Dual EVPN-MPLS Instance VPLS Services

This chapter provides information about the dual EVPN-MPLS instance VPLS services.

Topics in this chapter include:

Applicability

The information and MD-CLI configuration in this chapter are based on SR OS Release 22.10.R1. Dual EVPN-MPLS instance in VPLS is supported in SR OS Release 21.10.R1 and later.

Overview

One of the scale issues that low-scale access nodes or leaf PEs face in high-scale architectures is the limited number of EVPN/IP-VPN next hops, tunnels, and service labels that they support.

The following solutions reduce the number of EVPN next hops exposed to the access nodes:

  • inter-AS model B, as described in the Inter-AS VPRN Model B chapter
  • next-hop-self route reflectors (NHS-RRs)

The figure Access nodes receive next hops from the NHS-RRs shows the NHS-RR solution reducing the number of EVPN next hops that are sent to the low-scale access nodes PE-1 and PE-2. Only the two NHS-RRs are exposed as next hops to PE-1.

Figure 1. Access nodes receive next hops from the NHS-RRs

The number of EVPN next hops is reduced, but the number of service labels to be learned is not. PE-1 still learns one service label per remote PE for each service it is attached to. In case of EVPN E-LAN services and broadcast, unknown unicast, and multicast (BUM) traffic, the ingress PE still needs one copy of every BUM packet per egress PE that exists in the remote domains, even if all the BUM traffic goes through one of the two NHS-RRs (or ASBRs in the case of model B).

The following solutions reduce the number of service labels:

  • VPRN services on the NHS-RRs with allow-export-bgp-vpn configured
  • dual EVPN-MPLS instance VPLS services on the NHS-RRs

The allow-export-bgp-vpn command applies to VPRN services using EVPN-IFL, VPN-IPv4, and VPN-IPv6 families. Routes from the WAN are imported to the VPRN service and exported to the access nodes as new VPN-IP routes. The values of the service labels, route targets (RTs), and BGP next hops of the re-advertised routes are based on the configuration of the exporting VPRN.

The figure Access nodes receive one service label per service from each NHS-RR shows a dual EVPN-MPLS instance VPLS service on the NHS-RRs, which offers a similar solution for EVPN-VPLS services to the allow-export-bgp-vpn solution for VPRN services. EVPN-MPLS routes received from the WAN are imported to the network EVPN-MPLS instance and redistributed to the access EVPN-MPLS instance with a new route distinguisher (RD), next hop, service label, and possibly a new RT. The ingress PE learns only one service label for each NHS-RR per service, as opposed to one service label per remote PE that is attached to the same EVPN service. With this solution, the replication of BUM traffic is also optimized because the ingress PE sends a single copy of each BUM packet to the NHS-RR, as opposed to one copy per egress PE.

Figure 2. Access nodes receive one service label per service from each NHS-RR

In the example, redundant NHS-RRs are used. Redundancy is handled via anycast multihoming, which implies that two or more PEs are configured with the same service parameters as part of the same redundancy group: identical route distinguishers and RTs per instance, and the same anycast IP address. The ingress PEs set up EVPN destinations to only one PE in the anycast group for a specific service. EVPN BUM destinations are not established between PEs in the same anycast group because the received anycast peer inclusive multicast Ethernet tag (IMET) routes have the same local originating IP address. In anycast multihoming scenarios, policies are required to prevent control-plane loops.

Configuration

The following scenarios are described in this section:

  • dual EVPN-MPLS instance VPLS without multihoming
  • dual EPVN-MPLS instance VPLS with anycast multihoming

Dual EVPN-MPLS instance VPLS without multihoming

The figure Example topology 1 shows EVPN-MPLS VPLS 1 configured on four PEs. PE-2 and PE-4 are EVPN gateways (GWs). RR-7 is the route reflector for PE-2 and PE-4 in the WAN network.

Figure 3. Example topology 1

The initial configuration includes:

  • cards, MDAs, ports
  • router interfaces
  • IS-IS level 1 between PE-1 and PE-2 and between PE-4 and PE-6
  • IS-IS level 2 between PE-2, PE-4, and RR-7
  • SR-TE tunnels between PE-2 and PE-4
  • MPLS LSPs between PE-1 and PE-2 and between PE-4 and PE-6

BGP is configured on all nodes for the EVPN address family. PE-1 peers with the dual-homed EVPN GW PE-2. In a similar way, PE-6 peers with EVPN GW PE-4. The BGP configuration on PE-1 is as follows:

# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "access1" {
                peer-as 64496
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.2" {
                group "access1"
            }
        }

EVPN GW PE-2 peers with PE-1 in BGP group "access1" and with RR-7 in BGP group "WAN":

# on PE-2:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "WAN" {
                next-hop-self true
                peer-as 64496
                family {
                    evpn true
                }
                export {
                    policy ["drop-tag-10"]
                }
            }
            group "access1" {
                next-hop-self true
                peer-as 64496
                family {
                    evpn true
                }
                cluster {
                    cluster-id 192.0.2.2
                }
                export {
                    policy ["drop-tag-20"]
                }
            }
            neighbor "192.0.2.1" {
                group "access1"
            }
            neighbor "192.0.2.7" {
                group "WAN"
            }
        }

The BGP configuration on PE-4 is similar. The export policies use tags to avoid loops in topologies with redundant EVPN GWs, as described in the section Dual EVPN-MPLS instance VPLS with anycast multihoming.

RR-7 peers with PE-2 and PE-4 in BGP group "WAN":

# on RR-7:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "WAN" {
                peer-as 64496
                family {
                    evpn true
                }
                cluster {
                    cluster-id 192.0.2.7
                }
            }
            neighbor "192.0.2.2" {
                group "WAN"
            }
            neighbor "192.0.2.4" {
                group "WAN"
            }
        }

On PE-1, VPLS 1 is configured with a single EVPN-MPLS instance. The RD 192.0.2.1:1 for BGP 1 is auto-derived from the values for the IPv4 system address and the EVI. PE-1 imports and exports routes with RT 64496:101.

# on PE-1:
configure {
    service {
        vpls "VPLS-1" {
            admin-state enable
            service-id 1
            customer "1"
            bgp 1 {
                # route-distinguisher 192.0.2.1:1  # will be auto-derived
                route-target {
                    export "target:64496:101"
                    import "target:64496:101"
                }
            }
            bgp-evpn {
                evi 1
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
            }
            sap 1/1/c10/1:1 {
            }
        }
        

On PE-2, VPLS 1 is configured with two EVPN-MPLS instances: instance 1 is configured with multihoming mode access and instance 2 with the (default) multihoming mode network, as follows:

# on PE-2:
configure {
    service {
        system {
            bgp-auto-rd-range {
                ip-address 192.0.2.2
                community-value {
                    start 2000
                    end 2999
                }
            }
        }
        vpls "VPLS-1" {
            admin-state enable
            description "dual BGP-EVPN MPLS instance VPLS"
            service-id 1
            customer "1"
            bgp 1 {
                # route-distinguisher 192.0.2.2:1    # will be auto-derived
                route-target {
                    export "target:64496:101"
                    import "target:64496:101"
                }
            }
            bgp 2 {
                route-distinguisher auto-rd
                route-target {
                    export "target:64496:100"
                    import "target:64496:100"
                }
            }
            bgp-evpn {
                evi 1
                mpls 1 {
                    admin-state enable
                    mh-mode access
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
                mpls 2 {
                    admin-state enable
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-te true
                        }
                    }
                }
            }
        }
Note: The RD for BGP 1 can be auto-derived from the values for the IPv4 system address and the EVI, for example, 192.0.2.2:1 on PE-2. The RD for BGP 2 cannot be auto-derived from the values for the IPv4 system address and the EVI, because the RD for BGP 2 must be different from the RD for BGP 1, so it must be configured manually or with auto-rd.

On PE-4, the configuration is similar:

# on PE-4:
configure {
    service {
        system {
            bgp-auto-rd-range {
                ip-address 192.0.2.4
                community-value {
                    start 2000
                    end 2999
                }
            }
        }
        vpls "VPLS-1" {
            admin-state enable
            description "dual BGP-EVPN MPLS instance VPLS"
            service-id 1
            customer "1"
            bgp 1 {
                # route-distinguisher 192.0.2.4:1    # will be auto-derived
                route-target {
                    export "target:64496:102"
                    import "target:64496:102"
                }
            }
            bgp 2 {
                route-distinguisher auto-rd     # different RD
                route-target {
                    export "target:64496:100"
                    import "target:64496:100"
                }
            }
            bgp-evpn {
                evi 1
                mpls 1 {
                    admin-state enable
                    mh-mode access
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
                mpls 2 {
                    admin-state enable
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-te true
                        }
                    }
                }
            }
        }

The following command on PE-2 shows BGP instances 1 and 2 in VPLS 1. RD 192.0.2.2:1 for BGP instance 1 is auto-derived from the IPv4 system address and the EVI; the RD for BGP instance 2 is configured with auto-rd and has the value 192.0.2.2:2000. The RT values are configured.

[/]
A:admin@PE-2# show service id 1 bgp
 
===============================================================================
BGP Information
===============================================================================
Bgp Instance         : 1
Vsi-Import           : None
Vsi-Export           : None
Route Dist           : None
Oper Route Dist      : 192.0.2.2:1
Oper RD Type         : derivedEvi
Rte-Target Import    : 64496:101            Rte-Target Export: 64496:101
Oper RT Imp Origin   : configured           Oper RT Import   : 64496:101
Oper RT Exp Origin   : configured           Oper RT Export   : 64496:101
ADV Service MTU      : -1
 
Bgp Instance         : 2
Vsi-Import           : None
Vsi-Export           : None
Route Dist           : auto-rd
Oper Route Dist      : 192.0.2.2:2000
Oper RD Type         : auto
Rte-Target Import    : 64496:100            Rte-Target Export: 64496:100
Oper RT Imp Origin   : configured           Oper RT Import   : 64496:100
Oper RT Exp Origin   : configured           Oper RT Export   : 64496:100
ADV Service MTU      : -1
 
PW-Template Id       : None
-------------------------------------------------------------------------------
===============================================================================
 

The following command on PE-2 shows EVPN destination 192.0.2.1 in EVPN-MPLS instance 1:

[/]
A:admin@PE-2# show service id 1 evpn-mpls instance 1
 
===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.1                      524286        0      bum   12/13/2022 09:56:36
                               rsvp:1                     No
-------------------------------------------------------------------------------
Number of entries : 1
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

The following command on PE-2 shows EVPN destination 192.0.2.4 in EVPN-MPLS instance 2:

[/]
A:admin@PE-2# show service id 1 evpn-mpls instance 2
 
===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.4                      524282        0      bum   12/13/2022 09:56:39
                               sr-te:655362               No
-------------------------------------------------------------------------------
Number of entries : 1
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

When traffic is sent between CE-11 and CE-16, MAC address 00:00:5e:00:53:11 of CE-11 is learned on the local SAP in VPLS 1 on PE-1 and MAC address 00:00:5e:00:53:16 of CE-16 is learned on the local SAP in VPLS 1 on PE-6. EVPN MAC routes are advertised to the BGP-EVPN peers.

The forwarding database (FDB) on PE-1 is as follows:

[/]
A:admin@PE-1# show service id 1 fdb detail
 
===============================================================================
Forwarding Database, Service 1
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
1          00:00:5e:00:53:11 sap:1/1/c10/1:1         L/0      12/13/22 10:04:14
1          00:00:5e:00:53:16 mpls-1:                 Evpn     12/13/22 10:04:14
                             192.0.2.2:524284
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================
 

The FDB on PE-2 shows that an EVPN MAC route is received in EVPN-MPLS instance 1 for address 00:00:5e:00:53:11 whereas an EVPN MAC route is received in EVPN-MPLS instance 2 for address 00:00:5e:00:53:16.

[/]
A:admin@PE-2# show service id 1 fdb detail
 
===============================================================================
Forwarding Database, Service 1
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
1          00:00:5e:00:53:11 mpls-1:                 Evpn     12/13/22 10:04:14
                             192.0.2.1:524286
           rsvp:1
1          00:00:5e:00:53:16 mpls-2:                 Evpn     12/13/22 10:04:14
                             192.0.2.4:524282
           sr-te:655362
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The following command shows the received EVPN-MAC routes on PE-2 for MAC address 00:00:5e:00:53:16. The route with RD 192.0.2.4:2000 is used:

[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:16
===============================================================================
 BGP Router ID:192.0.2.2        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
 
===============================================================================
BGP EVPN MAC Routes
===============================================================================
Flag  Route Dist.         MacAddr           ESI
      Tag                 Mac Mobility      Label1
                          Ip Address
                          NextHop
-------------------------------------------------------------------------------
u*>i  192.0.2.4:2000      00:00:5e:00:53:16 ESI-0
      0                   Seq:0             LABEL 524282
                          n/a
                          192.0.2.4
 
*>i   192.0.2.6:1         00:00:5e:00:53:16 ESI-0
      0                   Seq:0             LABEL 524286
                          n/a
                          192.0.2.6
 
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

Dual EVPN-MPLS instance VPLS with anycast multihoming

Example topology 2 shows example topology 2 with VPLS 2 configured on six PEs. PE-2 and PE-3 are redundant EVPN GWs with anycast address 23.23.23.23; PE-4 and PE-5 are redundant EVPN GWs with anycast address 45.45.45.45. RR-7 is the route reflector for PE-2, PE-3, PE-4, and PE-5 in the WAN network.

Figure 4. Example topology 2

The initial configuration includes:

  • cards, MDAs, ports
  • router interfaces
  • IS-IS level 1 between PE-1, PE-2, and PE-3
  • IS-IS level 1 between PE-4, PE-5, and PE-6
  • IS-IS level 2 between PE-2, PE-3, PE-4, PE-5, and RR-7
  • SR-ISIS between PE-2, PE-3, PE-4, and PE-5
  • MPLS LSPs between PE-1 and PE-2, between PE-1 and PE-3, between PE-4 and PE-6, and between PE-5 and PE-6

The BGP configuration on PE-1 and PE-6 is similar.

# on PE-1:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "access1" {
                peer-as 64496
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.2" {        # on PE-6: 192.0.2.4
                group "access1"
            }
            neighbor "192.0.2.3" {        # on PE-6: 192.0.2.5      
                group "access1"
            }
        }

The BGP configuration on PE-3 is:

# on PE-3:
configure {
    router "Base" {
        autonomous-system 64496
        bgp {
            vpn-apply-export true
            vpn-apply-import true
            rapid-withdrawal true
            peer-ip-tracking true
            split-horizon true
            rapid-update {
                evpn true
            }
            group "WAN" {
                next-hop-self true
                peer-as 64496
                family {
                    evpn true
                }
                export {
                    policy ["drop-tag-10"]
                }
            }
            group "access1" {
                next-hop-self true
                peer-as 64496
                family {
                    evpn true
                }
                cluster {
                    cluster-id 192.0.2.3
                }
                export {
                    policy ["drop-tag-20"]
                }
            }
            neighbor "192.0.2.1" {
                group "access1"
            }
            neighbor "192.0.2.7" {
                group "WAN"
            }
        }

The BGP configuration on PE-2, PE-4, and PE-5 is similar.

On PE-1, VPLS 2 is configured with a single EVPN-MPLS instance. PE-1 imports and exports routes with RT 64496:501. The configuration is as follows:

# on PE-1:
configure {
    service {
        vpls "VPLS-2" {
            admin-state enable
            service-id 2
            customer "1"
            bgp 1 {
                # route-distinguisher 192.0.2.1:2  # will be auto-derived
                route-target {
                    export "target:64496:501"
                    import "target:64496:501"
                }
            }
            bgp-evpn {
                evi 2
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
            }
            sap 1/1/c10/1:2 {
            }
        }

On PE-2 and PE-3, the following policies are used in VPLS 2:

  • Export policy "vsi-501-export" adds the communities "SOO-23" for the site of origin (SOO) and "RT64496:501" for the RT.
  • Export policy "vsi-502-export" adds the communities "SOO-23" and "RT64496:502".
  • Import policy "vsi-501-import" prevents loops based on the SOO and accepts routes with RT 64496:501.
  • Import policy "vsi-502-import" prevent loops based on the SOO and accepts routes with RT 64496:502.
# on PE-2, PE-3:
configure {
    policy-options {
        community "RT64496:501" {
            member "target:64496:501" { }
        }
        community "RT64496:502" {
            member "target:64496:502" { }
        }
        community "SOO-23" {
            member "origin:23:23" { }
        }
        policy-statement "vsi-501-export" {
            default-action {
                action-type accept
                community {
                    add ["RT64496:501" "SOO-23"]
                }
            }
        }
        policy-statement "vsi-501-import" {
            entry 10 {
                from {
                    family [evpn]
                    community {
                        name "SOO-23"
                    }
                }
                action {
                    action-type reject
                }
            }
            entry 20 {
                from {
                    family [evpn]
                    community {
                        name "RT64496:501"
                    }
                }
                action {
                    action-type accept
                }
            }
        }
        policy-statement "vsi-502-export" {
            default-action {
                action-type accept
                community {
                    add ["RT64496:502" "SOO-23"]
                }
            }
        }
        policy-statement "vsi-502-import" {
            entry 10 {
                from {
                    family [evpn]
                    community {
                        name "SOO-23"
                    }
                }
                action {
                    action-type reject
                }
            }
            entry 20 {
                from {
                    family [evpn]
                    community {
                        name "RT64496:502"
                    }
                }
                action {
                    action-type accept
                }
            }
        }

On PE-2 and PE-3, VPLS 2 is configured with two EVPN-MPLS instances: instance 1 is configured with multihoming mode access and instance 2 with multihoming mode network. For redundancy, anycast multihoming is configured with anycast address 23.23.23.23 and identical RDs and RTs for the same instance. The RD for BGP 1 is 192.0.2.23:2 and the RD for BGP 2 is 192.0.2.32:2. The default-route-tag 10 command is configured for service instance 1, while default-route-tag 20 is configured for service instance 2. These route tags are used in the BGP peer export policies to differentiate the different routes.On PE-2 and PE-3, VPLS 2 is configured as follows:

# on PE-2, PE-3:
configure {
    service {
        vpls "VPLS-2" {
            admin-state enable
            description "dual BGP-EVPN MPLS instance VPLS"
            service-id 2
            customer "1"
            bgp 1 {
                route-distinguisher "192.0.2.23:2"
                vsi-import ["vsi-501-import"]
                vsi-export ["vsi-501-export"]
            }
            bgp 2 {
                route-distinguisher "192.0.2.32:2"
                vsi-import ["vsi-502-import"]
                vsi-export ["vsi-502-export"]
            }
            bgp-evpn {
                evi 2
                incl-mcast-orig-ip 23.23.23.23
                mpls 1 {
                    admin-state enable
                    default-route-tag 0xa       # default route tag 10
                    mh-mode access
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
                mpls 2 {
                    admin-state enable
                    default-route-tag 0x14       # default route tag 20
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-isis true
                        }
                    }
                }
            }
        }
Note: For anycast multihoming, the RDs must be identical, so all RDs are configured manually.

In datacenter GWs (DC GWs) with EVPN-VXLAN and EVPN-MPLS instances, route policies can match on the encapsulation type VXLAN or MPLS. In DC GWs with two EVPN-MPLS instances, the default route tag is used instead. The default route tag prevents a MAC/IP route that is installed in instance 1 (access) from being readvertised back to the access peers. In a similar way, MAC/IP routes installed in instance 2 are not readvertised back to peers in instance 2. On PE-2 and PE-3, the BGP peer export policy "drop-tag-10" drops routes with tag 10 and is configured in BGP group "WAN" with neighbor RR-7; BGP peer export policy "drop-tag-20" drops routes with tag 20 and is configured in BGP group "access1" with neighbor PE-1.

# on PE-2, PE-3:
configure {
    policy-options {
        policy-statement "drop-tag-10" {
            description "used as export policy toward WAN BGP peers"
            entry 10 {
                from {
                    tag 10
                }
                action {
                    action-type reject
                }
            }
            default-action {
                action-type accept
            }
        }
        policy-statement "drop-tag-20" {
            description "used as export policy toward DC BGP peers"
            entry 10 {
                from {
                    tag 20
                }
                action {
                    action-type reject
                }
            }
            default-action {
                action-type accept
            }
        }
        info
    }
    router "Base" {
        bgp {
            group "WAN" {
                export {
                    policy ["drop-tag-10"]
                }
            }
            group "access1" {
                export {
                    policy ["drop-tag-20"]
                }
            }

The figure Export policies on PE-2 drop routes based on tag shows an incoming EVPN MAC route on PE-2 for CE-21's MAC address 00:00:5e:00:53:21. PE-2 receives the EVPN MAC route with RT target:64496:501 from PE-1 (BGP-EVPN peer 192.0.2.1). On PE-2, BGP 1 in VPLS 2 imports routes with this RT and the MAC address is installed in the FDB. The EVPN MAC route is redistributed to BGP 2 where the communities "RT64496:502" and "SOO-23", as well as internal tag 20, are added to the route. When PE-2’s BGP process sends an EVPN MAC route with tag 20 to BGP peer PE-1, the BGP export policy "drop-tag-20" drops the route, preventing PE-2 from re-advertising the EVPN MAC route back to the access peer 192.0.2.1. PE-2 can only send the EVPN MAC route to WAN neighbor 192.0.2.7 because the BGP export policy toward the WAN only drops the routes with tag 10, not the ones with tag 20.

Figure 5. Export policies on PE-2 drop routes based on tag

For completeness, the configuration on PE-4 and PE-5 is as follows:

# on PE-4, PE-5:
configure {
    policy-options {
        community "RT64496:502" {
            member "target:64496:502" { }
        }
        community "RT64496:503" {
            member "target:64496:503" { }
        }
        community "SOO-45" {
            member "origin:45:45" { }
        }
        policy-statement "drop-tag-20" {
            description "used as export policy toward DC BGP peers"
            entry 10 {
                from {
                    tag 20
                }
                action {
                    action-type reject
                }
            }
            default-action {
                action-type accept
            }
        }
        policy-statement "drop-tag-30" {
            description "used as export policy toward WAN BGP peers"
            entry 10 {
                from {
                    tag 30
                }
                action {
                    action-type reject
                }
            }
            default-action {
                action-type accept
            }
        }
        policy-statement "vsi-502-export" {
            default-action {
                action-type accept
                community {
                    add ["RT64496:502" "SOO-45"]
                }
            }
        }
        policy-statement "vsi-502-import" {
            entry 10 {
                from {
                    family [evpn]
                    community {
                        name "SOO-45"
                    }
                }
                action {
                    action-type reject
                }
            }
            entry 20 {
                from {
                    family [evpn]
                    community {
                        name "RT64496:502"
                    }
                }
                action {
                    action-type accept
                }
            }
        }
        policy-statement "vsi-503-export" {
            default-action {
                action-type accept
                community {
                    add ["RT64496:503" "SOO-45"]
                }
            }
        }
        policy-statement "vsi-503-import" {
            entry 10 {
                from {
                    family [evpn]
                    community {
                        name "SOO-45"
                    }
                }
                action {
                    action-type reject
                }
            }
            entry 20 {
                from {
                    family [evpn]
                    community {
                        name "RT64496:503"
                    }
                }
                action {
                    action-type accept
                }
            }
        }
    }
    service {
        vpls "VPLS-2" {
            admin-state enable
            description "dual BGP-EVPN MPLS instance VPLS"
            service-id 2
            customer "1"
            bgp 1 {
                route-distinguisher "192.0.2.45:2"
                vsi-import ["vsi-503-import"]
                vsi-export ["vsi-503-export"]
            }
            bgp 2 {
                route-distinguisher "192.0.2.54:2"
                vsi-import ["vsi-502-import"]
                vsi-export ["vsi-502-export"]
            }
            bgp-evpn {
                evi 2
                incl-mcast-orig-ip 45.45.45.45
                mpls 1 {
                    admin-state enable
                    default-route-tag 0x1e      # default route tag 30
                    mh-mode access
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            rsvp true
                        }
                    }
                }
                mpls 2 {
                    admin-state enable
                    default-route-tag 0x14      # default route tag 20
                    auto-bind-tunnel {
                        resolution filter
                        resolution-filter {
                            sr-isis true
                        }
                    }
                }
            }
        }

The following command on PE-2 shows BGP instances 1 and 2 in VPLS 2. RD 192.0.2.23:2 is configured in BGP instance 1; RD 192.0.2.32:2 is configured in BGP instance 2. The RTs are defined by virtual switching instance (VSI) policies.

[/]
A:admin@PE-2# show service id 2 bgp 

===============================================================================
BGP Information
===============================================================================
Bgp Instance         : 1                    
Vsi-Import           : vsi-501-import
Vsi-Export           : vsi-501-export
Route Dist           : 192.0.2.23:2
Oper Route Dist      : 192.0.2.23:2
Oper RD Type         : configured           
Rte-Target Import    : None                 Rte-Target Export: None
Oper RT Imp Origin   : vsi                  Oper RT Import   : Policy Based
Oper RT Exp Origin   : vsi                  Oper RT Export   : Policy Based
ADV Service MTU      : -1                   
 
Bgp Instance         : 2                    
Vsi-Import           : vsi-502-import
Vsi-Export           : vsi-502-export
Route Dist           : 192.0.2.32:2
Oper Route Dist      : 192.0.2.32:2
Oper RD Type         : configured           
Rte-Target Import    : None                 Rte-Target Export: None
Oper RT Imp Origin   : vsi                  Oper RT Import   : Policy Based
Oper RT Exp Origin   : vsi                  Oper RT Export   : Policy Based
ADV Service MTU      : -1                   
 
PW-Template Id       : None                 
-------------------------------------------------------------------------------
===============================================================================

The following command shows that EVPN destination 192.0.2.1 is reachable via an RSVP tunnel and EVPN destination 192.0.2.4 via an SR-ISIS tunnel. In EVPN-MPLS instance 2 of VPLS 2 on PE-2, the EVPN destination 192.0.2.4 is reachable via an SR-ISIS tunnel:

[/]
A:admin@PE-2# show service id 2 evpn-mpls

===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.1                      524284        1      bum   12/13/2022 08:53:25
                               rsvp:1                     No
192.0.2.4                      524278        1      bum   12/13/2022 08:53:50
                               isis:524291                No
-------------------------------------------------------------------------------
Number of entries : 2
-------------------------------------------------------------------------------
===============================================================================

===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

When traffic is sent between CE-21 and CE-26, the FDB in PE-1 shows that traffic toward MAC address 00:00:5e:00:53:26 is sent via RSVP tunnel 1 toward PE-2:

[/]
A:admin@PE-1# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 sap:1/1/c10/1:2         L/90     12/13/22 10:17:06
2          00:00:5e:00:53:26 mpls-1:                 Evpn     12/13/22 10:17:32
                             192.0.2.2:524280
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The following command on PE-1 shows that only the EVPN MAC route received from PE-2 is used, not the one from PE-3 in the same anycast group. This is due to the best path selection done by BGP for the two routes, which have the same route key:

[/]
A:admin@PE-1# show router bgp routes evpn mac mac-address 00:00:5e:00:53:26
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
 
===============================================================================
BGP EVPN MAC Routes
===============================================================================
Flag  Route Dist.         MacAddr           ESI
      Tag                 Mac Mobility      Label1
                          Ip Address
                          NextHop
-------------------------------------------------------------------------------
u*>i  192.0.2.23:2        00:00:5e:00:53:26 ESI-0
      0                   Seq:0             LABEL 524280
                          n/a
                          192.0.2.2
 
*>i   192.0.2.23:2        00:00:5e:00:53:26 ESI-0
      0                   Seq:0             LABEL 524282
                          n/a
                          192.0.2.3
 
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

The FDB for VPLS 2 on PE-2 shows that MAC address 00:00:5e:00:53:21 can be reached using EVPN-MPLS instance 1 whereas MAC address 00:00:5e:00:53:26 can be reached using EVPN-MPLS instance 2:

[/]
A:admin@PE-2# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-1:                 Evpn     12/13/22 10:17:20
                             192.0.2.1:524284
           rsvp:1
2          00:00:5e:00:53:26 mpls-2:                 Evpn     12/13/22 10:17:32
                             192.0.2.4:524278
           isis:524291
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The FDB for VPLS 2 on PE-4 is as follows:

[/]
A:admin@PE-4# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-2:                 Evpn     12/13/22 10:17:28
                             192.0.2.2:524279
           isis:524290
2          00:00:5e:00:53:26 mpls-1:                 Evpn     12/13/22 10:17:32
                             192.0.2.6:524284
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The FDB for VPLS 2 on PE-6 is as follows:

[/]
A:admin@PE-6# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-1:                 Evpn     12/13/22 10:17:34
                             192.0.2.4:524279
           rsvp:1
2          00:00:5e:00:53:26 sap:1/1/c10/1:2         L/60     12/13/22 10:17:32
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

Conclusion

Dual-instance EVPN-MPLS GWs reduce the number of service labels to be learned at the access nodes, and optimizes the replication of BUM traffic from the access nodes.