<td>VRFs on T0 Gateway<\/td>\n<td>VRFs managed by DTGW + Route Controller<\/td>\n<\/tr>\n<tr>\n<td>Edge node lifecycle required<\/td>\n<td>No Edge \u2014 no Edge lifecycle<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The BGP EVPN Type-5 mechanism, Route Distinguisher, and Route Target work 
identically to what I described in the <a href=\"https:\/\/www.safekom.pl\/blog\/vmware\/nsx\/nsx-t-evpn\/\">previous NSX-T EVPN post<\/a> \u2014 only the tunnel termination point and management model change.<\/p>\n<h4>Requirements and limitations<\/h4>\n<table>\n<thead>\n<tr>\n<th>Requirements<\/th>\n<th>Limitations in VCF 9.1<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VCF 9.1 \/ NSX 9.1<\/td>\n<td>No N-S Services (SNAT, LB) \u2014 planned for a future VCF release<\/td>\n<\/tr>\n<tr>\n<td>BGW supporting BGP EVPN Type-5 (MP-BGP)<\/td>\n<td>L3 only (Route Type-5) \u2014 no L2 extension to the fabric<\/td>\n<\/tr>\n<tr>\n<td>Underlay MTU min. 1600 (VXLAN overhead ~50 B)<\/td>\n<td>Access Mode: Private requires manual NAT on the BGW side<\/td>\n<\/tr>\n<tr>\n<td>DVS port group required for the RC BGP peering network<\/td>\n<td>VyOS VRF table ID must be in the range 1\u2013200 if you plan to use NAT<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>Test environment<\/h4>\n<table>\n<thead>\n<tr>\n<th>Element<\/th>\n<th>Value<\/th>\n<th>Note<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>ESXi hosts<\/td>\n<td><code>ESXi11 \u2013 ESXi14<\/code><\/td>\n<td>domain homelab.int<\/td>\n<\/tr>\n<tr>\n<td>VLAN TEP Host<\/td>\n<td><code>10.231.104.0\/24<\/code><\/td>\n<td>vmk Host TEP<\/td>\n<\/tr>\n<tr>\n<td>VLAN BGP Peering<\/td>\n<td><code>10.231.106.0\/24<\/code><\/td>\n<td>eth2.506 on VyOS<\/td>\n<\/tr>\n<tr>\n<td>Peer VyOS (BGW)<\/td>\n<td><code>10.231.106.1<\/code><\/td>\n<td>BGP update-source<\/td>\n<\/tr>\n<tr>\n<td>Peer RC (BGP VIP)<\/td>\n<td><code>10.231.106.10<\/code><\/td>\n<td>Route Controller floating IP<\/td>\n<\/tr>\n<tr>\n<td>ASN VyOS<\/td>\n<td><code>64515<\/code><\/td>\n<td>BGP system-as<\/td>\n<\/tr>\n<tr>\n<td>ASN Route Controller<\/td>\n<td><code>64520<\/code><\/td>\n<td>remote-as in VyOS<\/td>\n<\/tr>\n<tr>\n<td>L3VNI \/ VNI<\/td>\n<td><code>65000<\/code><\/td>\n<td>tenant VRF identifier<\/td>\n<\/tr>\n<tr>\n<td>VRF (VyOS)<\/td>\n<td><code>test<\/code><\/td>\n<td>table 
65000<\/td>\n<\/tr>\n<tr>\n<td>Subnet VM (External IP Block)<\/td>\n<td><code>10.231.200.0\/24<\/code><\/td>\n<td>VM addresses in Public mode<\/td>\n<\/tr>\n<tr>\n<td>RD VyOS (global)<\/td>\n<td><code>64515:10<\/code><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>RD VyOS (VRF)<\/td>\n<td><code>10.231.106.1:10<\/code><\/td>\n<td>unique per-VRF<\/td>\n<\/tr>\n<tr>\n<td>Export RT VyOS<\/td>\n<td><code>64515:10<\/code><\/td>\n<td><\/td>\n<\/tr>\n<tr>\n<td>Import RT VyOS<\/td>\n<td><code>64515:10 + 64520:10<\/code><\/td>\n<td>also imports RT from RC<\/td>\n<\/tr>\n<tr>\n<td>Export RT RC<\/td>\n<td><code>64520:10<\/code><\/td>\n<td>configured in NSX External Connectivity<\/td>\n<\/tr>\n<tr>\n<td>Import RT RC<\/td>\n<td><code>64515:10<\/code><\/td>\n<td>imports RT from VyOS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>Diagram<\/h5>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2962\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2962\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?fit=751%2C931&amp;ssl=1\" data-orig-size=\"751,931\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"vxlan-tgw\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?fit=751%2C931&amp;ssl=1\" class=\"alignnone size-full wp-image-2962\" 
src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?resize=751%2C931&#038;ssl=1\" alt=\"TGW home lab with vxlan\" width=\"751\" height=\"931\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?w=751&amp;ssl=1 751w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?resize=242%2C300&amp;ssl=1 242w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/vxlan-tgw.png?resize=600%2C744&amp;ssl=1 600w\" sizes=\"auto, (max-width: 751px) 100vw, 751px\" \/><\/a><\/p>\n<h5>Connectivity check before configuration<\/h5>\n<p>Before deploying the RC it is worth verifying that the ESXi hosts can reach the address that will be used as the VXLAN <code>source-address<\/code> on the VyOS side. Ping from vmk10 and vmk11 to the BGW address:<\/p>\n<pre class=\"pre-own\"><code>[root@ESXi11:~] ping -I vmk10 10.231.106.1 -S vxlan\r\nPING 10.231.106.1 (10.231.106.1): 56 data bytes\r\n64 bytes from 10.231.106.1: icmp_seq=0 ttl=64 time=0.425 ms\r\n64 bytes from 10.231.106.1: icmp_seq=1 ttl=64 time=0.424 ms\r\n64 bytes from 10.231.106.1: icmp_seq=2 ttl=64 time=0.394 ms\r\n3 packets transmitted, 3 packets received, 0% packet loss\r\n\r\n[root@ESXi11:~] ping -I vmk11 10.231.106.1 -S vxlan\r\nPING 10.231.106.1 (10.231.106.1): 56 data bytes\r\n64 bytes from 10.231.106.1: icmp_seq=0 ttl=64 time=0.748 ms\r\n64 bytes from 10.231.106.1: icmp_seq=1 ttl=64 time=0.820 ms\r\n64 bytes from 10.231.106.1: icmp_seq=2 ttl=64 time=0.340 ms\r\n3 packets transmitted, 3 packets received, 0% packet loss<\/code><\/pre>\n<p>No response at this stage means VXLAN tunnels will not work even if the BGP session is Established. 
We set the MTU to 9000; VXLAN adds ~50 B of overhead so there is plenty of headroom.<\/p>\n<hr \/>\n<h4>VyOS configuration (BGW)<\/h4>\n<h5>Interfaces \u2014 VXLAN, bridge<\/h5>\n<pre class=\"pre-own\"><code># trunk VLAN on eth2, MTU 9000 (underlay)\r\nset interfaces ethernet eth2 mtu '9000'\r\nset interfaces ethernet eth2 vif 506 address '10.231.106.1\/24'\r\nset interfaces ethernet eth2 vif 504 address '10.231.104.1\/24'\r\n\r\n# VXLAN \u2014 VNI 65000 = tenant L3VNI\r\n# source-address = BGP peering address\r\nset interfaces vxlan vxlan65000 mtu '1500'\r\nset interfaces vxlan vxlan65000 port '4789'\r\nset interfaces vxlan vxlan65000 source-address '10.231.106.1'\r\nset interfaces vxlan vxlan65000 vni '65000'\r\n\r\n# bridge connects VXLAN to VRF \"test\"\r\nset interfaces bridge br1 address '10.231.251.1\/24'\r\nset interfaces bridge br1 member interface vxlan65000\r\nset interfaces bridge br1 vrf 'test'<\/code><\/pre>\n<h5>Global BGP and Route Controller session<\/h5>\n<pre class=\"pre-own\"><code>set protocols bgp system-as '64515'\r\nset protocols bgp parameters router-id '10.231.106.1'\r\nset protocols bgp parameters bestpath as-path multipath-relax\r\n\r\nset protocols bgp address-family ipv4-unicast redistribute connected\r\nset protocols bgp address-family ipv4-unicast redistribute static\r\nset protocols bgp address-family ipv4-unicast import vrf 'test'\r\n\r\nset protocols bgp address-family l2vpn-evpn advertise ipv4 unicast\r\nset protocols bgp address-family l2vpn-evpn advertise-all-vni\r\nset protocols bgp address-family l2vpn-evpn advertise-default-gw\r\nset protocols bgp address-family l2vpn-evpn advertise-svi-ip\r\nset protocols bgp address-family l2vpn-evpn default-originate ipv4\r\n\r\n# BGP session with the Route Controller (BGP VIP)\r\nset protocols bgp neighbor 10.231.106.10 remote-as '64520'\r\nset protocols bgp neighbor 10.231.106.10 update-source '10.231.106.1'\r\nset protocols bgp neighbor 10.231.106.10 address-family ipv4-unicast 
default-originate\r\nset protocols bgp neighbor 10.231.106.10 address-family ipv4-vpn route-server-client\r\nset protocols bgp neighbor 10.231.106.10 address-family l2vpn-evpn soft-reconfiguration inbound<\/code><\/pre>\n<p>A few notes on the RC neighbor parameters:<\/p>\n<ul>\n<li><code>default-originate<\/code> \u2014 VyOS advertises the default route to the RC which then distributes it to ESX hosts<\/li>\n<li><code>soft-reconfiguration inbound<\/code> \u2014 reset BGP policy without dropping the session, useful during testing<\/li>\n<li><code>route-server-client<\/code> \u2014 facilitates route propagation between BGP clients through the RC<\/li>\n<\/ul>\n<h5>VRF &#8222;test&#8221;<\/h5>\n<p>Note \u2014 VyOS requires the table ID to be in the range 1\u2013200 if you plan to use <code>connection-mark<\/code> for NAT from within the VRF. In this example I use <code>table '65000'<\/code> which works fine for routing, but consider changing it to e.g. <code>100<\/code> if you plan to add NAT later.<\/p>\n<pre class=\"pre-own\"><code>set vrf name test table '65000'\r\nset vrf name test vni '65000'\r\n\r\nset vrf name test protocols bgp system-as '64515'\r\nset vrf name test protocols bgp parameters router-id '10.231.106.1'\r\n\r\nset vrf name test protocols bgp address-family ipv4-unicast import vrf 'default'\r\nset vrf name test protocols bgp address-family ipv4-unicast redistribute connected\r\nset vrf name test protocols bgp address-family ipv4-unicast redistribute static\r\n\r\n# RD and RT per-VRF \u2014 different from global!\r\nset vrf name test protocols bgp address-family l2vpn-evpn rd '10.231.106.1:10'\r\nset vrf name test protocols bgp address-family l2vpn-evpn route-target export '64515:10'\r\nset vrf name test protocols bgp address-family l2vpn-evpn route-target import '64520:10'\r\nset vrf name test protocols bgp address-family l2vpn-evpn route-target import '64515:10'\r\nset vrf name test protocols bgp address-family l2vpn-evpn vni 65000\r\n\r\nset vrf 
name test protocols bgp address-family l2vpn-evpn advertise ipv4 unicast\r\nset vrf name test protocols bgp address-family l2vpn-evpn advertise-default-gw\r\nset vrf name test protocols bgp address-family l2vpn-evpn advertise-svi-ip<\/code><\/pre>\n<p>Route Target logic:<\/p>\n<table>\n<thead>\n<tr>\n<th>Side<\/th>\n<th>Export RT<\/th>\n<th>Import RT<\/th>\n<th>Effect<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>VyOS (BGW)<\/td>\n<td><code>64515:10<\/code><\/td>\n<td><code>64515:10<\/code>, <code>64520:10<\/code><\/td>\n<td>VyOS imports routes from RC and its own<\/td>\n<\/tr>\n<tr>\n<td>Route Controller (NSX)<\/td>\n<td><code>64520:10<\/code><\/td>\n<td><code>64515:10<\/code><\/td>\n<td>RC imports routes from VyOS (default route and external networks)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>VyOS configuration verification \u2014 VNI and bridge<\/h5>\n<p>After finishing the VyOS configuration, verify that the VNI is active and the bridge is properly set up:<\/p>\n<pre><code>vyos@vyos:~$ show bgp l2vpn evpn vni\r\nAdvertise Gateway Macip: Enabled\r\nAdvertise SVI Macip: Enabled\r\nAdvertise All VNI flag: Enabled\r\nBUM flooding: Head-end replication\r\nVXLAN flooding: Enabled\r\nNumber of L2 VNIs: 1\r\nNumber of L3 VNIs: 1\r\nFlags: * - Kernel\r\n  VNI        Type RD                    Import RT                 Export RT                 Tenant VRF\r\n  65000      L2   10.231.106.1:2        64515:10                  64515:10                  default\r\n* 65000      L3   10.231.106.1:10       64515:10, ...             
64515:10                  test\r\n\r\n# * = Kernel = active in kernel table (L3 VNI)\r\n# L2 VNI without asterisk = bridge with no VPC subnet assigned (normal before adding a VM)<\/code><\/pre>\n<pre><code>vyos@vyos:~$ show evpn vni 65000\r\nVNI: 65000\r\n  Type: L3\r\n  Tenant VRF: test\r\n  Vlan: 1\r\n  Bridge: br1\r\n  Local Vtep Ip: 10.231.106.1\r\n  Vxlan-Intf: vxlan65000\r\n  SVI-If: br1\r\n  State: Up\r\n  VNI Filter: none\r\n  System MAC: c2:8f:db:73:82:3c\r\n  Router MAC: c2:8f:db:73:82:3c\r\n  L2 VNIs:<\/code><\/pre>\n<p><code>State: Up<\/code> and <code>Local Vtep Ip<\/code> matching the <code>source-address<\/code> of the vxlan65000 interface \u2014 this is the address that will appear as the VTEP in BGP EVPN Type-5 advertisements to the RC.<\/p>\n<pre><code>vyos@vyos:~$ show bridge br1 detail\r\nInterface br1 is up, line protocol is up\r\n  Link ups:      13    last: 2026\/05\/07 10:28:54.00\r\n  Link downs:    14    last: 2026\/05\/07 10:28:54.00\r\n  vrf: test\r\n  index 17 metric 0 mtu 1500 speed 0 txqlen 1000\r\n  flags: &lt;UP,LOWER_UP,BROADCAST,RUNNING,MULTICAST&gt;\r\n  Type: Ethernet\r\n  HWaddr: c2:8f:db:73:82:3c   # this MAC == Router MAC in EVPN\r\n  inet 10.231.251.1\/24\r\n  Interface Type Bridge\r\n  Interface Slave Type Vrf\r\n  Bridge VLAN-aware: no\r\n  protodown: off<\/code><\/pre>\n<p>The MAC address of bridge br1 (<code>c2:8f:db:73:82:3c<\/code>) is used as the Router MAC in RT-5 advertisements. 
This is why the RD on the VyOS side and on the RC side must be different \u2014 each side needs its own unique values.<\/p>\n<hr \/>\n<h4>NSX \/ VCF configuration<\/h4>\n<h5>Step 1 \u2014 Deploy the Route Controller<\/h5>\n<p>Navigate to NSX Manager &#8211;&gt; Network &#8211;&gt; EVPN &#8211;&gt; Route Controllers and click Add Route Controller.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2963\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2963\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?fit=900%2C305&amp;ssl=1\" data-orig-size=\"900,305\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw01\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?fit=770%2C261&amp;ssl=1\" class=\"alignnone size-full wp-image-2963\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?resize=770%2C261&#038;ssl=1\" alt=\"Add Route Controller\" width=\"770\" height=\"261\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?w=900&amp;ssl=1 900w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?resize=300%2C102&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?resize=768%2C260&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw01.jpg?resize=600%2C203&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>Fill in the details:<\/p>\n<ul>\n<li>Route Controller Name: <span class=\"lab\">evpn-test<\/span><\/li>\n<li>Node Form Factor: small<\/li>\n<\/ul>\n<p>Click <strong>Add<\/strong> and fill in the Node 1 details \u2014 Management Network information for the virtual appliance:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2965\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2965\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?fit=461%2C556&amp;ssl=1\" data-orig-size=\"461,556\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw02\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?fit=461%2C556&amp;ssl=1\" class=\"alignnone size-full wp-image-2965\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?resize=461%2C556&#038;ssl=1\" alt=\"evpn-router_controller\" width=\"461\" height=\"556\" 
srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?w=461&amp;ssl=1 461w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw02.jpg?resize=249%2C300&amp;ssl=1 249w\" sizes=\"auto, (max-width: 461px) 100vw, 461px\" \/><\/a><\/p>\n<ul>\n<li>Management IP, Gateway, DNS \u2014 <span class=\"lab\">values from your mgmt network<\/span><\/li>\n<li>Datastore, Cluster, Host \u2014 <span class=\"lab\">select from your vCenter<\/span><\/li>\n<\/ul>\n<p>After filling in the node details click <strong>Next<\/strong> (I use a single node in the lab). On the next screen configure the BGP interface:<\/p>\n<ul>\n<li>Port Group \u2014 <span class=\"lab\">DVS port group for VLAN 506 (BGP peering)<\/span>, must exist before deployment<\/li>\n<li>Node 1 IP \/ Node 2 IP \u2014 node addresses on the BGP network<\/li>\n<li>BGP Floating IP \u2014 <span class=\"lab\">10.231.106.10<\/span> \u2014 active RC VIP, this address goes into VyOS as the <code>neighbor<\/code><\/li>\n<li>Prefix length \u2014 <code>\/24<\/code><\/li>\n<\/ul>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2967\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2967\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?fit=1607%2C755&amp;ssl=1\" data-orig-size=\"1607,755\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" 
data-image-title=\"evpn_vxlan_tgw04\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?fit=770%2C362&amp;ssl=1\" class=\"alignnone size-full wp-image-2967\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=770%2C362&#038;ssl=1\" alt=\"\" width=\"770\" height=\"362\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?w=1607&amp;ssl=1 1607w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=300%2C141&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=1024%2C481&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=768%2C361&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=1536%2C722&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw04.jpg?resize=600%2C282&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>After clicking Finish the RC is deployed automatically. 
Wait 5\u201310 minutes, then verify the status:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2972\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2972\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?fit=1737%2C636&amp;ssl=1\" data-orig-size=\"1737,636\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw05\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?fit=770%2C282&amp;ssl=1\" class=\"alignnone size-full wp-image-2972\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=770%2C282&#038;ssl=1\" alt=\"\" width=\"770\" height=\"282\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?w=1737&amp;ssl=1 1737w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=300%2C110&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=1024%2C375&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=768%2C281&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=1536%2C562&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw05.jpg?resize=600%2C220&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>Click on BGP Neighbors:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2971\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2971\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?fit=1696%2C322&amp;ssl=1\" data-orig-size=\"1696,322\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw06\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?fit=770%2C146&amp;ssl=1\" class=\"alignnone size-full wp-image-2971\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=770%2C146&#038;ssl=1\" alt=\"\" width=\"770\" height=\"146\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?w=1696&amp;ssl=1 1696w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=300%2C57&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=1024%2C194&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=768%2C146&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=1536%2C292&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw06.jpg?resize=600%2C114&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>An Idle state on one node is normal \u2014 the active RC shows Established, the standby shows Idle. If the active node also shows Idle or Active, do Disable &#8211;&gt; Enable on the BGP Neighbor in the NSX UI and wait a moment.<\/p>\n<p>Verify on the VyOS side \u2014 <code>State\/PfxRcd<\/code> shown as a number (not &#8222;Active&#8221; \/ &#8222;Connect&#8221;) = session established:<\/p>\n<pre><code>vyos@vyos:~$ show bgp l2vpn evpn summary\r\nBGP router identifier 10.231.106.1, local AS number 64515 VRF default vrf-id 0\r\n\r\nNeighbor        V         AS   MsgRcvd   MsgSent   TblVer  Up\/Down  State\/PfxRcd PfxSnt\r\n10.231.106.10   4      64520      2991      3024       15    22:20:56            2     16  N\/A\r\n\r\n# State\/PfxRcd as a number \u2014 session Established, VyOS has received 2 prefixes from the RC\r\n# other neighbors (10.231.107.11, .12 etc.) 
\u2014 Active = other segments, not this EVPN\/VXLAN setup<\/code><\/pre>\n<h5>Step 2 \u2014 External Connectivity (Distributed VXLAN Connection)<\/h5>\n<p>Navigate to Network &#8211;&gt; VPC Connectivity &#8211;&gt; External Connectivity and click Add External Connectivity.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2974\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2974\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?fit=872%2C246&amp;ssl=1\" data-orig-size=\"872,246\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw08\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?fit=770%2C217&amp;ssl=1\" class=\"alignnone size-full wp-image-2974\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?resize=770%2C217&#038;ssl=1\" alt=\"\" width=\"770\" height=\"217\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?w=872&amp;ssl=1 872w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?resize=300%2C85&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?resize=768%2C217&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw08.jpg?resize=600%2C169&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2973\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2973\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?fit=1727%2C861&amp;ssl=1\" data-orig-size=\"1727,861\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw07\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?fit=770%2C384&amp;ssl=1\" class=\"alignnone size-full wp-image-2973\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=770%2C384&#038;ssl=1\" alt=\"\" width=\"770\" height=\"384\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?w=1727&amp;ssl=1 1727w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=300%2C150&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=1024%2C511&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=768%2C383&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=1536%2C766&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw07.jpg?resize=600%2C299&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>Fill in the form:<\/p>\n<ul>\n<li>Type \u2014 <code>Distributed VXLAN Connection<\/code><\/li>\n<li>Route Controller \u2014 <span class=\"lab\">evpn-test<\/span> (deployed in Step 1)<\/li>\n<li>EVPN L3 VNI \u2014 <span class=\"lab\">65000<\/span> \u2014 must match <code>vni 65000<\/code> in VyOS<\/li>\n<li>Route Distinguisher \u2014 <span class=\"lab\">10.231.106.10:65000<\/span> \u2014 BGP VIP : VNI; must differ from the VyOS RD (<code>10.231.106.1:10<\/code>)<\/li>\n<li>Import Route Target \u2014 <span class=\"lab\">64515:10<\/span> \u2014 import routes exported by VyOS<\/li>\n<li>Export Route Target \u2014 <span class=\"lab\">64520:10<\/span> \u2014 VyOS must import this<\/li>\n<\/ul>\n<p>The creation task completes within a few seconds.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2975\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2975\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?fit=1732%2C350&amp;ssl=1\" data-orig-size=\"1732,350\" data-comments-opened=\"0\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw09\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?fit=770%2C156&amp;ssl=1\" class=\"alignnone size-full wp-image-2975\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=770%2C156&#038;ssl=1\" alt=\"\" width=\"770\" height=\"156\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?w=1732&amp;ssl=1 1732w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=300%2C61&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=1024%2C207&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=768%2C155&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=1536%2C310&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw09.jpg?resize=600%2C121&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<h5>Step 3 \u2014 Configure DTGW<\/h5>\n<p>Navigate to Network &#8211;&gt; VPC Connectivity &#8211;&gt; Transit Gateway. 
You can edit the default TGW or add a new one.<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2976\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2976\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?fit=864%2C345&amp;ssl=1\" data-orig-size=\"864,345\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw10\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?fit=770%2C307&amp;ssl=1\" class=\"alignnone size-full wp-image-2976\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?resize=770%2C307&#038;ssl=1\" alt=\"\" width=\"770\" height=\"307\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?w=864&amp;ssl=1 864w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?resize=300%2C120&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?resize=768%2C307&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw10.jpg?resize=600%2C240&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>In the TGW edit 
form:<\/p>\n<ul>\n<li>Connectivity (Uplink Type) \u2014 change to <code>Distributed VXLAN<\/code><\/li>\n<li>External Connectivity \u2014 <span class=\"lab\">select the record matching our RC<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2977\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2977\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?fit=844%2C774&amp;ssl=1\" data-orig-size=\"844,774\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw11\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?fit=770%2C706&amp;ssl=1\" class=\"alignnone size-full wp-image-2977\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?resize=770%2C706&#038;ssl=1\" alt=\"\" width=\"770\" height=\"706\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?w=844&amp;ssl=1 844w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?resize=300%2C275&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?resize=768%2C704&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw11.jpg?resize=600%2C550&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<p>After saving, open the VPC Connectivity Profile associated with the TGW and edit it. Define the address pools:<\/p>\n<ul>\n<li>External IP Address Block \u2014 <span class=\"lab\">10.231.200.0\/24<\/span> \u2014 pool routable from the BGW, used to assign IPs to VMs in Public mode<\/li>\n<li>Private TGW IP Address Block \u2014 <span class=\"lab\">172.26.0.0\/16<\/span> \u2014 private pool within the TGW<\/li>\n<\/ul>\n<hr \/>\n<h4>Creating a VPC and Subnet<\/h4>\n<h5>VPC<\/h5>\n<p>In vSphere Client navigate to Virtual Private Clouds &#8211;&gt; New Virtual Private Cloud.<\/p>\n<ul>\n<li>Name \u2014 <span class=\"lab\">test-vpc<\/span><\/li>\n<li>Private VPC IP CIDR \u2014 <span class=\"lab\">192.168.0.0\/16<\/span><\/li>\n<li>Advanced Settings &#8211;&gt; Connectivity Profile \u2014 verify that the profile linked to the DTGW is selected<\/li>\n<\/ul>\n<h5>Optional \u2014 Default VPC Service Profile<\/h5>\n<p>Before creating a subnet you can edit the Default VPC Service Profile to have DHCP advertise DNS and NTP. 
Navigate to VPC &#8211;&gt; Profiles &#8211;&gt; VPC Service Profiles &#8211;&gt; edit Default VPC Service Profile.<\/p>\n<ul>\n<li>DNS Server \u2014 <span class=\"lab\">10.231.106.1<\/span> (VyOS)<\/li>\n<li>NTP Server \u2014 <span class=\"lab\">10.231.106.1<\/span> (VyOS)<\/li>\n<\/ul>\n<h5>Subnet (Public mode)<\/h5>\n<p>In the VPC view click New Subnet\u2026<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2978\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2978\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?fit=1666%2C804&amp;ssl=1\" data-orig-size=\"1666,804\" data-comments-opened=\"0\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw13\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?fit=770%2C371&amp;ssl=1\" class=\"alignnone size-full wp-image-2978\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=770%2C372&#038;ssl=1\" alt=\"\" width=\"770\" height=\"372\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?w=1666&amp;ssl=1 1666w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=300%2C145&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=1024%2C494&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=768%2C371&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=1536%2C741&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw13.jpg?resize=600%2C290&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<ul>\n<li>Subnet Name \u2014 <span class=\"lab\">public-sub-01<\/span><\/li>\n<li>VLAN Extension \u2014 <code>No<\/code> (L2 extension feature, not applicable for EVPN\/VXLAN)<\/li>\n<li>Access Mode \u2014 <span class=\"lab\">Public<\/span><\/li>\n<li>IP Block \u2014 select from External IP Address Block <span class=\"lab\">10.231.200.8\/29<\/span><\/li>\n<\/ul>\n<p>In Advanced Settings:<\/p>\n<ul>\n<li>VPC Gateway Connectivity \u2014 <code>Yes<\/code> (default, leave as is)<\/li>\n<li>DHCP \u2014 <span class=\"lab\">DHCP Server<\/span><\/li>\n<\/ul>\n<hr \/>\n<h4>Connecting a VM and verification<\/h4>\n<h5>Connecting the vNIC to the VPC subnet<\/h5>\n<p>In the VM settings under the VPC Subnets tab select <span class=\"lab\">test<\/span> and save.<\/p>\n<h5>Verification from the Guest OS<\/h5>\n<p>After powering on the VM verify the DHCP address and default gateway:<\/p>\n<p><a href=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?ssl=1\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" data-attachment-id=\"2979\" data-permalink=\"https:\/\/www.safekom.pl\/blog\/?attachment_id=2979\" data-orig-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?fit=1626%2C856&amp;ssl=1\" data-orig-size=\"1626,856\" data-comments-opened=\"0\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"evpn_vxlan_tgw14\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?fit=770%2C405&amp;ssl=1\" class=\"alignnone size-full wp-image-2979\" src=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=770%2C405&#038;ssl=1\" alt=\"\" width=\"770\" height=\"405\" srcset=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?w=1626&amp;ssl=1 1626w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=300%2C158&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=1024%2C539&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=768%2C404&amp;ssl=1 768w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=1536%2C809&amp;ssl=1 1536w, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2026\/05\/evpn_vxlan_tgw14.jpg?resize=600%2C316&amp;ssl=1 600w\" sizes=\"auto, (max-width: 770px) 100vw, 770px\" \/><\/a><\/p>\n<h5>VyOS verification \u2014 BGP EVPN routes<\/h5>\n<p>After powering on the VM, \/32 routes to each VM should appear in the VyOS VRF test routing table with next-hop = TEP of the ESX host running the VM:<\/p>\n<pre><code>vyos@vyos:~$ show bgp l2vpn evpn summary\r\nBGP router identifier 10.231.106.1, local AS 
number 64515 VRF default vrf-id 0\r\nRIB entries 9, using 1296 bytes of memory\r\nPeers 1, using 29 KiB of memory\r\n\r\nNeighbor        V         AS   MsgRcvd   MsgSent   TblVer  Up\/Down  State\/PfxRcd PfxSnt\r\n10.231.106.10   4      64520      2991      3024       15    22:20:56            2     16  N\/A\r\n\r\n# State\/PfxRcd = 2 \u2014 RC is advertising 2 prefixes (\/32 for 2 VMs)\r\n# PfxSnt = 16 \u2014 VyOS is advertising 16 prefixes (connected + default route)<\/code><\/pre>\n<pre><code>vyos@vyos:~$ show ip route vrf test\r\nB&gt;* 10.231.200.3\/32  [20\/0] via 10.231.104.3, br1 onlink   # VM1 \u2014 TEP 10.231.104.3\r\nB&gt;* 10.231.200.11\/32 [20\/0] via 10.231.104.7, br1 onlink   # VM2 \u2014 TEP 10.231.104.7\r\n\r\n# After vMotion VM1 to another host:\r\n# B&gt;* 10.231.200.3\/32 [20\/0] via 10.231.104.X, br1 onlink  \u2014 next-hop changes automatically<\/code><\/pre>\n<p>A \/32 entry with next-hop = ESXi TEP address confirms that the Route Controller is correctly reporting VM location. 
After a vMotion the next-hop changes automatically \u2014 the same GARP-to-RC mechanism as in NSX-T 3.0, just without the Edge node.<\/p>\n<h5>RT-5 details in BGP EVPN \u2014 mapping VMs to TEPs<\/h5>\n<p>Full BGP EVPN table on the VyOS side \u2014 two Route Distinguishers are visible: local VyOS and the RC:<\/p>\n<pre><code>vyos@vyos:~$ show bgp l2vpn evpn\r\nBGP table version is 2, local router ID is 10.231.106.1\r\nStatus codes: s suppressed, d damped, h history, * valid, &gt; best, i - internal\r\nEVPN type-5 prefix: [5]:[EthTag]:[IPlen]:[IP]\r\n\r\n   Network          Next Hop            Metric LocPrf Weight Path\r\n\r\nRoute Distinguisher: 64520:10          # routes from RC (VMs in VPC)\r\n *&gt;  [5]:[0]:[32]:[10.231.200.3]       # \/32 VM1\r\n                    10.231.104.3                           0 64520 i\r\n                    RT:64520:10 ET:8 Rmac:00:50:56:6a:68:38\r\n *&gt;  [5]:[0]:[32]:[10.231.200.11]      # \/32 VM2\r\n                    10.231.104.7                           0 64520 i\r\n                    RT:64520:10 ET:8 Rmac:00:50:56:65:18:e5\r\n\r\nRoute Distinguisher: 10.231.106.1:10   # local VyOS routes\r\n *&gt;  [5]:[0]:[0]:[0.0.0.0]             # default route \u2014 advertised to RC\r\n                    10.231.106.1             0         32768 ?\r\n                    ET:8 RT:64515:10 Rmac:c2:8f:db:73:82:3c\r\n *&gt;  [5]:[0]:[24]:[10.231.104.0]       # TEP VLAN\r\n                    10.231.106.1             0         32768 ?\r\n                    ET:8 RT:64515:10 Rmac:c2:8f:db:73:82:3c\r\n *&gt;  [5]:[0]:[24]:[10.231.106.0]       # BGP peering VLAN\r\n                    10.231.106.1             0         32768 ?\r\n                    ET:8 RT:64515:10 Rmac:c2:8f:db:73:82:3c\r\n # ... remaining connected networks\r\n\r\nDisplayed 16 out of 16 total prefixes<\/code><\/pre>\n<p>Each \/32 under RD 64520:10 is one VM in the NSX VPC. Next-hop (10.231.104.3, 10.231.104.7) = ESX host TEP. Router MAC (Rmac) = TEP MAC address. 
After a vMotion the RC updates the advertisement via GARP \u2014 the next-hop change is visible within a few seconds.<\/p>\n<p>Note \u2014 the output shows RD <code>64520:10<\/code> (from the RC), not <code>10.231.106.10:65000<\/code>. The Route Distinguisher on the RC side is set as <code>ASN_RC:VNI<\/code> \u2014 the value comes from the External Connectivity configuration in NSX.<\/p>\n<h5>ESX verification \u2014 nsxcli<\/h5>\n<pre class=\"pre-own\"><code>[root@ESXi11:~] nsxcli\r\nesxi11.homelab.int&gt; get gateway\r\n  87b192f1-a8c4-40f7-b9e6-1e905aa259c8  Gateway (Logical Router) UUID\r\n  bdc694b7-d236-47c3-93b0-8d2ba4f04608  Gateway (Logical Router) UUID\r\n\r\nesxi11.homelab.int&gt; get gateway 87b192f1-a8c4-40f7-b9e6-1e905aa259c8 forwarding\r\nMon May 11 2026 UTC 12:04:05.454\r\nFlags: [U: Up], [G: Gateway], [S1|S2|S3: TGW Private|Public|External Route Scope]\r\n\r\n                   Network                  Gateway          Type    Interface UUID\r\n===================================================================================\r\n0.0.0.0\/0                             10.231.106.1          UGS3    2d08b262-...\r\n10.231.200.8\/29                        100.64.0.1           UGS2    a56ae99c-...\r\n100.64.0.0\/31                           0.0.0.0             UCI     a56ae99c-...\r\n\r\n# S3 = External Route Scope (from RC\/gateway)\r\n# S2 = Public Route Scope (VM subnet)<\/code><\/pre>\n<h5>Verification via net-vdr (ESX)<\/h5>\n<p><code>net-vdr<\/code> is a low-level ESX command that shows the internal routing tables of the Distributed Router:<\/p>\n<pre class=\"pre-own\"><code>[root@esxi11:~] net-vdr -Il --brief\r\n\r\nDR Id      #Lifs   #Routesv4  State   DR UUID\r\n-------    -----   ---------  -----   ---------\r\n0x1        2       3          A       87b192f1-a8c4-40f7-b9e6-1e905aa259c8 (\/transit-gateways\/default)\r\n0xa        3       4          A       bdc694b7-d236-47c3-93b0-8d2ba4f04608 (\/vpcs\/test-vpc,default)\r\n\r\n[root@esxi11:~] 
net-vdr -Rl 87b192f1-a8c4-40f7-b9e6-1e905aa259c8\r\nDR 87b192f1-... Route Table\r\nLegend: [S1|S2|S3: TGW Private|Public|External Route Scope]\r\n\r\nDestination      GenMask          Gateway          Flags    Ref  UpTime   HitCount\r\n0.0.0.0          0.0.0.0          10.231.106.1     UGS3     1    314380   28\r\n10.231.200.8     255.255.255.248  100.64.0.1       UGS2     1    314380   39\r\n100.64.0.0       255.255.255.254  0.0.0.0          UCI      1    314380   5\r\n\r\n# S3 = default route from RC\/BGW (10.231.106.1 = VyOS)\r\n# S2 = Public subnet 10.231.200.8\/29<\/code><\/pre>\n<p>Ping test from ESX host to VM:<\/p>\n<pre class=\"pre-own\"><code>[root@ESXi11:~] ping -I vmk0 10.231.200.3\r\n64 bytes from 10.231.200.3: icmp_seq=0 ttl=61 time=1.8 ms\r\n# ttl=61 = 3 hops (VM -&gt; ESX TEP -&gt; VyOS -&gt; ping source)<\/code><\/pre>\n<hr \/>\n<h4>Common issues<\/h4>\n<table>\n<thead>\n<tr>\n<th>Problem<\/th>\n<th>Likely cause<\/th>\n<th>Where to look<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>BGP Neighbor in Idle state<\/td>\n<td>Wrong remote-as, no route to BGP VIP, MTU issue<\/td>\n<td><code>show bgp neighbor 10.231.106.10<\/code>, ping from update-source<\/td>\n<\/tr>\n<tr>\n<td>No \/32 in VRF after VM power-on<\/td>\n<td>RT mismatch, wrong L3VNI, RC not receiving notifications<\/td>\n<td><code>show bgp l2vpn evpn<\/code>, NSX Manager logs<\/td>\n<\/tr>\n<tr>\n<td>VM cannot ping outside<\/td>\n<td>Default route not propagated to ESX host, missing NAT<\/td>\n<td><code>nsxcli: get gateway forwarding<\/code>, <code>show ip route vrf test<\/code><\/td>\n<\/tr>\n<tr>\n<td>RT-5 routes visible but traffic not flowing<\/td>\n<td>Underlay MTU issue, VTEP unreachable, encapsulation problem<\/td>\n<td>ping from ESXi to GW-VTEP, <code>tcpdump -i vxlan65000<\/code><\/td>\n<\/tr>\n<tr>\n<td>BGP Active on VyOS side<\/td>\n<td>RC still starting up, wrong BGP VIP<\/td>\n<td>Disable &#8211;&gt; Enable BGP Neighbor in NSX UI, wait 2\u20133
min<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>Summary<\/h4>\n<p>The VCF side of the configuration is straightforward \u2014 Route Controller, External Connectivity, and DTGW are just a few screens in NSX Manager. The real challenge is the BGW side. VyOS works very well for testing thanks to its debugging capabilities through vtysh and FRR.<\/p>\n<p>A few things worth keeping in mind:<\/p>\n<ul>\n<li>Route Target must be configured symmetrically \u2014 what the RC exports (64520:10), VyOS must import, and vice versa<\/li>\n<li>L3VNI must be identical on both sides<\/li>\n<li>Underlay MTU must account for the ~50 B VXLAN overhead<\/li>\n<li>The VXLAN interface source-address must be reachable from the ESX host TEPs<\/li>\n<li>Keep the VyOS VRF table ID in the range 1\u2013200 if you plan to use NAT with connection-mark<\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>In a previous post I showed how to configure EVPN in NSX-T 3.0 with Juniper vMX, where the MP-BGP session originated from an Edge node through the T0 Gateway and VRFs were terminated on T0 and connected to T1.
Today I&#8217;ll cover the next step in the evolution of that feature in VCF 9.1 \u2014 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2762,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[84,1252,1307,1330],"tags":[1266,1333,1315,1278,1335,1337],"class_list":["post-2984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lab","category-nsx-en","category-vcf","category-vyos-en","tag-evpn-en","tag-tgw","tag-vcf-en","tag-vrf-en","tag-vxlan-en","tag-vyos-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>TGW EVPN\/VXLAN Configuration - SafeKom Blog<\/title>\n<meta name=\"description\" content=\"Here&#039;s a description of how to configure TGWEVPN\/VXLAN in the new VCF 9.1 version. I encourage you to read on. 
Implementing this isn&#039;t difficult.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/\" \/>\n<meta property=\"og:locale\" content=\"pl_PL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"TGW EVPN\/VXLAN Configuration - SafeKom Blog\" \/>\n<meta property=\"og:description\" content=\"Here&#039;s a description of how to configure TGWEVPN\/VXLAN in the new VCF 9.1 version. I encourage you to read on. Implementing this isn&#039;t difficult.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/\" \/>\n<meta property=\"og:site_name\" content=\"SafeKom Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/safekompl\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-11T16:31:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"551\" \/>\n\t<meta property=\"og:image:height\" content=\"218\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Micha\u0142 Iwa\u0144czuk\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@MIwaczuk\" \/>\n<meta name=\"twitter:site\" content=\"@MIwaczuk\" \/>\n<meta name=\"twitter:label1\" content=\"Napisane przez\" \/>\n\t<meta name=\"twitter:data1\" content=\"Micha\u0142 Iwa\u0144czuk\" \/>\n\t<meta name=\"twitter:label2\" content=\"Szacowany czas czytania\" \/>\n\t<meta name=\"twitter:data2\" content=\"14 minut\" \/>\n<script type=\"application\/ld+json\" 
class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/\"},\"author\":{\"name\":\"Micha\u0142 Iwa\u0144czuk\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#\\\/schema\\\/person\\\/fd4cc931b624af4b7353d36d92ba7181\"},\"headline\":\"TGW EVPN\\\/VXLAN Configuration\",\"datePublished\":\"2026-05-11T16:31:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/\"},\"wordCount\":1697,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1\",\"keywords\":[\"evpn\",\"TGW\",\"vcf\",\"vrf\",\"vxlan\",\"vyos\"],\"articleSection\":[\"Lab\",\"NSX\",\"VCF\",\"Vyos\"],\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/\",\"url\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/\",\"name\":\"TGW EVPN\\\/VXLAN Configuration - SafeKom 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1\",\"datePublished\":\"2026-05-11T16:31:59+00:00\",\"description\":\"Here's a description of how to configure TGWEVPN\\\/VXLAN in the new VCF 9.1 version. I encourage you to read on. Implementing this isn't difficult.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#breadcrumb\"},\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#primaryimage\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/04\\\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1\",\"width\":551,\"height\":218,\"caption\":\"nsx-t logo\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/en\\\/vmware-en\\\/nsx-en\\\/tgw-evpn-vxlan-configuration\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Strona g\u0142\u00f3wna\",\"item\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"TGW EVPN\\\/VXLAN 
Configuration\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/\",\"name\":\"SafeKom Blog\",\"description\":\"Notatki Architekta i in\u017cyniera zwi\u0105zanego rozwi\u0105zaniami on-prem\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pl-PL\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#organization\",\"name\":\"SafeKom Blog\",\"url\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/05\\\/cropped-logo.png?fit=512%2C512&ssl=1\",\"contentUrl\":\"https:\\\/\\\/i0.wp.com\\\/www.safekom.pl\\\/blog\\\/wp-content\\\/uploads\\\/2015\\\/05\\\/cropped-logo.png?fit=512%2C512&ssl=1\",\"width\":512,\"height\":512,\"caption\":\"SafeKom Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/safekompl\",\"https:\\\/\\\/x.com\\\/MIwaczuk\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/michaliwanczuk\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/#\\\/schema\\\/person\\\/fd4cc931b624af4b7353d36d92ba7181\",\"name\":\"Micha\u0142 
Iwa\u0144czuk\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g\",\"caption\":\"Micha\u0142 Iwa\u0144czuk\"},\"description\":\"Pasjonat komputerowy od zawsze oraz maniak w zakresie sieci, wirtualizacji oraz bezpiecze\u0144stwa IT. Kompetentny in\u017cynier z du\u017cym do\u015bwiadczeniem w realizacji projekt\u00f3w informatycznych i telekomunikacyjnych. Wieloletni administrator IT, kt\u00f3ry utrzymuje systemy informatyczne dostosowuj\u0105c je do wymog\u00f3w biznesowych z zapewnieniem dost\u0119pno\u015bci 24\\\/7\\\/365.\",\"url\":\"https:\\\/\\\/www.safekom.pl\\\/blog\\\/author\\\/admin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"TGW EVPN\/VXLAN Configuration - SafeKom Blog","description":"Here's a description of how to configure TGWEVPN\/VXLAN in the new VCF 9.1 version. I encourage you to read on. Implementing this isn't difficult.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/","og_locale":"pl_PL","og_type":"article","og_title":"TGW EVPN\/VXLAN Configuration - SafeKom Blog","og_description":"Here's a description of how to configure TGWEVPN\/VXLAN in the new VCF 9.1 version. I encourage you to read on. 
Implementing this isn't difficult.","og_url":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/","og_site_name":"SafeKom Blog","article_publisher":"https:\/\/www.facebook.com\/safekompl","article_published_time":"2026-05-11T16:31:59+00:00","og_image":[{"width":551,"height":218,"url":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","type":"image\/jpeg"}],"author":"Micha\u0142 Iwa\u0144czuk","twitter_card":"summary_large_image","twitter_creator":"@MIwaczuk","twitter_site":"@MIwaczuk","twitter_misc":{"Napisane przez":"Micha\u0142 Iwa\u0144czuk","Szacowany czas czytania":"14 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#article","isPartOf":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/"},"author":{"name":"Micha\u0142 Iwa\u0144czuk","@id":"https:\/\/www.safekom.pl\/blog\/#\/schema\/person\/fd4cc931b624af4b7353d36d92ba7181"},"headline":"TGW EVPN\/VXLAN 
Configuration","datePublished":"2026-05-11T16:31:59+00:00","mainEntityOfPage":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/"},"wordCount":1697,"commentCount":0,"publisher":{"@id":"https:\/\/www.safekom.pl\/blog\/#organization"},"image":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","keywords":["evpn","TGW","vcf","vrf","vxlan","vyos"],"articleSection":["Lab","NSX","VCF","Vyos"],"inLanguage":"pl-PL","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/","url":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/","name":"TGW EVPN\/VXLAN Configuration - SafeKom Blog","isPartOf":{"@id":"https:\/\/www.safekom.pl\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#primaryimage"},"image":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#primaryimage"},"thumbnailUrl":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","datePublished":"2026-05-11T16:31:59+00:00","description":"Here's a description of how to configure TGWEVPN\/VXLAN in the new VCF 9.1 version. I encourage you to read on. 
Implementing this isn't difficult.","breadcrumb":{"@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#breadcrumb"},"inLanguage":"pl-PL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/"]}]},{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#primaryimage","url":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","width":551,"height":218,"caption":"nsx-t logo"},{"@type":"BreadcrumbList","@id":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/tgw-evpn-vxlan-configuration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Strona g\u0142\u00f3wna","item":"https:\/\/www.safekom.pl\/blog\/"},{"@type":"ListItem","position":2,"name":"TGW EVPN\/VXLAN Configuration"}]},{"@type":"WebSite","@id":"https:\/\/www.safekom.pl\/blog\/#website","url":"https:\/\/www.safekom.pl\/blog\/","name":"SafeKom Blog","description":"Notatki Architekta i in\u017cyniera zwi\u0105zanego rozwi\u0105zaniami on-prem","publisher":{"@id":"https:\/\/www.safekom.pl\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.safekom.pl\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pl-PL"},{"@type":"Organization","@id":"https:\/\/www.safekom.pl\/blog\/#organization","name":"SafeKom 
Blog","url":"https:\/\/www.safekom.pl\/blog\/","logo":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/www.safekom.pl\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2015\/05\/cropped-logo.png?fit=512%2C512&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2015\/05\/cropped-logo.png?fit=512%2C512&ssl=1","width":512,"height":512,"caption":"SafeKom Blog"},"image":{"@id":"https:\/\/www.safekom.pl\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/safekompl","https:\/\/x.com\/MIwaczuk","https:\/\/www.linkedin.com\/in\/michaliwanczuk\/"]},{"@type":"Person","@id":"https:\/\/www.safekom.pl\/blog\/#\/schema\/person\/fd4cc931b624af4b7353d36d92ba7181","name":"Micha\u0142 Iwa\u0144czuk","image":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/secure.gravatar.com\/avatar\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cc6dda4ee8d21d1f254147e5ee6f5e38881b88a4a12a5774ca42380597e52014?s=96&d=mm&r=g","caption":"Micha\u0142 Iwa\u0144czuk"},"description":"Pasjonat komputerowy od zawsze oraz maniak w zakresie sieci, wirtualizacji oraz bezpiecze\u0144stwa IT. Kompetentny in\u017cynier z du\u017cym do\u015bwiadczeniem w realizacji projekt\u00f3w informatycznych i telekomunikacyjnych. 
Wieloletni administrator IT, kt\u00f3ry utrzymuje systemy informatyczne dostosowuj\u0105c je do wymog\u00f3w biznesowych z zapewnieniem dost\u0119pno\u015bci 24\/7\/365.","url":"https:\/\/www.safekom.pl\/blog\/author\/admin\/"}]}},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1","jetpack_shortlink":"https:\/\/wp.me\/p7i9ri-M8","jetpack-related-posts":[{"id":2783,"url":"https:\/\/www.safekom.pl\/blog\/en\/vmware-en\/nsx-en\/nsx-t-evpn-inline-mode\/","url_meta":{"origin":2984,"position":0},"title":"NSX-T EVPN Inline Mode","author":"Micha\u0142 Iwa\u0144czuk","date":"06.03.2023","format":false,"excerpt":"From the NSX 3.0 version, we can configure the EVPN function between the T0 router and the physical router. This post will be devoted to how to configure EVPN step by step in inline mode. What is EVPN? EVPN (Ethernet VPN) is an IEEE standard that allows for the creation\u2026","rel":"","context":"W \u201eJuniper&quot;","block_context":{"text":"Juniper","link":"https:\/\/www.safekom.pl\/blog\/en\/category\/juniper-en\/"},"img":{"alt_text":"nsx-t logo","src":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1&resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1&resize=350%2C200 1x, https:\/\/i0.wp.com\/www.safekom.pl\/blog\/wp-content\/uploads\/2020\/04\/vmware-nsx-t.jpg?fit=551%2C218&ssl=1&resize=525%2C300 
1.5x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/posts\/2984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/comments?post=2984"}],"version-history":[{"count":4,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/posts\/2984\/revisions"}],"predecessor-version":[{"id":2988,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/posts\/2984\/revisions\/2988"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/media\/2762"}],"wp:attachment":[{"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/media?parent=2984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/categories?post=2984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.safekom.pl\/blog\/wp-json\/wp\/v2\/tags?post=2984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}