Domain Path Attribute for VPRN BGP Routes

This chapter provides information about the domain path attribute for VPRN BGP routes.

Topics in this chapter include:

Applicability

The information and configuration in this chapter are based on SR OS Release 22.7.R1. The domain path (D-path) attribute is supported in SR OS Release 21.10.R1 and later.

Overview

The D-path attribute can be used for route traceability, BGP best path selection, and loop prevention in networks that expand multiple IP-VPN and EVPN domains.

The D-path attribute is a sequence of domain segments, where each domain segment is represented by a domain ID in combination with an inter-subnet forwarding (ISF) subaddress family indicator (SAFI). The D-path attribute is added or modified by gateways (GWs) that import BGP-EVPN route type 5 (RT-5) or IP-VPN routes into a VPRN route table and export these prefixes as BGP-EVPN RT-5 or IP-VPN routes to their neighbors. Any PE that imports a prefix route does not install the route in the VPRN route table if the D-path attribute contains a domain segment where the domain ID matches a local domain ID, as shown in the figure Loop prevention in networks with multiple IP-VPN and EVPN domains.

Figure 1. Loop prevention in networks with multiple IP-VPN and EVPN domains

All PEs in the figure Loop prevention in networks with multiple IP-VPN and EVPN domains are GWs. PE-4 exports local prefix 10.0.0.0/24 as an EVPN RT-5 route without the D-path attribute when no domain ID is configured for local routes. PE-3 accepts this route. Domain ID 64496:1 is defined in PE-4 and PE-3, but the domain segment 64496:1:(evpn) is only added by GW PE-3 where the prefix is exported as an IP-VPN route instead of an EVPN RT-5 route. GW PE-2 accepts this route and modifies the D-path attribute by prepending domain segment 64496:2:(ipvpn) when exporting prefix 10.0.0.0/24 as an EVPN RT-5 route. PE-1 accepts this route. When PE-1 exports the prefix as an EVPN RT-5 route to PE-4, it prepends domain segment 64496:3:(evpn) to the D-path attribute. The VRF on PE-4 cannot import this prefix because the D-path attribute contains domain ID 64496:1, which is defined on PE-4.

The figure D-path attribute shows the D-path attribute as defined in draft-ietf-bess-evpn-ipvpn-interworking.

Figure 2. D-path attribute

The D-path attribute is composed of a sequence of domain segments. Each domain segment consists of a domain ID and a SAFI type. The domain ID represents the domain and is composed of a 4-octet global administrator subfield and a 2-octet local administrator subfield. The global administrator subfield must have a value that is unique for the domain; for example, an autonomous system number (ASN). The 1-octet SAFI field can have the following values:

  • 0 for local ISF routes
  • 1 for PE-CE BGP domains
  • 70 for EVPN domains
  • 128 for IP-VPN domains

The domain ID can be configured on:

  • VPRN BGP-EVPN MPLS and BGP-EVPN SRv6 instances (EVPN interface-less (EVPN-IFL))
  • VPRN BGP-IPVPN MPLS and BGP-IPVPN SRv6 instances
  • R-VPLS BGP-EVPN MPLS and BGP-EVPN VXLAN instances (EVPN interface-ful (EVPN-IFF))
  • VPRN BGP neighbors (PE-CE)
  • VPRN level (for local routes). When configured on the VPRN level, using the optional local-routes-domain-id command, the PE advertises its direct, static, or IGP routes with a D-path attribute.

Domain IDs can be modified while the service is operational. Modifying the domain ID initiates a route refresh for all address families associated with the VPRN.

A PE receiving a prefix route with a D-path attribute containing one of its own domain IDs detects a routing loop and does not install the route in the VPRN route table.

The D-path attribute length can influence the BGP best path selection. In the BGP decision process, the shorter D-path is preferred, unless the d-path-length-ignore command is configured.

Configuration

The figure Example topology with VPRN 10 and its domain IDs shows an example topology where PE-6 exports EVPN RT-5 routes 172.31.6.0/24 and 2001:db8::31:6:0/120 to route reflector RR-5, whereas PE-7 exports IP-VPN routes 172.31.7.0/24 and 2001:db8::31:7:0/120 to RR-5. LDP tunnels are used between PE-4, RR-5, PE-6, and PE-7; SRv6 tunnels are used between PE-2, PE-3, and PE-4; SR-OSPF tunnels are used between PE-1, PE-2, and PE-3.

Figure 3. Example topology with VPRN 10 and its domain IDs

The initial configuration includes:

  • cards, MDAs, ports
  • router interfaces
  • OSPF as IGP on PE-1, PE-2, and PE-3
  • IS-IS as IGP on PE-2, PE-3, PE-4, RR-5, PE-6, and PE-7
  • SR-OSPF on PE-1, PE-2, and PE-3
  • SRv6 on PE-2, PE-3, and PE-4, configured as in the "Segment Routing over IPv6" chapter in the Segment Routing and PCE volume in the 7450 ESS, 7750 SR, and 7950 XRS MD-CLI Advanced Configuration Guide - Part I.
  • LDP on PE-4, RR-5, PE-6, and PE-7

The BGP configuration on PE-1 is as follows:

# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "internal1" {
                type internal
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.2" {
                group "internal1"
            }
            neighbor "192.0.2.3" {
                group "internal1"
            }
        }
# on PE-2 (similar configuration on PE-3):
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            router-id 192.0.2.2             # on PE-3: 192.0.2.3
            advertise-inactive true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            group "internal1" {
                next-hop-self true
                type internal
                local-address 192.0.2.2        # on PE-3: 192.0.2.3
                family {
                    evpn true
                }
            }
            group "internal2" {
                next-hop-self true
                type internal
                local-address 2001:db8::2:2     # on PE-3: 2001:db8::2:3
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
                extended-nh-encoding {
                    vpn-ipv4 true
                    ipv4 true
                }
                advertise-ipv6-next-hops {
                    vpn-ipv6 true
                    vpn-ipv4 true
                }
            }
            neighbor "192.0.2.1" {
                group "internal1"
            }
            neighbor "192.0.2.3" {            # on PE-3: 192.0.2.2
                group "internal1"
            }
            neighbor "2001:db8::2:3" {        # on PE-3: 2001:db8::2:2
                group "internal2"
            }
            neighbor "2001:db8::2:4" {
                group "internal2"
            }
        }
# on PE-4:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            router-id 192.0.2.4
            advertise-inactive true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            group "internal2" {
                next-hop-self true
                type internal
                local-address 2001:db8::2:4
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
                extended-nh-encoding {
                    vpn-ipv4 true
                    ipv4 true
                }
                advertise-ipv6-next-hops {
                    vpn-ipv6 true
                    vpn-ipv4 true
                }
            }
            group "internal3" {
                next-hop-self true
                type internal
                local-address 192.0.2.4
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }
            neighbor "192.0.2.5" {
                group "internal3"
            }
            neighbor "2001:db8::2:2" {
                group "internal2"
            }
            neighbor "2001:db8::2:3" {
                group "internal2"
            }
        }
# on RR-5: only EVPN toward PE-6; only IP-VPN toward PE-7:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
                evpn true
            }
            group "internal3" {
                type internal
                cluster {
                    cluster-id 192.0.2.5
                }
            }
            neighbor "192.0.2.4" {
                group "internal3"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                    evpn true
                }
            }
            neighbor "192.0.2.6" {
                group "internal3"
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.7" {
                group "internal3"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
            }
        }
# on PE-6:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "internal3" {
                type internal
            }
            neighbor "192.0.2.5" {
                group "internal3"
                family {
                    evpn true
                }
            }
        }
# on PE-7:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                vpn-ipv4 true
                vpn-ipv6 true
            }
            group "internal3" {
                type internal
            }
            neighbor "192.0.2.5" {
                group "internal3"
                family {
                    vpn-ipv4 true
                    vpn-ipv6 true
                }
            }
        }

Domain IDs in VPRN BGP-EVPN MPLS and SRv6 instances

On PE-1, VPRN 10 is configured without domain ID in the bgp-evpn mpls 1 context:

# on PE-1:
configure {
    service {
        vprn "VPRN 10" {
            admin-state enable
            service-id 10
            customer "1"
            autonomous-system 64496
            bgp-evpn {
                mpls 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.1:10"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-ospf true
                        }
                    }
                }
            }
            interface "int-PE-1-CE-11" {
                ipv4 {
                    primary {
                        address 172.31.1.1
                        prefix-length 24
                    }
                }
                sap 1/1/c5/1:10 {
                }
                ipv6 {
                    address 2001:db8::31:1:1 {
                        prefix-length 120
                    }
                }
            }
        }

Domain ID 64496:1010 is configured in the bgp-evpn mpls 1 context on GWs PE-2 and PE-3, whereas domain ID 64496:1020 is configured in the bgp-ipvpn segment-routing-v6 context on PE-2, PE-3, and PE-4. Domain ID 64496:1030 is configured for IP-VPN and for BGP-EVPN on PE-4.

On PE-2, VPRN 10 is configured as follows. The configuration on PE-3 is similar.

# on GW PE-2:
configure {
    service {
         vprn "VPRN 10" {
            admin-state enable
            service-id 10
            customer "1"
            autonomous-system 64496
            segment-routing-v6 1 {
                locator "PE-2_loc" {                      # on PE-3:"PE-3_loc"
                    function {
                        end-dt4 {
                        }
                        end-dt6 {
                        }
                    }
                }
            }
            bgp-evpn {
                mpls 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.2:10"   # on PE-3: 192.0.2.3:10
                    domain-id "64496:1010"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-ospf true
                        }
                    }
                }
            }
            bgp-ipvpn {
                segment-routing-v6 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.2:16"   # on PE-3: 192.0.2.3:16
                    source-address 2001:db8::2:2         # on PE-3: 2001:db8::2:3
                    domain-id "64496:1020"
                    vrf-target {
                        community "target:64496:10"
                    }
                    srv6 {
                        instance 1
                        default-locator "PE-2_loc"       # on PE-3:"PE-3_loc"
                    }
                }
            }
        }

On GW PE-4, VPRN 10 is configured with two domain IDs: domain ID 1020 for IP-VPN over SRv6 and domain ID 1030 for IP-VPN over MPLS and for EVPN over MPLS.

# on GW PE-4:
configure {
    service {
        vprn "VPRN 10" {
            admin-state enable
            service-id 10
            customer "1"
            autonomous-system 64496
            allow-export-bgp-vpn true
            segment-routing-v6 1 {
                locator "PE-4_loc" {
                    function {
                        end-dt4 {
                        }
                        end-dt6 {
                        }
                    }
                }
            }
            bgp-evpn {
                mpls 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.4:10"
                    domain-id "64496:1030"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
            }
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "192.0.2.4:10"
                    domain-id "64496:1030"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
                segment-routing-v6 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.4:16"
                    source-address 2001:db8::2:4
                    domain-id "64496:1020"
                    vrf-target {
                        community "target:64496:10"
                    }
                    srv6 {
                        instance 1
                        default-locator "PE-4_loc"
                    }
                }
            }
     

For completeness, the configuration on VPRN 10 on PE-6 and PE-7 is also shown. PE-6 has no domain ID configured:

# on PE-6:
configure {
    service {
        vprn "VPRN 10" {
            admin-state enable
            service-id 10
            customer "1"
            autonomous-system 64496
            bgp-evpn {
                mpls 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.6:10"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
            }
            interface "int-PE-6-CE-16" {
                ipv4 {
                    primary {
                        address 172.31.6.1
                        prefix-length 24
                    }
                }
                sap 1/1/c5/1:10 {
                }
                ipv6 {
                    address 2001:db8::31:6:1 {
                        prefix-length 120
                    }
                }
            }
        }

PE-7 does not have a domain ID configured in the bgp-ipvpn mpls context, but it has a local domain ID configured: 64496:1007:

# on PE-7:
configure {
    service {
        vprn "VPRN 10" {
            admin-state enable
            service-id 10
            customer "1"
            autonomous-system 64496
            local-routes-domain-id "64496:1007"
            bgp-ipvpn {
                mpls {
                    admin-state enable
                    route-distinguisher "192.0.2.7:10"
                    vrf-target {
                        community "target:64496:10"
                    }
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            ldp true
                        }
                    }
                }
            }
            interface "int-PE-7-CE-17" {
                ipv4 {
                    primary {
                        address 172.31.7.1
                        prefix-length 24
                    }
                }
                sap 1/1/c5/1:10 {
                }
                ipv6 {
                    address 2001:db8::31:7:1 {
                        prefix-length 120
                    }
                }
            }
        }

The following commands on PE-4 display the domain ID for BGP-IPVPN and BGP-EVPN. For BGP-IPVPN, domain ID 64496:1030 is configured in the EVPN-MPLS domain and domain ID 64496:1020 is configured in the SRv6 domain:

[/]
A:admin@PE-4# show service id 10 bgp-ipvpn
 
===============================================================================
Service 10 BGP-IPVPN MPLS Information
===============================================================================
Admin State       : Up
VRF Import        : None
VRF Export        : None
Route Dist.       : None
Oper Route Dist   : 192.0.2.4:10
Oper RD Type      : configured
Route Target      : target:64496:10
Route Target Impor: None
Route Target Expor: None
Domain-Id         : 64496:1030
Dyn Egr Lbl Limit : Disabled
 
Auto-Bind Tunnel
Resolution        : disabled            Strict Tnl Tag    : False
ECMP              : 0                   Flex Algo FB      : False
Weighted ECMP     : False
BGP Instance      : 1
Filter Tunnel Type: (Not Specified)
===============================================================================
 
===============================================================================
Service 10 BGP-IPVPN Segment-Routing-V6 Information
===============================================================================
 
Admin State       : Up
VRF Import        : None
VRF Export        : None
Route Dist.       : 192.0.2.4:16
Oper Route Dist   : 192.0.2.4:16
Oper RD Type      : configured
Route Target      : target:64496:10
Route Target Expor: None
Route Target Impor: None
Def Route Tag     : 0x0
Route Resolution  : route-table
 
Srv6 Instance     : 1
Default Locator   : PE-4_loc
Source Address    : 2001:db8::2:4
Domain-Id         : 64496:1020
 
===============================================================================

For BGP-EVPN, domain ID 64496:1030 is configured in the EVPN-MPLS domain:

[/]
A:admin@PE-4# show service id 10 bgp-evpn
 
===============================================================================
BGP EVPN MPLS Table
===============================================================================
Admin State        : Up
VRF Import         : None
VRF Export         : None
Route Dist.        : 192.0.2.4:10
Oper Route Dist.   : 192.0.2.4:10
Oper RD Type       : configured
Route Target       : target:64496:10
Route Target Import: None
Route Target Export: None
Default Route Tag  : None
Domain-Id          : 64496:1030
Dyn Egr Lbl Limit  : Disabled
 
Advertise          : Disabled
Weighted ECMP      : Disabled
 
Auto-Bind Tunnel
Resolution         : filter                 Strict Tnl Tag : False
ECMP               : 1                      Flex Algo FB   : False
BGP Instance       : 1
Filter Tunnel Types: ldp
 
Tunnel Encap
MPLS               : True                   MPLSoUDP       : False
===============================================================================

VPRN BGP routes for prefix 172.31.6.0/24

PE-6 advertises prefix 172.31.6.0/24 as an EVPN-IFL route without the D-path attribute, as follows:

# on PE-6:
2 2022/09/06 10:46:07.053 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 82
    Flag: 0x90 Type: 14 Len: 45 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.6
        Type: EVPN-IP-PREFIX Len: 34 RD: 192.0.2.6:10, ESI: ESI-0, tag: 0, ip_prefix: 172.31.6.0/24 gw_ip 0.0.0.0 Label: 8388528 (Raw Label: 0x7fffb0)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:10
        bgp-tunnel-encap:MPLS

RR-5 forwards prefix 172.31.6.0/24 as an EVPN-IFL route without the D-path attribute, as follows:

# on RR-5:
12 2022/09/06 10:46:07.053 CEST MINOR: DEBUG #2001 Base Peer 1: 192.0.2.4
"Peer 1: 192.0.2.4: UPDATE
Peer 1: 192.0.2.4 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 96
    Flag: 0x90 Type: 14 Len: 45 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.6
        Type: EVPN-IP-PREFIX Len: 34 RD: 192.0.2.6:10, ESI: ESI-0, tag: 0, ip_prefix: 172.31.6.0/24 gw_ip 0.0.0.0 Label: 8388528 (Raw Label: 0x7fffb0)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.6
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:10
        bgp-tunnel-encap:MPLS
"

PE-4 adds a D-path attribute when advertising prefix 172.31.6.0/24 as a VPN-IPv4 route to PE-2 (or PE-3):

29 2022/09/06 10:46:07.055 CEST MINOR: DEBUG #2001 Base Peer 1: 2001:db8::2:2
"Peer 1: 2001:db8::2:2: UPDATE
Peer 1: 2001:db8::2:2 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 98
    Flag: 0x90 Type: 14 Len: 44 Multiprotocol Reachable NLRI:
        Address Family VPN_IPV4
        NextHop len 24 NextHop 2001:db8::2:4
        172.31.6.0/24 RD 192.0.2.4:10 Label 524281 (Raw label 0x7fff91)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.6
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 8 Extended Community:
        target:64496:10
    Flag: 0xc0 Type: 36 Len: 8 D-PATH:[64496:1030:(evpn)]
"

PE-2 prepends domain segment 64496:1020:(ipvpn) to the D-path attribute when advertising prefix 172.31.6.0/24 in an EVPN-IFL route to PE-1:

# on PE-2:
21 2022/09/06 10:46:07.056 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.1
"Peer 1: 192.0.2.1: UPDATE
Peer 1: 192.0.2.1 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 115
    Flag: 0x90 Type: 14 Len: 45 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.2
        Type: EVPN-IP-PREFIX Len: 34 RD: 192.0.2.2:10, ESI: ESI-0, tag: 0, ip_prefix: 172.31.6.0/24 gw_ip 0.0.0.0 Label: 8388528 (Raw Label: 0x7fffb0)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.6
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:10
        bgp-tunnel-encap:MPLS
    Flag: 0xc0 Type: 36 Len: 16 D-PATH:[64496:1020:(ipvpn)][64496:1030:(evpn)]
"

The figure VPRN BGP routes for prefix 172.31.6.0/24 shows the D-path attribute in the BGP routes for prefix 172.31.6.0/24:

Figure 4. VPRN BGP routes for prefix 172.31.6.0/24

The figure VPRN BGP routes for prefix 172.31.7.0/24 similarly shows the D-path attribute in the BGP routes for prefix 172.31.7.0/24:

Figure 5. VPRN BGP routes for prefix 172.31.7.0/24

In VPRN 10 on PE-6, no local domain ID is configured, whereas in VPRN 10 on PE-7, the local domain ID 64496:1007 is configured for the routes local to PE-7.

The following BGP update shows that PE-7 advertises prefix 172.31.7.0/24 as a VPN-IPv4 route with a D-path attribute containing the domain segment 64496:1007:(local).

# on PE-7:
5 2022/09/06 10:46:12.896 CEST MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 72
    Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:
        Address Family VPN_IPV4
        NextHop len 12 NextHop 192.0.2.7
        172.31.7.0/24 RD 192.0.2.7:10 Label 524282 (Raw label 0x7fffa1)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0xc0 Type: 16 Len: 8 Extended Community:
        target:64496:10
    Flag: 0xc0 Type: 36 Len: 8 D-PATH:[64496:1007:(local)]
"

RR-5 advertises prefix 172.31.7.0/24 as a VPN-IPv4 route with the same D-path attribute. PE-4 prepends the domain segment 64496:1030:(ipvpn) to the D-path attribute of the VPN-IPv4 routes for prefix 172.31.7.0/24 to PE-2 (and PE-3). PE-2 advertises prefix 172.31.7.0/24 as an EVPN-IFL route to PE-1 with domain segment 64496:1020:(ipvpn) added to the D-path attribute:

# on PE-2:
31 2022/09/06 10:46:12.900 CEST MINOR: DEBUG #2001 Base Peer 1: 192.0.2.1
"Peer 1: 192.0.2.1: UPDATE
Peer 1: 192.0.2.1 - Send BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 123
    Flag: 0x90 Type: 14 Len: 45 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.2
        Type: EVPN-IP-PREFIX Len: 34 RD: 192.0.2.2:10, ESI: ESI-0, tag: 0, ip_prefix: 172.31.7.0/24 gw_ip 0.0.0.0 Label: 8388528 (Raw Label: 0x7fffb0)
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.7
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:10
        bgp-tunnel-encap:MPLS
    Flag: 0xc0 Type: 36 Len: 24 D-PATH:[64496:1020:(ipvpn)][64496:1030:(ipvpn)][64496:1007:(local)]
"

Loop prevention

Besides traceability, the D-path attribute provides loop prevention in the control plane. Redundant GWs PE-2 and PE-3 cause routing loops and the D-path attribute helps preventing these loops. When PE-2 receives the EVPN-IFL route from PE-3 with a D-path containing domain IDs configured on PE-2, such as 64496:1020, it does not install the route in the VPRN route table, as shown in the figure Loop prevention between PE-2 and PE-3:

Figure 6. Loop prevention between PE-2 and PE-3

The following command on PE-2 shows that in the EVPN-IFL route for prefix 172.31.6.0/24 that was received from PE-3, a D-path loop has been detected in VPRN 10:

[/]
A:admin@PE-2# show router bgp routes evpn ip-prefix prefix 172.31.6.0/24 hunt
===============================================================================
 BGP Router ID:192.0.2.2        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP EVPN IP-Prefix Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network        : n/a
Nexthop        : 192.0.2.3
Path Id        : None
From           : 192.0.2.3
Res. Nexthop   : 192.168.23.2
Local Pref.    : 100                    Interface Name : int-PE-2-PE-3
Aggregator AS  : None                   Aggregator     : None
Atomic Aggr.   : Not Atomic             MED            : None
AIGP Metric    : None                   IGP Cost       : 10
Connector      : None
Community      : target:64496:10 bgp-tunnel-encap:MPLS
Cluster        : 192.0.2.5
Originator Id  : 192.0.2.6              Peer Router Id : 192.0.2.3
Flags          : Valid Best IGP
Route Source   : Internal
AS-Path        : No As-Path
D-Path         : [64496:1020:(ipvpn)][64496:1030:(evpn)]
EVPN type      : IP-PREFIX
ESI            : ESI-0
Tag            : 0
Gateway Address: 00:00:00:00:00:00
Prefix         : 172.31.6.0/24
Route Dist.    : 192.0.2.3:10
MPLS Label     : LABEL 524283
Route Tag      : 0
Neighbor-AS    : n/a
Orig Validation: N/A
Source Class   : 0                      Dest Class     : 0
Add Paths Send : Default
Last Modified  : 00h11m56s
DPath Loop VRFs:  10
---snip---

The preceding EVPN-IFL route from PE-3 for prefix 172.31.6.0/24 is not installed in the VPRN route table and is not forwarded to other PEs. The route table for VPRN 10 on PE-2 only has an IP-VPN route for prefix 172.31.6.0/24 with next hop PE-4:

[/]
A:admin@PE-2# show router 10 route-table
 
===============================================================================
Route Table (Service: 10)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
172.31.1.0/24                                 Remote  EVPN-IFL  00h12m46s  170
       192.0.2.1 (tunneled:SR-OSPF:524290)                          10
	   172.31.6.0/24                                 Remote  BGP VPN   00h12m30s  170
       2001:db8:aaaa:104:7fff:9000:: (tunneled:SRV6)                20
172.31.7.0/24                                 Remote  BGP VPN   00h12m24s  170
       2001:db8:aaaa:104:7fff:9000:: (tunneled:SRV6)                20
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Domain IDs in R-VPLS BGP-EVPN MPLS and BGP-EVPN VXLAN instances

Loops can also be prevented in Layer 3 EVPN data center gateway (DC GW) scenarios where EVPN-IFF routes are translated into IP-VPN routes, and vice versa. Because redundant GWs are used, the scenario is subject to Layer 3 routing loops and the D-path attribute helps preventing these loops without the need for extra routing policies to tag or drop routes. The figure Example topology with R-VPLS shows a slightly modified example topology with R-VPLS with PE-2 and PE-3 acting as redundant DC GWs. PE-1 advertises an EVPN-IFF route for prefix 10.20.201.0/24 and PE-6 advertises an EVPN-IFF route for prefix 10.20.206.0/24.

Figure 7. Example topology with R-VPLS

The service configuration on PE-1 does not include a domain ID, as follows:

# on PE-1:
configure {
    service {
        vpls "SBD-21" {
            admin-state enable
            service-id 21
            customer "1"
            vxlan {
                instance 1 {
                    vni 1
                }
            }
            routed-vpls {
            }
            bgp 1 {
            }
            bgp-evpn {
                evi 21
                routes {
                    ip-prefix {
                        advertise true
                    }
                }
                vxlan 1 {
                    admin-state enable
                    vxlan-instance 1
                }
            }
        }
        vprn "VPRN 20" {
            admin-state enable
            service-id 20
            customer "1"
            autonomous-system 64496
            interface "int-PE-1-CE-21" {
                ipv4 {
                    primary {
                        address 10.20.201.1
                        prefix-length 24
                    }
                }
                sap 1/1/c5/1:20 {
                }
            }
            interface "int-SBD-21" {
                vpls "SBD-21" {
                    evpn-tunnel {
                    }
                }
            }
        }

On DC GW PE-2, domain ID 64496:2010 is configured in VPLS "SBD-21" whereas domain ID 64496:2020 is configured in VPRN 20. The configuration on DC GW PE-3 is similar.

# on PE-2:
configure {
    service {
        vpls "SBD-21" {
            admin-state enable
            service-id 21
            customer "1"
            vxlan {
                instance 1 {
                    vni 1
                }
            }
            routed-vpls {
            }
            bgp 1 {
            }
            bgp-evpn {
                evi 21
                routes {
                    ip-prefix {
                        advertise true
                        domain-id "64496:2010"
                    }
                }
                vxlan 1 {
                    admin-state enable
                    vxlan-instance 1
                }
            }
        }
        vprn "VPRN 20" {
            admin-state enable
            service-id 20
            customer "1"
            autonomous-system 64496
            segment-routing-v6 1 {
                locator "PE-2_loc" {                 # on PE-3: "PE-3_loc"
                    function {
                        end-dt46 {
                        }
                    }
                }
            }
            bgp-ipvpn {
                segment-routing-v6 1 {
                    admin-state enable
                    route-distinguisher "192.0.2.2:26"  # on PE-3; 192.0.2.3:26
                    source-address 2001:db8::2:2        # on PE-3: 2001:db8::2:3
                    domain-id "64496:2020"
                    vrf-target {
                        community "target:64496:20"
                    }
                    srv6 {
                        instance 1
                        default-locator "PE-2_loc"     # on PE-3: "PE-3_loc"
                    }
                }
            }
            interface "int-SBD-21" {
                vpls "SBD-21" {
                    evpn-tunnel {
                    }
                }
            }
        }

The service configuration examples for PE-1, PE-2, and PE-3 show how a loop is detected at the DC GWs in VPN-IPv4 routes for prefix 10.20.201.0/24 received from the other DC GW. The following command on DC GW PE-2 shows that a D-path loop is detected in VPRN 20 in a VPN-IPv4 route for prefix 10.20.201.0/24 received from DC GW PE-3:

[/]
A:admin@PE-2# show router bgp routes vpn-ipv4 rd 192.0.2.3:26 hunt
===============================================================================
 BGP Router ID:192.0.2.2        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
 
===============================================================================
BGP VPN-IPv4 Routes
===============================================================================
-------------------------------------------------------------------------------
RIB In Entries
-------------------------------------------------------------------------------
Network        : 10.20.201.0/24
Nexthop        : 2001:db8::2:3
Route Dist.    : 192.0.2.3:26           VPN Label      : 524283
Path Id        : None
From           : 2001:db8::2:3
Res. Nexthop   : n/a
Local Pref.    : 100                    Interface Name : int-PE-2-PE-3
Aggregator AS  : None                   Aggregator     : None
Atomic Aggr.   : Not Atomic             MED            : None
AIGP Metric    : None                   IGP Cost       : 10
Connector      : None
Community      : target:64496:20
Cluster        : No Cluster Members
Originator Id  : None                   Peer Router Id : 192.0.2.3
Fwd Class      : None                   Priority       : None
Flags          : Valid Best IGP
Route Source   : Internal
AS-Path        : No As-Path
D-Path         : [64496:2010:(evpn)]
Route Tag      : 0
Neighbor-AS    : n/a
Orig Validation: N/A
Source Class   : 0                      Dest Class     : 0
Add Paths Send : Default
Last Modified  : 00h00m51s
SRv6 TLV Type  : SRv6 L3 Service TLV (5)
SRv6 SubTLV    : SRv6 SID Information (1)
Sid            : 2001:db8:aaaa:103::
Full Sid       : 2001:db8:aaaa:103:7fff:b000::
Behavior       : End.DT46 (20)
SRv6 SubSubTLV : SRv6 SID Structure (1)
Loc-Block-Len  : 48                     Loc-Node-Len   : 16
Func-Len       : 20                     Arg-Len        : 0
Tpose-Len      : 20                     Tpose-offset   : 64
VPRN Imported  : None
DPath Loop VRFs:  20
 
-------------------------------------------------------------------------------
RIB Out Entries
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
Routes : 1
===============================================================================*A:PE-2# show router bgp routes vpn-ipv4 rd 192.0.2.3:26 hunt

The figure Loop prevention between DC GW PE-2 and DC GW PE-3 shows that PE-1 sends an EVPN-IFF route for prefix 10.20.201.0/24 without D-path attribute to PE-2 and PE-3. Both PE-2 and PE-3 re-advertise prefix 10.20.201.0/24 as a VPN-IPv4 route with D-path attribute 64496:2010:(evpn). When PE-2 receives this VPN-IPv4 route from PE-3, it detects a loop based on the D-path attribute with domain segment 64496:2010:(evpn) and does not install the route in the VPRN route table. Likewise, PE-3 receives the VPN-IPv4 route from PE-2 and does not install it in the VPRN route table.

Figure 8. Loop prevention between DC GW PE-2 and DC GW PE-3

PE-2 does not use the VPN-IPv4 route for prefix 10.20.201.0/24 from PE-3. The VPRN route table on PE-2 contains the EVPN-IFF route received from PE-1 for prefix 10.20.201.0/24:

[/]
A:admin@PE-2# show router 20 route-table
 
===============================================================================
Route Table (Service: 20)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric
-------------------------------------------------------------------------------
10.20.201.0/24                                Remote  EVPN-IFF  00h01m59s  169
       int-SBD-21 (ET-02:0f:ff:ff:ff:52)                            0
10.20.206.0/24                                Remote  BGP VPN   00h01m43s  170
       2001:db8:aaaa:104:7fff:6000:: (tunneled:SRV6)                20
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================

Conclusion

The D-path attribute provides traceability for VPRN BGP routes and can be used for BGP best path selection. The D-path attribute for VPRN routes also helps preventing loops without the need for dedicated routing policies to tag and drop routes.