[Day #92 PyATS Series] Automate EVPN Fabric Validation Across Cisco/Arista/Paloalto/Fortigate Using pyATS for Cisco [Python for Network Engineer]


Introduction: Automating EVPN Fabric Validation with Python for Network Engineer

In modern data center architectures, EVPN (Ethernet VPN) overlays are critical for scalable Layer 2 and Layer 3 services. Validating EVPN fabric health after changes or periodic audits is essential to ensure network stability, performance, and policy compliance. Manual validation of EVPN fabric status across multi-vendor devices like Cisco, Arista, Palo Alto, and Fortigate is time-consuming and error-prone.

In this masterclass article, we focus on automating the EVPN fabric validation workflow using pyATS in a production-ready manner. By implementing automation through Python scripts and pyATS test frameworks, we get accurate, repeatable validation with CLI and GUI-supported outputs. The validation framework we build will check BGP EVPN sessions, MAC-VTEP mappings, route consistency, and fabric reachability, delivering structured reports in JSON and HTML.

This article is a realistic step-by-step guide for network engineers who want to implement automation in a multi-vendor environment.


Topology Overview

My test topology simulates a typical data center EVPN deployment with the following devices:

Device Role      Vendor              Purpose
Spine 1          Cisco Nexus         EVPN Fabric Spine
Spine 2          Arista              EVPN Fabric Spine
Leaf 1           Cisco Nexus         EVPN Fabric Leaf with VTEP
Leaf 2           Arista              EVPN Fabric Leaf with VTEP
Firewall         Palo Alto           Perimeter Security Appliance
Management       Fortigate           Network security management
Orchestration    pyATS Test Server   Hosts testbed and automation scripts

The fabric consists of VXLAN tunnels forming EVPN overlays with BGP control-plane connectivity for route distribution and MAC-VTEP mappings.


Topology & Communications

Device IP Addressing and Access

Device        Management IP    CLI Access Protocol
Spine 1       192.168.1.10     SSH
Spine 2       192.168.1.11     SSH
Leaf 1        192.168.1.20     SSH
Leaf 2        192.168.1.21     SSH
Firewall      192.168.1.30     SSH/API
Management    192.168.1.40     HTTPS

Communication Workflow

  • pyATS test server connects over SSH/API to network devices.
  • CLI commands and API calls are used for configuration/state retrieval.
  • Structured data is parsed and validated against expected golden fabric state.

Workflow Script

import json

from genie.testbed import load


def validate_evpn_fabric(testbed_file):
    # Load the testbed file that defines devices and connections
    testbed = load(testbed_file)

    # List of devices to validate
    devices = ['spine1', 'spine2', 'leaf1', 'leaf2']

    # Commands whose parsed output is collected from every device
    commands = {
        'bgp_summary': 'show bgp evpn summary',   # BGP EVPN sessions
        'mac_vtep': 'show evpn mac',              # MAC-VTEP mappings
        'ping_fabric': 'ping fabric 10.0.0.1',    # fabric reachability
    }

    results = {}

    for device_name in devices:
        device = testbed.devices[device_name]
        device.connect()
        results[device_name] = {}

        try:
            for key, command in commands.items():
                try:
                    results[device_name][key] = device.parse(command)
                except Exception as exc:
                    # A missing parser or empty output is recorded in the
                    # report instead of aborting the whole run
                    results[device_name][key] = {'error': str(exc)}
        finally:
            # Always close the session, even if a command failed
            device.disconnect()

    # Export results to JSON file
    with open('evpn_fabric_validation_results.json', 'w') as f:
        json.dump(results, f, indent=4)

    return results


if __name__ == '__main__':
    testbed_file = 'testbed.yml'
    results = validate_evpn_fabric(testbed_file)
    print('EVPN Fabric Validation Completed. Results saved in evpn_fabric_validation_results.json')

Explanation by Line

  • Imports: bring in the necessary pyATS modules and standard libraries.
  • load(testbed_file): loads the testbed file which defines device connections.
  • devices: the list of devices for validation.
  • The for loop over devices:
    • Connect to each device.
    • Run show bgp evpn summary to validate BGP EVPN sessions.
    • Run show evpn mac to extract MAC-VTEP mappings.
    • Run ping fabric 10.0.0.1 to verify fabric reachability.
    • Save structured output per device.
  • json.dump: exports the results to a JSON file for reporting.
  • The __main__ block: executes validation and prints completion status.

testbed.yml Example

testbed:
  name: evpn_validation_testbed

# devices is a top-level key, a sibling of testbed
devices:
  spine1:
    type: router
    os: nxos          # matches the Cisco Nexus role in the topology table
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.10
    credentials:
      default:
        username: admin
        # Lab-only value. pyATS also accepts "%ENV{VAR}" or "%ASK{}" markup
        # here, which keeps secrets out of the testbed file.
        password: admin123

  spine2:
    type: router
    os: eos
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.11
    credentials:
      default:
        username: admin
        password: admin123

  leaf1:
    type: switch
    os: nxos          # matches the Cisco Nexus role in the topology table
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.20
    credentials:
      default:
        username: admin
        password: admin123

  leaf2:
    type: switch
    os: eos
    connections:
      cli:
        protocol: ssh
        ip: 192.168.1.21
    credentials:
      default:
        username: admin
        password: admin123

Post-validation CLI (Real Expected Output)

Example 1: BGP EVPN Summary

Device: spine1
EVPN BGP Neighbor       State    Messages
192.168.2.1             Established 15000
192.168.2.2             Established 14800

Example 2: MAC-VTEP Mapping

Device: leaf1
MAC Address    VTEP IP        VLAN
aa:bb:cc:dd   10.0.1.1     100
ee:ff:gg:hh   10.0.1.2     200

Example 3: Fabric Ping Result

Device: spine2
Ping 10.0.0.1 (fabric controller): Success (5 packets transmitted, 5 received)
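
The workflow script collects parser output but does not compare it with a baseline. The following added example (not code from the original article) shows one way to do the golden-state comparison named in the communication workflow, flagging BGP EVPN peers that are not Established and MAC-VTEP entries that differ from the baseline. The normalised dict layout, the function names and the GOLDEN/OBSERVED sample data are assumptions constructed for illustration.

```python
# Added example. The normalised layout is an assumption: genie parser output
# differs per OS and must be mapped into this shape. All data is constructed.
GOLDEN = {
    "spine1": {"neighbors": ["192.168.2.1", "192.168.2.2"], "mac_vtep": {}},
    "leaf1": {"neighbors": ["192.168.2.1"],
              "mac_vtep": {"02:00:00:00:01:00": ["10.0.1.1", 100],
                           "02:00:00:00:02:00": ["10.0.1.2", 200]}},
    "leaf2": {"neighbors": ["192.168.2.1"], "mac_vtep": {}},
}
OBSERVED = {
    "spine1": {"neighbors": {"192.168.2.1": "Established",
                             "192.168.2.2": "Idle"}, "mac_vtep": {}},
    "leaf1": {"neighbors": {"192.168.2.1": "Established"},
              "mac_vtep": {"02:00:00:00:01:00": ["10.0.1.1", 100],
                           "02:00:00:00:02:00": ["10.0.1.9", 200],
                           "02:00:00:00:03:00": ["10.0.1.1", 100]}},
}


def _fail(device, check, item, expected, observed):
    return {"device": device, "check": check, "item": item,
            "expected": expected, "observed": observed}


def compare_device(name, golden, observed):
    """Return failure records for one device."""
    failures = []
    peers = observed.get("neighbors", {})
    for peer in golden.get("neighbors", []):
        state = peers.get(peer, "Missing")
        if state != "Established":
            failures.append(_fail(name, "bgp_evpn", peer, "Established", state))
    want_macs, got_macs = golden.get("mac_vtep", {}), observed.get("mac_vtep", {})
    for mac in sorted(set(want_macs) | set(got_macs)):
        # Catches moved, missing and unexpected MAC entries alike
        if want_macs.get(mac) != got_macs.get(mac):
            failures.append(_fail(name, "mac_vtep", mac,
                                  want_macs.get(mac), got_macs.get(mac)))
    return failures


def validate_against_golden(golden, results):
    """Flag every deviation, including devices with no collected data."""
    failures = []
    for name, expected in golden.items():
        if name not in results:
            failures.append(_fail(name, "collection", name, "data", None))
            continue
        failures.extend(compare_device(name, expected, results[name]))
    return {"passed": not failures, "failures": failures}
```

In a pipeline, the returned report can be written next to the JSON results and the job failed whenever "passed" is False.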

FAQs

Q1. Why automate EVPN fabric validation instead of manual checks?
A1. Automation ensures consistency, eliminates human error, speeds up validation, and provides structured reports, enabling faster troubleshooting and continuous monitoring.


Q2. Can this pyATS framework support non-Cisco devices?
A2. Yes. By leveraging pyATS parsers and APIs for multi-vendor support (Arista EOS, Palo Alto, Fortigate), this framework enables consistent validation across heterogeneous environments.


Q3. How does the testbed.yml contribute to the automation workflow?
A3. It defines the device inventory, OS types, credentials, and connections. This enables seamless and repeatable device access for pyATS jobs without hardcoded configurations.


Q4. What happens if an EVPN BGP session is down during validation?
A4. The script logs the session state as “Not Established” and flags it as a failure in the JSON report. This triggers alerts in automated CI/CD pipelines for fast remediation.


Q5. Is the output suitable for integration into CI/CD pipelines?
A5. Yes. The structured JSON and HTML outputs can easily be consumed by tools like Jenkins, GitHub Actions, or GitLab CI to automate network validation checks after code pushes.


Q6. Can the framework validate underlay as well as overlay separately?
A6. Yes. Separate tests can be written to validate underlay IP reachability and overlay EVPN BGP sessions independently, giving full control over validation granularity.


Q7. How frequently should EVPN fabric validation run in production?
A7. Ideally after any configuration change, regularly at scheduled intervals (e.g., nightly), and before/after software upgrades to ensure fabric integrity at all times.

