Dual EVPN-MPLS Instance VPLS Services

This chapter provides information about the dual EVPN-MPLS instance VPLS services.

Applicability

The information and configuration in this chapter are based on SR OS Release 22.10.R1. Dual EVPN-MPLS instance in VPLS is supported in SR OS Release 21.10.R1 and later.

Overview

One of the scale issues that low-scale access nodes or leaf PEs face in high-scale architectures is the limited number of EVPN/IP-VPN next hops, tunnels, and service labels that they support.

The following solutions reduce the number of EVPN next hops exposed to the access nodes:

  • inter-AS model B, as described in the "Inter-AS VPRN Model B" chapter in the 7450 ESS, 7750 SR, and 7950 XRS Layer 2 Services and EVPN Advanced Configuration Guide for Classic CLI
  • next-hop-self route reflectors (NHS-RRs)

Figure 1 shows the NHS-RR solution reducing the number of EVPN next hops that are sent to the low-scale access nodes PE-1 and PE-2. Only the two NHS-RRs are exposed as next hops to PE-1.

Figure 1. Access nodes receive next hops from the NHS-RRs

The number of EVPN next hops is reduced, but the number of service labels to be learned is not. PE-1 still learns one service label per remote PE for each service it is attached to. In case of EVPN E-LAN services and broadcast, unknown unicast, and multicast (BUM) traffic, the ingress PE still needs one copy of every BUM packet per egress PE that exists in the remote domains, even if all the BUM traffic goes through one of the two NHS-RRs (or ASBRs in the case of model B).

The following solutions reduce the number of service labels:

  • VPRN services on the NHS-RRs with allow-export-bgp-vpn configured
  • dual EVPN-MPLS instance VPLS services on the NHS-RRs

The allow-export-bgp-vpn command applies to VPRN services using EVPN-IFL, VPN-IPv4, and VPN-IPv6 families. Routes from the WAN are imported to the VPRN service and exported to the access nodes as new VPN-IP routes. The values of the service labels, route targets (RTs), and BGP next hops of the re-advertised routes are based on the configuration of the exporting VPRN.

Figure 2 shows a dual EVPN-MPLS instance VPLS service on the NHS-RRs, which offers a similar solution for EVPN-VPLS services to the allow-export-bgp-vpn solution for VPRN services. EVPN-MPLS routes received from the WAN are imported to the network EVPN-MPLS instance and redistributed to the access EVPN-MPLS instance with a new route distinguisher (RD), next hop, service label, and possibly a new RT. The ingress PE learns only one service label for each NHS-RR per service, as opposed to one service label per remote PE that is attached to the same EVPN service. With this solution, the replication of BUM traffic is also optimized because the ingress PE sends a single copy of each BUM packet to the NHS-RR, as opposed to one copy per egress PE.

Figure 2. Access nodes receive one service label per service from each NHS-RR

In the example, redundant NHS-RRs are used. Redundancy is handled via anycast multihoming, which implies that two or more PEs are configured with the same service parameters as part of the same redundancy group: identical route distinguishers and RTs per instance, and the same anycast IP address. The ingress PEs set up EVPN destinations to only one PE in the anycast group for a specific service. EVPN BUM destinations are not established between PEs in the same anycast group because the received anycast peer inclusive multicast Ethernet tag (IMET) routes have the same local originating IP address. In anycast multihoming scenarios, policies are required to prevent control-plane loops.

Configuration

The following scenarios are described in this section:

  • dual EVPN-MPLS instance VPLS without multihoming
  • dual EVPN-MPLS instance VPLS with anycast multihoming

Dual EVPN-MPLS instance VPLS without multihoming

Figure 3 shows example topology 1, with EVPN-MPLS VPLS 1 configured on four PEs. PE-2 and PE-4 are EVPN gateways (GWs). RR-7 is the route reflector for PE-2 and PE-4 in the WAN network.

Figure 3. Example topology 1

The initial configuration includes:

  • cards, MDAs, ports
  • router interfaces
  • IS-IS level 1 between PE-1 and PE-2 and between PE-4 and PE-6
  • IS-IS level 2 between PE-2, PE-4, and RR-7
  • SR-TE tunnels between PE-2 and PE-4
  • MPLS LSPs between PE-1 and PE-2 and between PE-4 and PE-6

BGP is configured on all nodes for the EVPN address family. PE-1 peers with the dual-homed EVPN GW PE-2. In a similar way, PE-6 peers with EVPN GW PE-4. The BGP configuration on PE-1 is as follows:

# on PE-1:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "access1"
                family evpn
                peer-as 64496
                neighbor 192.0.2.2
                exit
            exit

EVPN GW PE-2 peers with PE-1 in BGP group "access1" and with RR-7 in BGP group "WAN":

# on PE-2:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "access1"
                family evpn
                next-hop-self
                cluster 192.0.2.2
                export "drop-tag-20"
                peer-as 64496
                neighbor 192.0.2.1
                exit
            exit
            group "WAN"
                family evpn
                next-hop-self
                export "drop-tag-10"
                peer-as 64496
                neighbor 192.0.2.7
                exit
            exit

The BGP configuration on PE-4 is similar. The export policies use tags to avoid loops in topologies with redundant EVPN GWs, as described in the section Dual EVPN-MPLS instance VPLS with anycast multihoming.

RR-7 peers with PE-2 and PE-4 in BGP group "WAN":

# on RR-7:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "WAN"
                family evpn
                cluster 192.0.2.7
                peer-as 64496
                neighbor 192.0.2.2
                exit
                neighbor 192.0.2.4
                exit
            exit

On PE-1, VPLS 1 is configured with a single EVPN-MPLS instance. The RD 192.0.2.1:1 for BGP 1 is auto-derived from the values for the IPv4 system address and the EVI. PE-1 imports and exports routes with RT 64496:101.

# on PE-1:
configure
    service
        vpls 1 name "VPLS 1" customer 1 create
            bgp
                # route-distinguisher 192.0.2.1:1  # will be auto-derived
                route-target export target:64496:101 import target:64496:101
            exit
            bgp-evpn
                evi 1
                mpls bgp 1
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
            exit    
            stp
                shutdown
            exit
            sap 1/1/c10/1:1 create
                no shutdown
            exit
            no shutdown
        exit

On PE-2, VPLS 1 is configured with two EVPN-MPLS instances: instance 1 is configured with multihoming mode access and instance 2 with the (default) multihoming mode network, as follows:

# on PE-2:
configure
    service
        system
            bgp-auto-rd-range 192.0.2.2 comm-val 2000 to 2999
        exit
        vpls 1 name "VPLS 1" customer 1  create
            description "dual BGP-EVPN MPLS instance VPLS 1"
            bgp
                # route-distinguisher 192.0.2.2:1    # will be auto-derived
                route-target export target:64496:101 import target:64496:101
            exit
            bgp 2
                route-distinguisher auto-rd    # different RD (must be configured)
                route-target export target:64496:100 import target:64496:100
            exit
            bgp-evpn
                evi 1
                mpls bgp 1
                    mh-mode access
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
                mpls bgp 2
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel
                        resolution-filter
                            sr-te
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            no shutdown

Note: The RD for BGP 1 can be auto-derived from the values for the IPv4 system address and the EVI, for example, 192.0.2.2:1 on PE-2. The RD for BGP 2 cannot be auto-derived from the values for the IPv4 system address and the EVI, because the RD for BGP 2 must be different from the RD for BGP 1, so it must be configured manually or with auto-rd.

On PE-4, the configuration is similar:

# on PE-4:
configure
    service
        system
            bgp-auto-rd-range 192.0.2.4 comm-val 2000 to 2999
        exit
        vpls 1 name "VPLS 1" customer 1 create
            description "dual BGP-EVPN MPLS instance VPLS"
            bgp
                # route-distinguisher 192.0.2.4:1    # will be auto-derived
                route-target export target:64496:102 import target:64496:102                  
            exit
            bgp 2
                route-distinguisher auto-rd    # different RD 
                route-target export target:64496:100 import target:64496:100            
            exit
            bgp-evpn
                evi 1
                mpls bgp 1
                    mh-mode access
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
                mpls bgp 2
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel
                        resolution-filter
                            sr-te
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            no shutdown

The following command on PE-2 shows BGP instances 1 and 2 in VPLS 1. RD 192.0.2.2:1 for BGP instance 1 is auto-derived from the IPv4 system address and the EVI; the RD for BGP instance 2 is configured with auto-rd and has the value 192.0.2.2:2000. The RT values are configured.

*A:PE-2# show service id 1 bgp
 
===============================================================================
BGP Information
===============================================================================
Bgp Instance         : 1
Vsi-Import           : None
Vsi-Export           : None
Route Dist           : None
Oper Route Dist      : 192.0.2.2:1
Oper RD Type         : derivedEvi
Rte-Target Import    : 64496:101            Rte-Target Export: 64496:101
Oper RT Imp Origin   : configured           Oper RT Import   : 64496:101
Oper RT Exp Origin   : configured           Oper RT Export   : 64496:101
ADV Service MTU      : -1
 
Bgp Instance         : 2
Vsi-Import           : None
Vsi-Export           : None
Route Dist           : auto-rd
Oper Route Dist      : 192.0.2.2:2000
Oper RD Type         : auto
Rte-Target Import    : 64496:100            Rte-Target Export: 64496:100
Oper RT Imp Origin   : configured           Oper RT Import   : 64496:100
Oper RT Exp Origin   : configured           Oper RT Export   : 64496:100
ADV Service MTU      : -1
 
PW-Template Id       : None
-------------------------------------------------------------------------------
===============================================================================

The following command on PE-2 shows EVPN destination 192.0.2.1 in EVPN-MPLS instance 1:

*A:PE-2# show service id 1 evpn-mpls instance 1
 
===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.1                      524286        1      bum   12/09/2022 09:59:58
                               rsvp:1                     No
-------------------------------------------------------------------------------
Number of entries : 1
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

The following command on PE-2 shows EVPN destination 192.0.2.4 in EVPN-MPLS instance 2:

*A:PE-2# show service id 1 evpn-mpls instance 2
 
===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.4                      524282        1      bum   12/09/2022 10:00:04
                               sr-te:655362               No
-------------------------------------------------------------------------------
Number of entries : 1
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

When traffic is sent between CE-11 and CE-16, MAC address 00:00:5e:00:53:11 of CE-11 is learned on the local SAP in VPLS 1 on PE-1 and MAC address 00:00:5e:00:53:16 of CE-16 is learned on the local SAP in VPLS 1 on PE-6. EVPN MAC routes are advertised to the BGP-EVPN peers.

The forwarding database (FDB) on PE-1 is as follows:

*A:PE-1# show service id 1 fdb detail
 
===============================================================================
Forwarding Database, Service 1
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
1          00:00:5e:00:53:11 sap:1/1/c10/1:1         L/0      12/09/22 10:06:17
1          00:00:5e:00:53:16 mpls-1:                 Evpn     12/09/22 10:06:17
                             192.0.2.2:524284
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The FDB on PE-2 shows that an EVPN MAC route is received in EVPN-MPLS instance 1 for address 00:00:5e:00:53:11 whereas an EVPN MAC route is received in EVPN-MPLS instance 2 for address 00:00:5e:00:53:16.

*A:PE-2# show service id 1 fdb detail
 
===============================================================================
Forwarding Database, Service 1
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
1          00:00:5e:00:53:11 mpls-1:                 Evpn     12/09/22 10:06:17
                             192.0.2.1:524286
           rsvp:1
1          00:00:5e:00:53:16 mpls-2:                 Evpn     12/09/22 10:06:17
                             192.0.2.4:524282
           sr-te:655362
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The following command shows the received EVPN-MAC routes on PE-2 for MAC address 00:00:5e:00:53:16. The route with RD 192.0.2.4:2000 is used:

*A:PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:16
===============================================================================
 BGP Router ID:192.0.2.2        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
 
===============================================================================
BGP EVPN MAC Routes
===============================================================================
Flag  Route Dist.         MacAddr           ESI
      Tag                 Mac Mobility      Label1
                          Ip Address
                          NextHop
-------------------------------------------------------------------------------
u*>i  192.0.2.4:2000      00:00:5e:00:53:16 ESI-0
      0                   Seq:0             LABEL 524282
                          n/a
                          192.0.2.4
 
*>i   192.0.2.6:1         00:00:5e:00:53:16 ESI-0
      0                   Seq:0             LABEL 524286
                          n/a
                          192.0.2.6
 
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

Dual EVPN-MPLS instance VPLS with anycast multihoming

Figure 4 shows example topology 2 with VPLS 2 configured on six PEs. PE-2 and PE-3 are redundant EVPN GWs with anycast address 23.23.23.23; PE-4 and PE-5 are redundant EVPN GWs with anycast address 45.45.45.45. RR-7 is the route reflector for PE-2, PE-3, PE-4, and PE-5 in the WAN network.

Figure 4. Example topology 2

The initial configuration includes:

  • cards, MDAs, ports
  • router interfaces
  • IS-IS level 1 between PE-1, PE-2, and PE-3
  • IS-IS level 1 between PE-4, PE-5, and PE-6
  • IS-IS level 2 between PE-2, PE-3, PE-4, PE-5, and RR-7
  • SR-ISIS between PE-2, PE-3, PE-4, and PE-5
  • MPLS LSPs between PE-1 and PE-2, between PE-1 and PE-3, between PE-4 and PE-6, and between PE-5 and PE-6

The BGP configuration on PE-1 and PE-6 is similar.

# on PE-1:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "access1"
                family evpn
                peer-as 64496
                neighbor 192.0.2.2        # on PE-6: 192.0.2.4
                exit
                neighbor 192.0.2.3        # on PE-6: 192.0.2.5
                exit
            exit

The BGP configuration on PE-3 is:

# on PE-3:
configure
    router Base
        autonomous-system 64496
        bgp
            vpn-apply-import
            vpn-apply-export
            enable-peer-tracking
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "WAN"
                family evpn
                next-hop-self
                export "drop-tag-10"
                peer-as 64496
                neighbor 192.0.2.7
                exit
            exit
            group "access1"
                family evpn
                next-hop-self
                cluster 192.0.2.3
                export "drop-tag-20"
                peer-as 64496
                neighbor 192.0.2.1
                exit
            exit

The BGP configuration on PE-2, PE-4, and PE-5 is similar.

On PE-1, VPLS 2 is configured with a single EVPN-MPLS instance. PE-1 imports and exports routes with RT 64496:501. The configuration is as follows:

# on PE-1:
configure
    service
        vpls 2 name "VPLS 2" customer 1 create
            bgp
                # route-distinguisher 192.0.2.1:2  # will be auto-derived
                route-target export target:64496:501 import target:64496:501
            exit
            bgp-evpn
                evi 2
                mpls bgp 1
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    no shutdown
                exit
            exit    
            stp
                shutdown
            exit
            sap 1/1/c10/1:2 create
                no shutdown
            exit
            no shutdown
        exit

On PE-2 and PE-3, the following policies are used in VPLS 2:

  • Export policy "vsi-501-export" adds the communities "SOO-23" for the site of origin (SOO) and "RT64496:501" for the RT.
  • Export policy "vsi-502-export" adds the communities "SOO-23" and "RT64496:502".
  • Import policy "vsi-501-import" prevents loops based on the SOO and accepts routes with RT 64496:501.
  • Import policy "vsi-502-import" prevents loops based on the SOO and accepts routes with RT 64496:502.

# on PE-2, PE-3:
configure
    router Base
        policy-options
            begin
            community "SOO-23"
                members "origin:23:23"
            exit
            community "RT64496:501"
                members "target:64496:501"
            exit
            community "RT64496:502"
                members "target:64496:502"
            exit
            policy-statement "vsi-501-export"
                default-action accept
                    community add "RT64496:501" "SOO-23"
                exit
            exit
            policy-statement "vsi-501-import"
                entry 10
                    from
                        community "SOO-23"
                        family evpn
                    exit
                    action drop
                    exit
                exit
                entry 20
                    from
                        community "RT64496:501"
                        family evpn
                    exit
                    action accept
                    exit
                exit
            exit
            policy-statement "vsi-502-export"
                default-action accept
                    community add "RT64496:502" "SOO-23"
                exit             
            exit
            policy-statement "vsi-502-import"
                entry 10
                    from
                        community "SOO-23"
                        family evpn
                    exit
                    action drop
                    exit
                exit
                entry 20
                    from
                        community "RT64496:502"
                        family evpn
                    exit
                    action accept
                    exit
                exit
            exit
            commit

On PE-2 and PE-3, VPLS 2 is configured with two EVPN-MPLS instances: instance 1 is configured with multihoming mode access and instance 2 with multihoming mode network. For redundancy, anycast multihoming is configured with anycast address 23.23.23.23 and identical RDs and RTs for the same instance. The RD for BGP 1 is 192.0.2.23:2 and the RD for BGP 2 is 192.0.2.32:2. The default-route-tag 10 command is configured for service instance 1, while default-route-tag 20 is configured for service instance 2. These route tags are used in the BGP peer export policies to tell the routes of the two instances apart.

On PE-2 and PE-3, VPLS 2 is configured as follows:

# on PE-2, PE-3:
configure
    service
        vpls 2 name "VPLS 2" customer 1 create
            description "dual BGP-EVPN MPLS instance VPLS"
            bgp
                route-distinguisher 192.0.2.23:2
                vsi-export "vsi-501-export"
                vsi-import "vsi-501-import"
            exit
            bgp 2
                route-distinguisher 192.0.2.32:2
                vsi-export "vsi-502-export"
                vsi-import "vsi-502-import"
            exit
            bgp-evpn
                incl-mcast-orig-ip 23.23.23.23
                evi 2
                mpls bgp 1
                    mh-mode access
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    default-route-tag 10
                    no shutdown
                exit
                mpls bgp 2
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel
                        resolution-filter
                            sr-isis
                        exit
                        resolution filter
                    exit
                    default-route-tag 20
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            no shutdown

Note: For anycast multihoming, the RDs must be identical, so all RDs are configured manually.

In datacenter GWs (DC GWs) with EVPN-VXLAN and EVPN-MPLS instances, route policies can match on the encapsulation type VXLAN or MPLS. In DC GWs with two EVPN-MPLS instances, the default route tag is used instead. The default route tag prevents a MAC/IP route that is installed in instance 1 (access) from being readvertised back to the access peers. In a similar way, MAC/IP routes installed in instance 2 are not readvertised back to peers in instance 2. On PE-2 and PE-3, the BGP peer export policy "drop-tag-10" drops routes with tag 10 and is configured in BGP group "WAN" with neighbor RR-7; BGP peer export policy "drop-tag-20" drops routes with tag 20 and is configured in BGP group "access1" with neighbor PE-1.

# on PE-2, PE-3:
configure
    router Base
        policy-options
            begin
            policy-statement "drop-tag-10"
                description "used as export policy toward WAN BGP peers"
                entry 10
                    from
                        tag 10
                    exit
                    action drop
                    exit
                exit
                default-action accept
                exit
            exit
            policy-statement "drop-tag-20"
                description "used as export policy toward DC BGP peers"
                entry 10
                    from
                        tag 20
                    exit
                    action drop
                    exit
                exit
                default-action accept
                exit
            exit
            commit
        exit
        bgp
            group "access1"
                export "drop-tag-20"
            exit
            group "WAN"
                export "drop-tag-10"
            exit

Figure 5 shows an incoming EVPN MAC route on PE-2 for CE-21's MAC address 00:00:5e:00:53:21. PE-2 receives the EVPN MAC route with RT target:64496:501 from PE-1 (BGP-EVPN peer 192.0.2.1). On PE-2, BGP 1 in VPLS 2 imports routes with this RT and the MAC address is installed in the FDB. The EVPN MAC route is redistributed to BGP 2 where the communities "RT64496:502" and "SOO-23", as well as internal tag 20, are added to the route. When PE-2's BGP process sends an EVPN MAC route with tag 20 to BGP peer PE-1, the BGP export policy "drop-tag-20" drops the route, preventing PE-2 from re-advertising the EVPN MAC route back to the access peer 192.0.2.1. PE-2 can only send the EVPN MAC route to WAN neighbor 192.0.2.7 because the BGP export policy toward the WAN only drops the routes with tag 10, not the ones with tag 20.

Figure 5. Export policies on PE-2 drop routes based on tag
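
The tag and SOO handling described above, traced for CE-21's MAC route in a small Python model that is added here as an illustration (it is not Nokia code and not part of the original chapter). Assumptions of the model: the re-originated route carries only the communities added by the vsi-export policy, a route that matches no vsi-import entry is not imported, and the `soo=False` run is a constructed misconfiguration in which the SOO community and the SOO drop entries are left out.

```python
from dataclasses import dataclass

SOO_23 = "origin:23:23"          # community "SOO-23"
RT_501 = "target:64496:501"      # access RT on PE-2/PE-3
RT_502 = "target:64496:502"      # WAN RT on PE-2/PE-3


@dataclass(frozen=True)
class Route:
    mac: str
    communities: frozenset
    tag: int = 0                 # internal route tag, local to the router


@dataclass(frozen=True)
class Instance:
    import_rt: str               # RT accepted by entry 20 of the vsi-import policy
    export_rt: str               # RT added by the vsi-export policy
    default_route_tag: int       # default-route-tag of this mpls bgp instance


# VPLS 2 on PE-2 and PE-3, values taken from the configuration on this page.
INSTANCES = {1: Instance(RT_501, RT_501, 10), 2: Instance(RT_502, RT_502, 20)}
# BGP peer export policies: group -> tag dropped (drop-tag-20, drop-tag-10).
PEER_EXPORT_DROPS = {"access1": 20, "WAN": 10}


def vsi_import(instance_id, route, check_soo=True):
    """Entry 10 drops routes with the local SOO; entry 20 accepts the RT."""
    if check_soo and SOO_23 in route.communities:
        return False
    # Model assumption: no matching entry means the route is not imported.
    return INSTANCES[instance_id].import_rt in route.communities


def importing_instance(route, check_soo=True):
    """Return the id of the instance that imports the route, or None."""
    for instance_id in INSTANCES:
        if vsi_import(instance_id, route, check_soo):
            return instance_id
    return None


def redistribute(from_instance, route, add_soo=True):
    """Re-originate the route from the other instance of the same VPLS."""
    inst = INSTANCES[2 if from_instance == 1 else 1]
    # Model assumption: only the communities added by vsi-export are carried.
    communities = {inst.export_rt} | ({SOO_23} if add_soo else set())
    return Route(route.mac, frozenset(communities), inst.default_route_tag)


def advertised_to(route):
    """BGP groups whose peer export policy lets the route through."""
    return sorted(g for g, tag in PEER_EXPORT_DROPS.items() if route.tag != tag)


def gateway(route, soo=True):
    """One EVPN GW: import, redistribute, apply the peer export policies."""
    inst = importing_instance(route, check_soo=soo)
    if inst is None:
        return None, [], None
    out = redistribute(inst, route, add_soo=soo)
    # The peer receives the route without the internal tag.
    return inst, advertised_to(out), Route(out.mac, out.communities, 0)


def trace(soo=True):
    """CE-21's MAC: PE-1 -> PE-2 -> RR-7 -> PE-3 (anycast peer of PE-2)."""
    from_pe1 = Route("00:00:5e:00:53:21", frozenset({RT_501}))
    inst2, groups2, sent2 = gateway(from_pe1, soo)   # PE-2
    inst3, groups3, _ = gateway(sent2, soo)          # PE-3, reflected by RR-7
    return {"pe2": (inst2, groups2), "pe3": (inst3, groups3)}


if __name__ == "__main__":
    print("with SOO policies   :", trace(soo=True))
    print("without SOO policies:", trace(soo=False))
```

In the model, PE-2 imports the route in instance 1 and advertises it only to the "WAN" group, and PE-3 rejects the reflected copy because it carries "SOO-23". With the SOO handling left out, PE-3 imports the copy in instance 2 and re-advertises it with tag 10 toward "access1", that is, back to PE-1.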

For completeness, the configuration on PE-4 and PE-5 is as follows:

# on PE-4, PE-5:
configure
    router Base
        policy-options
            begin
            community "SOO-45"
                members "origin:45:45"
            exit
            community "RT64496:502"
                members "target:64496:502"
            exit
            community "RT64496:503"
                members "target:64496:503"
            exit
            policy-statement "drop-tag-20"
                description "used as export policy toward DC BGP peers"
                entry 10
                    from
                        tag 20
                    exit
                    action drop
                    exit
                exit
                default-action accept
                exit
            exit
            policy-statement "drop-tag-30"
                description "used as export policy toward WAN BGP peers"
                entry 10
                    from
                        tag 30
                    exit
                    action drop
                    exit
                exit
                default-action accept
                exit
            exit
            policy-statement "vsi-502-export"
                default-action accept
                    community add "RT64496:502" "SOO-45"
                exit
            exit
            policy-statement "vsi-502-import"
                entry 10
                    from
                        community "SOO-45"
                        family evpn
                    exit
                    action drop
                    exit
                exit
                entry 20
                    from
                        community "RT64496:502"
                        family evpn
                    exit
                    action accept
                    exit
                exit
            exit
            policy-statement "vsi-503-export"
                default-action accept
                    community add "RT64496:503" "SOO-45"
                exit
            exit
            policy-statement "vsi-503-import"
                entry 10
                    from
                        community "SOO-45"
                        family evpn
                    exit
                    action drop
                    exit
                exit
                entry 20
                    from
                        community "RT64496:503"
                        family evpn
                    exit
                    action accept
                    exit
                exit
            exit
            commit
        exit
    exit
    service
        vpls 2 name "VPLS 2" customer 1 create
            description "dual BGP-EVPN MPLS instance VPLS"
            bgp
                route-distinguisher 192.0.2.45:2
                vsi-export "vsi-503-export"
                vsi-import "vsi-503-import"
            exit
            bgp 2
                route-distinguisher 192.0.2.54:2
                vsi-export "vsi-502-export"
                vsi-import "vsi-502-import"
            exit
            bgp-evpn
                incl-mcast-orig-ip 45.45.45.45
                evi 2
                mpls bgp 1
                    mh-mode access
                    auto-bind-tunnel
                        resolution-filter
                            rsvp
                        exit
                        resolution filter
                    exit
                    default-route-tag 30
                    no shutdown
                exit
                mpls bgp 2
                    # mh-mode network               # default MH mode
                    auto-bind-tunnel
                        resolution-filter
                            sr-isis
                        exit
                        resolution filter
                    exit
                    default-route-tag 20
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            no shutdown
        exit
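
The following check is an added example, not Nokia code or tooling. It verifies that each vsi-import policy in a configuration like the one above drops, ahead of any accept entry, a site-of-origin community that the paired vsi-export policy adds, so that a gateway does not re-import routes exported by itself or its anycast peer. The function names are hypothetical, the sample is trimmed from the PE-4/PE-5 configuration, and the check assumes that policy entries are evaluated in ascending entry order.

```python
import re
from itertools import takewhile

# Constructed sample: BGP instance 2 of VPLS 2 on PE-4/PE-5, trimmed from this page.
SAMPLE = '''
community "SOO-45"
    members "origin:45:45"
exit
policy-statement "vsi-502-export"
    default-action accept
        community add "RT64496:502" "SOO-45"
    exit
exit
policy-statement "vsi-502-import"
    entry 10
        from
            community "SOO-45"
        exit
        action drop
        exit
    exit
exit
bgp 2
    vsi-export "vsi-502-export"
    vsi-import "vsi-502-import"
exit
'''

def stanzas(kind, text):  # (name, body) per stanza closed by 'exit' at its opening indent
    pat = rf'^( *){kind} "?([^"\n]+)"?\n(.*?)^\1exit$'
    return [(n, b) for _, n, b in re.findall(pat, text, re.M | re.S)]

def audit(cfg):
    """Return findings for vsi-export/vsi-import pairs that lack an SOO loop guard."""
    members = dict(re.findall(r'community "([^"]+)"\s+members "([^"]+)"', cfg))
    pol = dict(stanzas('policy-statement', cfg))
    findings = []
    for exp, imp in re.findall(r'vsi-export "([^"]+)"\s+vsi-import "([^"]+)"', cfg):
        adds = ' '.join(re.findall(r'community add (.+)', pol.get(exp, '')))
        soo = {c for c in re.findall(r'"([^"]+)"', adds) if members.get(c, '').startswith('origin:')}
        ents = sorted(stanzas('entry', pol.get(imp, '')), key=lambda e: int(e[0]))
        early = takewhile(lambda e: 'action accept' not in e[1], ents)  # ahead of first accept
        guarded = any('action drop' in b and soo & set(re.findall(r'community "([^"]+)"', b))
                      for _, b in early)
        if not soo:
            findings.append(f'{exp}: adds no origin: (site-of-origin) community')
        elif not guarded:
            findings.append(f'{imp}: no drop entry for {sorted(soo)} before the first accept')
    return findings
```

An empty list from audit() means every vsi-export/vsi-import pair found in the text carries the guard; the text passed in must contain the community definitions, the policy statements, and the service BGP stanzas.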

The following command on PE-2 shows BGP instances 1 and 2 in VPLS 2. RD 192.0.2.23:2 is configured in BGP instance 1; RD 192.0.2.32:2 is configured in BGP instance 2. The RTs are defined by virtual switching instance (VSI) policies.

*A:PE-2# show service id 2 bgp

===============================================================================
BGP Information
===============================================================================
Bgp Instance         : 1
Vsi-Import           : vsi-501-import
Vsi-Export           : vsi-501-export
Route Dist           : 192.0.2.23:2
Oper Route Dist      : 192.0.2.23:2
Oper RD Type         : configured
Rte-Target Import    : None                 Rte-Target Export: None
Oper RT Imp Origin   : vsi                  Oper RT Import   : Policy Based
Oper RT Exp Origin   : vsi                  Oper RT Export   : Policy Based
ADV Service MTU      : -1

Bgp Instance         : 2
Vsi-Import           : vsi-502-import
Vsi-Export           : vsi-502-export
Route Dist           : 192.0.2.32:2
Oper Route Dist      : 192.0.2.32:2
Oper RD Type         : configured
Rte-Target Import    : None                 Rte-Target Export: None
Oper RT Imp Origin   : vsi                  Oper RT Import   : Policy Based
Oper RT Exp Origin   : vsi                  Oper RT Export   : Policy Based
ADV Service MTU      : -1

PW-Template Id       : None
-------------------------------------------------------------------------------
===============================================================================

The following command on PE-2 shows the EVPN-MPLS destinations in VPLS 2: EVPN destination 192.0.2.1 is reachable via an RSVP tunnel, and EVPN destination 192.0.2.4, in EVPN-MPLS instance 2, is reachable via an SR-ISIS tunnel:

*A:PE-2# show service id 2 evpn-mpls
 
===============================================================================
BGP EVPN-MPLS Dest
===============================================================================
TEP Address                    Egr Label     Num.   Mcast Last Change
                               Transport:Tnl MACs         Sup BCast Domain
-------------------------------------------------------------------------------
192.0.2.1                      524284        1      bum   12/09/2022 10:11:04
                               rsvp:1                     No
192.0.2.4                      524278        1      bum   12/09/2022 10:11:17
                               isis:524291                No
-------------------------------------------------------------------------------
Number of entries : 2
-------------------------------------------------------------------------------
===============================================================================
 
===============================================================================
BGP EVPN-MPLS Ethernet Segment Dest
===============================================================================
Eth SegId                       Num. Macs               Last Change
-------------------------------------------------------------------------------
No Matching Entries
===============================================================================

When traffic is sent between CE-21 and CE-26, the FDB in PE-1 shows that traffic toward MAC address 00:00:5e:00:53:26 is sent via RSVP tunnel 1 toward PE-2:

*A:PE-1# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 sap:1/1/c10/1:2         L/120    12/09/22 10:10:20
2          00:00:5e:00:53:26 mpls-1:                 Evpn     12/09/22 10:11:36
                             192.0.2.2:524281
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The following command on PE-1 shows that only the EVPN MAC route received from PE-2 is used, not the one from PE-3 in the same anycast group. This is due to the best path selection done by BGP for the two routes, which have the same route key:

*A:PE-1# show router bgp routes evpn mac mac-address 00:00:5e:00:53:26
===============================================================================
 BGP Router ID:192.0.2.1        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete
 
===============================================================================
BGP EVPN MAC Routes
===============================================================================
Flag  Route Dist.         MacAddr           ESI
      Tag                 Mac Mobility      Label1
                          Ip Address
                          NextHop
-------------------------------------------------------------------------------
u*>i  192.0.2.23:2        00:00:5e:00:53:26 ESI-0
      0                   Seq:0             LABEL 524281
                          n/a
                          192.0.2.2
 
*>i   192.0.2.23:2        00:00:5e:00:53:26 ESI-0
      0                   Seq:0             LABEL 524283
                          n/a
                          192.0.2.3 
 
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

The FDB for VPLS 2 on PE-2 shows that MAC address 00:00:5e:00:53:21 can be reached using EVPN-MPLS instance 1 whereas MAC address 00:00:5e:00:53:26 can be reached using EVPN-MPLS instance 2:

*A:PE-2# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-1:                 Evpn     12/09/22 10:11:04
                             192.0.2.1:524284
           rsvp:1
2          00:00:5e:00:53:26 mpls-2:                 Evpn     12/09/22 10:11:36
                             192.0.2.4:524278
           isis:524291
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The FDB for VPLS 2 on PE-4 is as follows:

*A:PE-4# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-2:                 Evpn     12/09/22 10:11:20
                             192.0.2.2:524280
           isis:524290
2          00:00:5e:00:53:26 mpls-1:                 Evpn     12/09/22 10:11:36
                             192.0.2.6:524284
           rsvp:1
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

The FDB for VPLS 2 on PE-6 is as follows:

*A:PE-6# show service id 2 fdb detail
 
===============================================================================
Forwarding Database, Service 2
===============================================================================
ServId     MAC               Source-Identifier       Type     Last Change
            Transport:Tnl-Id                         Age
-------------------------------------------------------------------------------
2          00:00:5e:00:53:21 mpls-1:                 Evpn     12/09/22 10:11:39
                             192.0.2.4:524279
           rsvp:1
2          00:00:5e:00:53:26 sap:1/1/c10/1:2         L/30     12/09/22 10:11:36
-------------------------------------------------------------------------------
No. of MAC Entries: 2
-------------------------------------------------------------------------------
Legend:  L=Learned O=Oam P=Protected-MAC C=Conditional S=Static Lf=Leaf
===============================================================================

Conclusion

Dual-instance EVPN-MPLS GWs reduce the number of service labels to be learned at the access nodes and optimize the replication of BUM traffic from the access nodes.