EVPN Proxy ND - ARP/ND extended community

This chapter provides information about the support of RFC 9047 for EVPN proxy ND.

Topics in this chapter include:

Applicability
Overview
Configuration
Conclusion

Applicability

SR OS Release 23.3.R1 and later supports the ARP/ND extended community in EVPN MAC/IP advertisement routes used to advertise and populate the layer 2 proxy ARP or proxy ND table in EVPN VPLS services. The information and configuration in this chapter are based on SR OS Release 24.10.R3.

Overview

RFC 9047 specifies the ARP/ND extended community (type 0x06, sub-type 0x08) that contains three different flags (R, I, O) that the router supports when arp-nd-extended-community true is configured in the service vpls <vpls id> bgp-evpn routes mac-ip context.

ARP/ND extended community:

  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 | Type=0x06     | Sub-Type=0x08 |Flags (1 octet)| Reserved=0    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                       Reserved=0                              |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

 Flags field:

  0 1 2 3 4 5 6 7
 +-+-+-+-+-+-+-+-+
 |       |I| |O|R|
 +-+-+-+-+-+-+-+-+

This allows IPv6/MAC entries for both routers and hosts to be distributed via the EVPN control plane, when routers and hosts are concurrently attached to a single EVPN network. The ARP/ND extended community may also be used to indicate whether IPv4/MAC or IPv6/MAC entries are immutable. SR OS supports arp-nd-extended-community true in the same EVPN services that support proxy ARP or proxy ND. SR OS does not support proxy ARP and proxy ND in routed VPLS (R-VPLS) services and in multi-instance VPLS services.

Flags

Router (R) flag – bit 23 of the ARP/ND extended community (bit 7 of the flags field): the R flag indicates whether the EVPN MAC/IP advertisement route conveys a Neighbor Discovery (ND) IPv6/MAC entry that belongs to a router (R=1) or to a host (R=0). When advertise-neighbor-type router-host is configured in the service vpls <vpls id> proxy-nd evpn context, dynamic entries of type router and of type host are both advertised in EVPN MAC/IP advertisement routes with the corresponding value for the R flag. An ingress PE learns dynamic proxy ND entries as router or as host, based on the snooped Neighbor Advertisement (NA) messages that it receives. The ingress PE installs the proxy ND entry as a router or as a host entry depending on the value of the R flag and uses this information in NA messages for the associated IPv6 address. The R flag applies only to IPv6/MAC pairs (proxy ND). When a PE receives an ARP/ND extended community with an EVPN MAC/IP advertisement route for an IPv4/MAC pair, the PE ignores the R flag.
Immutable (I) flag – bit 20 of the ARP/ND extended community (bit 4 of the flags field): the I flag indicates whether the IPv4/MAC or IPv6/MAC pair for the EVPN MAC/IP advertisement route that an egress PE advertises is immutable (I=1) or not (I=0). When immutable, the IP address in the EVPN MAC/IP advertisement route can only be bound to the MAC address that is specified in the same route, and not to any other MAC address that is received in a different route with I=0. Static proxy ARP entries, static proxy ND entries, and configured dynamic IPs (associated to a MAC list) are always advertised as immutable. The I flag applies to both IPv4/MAC pairs (proxy ARP) and IPv6/MAC pairs (proxy ND). The I flag affects the selection of proxy ARP or proxy ND entries in an ingress PE: when a PE receives two EVPN MAC/IP advertisement routes for the same IP/MAC pair, the PE always prioritises an immutable proxy ARP or proxy ND EVPN MAC/IP advertisement route (I=1) over a non-immutable one (I=0).
Override (O) flag – bit 22 of the ARP/ND extended community (bit 6 of the flags field): the O flag indicates whether the NA message that an egress PE sends out for a proxy ND entry overrides any other existing entry in the host. An egress PE normally advertises IPv6/MAC pairs with O=1. An egress PE advertises IPv6/MAC pairs with O=0 only when IPv6 anycast is enabled, but SR OS does not support anycast IPv6 addresses in the proxy ND table. An ingress PE learns the O flag value from the snooped NA messages, installs the ND entry with the received O flag value, and always uses the installed O flag value when replying to a Neighbor Solicitation (NS) message for the IPv6 address. The O flag does not affect the selection of proxy ND entries in an ingress PE; it only transfers the information between ND and EVPN. The O flag only applies to IPv6/MAC pairs (proxy ND). When a PE receives an ARP/ND extended community with an EVPN MAC/IP advertisement route for an IPv4/MAC pair, the PE ignores the O flag.

Advertisement and processing of the flags

R flag (only for proxy ND)

Static proxy ND entries

The PE where the static proxy ND entry is configured adds it to its proxy ND table with the R flag value as configured with ip-address <IPv6 Address> mac <MAC Address> type router|host in the service vpls <vpls id> proxy-nd static-neighbor context, and advertises it in EVPN with the R flag value that corresponds with this configuration.
The PE replies subsequent received NS messages for the proxy ND entry with the configured R flag.
If the user changes the configuration for a specific static proxy ND entry from host to router or from router to host, the PE triggers an unsolicited NA message containing the new value for the R flag.

Dynamic proxy ND entries

When dynamic-populate true is configured in the service vpls <vpls id> proxy-nd context, the ingress PE learns dynamic proxy ND entries and their corresponding R flag value from NA messages and adds them to its proxy ND table.
The PE replies subsequent received NS messages with the corresponding R flag value that it stored for the proxy ND entry.
The PE advertises the learned dynamic entries in EVPN, as described in EVPN proxy ND entries.

EVPN proxy ND entries

A PE advertises the entries in EVPN, depending on the configuration of advertise-neighbor-type in the service vpls <vpls id> proxy-nd evpn context:
- advertise-neighbor-type router: only advertises (in EVPN) dynamic entries learned with R=1, or static entries configured as router. For EVPN entries (out of routes) received without ARP/ND extended community the entry's R flag value defaults to R=1.
- advertise-neighbor-type host: only advertises (in EVPN) dynamic entries learned with R=0, or static entries configured as host. For EVPN entries (out of routes) received without ARP/ND extended community the entry's R flag value defaults to R=1.
- advertise-neighbor-type router-host: advertises (in EVPN) dynamic and static entries irrespective of the router flag, and with the correct R flag in each case. For EVPN entries (out of routes) received without ARP/ND extended community the entry's R flag value defaults to R=1.
- The advertise-neighbor-type configuration must be consistent in all the nodes for the same service.

I flag (for proxy ARP and proxy ND)

The I bit in the ARP/ND extended community is advertised as follows:

When arp-nd-extended-community true is set, any static proxy ARP or proxy ND entry is advertised with I=1.
When arp-nd-extended-community true is set, any configured dynamic IP (associated to a MAC list) proxy ARP or proxy ND entry is advertised with I=1.
Duplicate entries with AS-MAC are advertised with I=1 (in addition to O=1 and R=0 or R=1, based on the configuration).
The configuration of the I bit is independent of the configuration of the static bit associated to the FDB entry, and it is only used with proxy ARP or proxy ND advertisements.

The I bit in the ARP/ND extended community is processed on reception as follows:

An ingress PE receiving an EVPN MAC/IP advertisement route containing an IP/MAC pair and I=1, installs the corresponding entry in its proxy ARP or proxy ND table as an immutable binding.
An immutable binding entry overrides an existing non-immutable binding entry for the same IP/MAC pair.
The absence of the ARP/ND extended community in an EVPN MAC/IP advertisement route indicates that the route is not for an immutable binding.
MAC mobility does not consider the I bit.

The proxy ARP or proxy ND selection in case of multiple routes for the same IP is changed. From the user’s perspective, this change in the selection is only seen when arp-nd-extended-community true is set (otherwise the ARP/ND extended community and the local I bits are ignored anyway):

Local immutable proxy ARP or proxy ND entries (static and configured dynamic IP)
EVPN immutable proxy ARP or proxy ND entries
Regular existing proxy ARP or proxy ND selection

Receiving multiple EVPN MAC/IP advertisement routes with I=1 for the same IP but a different MAC address, is considered a misconfiguration or a transient error condition.

An ingress PE that receives multiple EVPN MAC/IP advertisement routes (with I=1 for the same IP and a different MAC address) selects one route, based on the mentioned selection rules.
When a configured IP/MAC pair changes to point to a new MAC address, the EVPN MAC/IP advertisement route for the existing IP/MAC pair is withdrawn before the EVPN MAC/IP advertisement route for the new IP/MAC pair is advertised.

A PE originating an EVPN MAC/IP advertisement route for an IP/MAC pair for which I=1 also originates the route with the "Sticky/static flag" set (in the MAC Mobility extended community) when the MAC is static.

The IP/MAC binding is then not only immutable but it cannot move either.
Even so, when an update for the same immutable and static IP/MAC pair is received from a different PE, the ingress PE selects one of the two routes.

In case of IP duplication and configured dynamic IP entries:

When an ingress PE receives a dynamic ARP/ND message that matches a dynamic IP immutable entry, it does not learn the message and drops it on CPM.
An existing dynamic immutable entry is allowed to be overwritten with a new dynamic immutable entry, when their MACs do not match but are part of the same configured MAC list.
When an ingress PE has a local configured dynamic IP, it does not install a received EVPN immutable proxy ARP or proxy ND entry.
When an ingress PE that has an EVPN immutable entry receives a local dynamic (non-immutable) ARP/ND message, it drops the ARP/ND message.
When an ingress PE that has a configured dynamic IP that is installed with a current MAC (which generated an EVPN MAC/IP advertisement route with I=1) receives a dynamic ARP/ND message with a different MAC:
- It flushes the entry and sends a resolve message.
- When the newly learned MAC is on the same MAC list as the current MAC, the PE withdraws the current IP/MAC pair and sends the new IP/MAC pair with I=1.

There are no changes on the generation of confirmation messages or GARP/unsolicited NA when a new entry is learned.

O flag (only for proxy ND)

The O flag is propagated in EVPN.

On transmission:

The egress PE learns the O flag value for dynamic entries and adds them to its proxy ND table. When arp-nd-extended-community true is set, the O flag value is taken from the proxy ND table.
For static and duplicate proxy ND entries O=1.

On reception:

The ingress PE learns proxy ND entries from received NA messages with either O=0 or O=1.

The ingress PE stores the received O flag value in its proxy ND table, and uses it when replying to a received NS message.
For link-local neighbor advertisements (generated for solicitations to the local chassis MAC) O=1.
When the ingress PE receives an EVPN MAC/IP advertisement route without the ARP/ND extended community, it installs the proxy ND entry with O=1 (default).

When sending solicited or unsolicited NA messages, the O flag value is O=1 or O=0, depending on the O flag value in the proxy ND entry that is learned.

Configuration

Initial example topology illustrates the initial example topology.

The initial configuration includes:

cards, MDAs, ports
router interfaces
IS-IS on the router interfaces (OSPF or OSPF3 router interfaces are also possible)
IBGP in the EVPN network for the EVPN address family
LDP

Router configuration

The router configuration (interfaces, IS-IS, and IBGP) on route reflector RR-1 is as follows:

# On RR-1:
configure {
    router "Base" {
        interface "int-RR-1-PE-2" {
            port 1/1/c2/1:10
            ipv4 {
                primary {
                    address 192.168.12.1
                    prefix-length 30
                }
            }
        }
        interface "system" {
            ipv4 {
                primary {
                    address 192.0.2.1
                    prefix-length 32
                }
            }
        }
        autonomous-system 64500
        bgp {
            rapid-withdrawal true
            peer-ip-tracking true
            rapid-update {
                evpn true
            }
            group "IBGP" {
                type internal
                family {
                    evpn true
                }
                cluster {
                    cluster-id 1.1.1.1
                }
            }
            neighbor "192.0.2.2" {
                group "IBGP"
            }
            neighbor "192.0.2.3" {
                group "IBGP"
            }
            neighbor "192.0.2.4" {
                group "IBGP"
            }
        }
        isis 0 {
            admin-state enable
            advertise-router-capability as
            area-address [49.0001]
            interface "int-RR-1-PE-2" {
                interface-type point-to-point
            }
            interface "system" { }
            level 1 {
                wide-metrics-only true
            }
            level 2 {
                wide-metrics-only true
            }
        }

The router configuration (interfaces, IS-IS, IBGP, and LDP) on PE-2 is as follows:

# On PE-2:
configure {
    router "Base" {
        interface "int-PE-2-PE-3" {
            port 1/1/c3/1:10
            ipv4 {
                primary {
                    address 192.168.23.1
                    prefix-length 30
                }
            }
        }
        interface "int-PE-2-PE-4" {
            port 1/1/c4/1:10
            ipv4 {
                primary {
                    address 192.168.24.1
                    prefix-length 30
                }
            }
        }
        interface "int-PE-2-RR-1" {
            port 1/1/c1/1:10
            ipv4 {
                primary {
                    address 192.168.12.2
                    prefix-length 30
                }
            }
        }
        interface "system" {
            ipv4 {
                primary {
                    address 192.0.2.2
                    prefix-length 32
                }
            }
        }
        autonomous-system 64500
        bgp {
            rapid-withdrawal true
            peer-ip-tracking true
            rapid-update {
                evpn true
            }
            group "IBGP" {
                type internal
                family {
                    evpn true
                }
            }
            neighbor "192.0.2.1" {
                group "IBGP"
            }
        }
        isis 0 {
            admin-state enable
            advertise-router-capability as
            area-address [49.0001]
            interface "int-PE-2-PE-3" {
                interface-type point-to-point
            }
            interface "int-PE-2-PE-4" {
                interface-type point-to-point
            }
            interface "int-PE-2-RR-1" {
                interface-type point-to-point
            }
            interface "system" { }
            level 1 {
                wide-metrics-only true
            }
            level 2 {
                wide-metrics-only true
            }
        }
        ldp {
            interface-parameters {
                interface "int-PE-2-PE-3" {
                    ipv4 { }
                }
                interface "int-PE-2-PE-4" {
                    ipv4 { }
                }
            }
        }

The router configuration on PE-3 and PE-4 is similar, with different ports and without the interface to RR-1.

Service configuration in the EVPN network

VPLS 1 is initially configured on PE-2, PE-3, and PE-4, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            admin-state enable
            description "testing-proxy-nd-arp-flags"
            service-id 1
            customer "1"
            proxy-arp {
                admin-state enable
            }
            proxy-nd {
                admin-state enable
            }
            bgp 1 { }
            bgp-evpn {
                evi 1
                mpls 1 {
                    admin-state enable
                    auto-bind-tunnel {
                        resolution any
                    }
                }
            }

Command options

The command arp-nd-extended-community true in the service vpls <vpls id> bgp-evpn routes mac-ip context enables the advertisement of the ARP/ND extended community for both proxy ARP entries (IPv4) and proxy ND entries (IPv6). When configured, SR OS advertises the ARP/ND extended community along with the EVPN MAC/IP advertisement routes advertised for local static and dynamic proxy ARP or proxy ND entries. The command also controls the processing of the ARP/ND extended community and the selection of ARP/ND entries based on the Immutable flag.

The command advertise-neighbor-type router|host|router-host in the service vpls <vpls id> proxy-nd evpn context further configures the selective advertisement of proxy ND entries for routers only (default), hosts only, or routers and hosts, and determines the value of the R flag (R=1 or R=0) when sending NA messages for existing EVPN entries in the proxy ND table. SR OS accepts the router-host option only when arp-nd-extended-community true is set. Otherwise, SR OS does not apply the configuration and returns the message:

MINOR: SVCMGR #12: configure service vpls "VPLS 1" proxy-nd evpn advertise-neighbor-type
 - Inconsistent Value error
 - router-host option supported only when arp-nd-extended-community is configured in bgp-evpn
 - configure service vpls "VPLS 1" bgp-evpn

Similarly, SR OS does not apply arp-nd-extended-community false, when advertise-neighbor-type router-host is configured in the service vpls <vpls id> proxy-nd evpn context. Instead, SR OS returns the same message.

Use cases

The following use cases are described in the following sections:

Proxy ARP (IPv4)
Proxy ND (IPv6)

Proxy ARP (IPv4)

Proxy ARP example topology illustrates the example topology.

The following use cases are described in the following sections:

Static proxy ARP entries
Dynamic proxy ARP entries
Dynamic proxy ARP entries with a duplicate IPv4 address for different MAC addresses

Static proxy ARP entries

The command mac <MAC Address> sap <SAP ID> monitor forward-status in the service vpls <vpls id> fdb static-mac context configures a static MAC address. The same static MAC address can be configured for a proxy ARP entry and for a proxy ND entry.

The command ip-address <IPv4 Address> mac <MAC Address> in the service vpls <vpls id> proxy-arp static-arp context further configures a static proxy ARP entry, as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            fdb {
                static-mac {
                    mac 00:00:5e:00:53:4a {
                        sap 1/1/c5/1:1
                        monitor forward-status
                    }
                }
            }
            proxy-arp {
                admin-state enable
                static-arp {
                    ip-address 203.0.113.4 {
                        mac 00:00:5e:00:53:4a
                    }
                }
            }

Reconfigure the sender side PE-2 and the receiver side PE-3 and PE-4, as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true

# On PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false

PE-2 does not advertise the Router flag and the Override flag for IPv4/MAC pairs. PE-2 advertises the Immutable flag for IPv4/MAC pairs, to indicate that the IPv4/MAC pair is for a static entry. PE-3 and PE-4 do not process it:

[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:4a
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:0/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
203.0.113.4         00:00:5e:00:53:4a   stat  active I      06/23/2025 14:59:59
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:4a
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:0/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
203.0.113.4         00:00:5e:00:53:4a   evpn  active        06/23/2025 15:00:12
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable
===============================================================================

Similar for PE-4.

Reconfigure the receiver side PE-3 and PE-4 as follows:

# On PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true

PE-3 and PE-4 process the Immutable flag that PE-2 advertises:

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:4a
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:0/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
203.0.113.4         00:00:5e:00:53:4a   evpn  active I      06/23/2025 15:05:09
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable
===============================================================================

Similar for PE-4.

Even if PE-2 advertises the Router flag and the Override flag, PE-3 and PE-4 ignore them for an IPv4/MAC pair.

Reconfigure the sender side PE-2 as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router
                }
            }

PE-2 does not advertise the Immutable flag, so PE-3 and PE-4 do not process it.

[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:4a
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
203.0.113.4         00:00:5e:00:53:4a   stat  active I      06/23/2025 15:09:55
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:4a
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
203.0.113.4         00:00:5e:00:53:4a   evpn  active        06/23/2025 15:09:55
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable
===============================================================================

Similar for PE-4.

Reconfigure PE-2, PE-3, and PE-4, so that proxy ARP entries are advertised and processed for all types, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router-host
                }
            }

Dynamic proxy ARP entries

Proxy ARP entries can be learned dynamically from received ARP requests or ARP responses.

Enable dynamic learning of proxy ARP entries, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            proxy-arp {
                dynamic-populate true

PEs that support proxy ARP advertise dynamically learned proxy ARP entries without any flag.

Configure VPRN 2 on PE-2, PE-3 and PE-4, as follows:

# On PE-2:
configure {
    service vprn "VPRN 2" {
            admin-state disable    # do not enable yet
            description "VPRN 2 connected to VPLS 1 on PE-2"
            service-id 2
            customer "1"
            interface "int-VPLS-1" {
                mac 00:00:5e:00:53:02
                ipv4 {
                    primary {
                        address 172.16.4.2
                        prefix-length 24
                    }
                }
                sap 1/1/c10/1:1 { }
                ipv6 {
                    address 2001:db8::16:4:2 {
                        prefix-length 120
                    }
                }
            }

# On PE-3:
configure {
    service vprn "VPRN 2" {
            admin-state disable    # do not enable yet
            description "VPRN 2 connected to VPLS 1 on PE-3"
            service-id 2
            customer "1"
            interface "int-VPLS-1" {
                mac 00:00:5e:00:53:03
                ipv4 {
                    primary {
                        address 172.16.4.3
                        prefix-length 24
                    }
                }
                sap 1/1/c10/1:1 { }
                ipv6 {
                    address 2001:db8::16:4:3 {
                        prefix-length 120
                    }
                }
            }

# On PE-4:
configure {
    service vprn "VPRN 2" {
            admin-state disable    # do not enable yet
            description "VPRN 2 connected to VPLS 1 on PE-4"
            service-id 2
            customer "1"
            interface "int-VPLS-1" {
                mac 00:00:5e:00:53:04
                ipv4 {
                    primary {
                        address 172.16.4.4
                        prefix-length 24
                    }
                }
                sap 1/1/c10/1:1 { }
                ipv6 {
                    address 2001:db8::16:4:4 {
                        prefix-length 120
                    }
                }
            }

Enable VPRN 2 on PE-2, PE-3, and PE-4 successively as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vprn "VPRN 2" {
            admin-state enable

Each PE adds in its proxy ARP table the dynamic entry that corresponds with the IPv4 address of its int-VPLS-1 interface and advertises it, without the Immutable flag.

Each PE also adds in its proxy ARP table the EVPN entries that it receives from the other PEs.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   dyn   active        06/23/2025 15:21:14
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:21:41
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:22:07
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:21:12
172.16.4.3          00:00:5e:00:53:03   dyn   active        06/23/2025 15:21:44
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:22:07
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:21:12
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:21:41
172.16.4.4          00:00:5e:00:53:04   dyn   active        06/23/2025 15:22:09
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable
===============================================================================

As an example, a test center port connected to PE-4 with IPv4 address 172.16.4.14 and MAC 00:00:5e:00:53:14 launches a dynamic proxy ARP entry.

PE-4 adds in its proxy ARP table the dynamic entry for 172.16.4.14 and advertises it.

[/]
A:admin@PE-4# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:22:58
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:21:41
172.16.4.4          00:00:5e:00:53:04   dyn   active        06/23/2025 15:22:09
172.16.4.14         00:00:5e:00:53:14   dyn   active        06/23/2025 15:25:32
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

PE-3 adds in its proxy ARP table the EVPN entry for 172.16.4.14 that PE-4 advertises.

[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:22:58
172.16.4.3          00:00:5e:00:53:03   dyn   active        06/23/2025 15:21:44
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:22:53
172.16.4.14         00:00:5e:00:53:14   evpn  active        06/23/2025 15:25:32
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

PE-2 adds in its proxy ARP table the EVPN entry for 172.16.4.14 that PE-4 advertises.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   dyn   active        06/23/2025 15:21:14
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:21:41
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:22:53
172.16.4.14         00:00:5e:00:53:14   evpn  active        06/23/2025 15:25:32
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

Dynamic proxy ARP entries with a duplicate IPv4 address for different MAC addresses

When a proxy ARP entry is learned dynamically, a new IPv4 address may be learned for a MAC address for which an old IPv4 address was already known.

To illustrate this, configure two additional routers CE-5 and CE-7 that are wired to PE-2 and PE-4 respectively, as follows:

# On CE-5:
configure {
    router "Base" {
        interface "system" {
            ipv4 {
                primary {
                    address 192.0.2.5
                    prefix-length 32
                }

Similar on CE-7, with address 192.0.2.7 and prefix-length 32.

Configure an anti spoof MAC address for proxy ARP duplicates, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            proxy-arp {
                admin-state enable
                dynamic-populate true
                duplicate-detect {
                    window 3
                    num-moves 5
                    hold-down-time 9
                    anti-spoof-mac 00:00:5e:00:53:40
                }

Where:

window: the period (in minutes) during which a counter counts detected IP/MAC combinations (IP0/MAC*) that differ from the currently known IP/MAC combination (IP0/MAC0) for an IP address (IP0)
num-moves: the count that the counter must reach within the window period, before the IP address (IP0) is considered as a duplicate (is associated with more than one MAC)
hold-down-time: the period (in minutes) during which the IP address is considered as a duplicate

# On PE-2:
configure {
    service vpls "VPLS 1" proxy-arp duplicate-detect ?

 duplicate-detect

 anti-spoof-mac        - MAC address to replace the proxy-ARP/ND offending entry's MAC
 hold-down-time        - Hold down time for a duplicate entry
 num-moves             - Number of moves required to declare a duplicate entry
 static-blackhole      - Consider anti-spoof MAC as black-hole static MAC in FDB
 window                - Time to monitor the MAC address in the anti-spoofing mechanism

Nokia recommends that the proxy ARP anti spoof MAC address is the same on all PEs.

The applicable configuration for proxy ARP can be verified with:

[/]
A:admin@PE-2# show service id 1 proxy-arp detail
-------------------------------------------------------------------------------
Proxy Arp
-------------------------------------------------------------------------------
Admin State       : enabled             
Dyn Populate      : enabled             
Age Time          : disabled            Send Refresh      : disabled
Table Size        : 250                 Total             : 0
Static Count      : 0                   EVPN Count        : 0
Dynamic Count     : 0                   Duplicate Count   : 0
Process Probes    : enabled             
Restrict Non Conf*: disabled            
Sponge MAC        : None

Dup Detect
-------------------------------------------------------------------------------
Detect Window     : 3 mins              Num Moves         : 5
Hold down         : 9 mins              
Anti Spoof MAC    : 00:00:5e:00:53:40

VPLS Flood Control
-------------------------------------------------------------------------------
Rcvd Garp Flood   : enabled             Rcvd Req Flood    : enabled

EVPN
-------------------------------------------------------------------------------
Garp Flood        : enabled             Req Flood         : enabled
Static Black Hole : disabled            
EVPN Route Tag    : 0                   
-------------------------------------------------------------------------------
* indicates that the corresponding row element may have been truncated.

Configure VPRN 2 on the two additional routers, as follows:

# On CE-5:
configure {
    service vprn "VPRN 2" {
            admin-state disable    # do not enable yet
            description "VPRN 2 connected to VPLS 1 on CE-5"
            service-id 2
            customer "1"
            interface "int-VPLS-1" {
                mac 00:00:5e:00:53:15
                ipv4 {
                    primary {
                        address 172.16.4.57     # dup with IPv4 of int-VPLS-1 on CE-7
                        prefix-length 24
                    }
                }
                sap 1/1/c2/1:1 { }
                ipv6 {
                    duplicate-address-detection false
                    address 2001:db8::16:4:57 { # dup with IPv6 of int-VPLS-1 on CE-7
                        prefix-length 120
                    }
                }
            }

Similar on CE-7 with the same IPv4 and IPv6 addresses, but a different MAC address 00:00:5e:00:53:17 and sap 1/1/c4/1:1

Enable VPRN 2 on CE-5:

# On CE-5:
configure {
    service vprn "VPRN 2" {
            admin-state enable

PE-2 adds in its proxy ARP table the dynamic entry for 172.16.4.57 that it receives from CE-5 and advertises it, without the Immutable flag.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   dyn   active        06/23/2025 15:55:17
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:55:42
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:56:29
172.16.4.57         00:00:5e:00:53:15   dyn   active        06/23/2025 15:57:17
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:55:15
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:55:42
172.16.4.4          00:00:5e:00:53:04   dyn   active        06/23/2025 15:56:32
172.16.4.57         00:00:5e:00:53:15   evpn  active        06/23/2025 15:57:14
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:55:15
172.16.4.3          00:00:5e:00:53:03   dyn   active        06/23/2025 15:55:45
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:56:29
172.16.4.57         00:00:5e:00:53:15   evpn  active        06/23/2025 15:57:14
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

Enable VPRN 2 also on CE-7:

# On CE-7:
configure {
    service vprn "VPRN 2" {
            admin-state enable

PE-4 learns from the ARP request that it receives from CE-7 that the IPv4 address 172.16.4.57 also appears for another MAC address than it already knows. So, PE-4 considers the corresponding proxy ARP entry as a duplicate, replaces its initial MAC address with the configured proxy ARP anti spoof MAC address 00:00:5e:00:53:40, and advertises the updated entry, with the Immutable flag.

[/]
A:admin@PE-4# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:55:15
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:55:42
172.16.4.4          00:00:5e:00:53:04   dyn   active        06/23/2025 15:56:32
172.16.4.57         00:00:5e:00:53:40   dup   active I      06/23/2025 15:57:49
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

PE-2 updates in its proxy ARP table the EVPN entry for 172.16.4.57 with the Immutable flag and the proxy ARP anti spoof MAC address, that it receives from PE-4.

[/]
A:admin@PE-2# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   dyn   active        06/23/2025 15:55:17
172.16.4.3          00:00:5e:00:53:03   evpn  active        06/23/2025 15:55:42
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:56:29
172.16.4.57         00:00:5e:00:53:40   evpn  active I      06/23/2025 15:57:49
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

PE-3 adds in its proxy ARP table the EVPN entry for 172.16.4.57 with the Immutable flag and the proxy ARP anti spoof MAC address, that it receives from PE-4.

[/]
A:admin@PE-3# show service id 1 proxy-arp detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy Arp Entries
===============================================================================
IP Address          Mac Address         Type  Status Flags  Last Update
-------------------------------------------------------------------------------
172.16.4.2          00:00:5e:00:53:02   evpn  active        06/23/2025 15:55:15
172.16.4.3          00:00:5e:00:53:03   dyn   active        06/23/2025 15:55:45
172.16.4.4          00:00:5e:00:53:04   evpn  active        06/23/2025 15:56:30
172.16.4.57         00:00:5e:00:53:40   evpn  active I      06/23/2025 15:57:49
-------------------------------------------------------------------------------
Number of entries : 4
Legend : I=Immutable
===============================================================================

When the duplicate entry's hold-down period expires, PE-4 does not consider it as a duplicate any longer. If the duplicate proxy ARP entry was on the PE that initially held the dynamic proxy ARP entry (PE-2), that PE restores the initial dynamic proxy ARP entry and advertises the updated entry with the initial MAC address, but without the Immutable flag. If the duplicate proxy ARP entry was on another PE (PE-4), that PE removes it from its proxy ARP table and advertises the removal. PE-2 and PE-3 receive the removal advertisement from PE-4 and also remove the corresponding EVPN entry from their proxy ARP table.

Proxy ND (IPv6)

Proxy ND example topology illustrates the example topology.

The following use cases are described in the following sections:

Static proxy ND entries
Dynamic proxy ND entries
Dynamic proxy ND entries with a duplicate IPv6 address for different MAC addresses

Static proxy ND entries

The command ip-address <IPv6 Address> mac <MAC Address> type router|host in the service vpls <vpls id> proxy-nd static-neighbor context further configures a static proxy ND entry, either as originating from a router or as originating from a host, as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            admin-state enable
            fdb {
                static-mac {
                    mac 00:00:5e:00:53:6e {
                        sap 1/1/c5/1:1
                        monitor forward-status
                    }
                    mac 00:00:5e:00:53:6f {
                        sap 1/1/c5/1:1
                        monitor forward-status
                    }
                }
            }
            proxy-nd {
                admin-state enable
                static-neighbor {
                    ip-address 2001:db8::113:6e {
                        mac 00:00:5e:00:53:6e
                        type router    # as router: R=1; advertise O and I flags
                    }
                    ip-address 2001:db8::113:6f {
                        mac 00:00:5e:00:53:6f
                        type host      # as host:   R=0; advertise O and I flags
                    }
                }
            }

Reconfigure the sender side PE-2 and the receiver side PE-3 and PE-4, as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router-host
                }
            }

# On PE-3:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router
                }
            }

# On PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type host
                }
            }

PE-2 advertises both the router type proxy ND entry and the host type proxy ND entry with:

the appropriate Router flag: R=1 for the router type; R=0 for the host type. When the type of a proxy ND entry changes from router to host, or from host to router, PE-2 triggers an unsolicited NA message with the new value for the Router flag. PE-2 replies to NS messages with the configured value for the Router flag.
the Immutable flag, to indicate that the IPv6/MAC pair is for a static entry.
the Override flag: O=1 for unicast; O=0 for anycast.

PE-3 and PE-4 do not process the received flags. PE-3 and PE-4 display the Router flag with the type as configured on PE-3 (R) and PE-4 (H) respectively, even if PE-2 advertises another type. PE-3 and PE-4 display the Override flag with the default value (O), even if PE-2 advertises another value.

[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e stat active R I O  06/23/2025 14:59:59
2001:db8::113:6f       00:00:5e:00:53:6f stat active H I O  06/23/2025 14:59:59
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e evpn active R  O   06/23/2025 15:00:12
2001:db8::113:6f       00:00:5e:00:53:6f evpn active R  O   06/23/2025 15:00:12
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e evpn active H  O   06/23/2025 15:00:22
2001:db8::113:6f       00:00:5e:00:53:6f evpn active H  O   06/23/2025 15:00:22
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

Reconfigure the receiver side PE-3 and PE-4 as follows:

# On PE-3:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router
                }
            }

# On PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type host
                }
            }

PE-3 and PE-4 process the Router, Immutable, and Override flags that PE-2 advertises. PE-3 and PE-4 display the received flags, as PE-2 advertises.

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e evpn active R I O  06/23/2025 15:06:09
2001:db8::113:6f       00:00:5e:00:53:6f evpn active H I O  06/23/2025 15:06:09
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS


[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e evpn active R I O  06/23/2025 15:06:20
2001:db8::113:6f       00:00:5e:00:53:6f evpn active H I O  06/23/2025 15:06:20
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

At the BGP level, only one EVPN ARP/ND Ext community is expected to be received along with an EVPN MAC/IP advertisement route. If more than one EVPN ARP/ND Ext community is received, the router considers only the first one on the list for processing purposes on the PE.

[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e detail
===============================================================================
 BGP Router ID:192.0.2.4        AS:64500       Local AS:64500      
===============================================================================
---snip---
===============================================================================
BGP EVPN MAC Routes
===============================================================================
---snip--- 
Network        : n/a
Nexthop        : 192.0.2.2
---snip---
Community      : target:64500:1 arp-nd:R:1/O:1/I:1 bgp-tunnel-encap:MPLS
                 mac-mobility:Seq:0/Static
Cluster        : 1.1.1.1
Originator Id  : 192.0.2.2              Peer Router Id : 192.0.2.1
Origin         : IGP                    
Flags          : Used Valid Best 
Route Source   : Internal
AS-Path        : No As-Path
EVPN type      : MAC                    
ESI            : ESI-0
Tag            : 0                      
IP Address     : 2001:db8::113:6e
Route Dist.    : 192.0.2.2:1            
Mac Address    : 00:00:5e:00:53:6e      
---snip---
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

[/]
A:admin@PE-4# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f detail
===============================================================================
 BGP Router ID:192.0.2.4        AS:64500       Local AS:64500      
===============================================================================
---snip---
===============================================================================
BGP EVPN MAC Routes
===============================================================================
---snip---
Network        : n/a
Nexthop        : 192.0.2.2
---snip---
Community      : target:64500:1 arp-nd:R:0/O:1/I:1 bgp-tunnel-encap:MPLS
                 mac-mobility:Seq:0/Static
Cluster        : 1.1.1.1
Originator Id  : 192.0.2.2              Peer Router Id : 192.0.2.1
Origin         : IGP                    
Flags          : Used Valid Best 
Route Source   : Internal
AS-Path        : No As-Path
EVPN type      : MAC                    
ESI            : ESI-0
Tag            : 0                      
IP Address     : 2001:db8::113:6f
Route Dist.    : 192.0.2.2:1            
Mac Address    : 00:00:5e:00:53:6f      
---snip---
-------------------------------------------------------------------------------
Routes : 2
===============================================================================

Reconfigure the sender side PE-2 as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router
                }
            }

PE-2 advertises only the router type proxy ND entry, but without the Router, Immutable, and Override flags. PE-3 and PE-4 receive the router type proxy ND entry without the flags. PE-3 and PE-4 display the Router flag with the default type (R). PE-3 and PE-4 display the Override flag with the default value (O).

[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-2# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e stat active R I O  06/23/2025 15:09:55
2001:db8::113:6f       00:00:5e:00:53:6f stat active H I O  06/23/2025 15:09:55
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6e       00:00:5e:00:53:6e evpn active R  O   06/23/2025 15:10:05
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

Similar for PE-4.

Reconfigure the sender side PE-2 as follows:

# On PE-2:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community false
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type host
                }
            }

PE-2 advertises only the host type proxy ND entry, but without the Router, Immutable, and Override flags. PE-3 and PE-4 receive the host type proxy ND entry without the flags. PE-3 and PE-4 display the Router flag with the default type (R). PE-3 and PE-4 display the Override flag with the default value (O).

[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6e
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-3# show router bgp routes evpn mac mac-address 00:00:5e:00:53:6f
 detail | match "arp-nd"
---empty---


[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::113:6f       00:00:5e:00:53:6f evpn active R  O   06/23/2025 15:11:27
-------------------------------------------------------------------------------
Number of entries : 1
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

Similar for PE-4.

Reconfigure PE-2, PE-3, and PE-4, so that proxy ND entries are advertised and processes for all types, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            bgp-evpn routes mac-ip {
                        arp-nd-extended-community true
                    }
                }
            }
            proxy-nd evpn {
                    advertise-neighbor-type router-host
                }
            }

Dynamic proxy ND entries

Proxy ND entries can be learned dynamically from received ND requests or ND responses.

Enable dynamic learning of proxy ND entries, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            proxy-nd {
                dynamic-populate true

PEs that support proxy ND advertise dynamically learned proxy ND entries, depending on the configured type:

router type: the PE only advertises proxy ND entries for which R=1
host type: the PE only advertises proxy ND entries for which R=0
router-host type: the PE advertises proxy ND entries for which R=0 or R=1

The PEs advertise dynamically learned proxy ND entries with the appropriate Router flag, Immutable flag = 0, and the appropriate Override flag.

Configure and enable VPRN 2 on PE-2, PE-3 and PE-4, in the same way as for Dynamic proxy ARP entries.

A proxy ND entry that is learned dynamically can originate from a router or from a host. The following use cases illustrate the behavior:

Router proxy ND entries

As an example, PE-2 launches a dynamic proxy ND entry for a router. Execute an IPv6 ping to PE-4 from PE-2: ping 2001:db8::16:4:4 source-address 2001:db8::16:4:2 count 12 router-instance "VPRN 2".

PE-2 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:2 with type router (R) and advertises it. PE-2 also adds in its proxy ND table the EVPN entry for 2001:db8::16:4:4 with type router (R) that PE-4 advertises.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/23/2025 15:22:58
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:22:53
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

PE-4 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:2 with type router (R) that PE-2 advertises. PE-4 also adds in its proxy ND table the dynamic entry for 2001:db8::16:4:4 with type router (R) and advertises it.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:22:58
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/23/2025 15:22:53
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

PE-3 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:2 with type router (R) that PE-2 advertises and the EVPN entry for 2001:db8::16:4:4 with type router (R) that PE-4 advertises.

[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:22:58
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:22:53
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

Host proxy ND entries

As an example, a test center port connected to PE-4 with IPv6 address 2001:db8::16:4:14 and MAC 00:00:5e:00:53:14 pings IPv6 address 2001:db8::16:4:3 on PE-3.

PE-4 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:14 with type host (H) and advertises it. PE-4 also adds in its proxy ND table the EVPN entry for 2001:db8::16:4:3 with type router (R) that PE-3 advertises.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:28:31
2001:db8::16:4:3       00:00:5e:00:53:03 evpn active R  O   06/23/2025 15:28:13
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/23/2025 15:28:30
2001:db8::16:4:14      00:00:5e:00:53:14 dyn  active H  O   06/23/2025 15:28:03
---snip---
-------------------------------------------------------------------------------
Number of entries : 5
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-nd 2001:db8::16:4:14 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:14   MAC Address       : 00:00:5e:00:53:14
Type              : dyn                 Status            : active
Rtr/Host          : Host                
Immutable         : No                  EVPN Override     : Yes

PE-3 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:14 with type host (H) that PE-4 advertises. PE-3 also adds in its proxy ND table the dynamic entry for 2001:db8::16:4:3 with type router (R) and advertises it.

[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:22:58
2001:db8::16:4:3       00:00:5e:00:53:03 dyn  active R  O   06/23/2025 15:28:03
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:22:53
2001:db8::16:4:14      00:00:5e:00:53:14 evpn active H  O   06/23/2025 15:28:03
---snip---
-------------------------------------------------------------------------------
Number of entries : 5
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-3# show service id 1 proxy-nd 2001:db8::16:4:3 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:3    MAC Address       : 00:00:5e:00:53:03
Type              : dyn                 Status            : active
Rtr/Host          : Rtr                 
Immutable         : No                  EVPN Override     : Yes

PE-2 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:14 with type host (H) that PE-4 advertises and the EVPN entry for 2001:db8::16:4:3 with type router (R) that PE-3 advertises.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/23/2025 15:22:58
2001:db8::16:4:3       00:00:5e:00:53:03 evpn active R  O   06/23/2025 15:28:13
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:22:53
2001:db8::16:4:14      00:00:5e:00:53:14 evpn active H  O   06/23/2025 15:28:03
---snip---
-------------------------------------------------------------------------------
Number of entries : 5
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-2# show service id 1 proxy-nd 2001:db8::16:4:3 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:3    MAC Address       : 00:00:5e:00:53:03
Type              : evpn                Status            : active
Rtr/Host          : Rtr                 
Immutable         : No                  EVPN Override     : Yes

[/]
A:admin@PE-2# show service id 1 proxy-nd 2001:db8::16:4:14 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:14   MAC Address       : 00:00:5e:00:53:14
Type              : evpn                Status            : active
Rtr/Host          : Host                
Immutable         : No                  EVPN Override     : Yes

Dynamic proxy ND entries with a duplicate IPv6 address for different MAC addresses

When a proxy ND entry is learned dynamically, a new IPv6 address may be learned for a MAC address for which an old IPv6 address was already known.

Configure VPRN 2 on two additional routers CE-5 and CE-7 that are wired to PE-2 and PE-4 respectively, as for Dynamic proxy ARP entries with a duplicate IPv4 address for different MAC addresses.

Configure an anti spoof MAC for address proxy ND duplicates, as follows:

# On PE-2, PE-3, PE-4:
configure {
    service vpls "VPLS 1" {
            proxy-nd
                admin-state enable
                dynamic-populate true
                evpn {
                    advertise-neighbor-type router-host
                }
                duplicate-detect {
                    anti-spoof-mac 00:00:5e:00:53:60
                    window 3
                    num-moves 5
                    hold-down-time 9
                }

Nokia recommends that the proxy ND anti spoof MAC address is the same on all PEs.

The applicable configuration for proxy ND can be verified with:

[/]
A:admin@PE-2# show service id 1 proxy-nd detail
-------------------------------------------------------------------------------
Proxy ND
-------------------------------------------------------------------------------
Admin State       : enabled             
Dyn Populate      : enabled             
Age Time          : disabled            Send Refresh      : disabled
Table Size        : 250                 Total             : 0
Static Count      : 0                   EVPN Count        : 0
Dynamic Count     : 0                   Duplicate Count   : 0
Process DAD NS    : enabled             
Restrict Non Conf*: disabled            
Sponge MAC        : None

Dup Detect
-------------------------------------------------------------------------------
Detect Window     : 3 mins              Num Moves         : 5
Hold down         : 9 mins              
Anti Spoof MAC    : 00:00:5e:00:53:60

VPLS Flood Control
-------------------------------------------------------------------------------
Rcvd Unknown NS F*: enabled             
Rcvd Rtr Unsol NA*: enabled             Rcvd Host Unsol N*: enabled

EVPN
-------------------------------------------------------------------------------
Unknown NS Flood  : enabled             ND Advertise      : Host
Rtr Unsol NA Flood: enabled             Host Unsol NA Fld : enabled
EVPN Route Tag    : 0                   
-------------------------------------------------------------------------------
* indicates that the corresponding row element may have been truncated.

Execute in the given order:

an IPv6 ping to PE-4 from CE-5: ping 2001:db8::16:4:4 source-address 2001:db8::16:4:57 count 12 router-instance "VPRN 2"
an IPv6 ping to PE-2 from CE-7: ping 2001:db8::16:4:2 source-address 2001:db8::16:4:57 count 12 router-instance "VPRN 2"

As a result of the first ping, PE-2 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:57 with type router (R) that PE-2 receives from CE-5 and the EVPN entry for 2001:db8::16:4:4 with type router (R) that PE-4 advertises. PE-2 advertises the dynamic entry.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:15 dyn  active R  O   06/23/2025 15:58:52
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

PE-4 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:57 with type router (R) that PE-2 advertises and the dynamic entry for 2001:db8::16:4:4 with type router (R). PE-4 advertises the dynamic entry.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:15 evpn active R  O   06/23/2025 15:58:52
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-nd 2001:db8::16:4:57 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:57   MAC Address       : 00:00:5e:00:53:15
Type              : evpn                Status            : active
Rtr/Host          : Rtr                 
Immutable         : No                  EVPN Override     : Yes

PE-3 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:57 with type router (R) that PE-2 advertises and the EVPN entry for 2001:db8::16:4:4 with type router (R) that PE-4 advertises.

[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:15 evpn active R  O   06/23/2025 15:58:52
-------------------------------------------------------------------------------
Number of entries : 2
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

As a result of the second ping, PE-4 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:2 with type router (R) that PE-2 advertises. Because the entry for 2001:db8::16:4:57 was already in its proxy ND table with a different MAC address, PE-4 recognizes the entry as a duplicate, replaces its initial MAC address with the configured proxy ND anti spoof MAC address 00:00:5e:00:53:60, and advertises it with the Router flag, the Immutable flag, and the Override flag.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:59:25
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:60 dup  active R I O  06/23/2025 15:59:30
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-nd 2001:db8::16:4:57 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:57   MAC Address       : 00:00:5e:00:53:60
Type              : dup                 Status            : active
Rtr/Host          : Rtr                 
Immutable         : Yes                 EVPN Override     : Yes

PE-2 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:2 with type router (R) and advertises it. PE-2 also updates the EVPN entry for 2001:db8::16:4:57 with the flags and the proxy ND anti spoof MAC address that PE-4 advertises.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/23/2025 15:59:25
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:60 evpn active R I O  06/23/2025 15:59:30
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

PE-3 adds in its proxy ND table the EVPN entry for 2001:db8::16:4:2 with type router (R) that PE-2 advertises and updates the EVPN entry for 2001:db8::16:4:57 with the flags and the proxy ND anti spoof MAC address that PE-4 advertises.

[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 15:59:25
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 15:58:47
2001:db8::16:4:57      00:00:5e:00:53:60 evpn active R I O  06/23/2025 15:59:30
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

When the duplicate entry's hold-down period expires, PE-4 does not consider it as a duplicate any longer. If the duplicate proxy ND entry was on the PE that initially held the dynamic proxy ND entry (PE-2), that PE restores the initial dynamic proxy ND entry and advertises the updated entry with the initial MAC address, but without the Immutable flag. If the duplicate proxy ND entry was on another PE (PE-4), that PE removes it from its proxy ND table and advertises the removal.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 16:16:32
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/23/2025 16:15:01
---snip---
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

PE-2 and PE-3 receive the removal advertisement from PE-4 and also remove the corresponding EVPN entry from their proxy ND table:

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/23/2025 16:16:32
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 16:15:01
---snip---
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-3# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/23/2025 16:16:32
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/23/2025 16:15:01
---snip---
-------------------------------------------------------------------------------
Number of entries : 3
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

SR OS behaves in a similar way for duplicate host type proxy ND entries.

As an example, two test center ports have the same IPv6 address 2001:db8::16:4:24, but different MAC addresses: a test center port connected to PE-2 (MAC 00:00:5e:00:53:24) and a test center port connected to PE-4 (00:00:5e:00:53:44). The test center port on PE-2 pings IPv6 address 2001:db8::16:4:4 on PE-4, and the test center port on PE-4 pings IPv6 address 2001:db8::16:4:2 on PE-2.

As a result of the first ping, PE-2 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:24 with type host (H) that PE-2 receives from the test center and the EVPN entry for 2001:db8::16:4:4 with type router (R) that PE-4 advertises. PE-2 advertises the dynamic entry.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/24/2025 22:14:32
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/24/2025 22:10:43
2001:db8::16:4:24      00:00:5e:00:53:24 dyn  pendng H  O   06/24/2025 22:14:27
---snip---
-------------------------------------------------------------------------------
Number of entries : 7
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-2# show service id 1 proxy-nd 2001:db8::16:4:24 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:24   MAC Address       : 00:00:5e:00:53:24
Type              : dyn                 Status            : pendng
Rtr/Host          : Host                
Immutable         : No                  EVPN Override     : Yes

As a result of the second ping, PE-4 adds in its proxy ND table the dynamic entry for 2001:db8::16:4:24 with type host (H) that PE-4 receives from the test center and the EVPN entry for 2001:db8::16:4:2 with type router (R) that PE-2 advertises.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/24/2025 22:12:44
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/24/2025 22:12:46
2001:db8::16:4:24      00:00:5e:00:53:44 dyn  pendng H  O   06/24/2025 22:14:27
---snip---
-------------------------------------------------------------------------------
Number of entries : 7
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-nd 2001:db8::16:4:24 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:24   MAC Address       : 00:00:5e:00:53:44
Type              : dyn                 Status            : pendng
Rtr/Host          : Host                
Immutable         : No                  EVPN Override     : Yes

Because the entry for 2001:db8::16:4:24 was already in its proxy ND table with a different MAC address, PE-4 recognizes the entry as a duplicate, as a result of the second ping. PE-4, replaces the entry's initial MAC address with the configured proxy ND anti spoof MAC address 00:00:5e:00:53:60, and advertises the updated entry with the Router flag, the Immutable flag, and the Override flag.

[/]
A:admin@PE-4# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 evpn active R  O   06/24/2025 22:12:44
2001:db8::16:4:4       00:00:5e:00:53:04 dyn  active R  O   06/24/2025 22:12:46
2001:db8::16:4:24      00:00:5e:00:53:60 dup  active R I O  06/24/2025 22:14:57
---snip---
-------------------------------------------------------------------------------
Number of entries : 6
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-4# show service id 1 proxy-nd 2001:db8::16:4:24 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:24   MAC Address       : 00:00:5e:00:53:60
Type              : dup                 Status            : active
Rtr/Host          : Rtr                 
Immutable         : Yes                 EVPN Override     : Yes

PE-2 updates in its proxy ND table the EVPN entry for 2001:db8::16:4:24 with the flags and the proxy ND MAC address that PE-4 advertises.

[/]
A:admin@PE-2# show service id 1 proxy-nd detail | match "VPLS Proxy "
 pre-lines 1 post-lines 20
===============================================================================
VPLS Proxy ND Entries
===============================================================================
IP Address             Mac Address       Type Status Flags  Last Update
-------------------------------------------------------------------------------
2001:db8::16:4:2       00:00:5e:00:53:02 dyn  active R  O   06/24/2025 22:14:32
2001:db8::16:4:4       00:00:5e:00:53:04 evpn active R  O   06/24/2025 22:10:43
2001:db8::16:4:24      00:00:5e:00:53:60 evpn active R I O  06/24/2025 22:14:57
---snip---
-------------------------------------------------------------------------------
Number of entries : 7
Legend : I=Immutable, O=Override, R=Router, H=Host
===============================================================================

[/]
A:admin@PE-2# show service id 1 proxy-nd 2001:db8::16:4:24 detail |
 match "IP Address" post-lines 3
IP Address        : 2001:db8::16:4:24   MAC Address       : 00:00:5e:00:53:60
Type              : evpn                Status            : active
Rtr/Host          : Rtr                 
Immutable         : Yes                 EVPN Override     : Yes

Conclusion

SR OS supports the ARP/ND extended community in EVPN MAC/IP advertisement routes, in line with RFC 9047.