Flow-Aware Transport (FAT) Label Signaling in L2VPN and EVPN Services

This chapter provides information about Flow-Aware Transport (FAT) label signaling in BGP Layer 2 services and BGP EVPN services.

Topics in this chapter include:

Applicability

The information and the configuration in this chapter are based on SR OS Release 24.3.R1. FAT label signaling in BGP VPLS and BGP VPWS is supported in SR OS Release 22.10.R2 and later. FAT label signaling in EVPN VPLS and EVPN VPWS is supported in SR OS Release 23.10.R1 and later.

Overview

Some operators require the use of the FAT label, also known as the hash label, as an alternative to entropy label in order to interoperate with other vendors. The hash label adds entropy to divisible flows and creates load-balancing for unicast flows in the network. The hash label uses only one additional label, whereas the entropy label adds two labels: the entropy label indicator and the entropy label itself, as described in the Entropy Label chapter in the 7450 ESS, 7750 SR, and 7950 XRS MPLS Advanced Configuration Guide for Classic CLI. The hash label is mutually exclusive with the entropy label. The hash label works end-to-end regardless of the transport tunnels. The packet sequencing is preserved because one hash label is used per flow.

Besides the hash label itself, SR OS nodes can signal the capability of transmitting or receiving the hash label using the following control flags:
  • the T and R control flags as per RFC 8395 in BGP L2VPN routes
  • the F control flag as per RFC 7342bis in BGP EVPN routes.

Hash label signaling in BGP VPLS and BGP VPWS services

Control flags in the layer 2 extended community shows the control flags in the Layer 2 extended community, with T for transmit capability and R for receive capability for the hash label. The C and S control flags are beyond the scope of this chapter.

Figure 1. Control flags in the layer 2 extended community

RFC 8395 extends the BGP L2VPN route signaling to indicate the capability of a node to send and receive the hash label at the bottom of the stack on a per pseudowire (PW) basis. BGP VPLS and BGP VPWS services use PW templates, that can be configured with the hash-label attribute with or without the signal-capability option.

*A:PE-2>config>service>pw-template# hash-label ?
  - hash-label [signal-capability]
  - no hash-label

 <signal-capability>  : keyword
Note: The hash-label [signal-capability] command is also used to signal the hash label in TLDP SDP bindings, but the scope of this section is hash label signaling in BGP L2VPN routes.

When the PW template is configured with hash-label only, the control flags are signaled as T=R=0 (Flags=none) and the hash label is sent and expected to be received in all the packets.

When the PW template is configured with hash-label signal-capability, the control flags are signaled as T=R=1. The dynamic signaling of the capability to transmit or receive hash labels is required in mixed environments where different vendors in the same service may support the hash label or not.

For example, PE-1 signals T=R=1 to PE-2 and PE-2 signals T=R=0 to PE-1. When PE-1 receives the information that PE-2 is not capable of transmitting or receiving hash labels, PE-1 sends packets without a hash label to PE-2 and PE-1 expects packets without a hash label from PE-2. If PE-2 sends packets with a hash label while PE-2 signaled T=R=0, PE-1 drops these packets.

In principle, it is possible that a node signals different values for the T and R flag, for example, T=1 and R=0 (or T=0 and R=1), but in either case, no traffic is possible toward such a node. SR OS does not support hash label asymmetry between peers. If peer PE-3 signals R=1 to PE-1, PE-1 sends packets with a hash label to PE-3 and expects packets with hash label from PE-3, regardless of the value of the received T flag. PE-1 drops packets without a hash label received from PE-3. If peer PE-4 signals R=0 to PE-1, PE-1 sends packets without a hash label to PE-4 and PE-1 expects packets without a hash label from PE-4. PE-1 drops packets with a hash label received from PE-4.

Hash label signaling in EVPN VPLS and EVPN VPWS services

Control flags in the EVPN Layer 2 attributes community shows the control flags in the EVPN Layer 2 attributes community, with F for the presence of a flow label. The C control flag is used for the presence of a control word and C=1 in one of the configuration examples in this chapter; the P and B control flags are described in the EVPN for MPLS Tunnels in Epipe Services (EVPN-VPWS) chapter.

Figure 2. Control flags in the EVPN Layer 2 attributes community

When the F-bit is set to 1, the PE announces the capability of both sending and receiving hash labels for unicast.

The following command enables the hash label in an EVPN VPWS service:

configure
    service
        epipe "EVPN-VPWS-4"
            bgp-evpn
                mpls
                    hash-label

The following command enables the hash label in an EVPN VPLS service:

configure
    service
        vpls "EVPN-VPLS-3"
            bgp-evpn
                mpls
                    ingress-replication-bum-label
                    hash-label

The following error message is raised when attempting to enable the hash label in an EVPN VPLS service without ingress-replication-bum-label:

*A:PE-2>config>service>vpls>bgp-evpn>mpls# hash-label 
MINOR: SVCMGR #7886 cannot modify evpn - cannot support hash-label without ingress-replication-bum-label

The incl-mcast-l2-attributes-advertisement command enables the advertisement of the EVPN Layer 2 attributes enhanced community in Inclusive Multicast Ethernet Tag (IMET) routes for the EVPN VPLS:

configure
    service
        vpls "EVPN-VPLS-3" 
            bgp-evpn
                incl-mcast-l2-attributes-advertisement

For EVPN VPWS services, the Layer 2 attributes are signaled in the AD per-EVI routes. No IMET routes are sent for EVPN VPWS services, so the incl-mcast-l2-attributes-advertisement command is not supported in Epipes.

When a node receives an IMET (for EVPN VPLS) or a BGP-EVPN AD per-EVI (for EVPN-VPWS) route that contains the F bit, the node compares the received F bit with the local configuration for the hash label. In case of a mismatch, the node brings down the EVPN destination in case of EVPN VPLS or removes the EVPN destination in case of EVPN VPWS.

Besides the F flag, the Layer 2 attributes community also includes the service MTU and the control word. A node compares the received MTU with the local service MTU. In case of an MTU mismatch, the node brings down the EVPN destination in case of EVPN VPLS or removes the EVPN destination in case of EVPN VPWS, unless the ignore-mtu-mismatch command is configured. The control word flag C is set by the advertising PE when the control-word command is configured in the service. A node compares the received C flag with the local configuration. In case of a mismatch, the node brings down the EVPN destination in case of EVPN VPLS or removes the EVPN destination in case of EVPN VPWS.

Configuration

Example topology shows the example topology with four PEs and one route reflector (RR) in AS 64496.

Figure 3. Example topology
The initial configuration includes:
  • cards, MDAs, ports
  • router interfaces
  • ECMP = 2 in the base router of all PEs
  • IS-IS between all nodes
  • LDP between all PEs, not toward the RR
In this section, the following will be described:

Hash label signaling in BGP VPLS and BGP VPWS

BGP is configured for the L2VPN address family, as follows:

# on PE-1, PE-2, PE-3, PE-4;
configure
    router Base
        autonomous-system 64496
        bgp
            rapid-withdrawal
            split-horizon
            rapid-update l2-vpn
            group "internal" 
                peer-as 64496
                neighbor 192.0.2.5    # RR-5
                    family l2-vpn
                exit
            exit
In this section, three PW templates are used:

All of these PW templates are used on different nodes in Different hash label configuration in BGP-VPLS-1 on different nodes.

BGP VPLS and BGP VPWS without hash label

PW template "PW-1" is configured with split-horizon-group (SHG) "SHG-1" but without hash label, as follows:

# on PE-1, PE-2, PE-3, PE-4:
configure
    service
        pw-template 1 name "PW-1" create
            split-horizon-group "SHG-1"
            exit
        exit

The following services on PE-1 use PW template "PW-1":

# on PE-1:
configure
    service
        vpls 1 name "BGP-VPLS-1" customer 1 create
            bgp
                route-distinguisher 192.0.2.1:1
                route-target export target:64496:1 import target:64496:1
                pw-template-binding 1
                exit
            exit
            bgp-vpls
                max-ve-id 10
                ve-name "PE-1"
                    ve-id 1
                exit
                no shutdown
            exit
            stp
                shutdown
            exit
            sap 1/1/c10/1:1 create
                no shutdown
            exit
            no shutdown
        exit
        epipe 2 name "BGP-VPWS-2" customer 1 create
            bgp
                route-distinguisher 192.0.2.1:2
                route-target export target:64496:2 import target:64496:2
                pw-template-binding 1
                exit
            exit
            bgp-vpws
                ve-name "PE-1"
                    ve-id 1
                exit
                remote-ve-name "PE-4"
                    ve-id 4
                exit
                no shutdown
            exit
            sap 1/1/c10/1:2 create
                no shutdown
            exit
            no shutdown
        exit

The configuration is similar on the other PEs. The BGP VPLS is configured on all PEs; the BGP VPWS only on PE-1 and PE-4.

The following BGP VPLS routes are received on PE-4:

*A:PE-4# show router bgp routes l2-vpn bgp-vpls
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP L2VPN-VPLS Routes
===============================================================================
Flag  RouteType                   Prefix                             MED
      RD                          SiteId                             Label
      Nexthop                     VeId                   BlockSize   LocalPref
      As-Path                     BaseOffset             vplsLabelBa
                                                         se
-------------------------------------------------------------------------------
u*>i  VPLS                        -                      -           0
      192.0.2.1:1                 -                                  -
      192.0.2.1                   1                      8           100
      No As-Path                  1                      524276
u*>i  VPLS                        -                      -           0
      192.0.2.2:1                 -                                  -
      192.0.2.2                   2                      8           100
      No As-Path                  1                      524276
u*>i  VPLS                        -                      -           0
      192.0.2.3:1                 -                                  -
      192.0.2.3                   3                      8           100
      No As-Path                  1                      524276
-------------------------------------------------------------------------------
Routes : 3
===============================================================================

The following BGP VPWS route is received on PE-4:

*A:PE-4# show router bgp routes l2-vpn bgp-vpws
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP L2VPN-VPWS Routes
===============================================================================
Flag  RouteType                   Prefix                             MED
      RD                          SiteId                             Label
      Nexthop                     VeId                   BlockSize   LocalPref
      As-Path                     BaseOffset             vplsLabelBa
                                                         se
-------------------------------------------------------------------------------
u*>i  VPWS                        -                      -           0
      192.0.2.1:2                 -                                  -
      192.0.2.1                   1                      1           100
      No As-Path                  4                      524275
-------------------------------------------------------------------------------
Routes : 1
===============================================================================

PW template 1 does not have hash label enabled. The following command shows that the hash label is disabled on all SDPs in BGP-VPLS-1:

*A:PE-1# show service id 1 sdp detail | match Hash
Hash Label         : Disabled                 Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Disabled
Hash Label         : Disabled                 Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Disabled
Hash Label         : Disabled                 Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Disabled

The following command shows that the hash label is disabled on the SDP in BGP-VPWS-2:

*A:PE-1# show service id 2 sdp detail | match Hash
Hash Label         : Disabled                 Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Disabled

BGP VPLS and BGP VPWS with hash label only

The following command configures PW template "PW-2-hash-label-only" with SHG and hash label, but without hash label signaling capability:

# on PE-1, PE-2, PE-3, PE-4:
configure
    service
        pw-template 2 name "PW-2-hash-label-only" create
            hash-label
            split-horizon-group "SHG-1"
        exit

The following command reconfigures the BGP VPLS and BGP VPWS services with PW template 2 instead of PW template 1:

# on PE-1:
configure
    service
        vpls "BGP-VPLS-1" 
            bgp-vpls
                shutdown
            exit
            bgp
                route-target export target:64496:1 import target:64496:1
                no pw-template-binding 1
                pw-template-binding 2
                exit
            exit
            bgp-vpls
                no shutdown
            exit
        exit
        epipe "BGP-VPWS-2" 
            bgp-vpws
                shutdown
            exit
            bgp
                route-target export target:64496:2 import target:64496:2
                no pw-template-binding 1
                pw-template-binding 2
                exit
            exit
            bgp-vpws
                no shutdown
            exit
        exit

The configuration on the other PEs is similar. BGP-VPWS-2 is only configured on PE-1 and PE-4.

The following command shows that hash label is enabled, but the hash label signaling capability is disabled. The operational hash label is enabled only when both ends of the SDP have the hash label enabled.

*A:PE-1# show service id 1 sdp detail | match Hash
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Enabled
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Enabled
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Enabled
*A:PE-1# show service id 2 sdp detail | match Hash
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Disabled
Oper Hash Label    : Enabled

The hash label signaling capability is disabled, so no T-bit or R-bit is advertised. The following shows that no flags are received in the L2VPN community for BGP-VPLS-1:

*A:PE-1# show router bgp routes l2-vpn community target:64496:1 detail | match Community context all
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0
Community      : target:64496:1
                 l2-vpn/vrf-imp:Encap=19: Flags=none: MTU=1514: PREF=0

Similarly, no flags are received in the L2VPN community for BGP-VPWS-2:

*A:PE-1# show router bgp routes l2-vpn community target:64496:2 detail | match Community context all
Community      : target:64496:2
                 l2-vpn/vrf-imp:Encap=5: Flags=none: MTU=1514: PREF=0
Community      : target:64496:2
                 l2-vpn/vrf-imp:Encap=5: Flags=none: MTU=1514: PREF=0

BGP VPLS and BGP VPWS with hash label and hash label signaling

The following command configures PW template "PW-3-hash-label-sign" with SHG, hash label, and hash label signal capability. This PW template is applied in BGP-VPLS-1 and BGP-VPWS-2.

# on PE-1, PE-4:
configure
    service
        pw-template 3 name "PW-3-hash-label-sign" create
            hash-label signal-capability
            split-horizon-group "SHG-1"
            exit
        exit
        vpls "BGP-VPLS-1" 
            bgp-vpls
                shutdown
            exit
            bgp
                route-target export target:64496:1 import target:64496:1
                no pw-template-binding 2
                pw-template-binding 3
                exit
            exit
            bgp-vpls
                no shutdown
            exit
        exit
        epipe "BGP-VPWS-2" 
            bgp-vpws
                shutdown
            exit
            bgp
                route-target export target:64496:2 import target:64496:2
                no pw-template-binding 2
                pw-template-binding 3
                exit
            exit
            bgp-vpws
                no shutdown
            exit
        exit

The configuration on PE-2 and PE-3 is similar for BGP-VPLS-1; BGP-VPWS-2 is only configured on PE-1 and PE-4.

The following shows that hash label and hash label signaling capability is supported on all SDPs in BGP-VPLS-1 on PE-1:

*A:PE-1# show service id 1 sdp detail | match Hash
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Enabled
Oper Hash Label    : Enabled
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Enabled
Oper Hash Label    : Enabled
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Enabled
Oper Hash Label    : Enabled

Likewise, hash label and hash label capability signaling is enabled on the SDP in BGP-VPWS-2 on PE-1:

*A:PE-1# show service id 2 sdp detail | match Hash
Hash Label         : Enabled                  Hash Lbl Sig Cap  : Enabled
Oper Hash Label    : Enabled

PE-1 receives the following BGP L2VPN route for BGP-VPLS-1 with T=R=1 (Flags=-T-R) from PE-4:

140 2024/09/04 14:14:12.097 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Received BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 86
    Flag: 0x90 Type: 14 Len: 28 Multiprotocol Reachable NLRI:
        Address Family L2VPN
        NextHop len 4 NextHop 192.0.2.4
        [VPLS/VPWS] preflen 17, veid: 4, vbo: 1, vbs: 8, label-base: 524253, RD 192.0.2.4:1
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x80 Type: 4 Len: 4 MED: 0
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:1
        l2-vpn/vrf-imp:Encap=19: Flags=-T-R: MTU=1514: PREF=0    # encap 19 --> BGP VPLS
"

PE-1 receives the following BGP L2VPN route for BGP-VPWS-2 with T=R=1 from PE-4:

143 2024/09/04 14:14:12.098 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Received BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 90
    Flag: 0x90 Type: 14 Len: 32 Multiprotocol Reachable NLRI:
        Address Family L2VPN
        NextHop len 4 NextHop 192.0.2.4
        [VPLS/VPWS] preflen 21, veid: 4, vbo: 1, vbs: 1, label-base: 524279, RD 192.0.2.4:2, csv: 0x00000000, type 1, len 1,
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x80 Type: 4 Len: 4 MED: 0
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:2
        l2-vpn/vrf-imp:Encap=5: Flags=-T-R: MTU=1514: PREF=0    # encap 5 --> BGP VPWS
"

The following command includes the T and R flags for the different SDPs in the L2 BGP-VPLS route information:

*A:PE-4# show service id "BGP-VPLS-1" l2-route-table bgp-vpls detail


===============================================================================
Services: L2 Bgp-Vpls Route Information - Service 1
===============================================================================

VeId           : 1
PW Temp Id     : 3
RD             : *192.0.2.1:1
Next Hop       : 192.0.2.1
State (D-Bit)  : up(0)
Path MTU       : 1514
Hash Label Tx  : 1
Hash Label Rx  : 1
Control Word   : 0
Seq Delivery   : 0
DF Bit         : clear
Status         : active
Sdp Bind Id    : 32752:4294967275

VeId           : 2
PW Temp Id     : 3
RD             : *192.0.2.2:1
Next Hop       : 192.0.2.2
State (D-Bit)  : up(0)
Path MTU       : 1514
Hash Label Tx  : 1
Hash Label Rx  : 1
Control Word   : 0
Seq Delivery   : 0
DF Bit         : clear
Status         : active
Sdp Bind Id    : 32750:4294967273

VeId           : 3
PW Temp Id     : 3
RD             : *192.0.2.3:1
Next Hop       : 192.0.2.3
State (D-Bit)  : up(0)
Path MTU       : 1514
Hash Label Tx  : 1
Hash Label Rx  : 1
Control Word   : 0
Seq Delivery   : 0
DF Bit         : clear
Status         : active
Sdp Bind Id    : 32749:4294967272
===============================================================================

The following command includes the T and R flags in the L2 BGP-VPWS route information:

*A:PE-4# show service id "BGP-VPWS-2" l2-route-table bgp-vpws detail


===============================================================================
Services: L2 Bgp-Vpws Route Information - Service 2
===============================================================================

VeId           : 1
PW Temp Id     : 3
RD             : *192.0.2.1:2
Next Hop       : 192.0.2.1
State (D-Bit)  : up(0)
Path MTU       : 1514
Hash Label Tx  : 1
Hash Label Rx  : 1
Control Word   : 0
Seq Delivery   : 0
Status         : active
Tx Status      : active
CSV            : 0
Preference     : 0
Sdp Bind Id    : 32751:4294967274
===============================================================================

Different hash label configuration in BGP-VPLS-1 on different nodes

BGP-VPLS-1 is reconfigured on PE-2 and PE-3 with different PW templates. The following command reconfigures BGP-VPLS-1 with PW template 1 on PE-2:

# on PE-2:
configure
    service
        vpls "BGP-VPLS-1" 
            bgp-vpls
                shutdown
            exit
            bgp
                no pw-template-binding 3
                pw-template-binding 1        # PW template 1 is without hash-label
                exit
            exit
            bgp-vpls
                no shutdown
            exit
Similarly, BGP-VPLS-1 on PE-3 is reconfigured with PW template 2. As a result, BGP-VPLS-1 has a different hash label configuration on different nodes:
  • PW template 3 (hash label with hash label signaling capability) on PE-1 and PE-4
  • PW template 1 (no hash label) on PE-2
  • PW template 2 (hash label without hash label signaling capability) on PE-3

BGP-VPLS-1 on PE-1 (hash label with hash label signaling capability) has connectivity with BGP-VPLS-1 on PE-2 (no hash label):

*A:PE-1# ping router-instance "CE-11" 172.16.1.2 rapid
PING 172.16.1.2 56 data bytes
!!!!!
---- 172.16.1.2 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.01ms, avg = 3.91ms, max = 7.33ms, stddev = 1.71ms

BGP-VPLS-1 on PE-2 is configured without hash label, so PE-2 always sends and expects to receive frames without a hash label. Even though BGP-VPLS-1 on PE-1 is configured with hash label and hash label signalling capability, when PE-1 receives T=R=0 (Flags:none) from PE-2, PE-1 adapts to send and expect to receive frames without a hash label to and from PE-2.

BGP-VPLS-1 on PE-1 (hash label with hash label signaling capability) has no connectivity with BGP-VPLS-1 on PE-3 (hash label only):

*A:PE-1# ping router-instance "CE-11" 172.16.1.3 rapid
PING 172.16.1.3 56 data bytes
.....
---- 172.16.1.3 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

BGP-VPLS-1 on PE-3 is configured with hash label only, so PE-3 always sends and expects to receive frames with a hash label. PE-3 has no signaling capability, so PE-3 sends T=R=0 (Flags:none). Even though BGP-VPLS-1 on PE-1 is configured with hash label and hash label signalling capability, when PE-1 receives T=R=0 from PE-3, PE-1 adapts to send and expect to receive frames without a hash label to and from PE-3. So, there is a mismatch, causing PE-1 to drop the frames with a hash label from PE-3 and PE-3 to drop the frames without a hash label from PE-1.

From BGP-VPLS-1 on PE-3 (hash label only), there is no connectivity to PE-1 (hash label with hash label signaling capability) or to PE-2 (no hash label):

*A:PE-3# ping router-instance "CE-13" 172.16.1.1 rapid
PING 172.16.1.1 56 data bytes
.....
---- 172.16.1.1 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

*A:PE-3# ping router-instance "CE-13" 172.16.1.2 rapid
PING 172.16.1.2 56 data bytes
.....
---- 172.16.1.2 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

BGP-VPLS-1 on PE-2 is configured without hash label, so PE-2 always sends and expects to receive frames without a hash label. PE-3 is configured with hash label only, so it always sends and expects to receive frames with a hash label. This is a mismatch and the frames are dropped.

Hash label signaling in EVPN VPLS and EVPN VPWS

BGP is configured for the EVPN address family, as follows:

# on PE-1, PE-2, PE-3, PE-4:
configure
    router Base
        autonomous-system 64496
        bgp
            rapid-withdrawal
            split-horizon
            rapid-update evpn
            group "internal" 
                peer-as 64496
                neighbor 192.0.2.5        # RR-5
                    family evpn
                exit
            exit
This section is divided in the following subsections:

EVPN VPLS and EVPN VPWS services without hash label

The following EVPN VPLS and EVPN VPWS services are configured on PE-1:

# on PE-1:
configure
    service
        vpls 3 name "EVPN-VPLS-3" customer 1 create
            bgp
                route-target export target:64496:3 import target:64496:3
            exit
            bgp-evpn
                evi 3
                mpls
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            sap 1/1/c10/1:3 create
                no shutdown
            exit
            no shutdown
        exit
        epipe 4 name "EVPN-VPWS-4" customer 1 create
            bgp
                route-target export target:64496:4 import target:64496:4
            exit
            bgp-evpn
                local-attachment-circuit PE1 create
                    eth-tag 1
                exit
                remote-attachment-circuit PE4 create
                    eth-tag 4
                exit
                evi 4
                mpls
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            sap 1/1/c10/1:4 create
                description "SAP to CE-41"
                no shutdown
            exit
            no shutdown
        exit
        vpls 5 name "BD-5" customer 1 create
            allow-ip-int-bind
            exit
            bgp
                route-target export target:64496:5 import target:64496:5
            exit
            bgp-evpn
                evi 5
                mpls bgp 1
                    auto-bind-tunnel
                        resolution any
                    exit
                    no shutdown
                exit
            exit
            stp
                shutdown
            exit
            sap 1/1/c10/1:5 create
                no shutdown
            exit
            no shutdown
        exit
        ies 55 name "IES-55" customer 1 create
            interface "int-BD-5" create
                address 172.16.51.1/24
                vpls "BD-5"
                exit
            exit
            no shutdown
        exit

The configuration on PE-4 is similar. On PE-2 and PE-3, only one EVPN L2 service is configured: EVPN-VPLS-3.

PE-4 receives the following IMET routes for EVPN-VPLS-3 and BD-5:

*A:PE-4# show router bgp routes evpn incl-mcast
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP EVPN Inclusive-Mcast Routes
===============================================================================
Flag  Route Dist.         OrigAddr
      Tag                 NextHop
-------------------------------------------------------------------------------
u*>i  192.0.2.1:3         192.0.2.1
      0                   192.0.2.1

u*>i  192.0.2.1:5         192.0.2.1
      0                   192.0.2.1

u*>i  192.0.2.2:3         192.0.2.2
      0                   192.0.2.2

u*>i  192.0.2.3:3         192.0.2.3
      0                   192.0.2.3

-------------------------------------------------------------------------------
Routes : 4
===============================================================================

PE-4 receives the following AD per-EVI route for EVPN-VPWS-4:

*A:PE-4# show router bgp routes evpn auto-disc
===============================================================================
 BGP Router ID:192.0.2.4        AS:64496       Local AS:64496
===============================================================================
 Legend -
 Status codes  : u - used, s - suppressed, h - history, d - decayed, * - valid
                 l - leaked, x - stale, > - best, b - backup, p - purge
 Origin codes  : i - IGP, e - EGP, ? - incomplete

===============================================================================
BGP EVPN Auto-Disc Routes
===============================================================================
Flag  Route Dist.         ESI                           NextHop
      Tag                                               Label
-------------------------------------------------------------------------------
u*>i  192.0.2.1:4         ESI-0                         192.0.2.1
      1                                                 LABEL 524273

-------------------------------------------------------------------------------
Routes : 1
===============================================================================

The following shows that the hash label is disabled on EVPN-VPLS-3, BGP-VPWS-4, and BD-5:

*A:PE-1# show service id 3 bgp-evpn | match Hash
Hash Label         : Disabled
*A:PE-1# show service id 4 bgp-evpn | match Hash
Hash Label         : Disabled
*A:PE-1# show service id 5 bgp-evpn | match Hash
Hash Label         : Disabled

The following command shows the EVPN destinations for EVPN-VPLS-3 on PE-1 with their operational state and operational flags:

*A:PE-1# show service id 3 evpn-mpls instance 1 detail

===============================================================================
BGP EVPN-MPLS Dest (Instance 1)
===============================================================================
TEP Address                     Transport:Tnl     Egr Label  Oper  Mcast  Num
                                                             State        MACs
-------------------------------------------------------------------------------
192.0.2.2                       ldp:65537         524275     Up    bum    1
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:21:23
192.0.2.3                       ldp:65538         524275     Up    bum    1
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:21:29
192.0.2.4                       ldp:65539         524274     Up    bum    1
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:21:37
-------------------------------------------------------------------------------
Number of entries: 3
-------------------------------------------------------------------------------
===============================================================================
---snip---

EVPN VPWS services with hash label and hash label signaling capability

The following command enables the hash label in BGP-VPWS-4:

# on PE-1, PE-4:
configure
    service
        epipe "EVPN-VPWS-4"
            bgp-evpn
                mpls
                    hash-label

The following shows that the hash label is enabled in BGP-VPWS-4:

*A:PE-1# show service id 4 bgp-evpn | match Hash
Hash Label         : Enabled

PE-1 receives the following AD per EVI route from originator PE-4:

100 2024/09/04 14:06:09.098 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Received BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 95
    Flag: 0x90 Type: 14 Len: 36 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.4
        Type: EVPN-AD Len: 25 RD: 192.0.2.4:4 ESI: ESI-0, tag: 4 Label: 8388368 (Raw Label: 0x7fff10) PathId:
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 24 Extended Community:
        target:64496:4
        l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
        bgp-tunnel-encap:MPLS
"

The L2 attributes community includes the MTU and the control flags. The flow label F flag is set to 1. When the hash label is enabled, it is advertised in the AD per-EVI route.

EVPN VPLS services with hash label only

The hash label is configured in EVPN-VPLS-3 and BD-5, as follows:

# on PE-1:
configure
    service
        vpls "EVPN-VPLS-3"
            bgp-evpn
                mpls
                    ingress-replication-bum-label    # required for hash label
                    hash-label
                    no shutdown
                exit
            exit
            info
        exit
        vpls "BD-5" 
            bgp-evpn
                mpls
                    control-word                     # optional
                    ingress-replication-bum-label    # required for hash label
                    hash-label
                    no shutdown
                exit
            exit

The following shows that the hash label is enabled in EVPN-VPLS-3 and BD-5:

*A:PE-1# show service id 3 bgp-evpn | match Hash
Hash Label         : Enabled
*A:PE-1# show service id 5 bgp-evpn | match Hash
Hash Label         : Enabled

The hash label is enabled, but the flow label control flag F is not advertised. The following IMET route for EVPN-VPLS-3 shows that there is no Layer 2 attributes community in the extended community:

101 2024/09/04 14:06:09.098 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Received BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 91
    Flag: 0x90 Type: 14 Len: 28 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.4
        Type: EVPN-INCL-MCAST Len: 17 RD: 192.0.2.4:3, tag: 0, orig_addr len: 32, orig_addr: 192.0.2.4
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 16 Extended Community:
        target:64496:3
        bgp-tunnel-encap:MPLS
    Flag: 0xc0 Type: 22 Len: 9 PMSI:
        Tunnel-type Ingress Replication (6)
        Flags: (0x0)[Type: None BM: 0 U: 0 Leaf: not required]
        MPLS Label 8388512
        Tunnel-Endpoint 192.0.2.4
"

EVPN VPLS services with hash label and hash label signaling capability

The following command is configured on the PEs to include the Layer 2 attributes community in the IMET routes:

# on PE-1:
configure
    service
        vpls "EVPN-VPLS-3" 
            bgp-evpn
                incl-mcast-l2-attributes-advertisement
            exit
        exit
        vpls "BD-5"
            bgp-evpn
                incl-mcast-l2-attributes-advertisement
            exit
        exit

The Layer 2 attributes community is included in the IMET routes. The flow label control flag is set to 1 for EVPN-VPLS-3, as follows:

*A:PE-1# show router bgp routes evpn incl-mcast community target:64496:3 detail | match Community context all
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
                 bgp-tunnel-encap:MPLS

The flow label control flag is set to 1 for EVPN R-VPLS BD-5, as follows:

*A:PE-1# show router bgp routes evpn incl-mcast community target:64496:5 detail | match Community context all
Community      : target:64496:5
                 l2-attribute:MTU: 1514 F: 1 C: 1 P: 0 B: 0
                 bgp-tunnel-encap:MPLS
Community      : target:64496:5
                 l2-attribute:MTU: 1514 F: 1 C: 1 P: 0 B: 0
                 bgp-tunnel-encap:MPLS

PE-1 receives the following IMET route with Layer 2 attributes community for EVPN-VPLS-3:

148 2024/09/04 14:14:32.434 UTC MINOR: DEBUG #2001 Base Peer 1: 192.0.2.5
"Peer 1: 192.0.2.5: UPDATE
Peer 1: 192.0.2.5 - Received BGP UPDATE:
    Withdrawn Length = 0
    Total Path Attr Length = 99
    Flag: 0x90 Type: 14 Len: 28 Multiprotocol Reachable NLRI:
        Address Family EVPN
        NextHop len 4 NextHop 192.0.2.4
        Type: EVPN-INCL-MCAST Len: 17 RD: 192.0.2.4:3, tag: 0, orig_addr len: 32, orig_addr: 192.0.2.4
    Flag: 0x40 Type: 1 Len: 1 Origin: 0
    Flag: 0x40 Type: 2 Len: 0 AS Path:
    Flag: 0x40 Type: 5 Len: 4 Local Preference: 100
    Flag: 0x80 Type: 9 Len: 4 Originator ID: 192.0.2.4
    Flag: 0x80 Type: 10 Len: 4 Cluster ID:
        192.0.2.5
    Flag: 0xc0 Type: 16 Len: 24 Extended Community:
        target:64496:3
        l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0
        bgp-tunnel-encap:MPLS
    Flag: 0xc0 Type: 22 Len: 9 PMSI:
        Tunnel-type Ingress Replication (6)
        Flags: (0x0)[Type: None BM: 0 U: 0 Leaf: not required]
        MPLS Label 8388512
        Tunnel-Endpoint 192.0.2.4
"

The following command shows the operational state "Up" and operational flags "None" for the EVPN destinations for EVPN-VPLS-3 on PE-1:

*A:PE-1# show service id 3 evpn-mpls instance 1 detail

===============================================================================
BGP EVPN-MPLS Dest (Instance 1)
===============================================================================
TEP Address                     Transport:Tnl     Egr Label  Oper  Mcast  Num
                                                             State        MACs
-------------------------------------------------------------------------------
192.0.2.2                       ldp:65537         524273     Up    bum    0
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:23:53
192.0.2.3                       ldp:65538         524273     Up    bum    0
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:23:03
192.0.2.4                       ldp:65539         524268     Up    bum    0
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 10/07/2024 09:23:18
-------------------------------------------------------------------------------
Number of entries: 3
-------------------------------------------------------------------------------
===============================================================================
---snip---

The operational flags will indicate which problems occur in case of a mismatch in hash label configuration on the different PEs, as shown in the following section.

Different hash label configuration in EVPN-VPLS-3 on different nodes

The hash label configuration on PE-2 is removed:

# on PE-2:
configure
    service
        vpls "EVPN-VPLS-3"
            bgp-evpn
                mpls
                    no hash-label

On PE-3, the hash label remains enabled in EVPN-VPLS-3, but the Layer 2 attributes community is not advertised:

# on PE-3:
configure
    service
        vpls "EVPN-VPLS-3"
            bgp-evpn
                no incl-mcast-l2-attributes-advertisement
As a result, EVPN-VPLS-3 has a different hash label configuration on the different PEs:
  • on PE-1 and PE-4; hash label enabled and Layer 2 attributes community advertised
  • on PE-2: no hash label configured
  • on PE-3: hash label enabled, but no Layer 2 attributes community advertised

The following ping commands show that it is only possible to ping between PE-1 and PE-4, but not between PE-1 and PE-2 or between PE-1 and PE-3.

*A:PE-1# ping router-instance "CE-31" 172.16.3.2 rapid
PING 172.16.3.2 56 data bytes
.....
---- 172.16.3.2 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

*A:PE-1# ping router-instance "CE-31" 172.16.3.3 rapid
PING 172.16.3.3 56 data bytes
.....
---- 172.16.3.3 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

*A:PE-1# ping router-instance "CE-31" 172.16.3.4 rapid
PING 172.16.3.4 56 data bytes
!!!!!
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 3.16ms, avg = 4.92ms, max = 10.0ms, stddev = 2.56ms

Similarly, it is possible to ping between PE-4 and PE-1, but not between PE-4 and PE-2 or between PE-4 and PE-3.

It is not possible to ping between PE-2 and PE-1, between PE-2 and PE-3, or between PE-2 and PE-4:

*A:PE-2# ping router-instance "CE-32" 172.16.3.1 rapid
PING 172.16.3.1 56 data bytes
.....
---- 172.16.3.1 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

*A:PE-2# ping router-instance "CE-32" 172.16.3.3 rapid
PING 172.16.3.3 56 data bytes
.....
---- 172.16.3.3 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

*A:PE-2# ping router-instance "CE-32" 172.16.3.4 rapid
PING 172.16.3.4 56 data bytes
.....
---- 172.16.3.4 PING Statistics ----
5 packets transmitted, 0 packets received, 100% packet loss

PE-1 and PE-4 advertise F=1 in the IMET routes while PE-2 advertises F=0 and PE-3 does not advertise the F flag, as follows:

*A:PE-4# show router bgp routes evpn incl-mcast community target:64496:3 hunt | match Community post-lines 5
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0    # originator PE-1
                 bgp-tunnel-encap:MPLS
Cluster        : 192.0.2.5
Originator Id  : 192.0.2.1              Peer Router Id : 192.0.2.5
Origin         : IGP
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 0 C: 0 P: 0 B: 0    # originator PE-2
                 bgp-tunnel-encap:MPLS
Cluster        : 192.0.2.5
Originator Id  : 192.0.2.2              Peer Router Id : 192.0.2.5
Origin         : IGP
Community      : target:64496:3 bgp-tunnel-encap:MPLS            # originator PE-3
Cluster        : 192.0.2.5
Originator Id  : 192.0.2.3              Peer Router Id : 192.0.2.5
Origin         : IGP
Flags          : Used Valid Best
Route Source   : Internal
Community      : target:64496:3
                 l2-attribute:MTU: 1514 F: 1 C: 0 P: 0 B: 0    # originator PE-4
                 bgp-tunnel-encap:MPLS
Cluster        : No Cluster Members
Originator Id  : None                   Peer Router Id : 192.0.2.5
Origin         : IGP

In case of a mismatch in F flag, the receiving node brings down the EVPN destination for EVPN VPLS. On PE-4, the only EVPN destination that is operationally up is PE-1:

*A:PE-4# show service id 3 evpn-mpls

===============================================================================
BGP EVPN-MPLS Dest (Instance 1)
===============================================================================
TEP Address                     Transport:Tnl     Egr Label  Oper  Mcast  Num
                                                             State        MACs
-------------------------------------------------------------------------------
192.0.2.1                       ldp:65538         524285     Up    bum    0
192.0.2.2                       ldp:65537         524285     Down  bum    0
192.0.2.3                       ldp:65539         524285     Down  bum    0
-------------------------------------------------------------------------------
Number of entries: 3
-------------------------------------------------------------------------------
===============================================================================
---snip---

The detailed information for the preceding EVPN destinations on PE-4 shows that there is a hash label mismatch with the F flag in the IMET received from PE-2 and that there is no L2 attributes community present in the IMET received from PE-3:

*A:PE-4# show service id 3 evpn-mpls detail

===============================================================================
BGP EVPN-MPLS Dest (Instance 1)
===============================================================================
TEP Address                     Transport:Tnl     Egr Label  Oper  Mcast  Num
                                                             State        MACs
-------------------------------------------------------------------------------
192.0.2.1                       ldp:65538         524285     Up    bum    0
  Oper Flags       : None
  Sup BCast Domain : No
  Last Update      : 09/05/2024 06:05:47
192.0.2.2                       ldp:65537         524285     Down  bum    0
  Oper Flags       : hashLblMismatch
  Sup BCast Domain : No
  Last Update      : 09/05/2024 06:05:47
192.0.2.3                       ldp:65539         524285     Down  bum    0
  Oper Flags       : noL2comm
  Sup BCast Domain : No
  Last Update      : 09/05/2024 06:05:47
-------------------------------------------------------------------------------
Number of entries: 3
-------------------------------------------------------------------------------
===============================================================================
---snip---

Conclusion

BGP L2VPN and BGP EVPN support hash label to enable a more efficient load balancing in the MPLS network. BGP L2VPN and BGP EVPN routes can signal the hash label capability dynamically, which is useful in networks where not all nodes support hash label.