Internet Engineering Task Force (IETF) A. Sajassi, Ed.
Request for Comments: 7432 Cisco
Category: Standards Track R. Aggarwal
ISSN: 2070-1721 Arktan
N. Bitar
Verizon
A. Isaac
Bloomberg
J. Uttaro
AT&T
J. Drake
Juniper Networks
W. Henderickx
Alcatel-Lucent
February 2015
BGP MPLS-Based Ethernet VPN
Abstract
This document describes procedures for BGP MPLS-based Ethernet VPNs
(EVPN). The procedures described here meet the requirements
specified in RFC 7209 -- "Requirements for Ethernet VPN (EVPN)".
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7432.
Sajassi, et al. Standards Track [Page 1]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................4
2. Specification of Requirements ...................................4
3. Terminology .....................................................4
4. BGP MPLS-Based EVPN Overview ....................................6
5. Ethernet Segment ................................................7
6. Ethernet Tag ID ................................................10
6.1. VLAN-Based Service Interface ..............................11
6.2. VLAN Bundle Service Interface .............................11
6.2.1. Port-Based Service Interface .......................11
6.3. VLAN-Aware Bundle Service Interface .......................11
6.3.1. Port-Based VLAN-Aware Service Interface ............12
7. BGP EVPN Routes ................................................13
7.1. Ethernet Auto-discovery Route .............................14
7.2. MAC/IP Advertisement Route ................................14
7.3. Inclusive Multicast Ethernet Tag Route ....................15
7.4. Ethernet Segment Route ....................................16
7.5. ESI Label Extended Community ..............................16
7.6. ES-Import Route Target ....................................17
7.7. MAC Mobility Extended Community ...........................18
7.8. Default Gateway Extended Community ........................18
7.9. Route Distinguisher Assignment per EVI ....................18
7.10. Route Targets ............................................19
7.10.1. Auto-derivation from the Ethernet Tag ID ..........19
8. Multihoming Functions ..........................................19
8.1. Multihomed Ethernet Segment Auto-discovery ................19
8.1.1. Constructing the Ethernet Segment Route ............19
8.2. Fast Convergence ..........................................20
8.2.1. Constructing Ethernet A-D per Ethernet
Segment Route ......................................21
8.2.1.1. Ethernet A-D Route Targets ................21
Sajassi, et al. Standards Track [Page 2]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.3. Split Horizon .............................................22
8.3.1. ESI Label Assignment ...............................22
8.3.1.1. Ingress Replication .......................22
8.3.1.2. P2MP MPLS LSPs ............................24
8.4. Aliasing and Backup Path ..................................25
8.4.1. Constructing Ethernet A-D per EVPN Instance Route ..26
8.5. Designated Forwarder Election .............................27
8.6. Interoperability with Single-Homing PEs ...................29
9. Determining Reachability to Unicast MAC Addresses ..............30
9.1. Local Learning ............................................30
9.2. Remote Learning ...........................................30
9.2.1. Constructing MAC/IP Address Advertisement ..........31
9.2.2. Route Resolution ...................................32
10. ARP and ND ....................................................33
10.1. Default Gateway ..........................................34
11. Handling of Multi-destination Traffic .........................36
11.1. Constructing Inclusive Multicast Ethernet Tag Route ......36
11.2. P-Tunnel Identification ..................................37
12. Processing of Unknown Unicast Packets .........................38
12.1. Ingress Replication ......................................38
12.2. P2MP MPLS LSPs ...........................................39
13. Forwarding Unicast Packets ....................................39
13.1. Forwarding Packets Received from a CE ....................39
13.2. Forwarding Packets Received from a Remote PE .............41
13.2.1. Unknown Unicast Forwarding ........................41
13.2.2. Known Unicast Forwarding ..........................41
14. Load Balancing of Unicast Packets .............................41
14.1. Load Balancing of Traffic from a PE to Remote CEs ........41
14.1.1. Single-Active Redundancy Mode .....................42
14.1.2. All-Active Redundancy Mode ........................42
14.2. Load Balancing of Traffic between a PE and a Local CE ....44
14.2.1. Data-Plane Learning ...............................44
14.2.2. Control-Plane Learning ............................44
15. MAC Mobility ..................................................45
15.1. MAC Duplication Issue ....................................47
15.2. Sticky MAC Addresses .....................................47
16. Multicast and Broadcast .......................................47
16.1. Ingress Replication ......................................47
16.2. P2MP LSPs ................................................48
16.2.1. Inclusive Trees ...................................48
17. Convergence ...................................................49
17.1. Transit Link and Node Failures between PEs ...............49
17.2. PE Failures ..............................................49
17.3. PE-to-CE Network Failures ................................49
18. Frame Ordering ................................................50
Sajassi, et al. Standards Track [Page 3]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
19. Security Considerations .......................................50
20. IANA Considerations ...........................................52
21. References ....................................................52
21.1. Normative References .....................................52
21.2. Informative References ...................................53
Acknowledgements ..................................................55
Contributors ......................................................55
Authors' Addresses ................................................56
1. Introduction
Virtual Private LAN Service (VPLS), as defined in [RFC4664],
[RFC4761], and [RFC4762], is a proven and widely deployed technology.
However, the existing solution has a number of limitations when it
comes to multihoming and redundancy, multicast optimization,
provisioning simplicity, flow-based load balancing, and multipathing;
these limitations are important considerations for Data Center (DC)
deployments. [RFC7209] describes the motivation for a new solution
to address these limitations. It also outlines a set of requirements
that the new solution must address.
This document describes procedures for a BGP MPLS-based solution
called Ethernet VPN (EVPN) to address the requirements specified in
[RFC7209]. Please refer to [RFC7209] for the detailed requirements
and motivation. EVPN requires extensions to existing IP/MPLS
protocols as described in this document. In addition to these
extensions, EVPN uses several building blocks from existing MPLS
technologies.
2. Specification of Requirements
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Terminology
Broadcast Domain: In a bridged network, the broadcast domain
corresponds to a Virtual LAN (VLAN), where a VLAN is typically
represented by a single VLAN ID (VID) but can be represented
by several VIDs where Shared VLAN Learning (SVL) is used
per [802.1Q].
Bridge Table: An instantiation of a broadcast domain on a MAC-VRF.
CE: Customer Edge device, e.g., a host, router, or switch.
Sajassi, et al. Standards Track [Page 4]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
EVI: An EVPN instance spanning the Provider Edge (PE) devices
participating in that EVPN.
MAC-VRF: A Virtual Routing and Forwarding table for Media Access
Control (MAC) addresses on a PE.
Ethernet Segment (ES): When a customer site (device or network) is
connected to one or more PEs via a set of Ethernet links, then
that set of links is referred to as an 'Ethernet segment'.
Ethernet Segment Identifier (ESI): A unique non-zero identifier that
identifies an Ethernet segment is called an 'Ethernet Segment
Identifier'.
Ethernet Tag: An Ethernet tag identifies a particular broadcast
domain, e.g., a VLAN. An EVPN instance consists of one or more
broadcast domains.
LACP: Link Aggregation Control Protocol.
MP2MP: Multipoint to Multipoint.
MP2P: Multipoint to Point.
P2MP: Point to Multipoint.
P2P: Point to Point.
PE: Provider Edge device.
Single-Active Redundancy Mode: When only a single PE, among all the
PEs attached to an Ethernet segment, is allowed to forward traffic
to/from that Ethernet segment for a given VLAN, then the Ethernet
segment is defined to be operating in Single-Active redundancy
mode.
All-Active Redundancy Mode: When all PEs attached to an Ethernet
segment are allowed to forward known unicast traffic to/from that
Ethernet segment for a given VLAN, then the Ethernet segment is
defined to be operating in All-Active redundancy mode.
Sajassi, et al. Standards Track [Page 5]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
4. BGP MPLS-Based EVPN Overview
This section provides an overview of EVPN. An EVPN instance
comprises Customer Edge devices (CEs) that are connected to Provider
Edge devices (PEs) that form the edge of the MPLS infrastructure. A
CE may be a host, a router, or a switch. The PEs provide virtual
Layer 2 bridged connectivity between the CEs. There may be multiple
EVPN instances in the provider's network.
The PEs may be connected by an MPLS Label Switched Path (LSP)
infrastructure, which provides the benefits of MPLS technology, such
as fast reroute, resiliency, etc. The PEs may also be connected by
an IP infrastructure, in which case IP/GRE (Generic Routing
Encapsulation) tunneling or other IP tunneling can be used between
the PEs. The detailed procedures in this document are specified only
for MPLS LSPs as the tunneling technology. However, these procedures
are designed to be extensible to IP tunneling as the Packet Switched
Network (PSN) tunneling technology.
In an EVPN, MAC learning between PEs occurs not in the data plane (as
happens with traditional bridging in VPLS [RFC4761] [RFC4762]) but in
the control plane. Control-plane learning offers greater control
over the MAC learning process, such as restricting who learns what,
and the ability to apply policies. Furthermore, the control plane
chosen for advertising MAC reachability information is multi-protocol
(MP) BGP (similar to IP VPNs [RFC4364]). This provides flexibility
and the ability to preserve the "virtualization" or isolation of
groups of interacting agents (hosts, servers, virtual machines) from
each other. In EVPN, PEs advertise the MAC addresses learned from
the CEs that are connected to them, along with an MPLS label, to
other PEs in the control plane using Multiprotocol BGP (MP-BGP).
Control-plane learning enables load balancing of traffic to and from
CEs that are multihomed to multiple PEs. This is in addition to load
balancing across the MPLS core via multiple LSPs between the same
pair of PEs. In other words, it allows CEs to connect to multiple
active points of attachment. It also improves convergence times in
the event of certain network failures.
However, learning between PEs and CEs is done by the method best
suited to the CE: data-plane learning, IEEE 802.1x, the Link Layer
Discovery Protocol (LLDP), IEEE 802.1aq, Address Resolution Protocol
(ARP), management plane, or other protocols.
It is a local decision as to whether the Layer 2 forwarding table on
a PE is populated with all the MAC destination addresses known to the
control plane, or whether the PE implements a cache-based scheme.
For instance, the MAC forwarding table may be populated only with the
MAC destinations of the active flows transiting a specific PE.
Sajassi, et al. Standards Track [Page 6]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
The policy attributes of EVPN are very similar to those of IP-VPN.
An EVPN instance requires a Route Distinguisher (RD) that is unique
per MAC-VRF and one or more globally unique Route Targets (RTs). A
CE attaches to a MAC-VRF on a PE, on an Ethernet interface that may
be configured for one or more Ethernet tags, e.g., VLAN IDs. Some
deployment scenarios guarantee uniqueness of VLAN IDs across EVPN
instances: all points of attachment for a given EVPN instance use the
same VLAN ID, and no other EVPN instance uses this VLAN ID. This
document refers to this case as a "Unique VLAN EVPN" and describes
simplified procedures to optimize for it.
5. Ethernet Segment
As indicated in [RFC7209], each Ethernet segment needs a unique
identifier in an EVPN. This section defines how such identifiers are
assigned and how they are encoded for use in EVPN signaling. Later
sections of this document describe the protocol mechanisms that
utilize the identifiers.
When a customer site is connected to one or more PEs via a set of
Ethernet links, then this set of Ethernet links constitutes an
"Ethernet segment". For a multihomed site, each Ethernet segment
(ES) is identified by a unique non-zero identifier called an Ethernet
Segment Identifier (ESI). An ESI is encoded as a 10-octet integer in
line format with the most significant octet sent first. The
following two ESI values are reserved:
- ESI 0 denotes a single-homed site.
- ESI {0xFF} (repeated 10 times) is known as MAX-ESI and is reserved.
In general, an Ethernet segment SHOULD have a non-reserved ESI that
is unique network wide (i.e., across all EVPN instances on all the
PEs). If the CE(s) constituting an Ethernet segment is (are) managed
by the network operator, then ESI uniqueness should be guaranteed;
however, if the CE(s) is (are) not managed, then the operator MUST
configure a network-wide unique ESI for that Ethernet segment. This
is required to enable auto-discovery of Ethernet segments and
Designated Forwarder (DF) election.
Sajassi, et al. Standards Track [Page 7]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
In a network with managed and non-managed CEs, the ESI has the
following format:
+---+---+---+---+---+---+---+---+---+---+
| T | ESI Value |
+---+---+---+---+---+---+---+---+---+---+
Where:
T (ESI Type) is a 1-octet field (most significant octet) that
specifies the format of the remaining 9 octets (ESI Value). The
following six ESI types can be used:
- Type 0 (T=0x00) - This type indicates an arbitrary 9-octet ESI
value, which is managed and configured by the operator.
- Type 1 (T=0x01) - When IEEE 802.1AX LACP is used between the PEs
and CEs, this ESI type indicates an auto-generated ESI value
determined from LACP by concatenating the following parameters:
+ CE LACP System MAC address (6 octets). The CE LACP System MAC
address MUST be encoded in the high-order 6 octets of the ESI
Value field.
+ CE LACP Port Key (2 octets). The CE LACP port key MUST be
encoded in the 2 octets next to the System MAC address.
+ The remaining octet will be set to 0x00.
As far as the CE is concerned, it would treat the multiple PEs that
it is connected to as the same switch. This allows the CE to
aggregate links that are attached to different PEs in the same
bundle.
This mechanism could be used only if it produces ESIs that satisfy
the uniqueness requirement specified above.
Sajassi, et al. Standards Track [Page 8]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
- Type 2 (T=0x02) - This type is used in the case of indirectly
connected hosts via a bridged LAN between the CEs and the PEs. The
ESI Value is auto-generated and determined based on the Layer 2
bridge protocol as follows: If the Multiple Spanning Tree Protocol
(MSTP) is used in the bridged LAN, then the value of the ESI is
derived by listening to Bridge PDUs (BPDUs) on the Ethernet
segment. To achieve this, the PE is not required to run MSTP.
However, the PE must learn the Root Bridge MAC address and Bridge
Priority of the root of the Internal Spanning Tree (IST) by
listening to the BPDUs. The ESI Value is constructed as follows:
+ Root Bridge MAC address (6 octets). The Root Bridge MAC address
MUST be encoded in the high-order 6 octets of the ESI Value
field.
+ Root Bridge Priority (2 octets). The CE Root Bridge Priority
MUST be encoded in the 2 octets next to the Root Bridge MAC
address.
+ The remaining octet will be set to 0x00.
This mechanism could be used only if it produces ESIs that satisfy
the uniqueness requirement specified above.
- Type 3 (T=0x03) - This type indicates a MAC-based ESI Value that
can be auto-generated or configured by the operator. The ESI Value
is constructed as follows:
+ System MAC address (6 octets). The PE MAC address MUST be
encoded in the high-order 6 octets of the ESI Value field.
+ Local Discriminator value (3 octets). The Local Discriminator
value MUST be encoded in the low-order 3 octets of the ESI Value.
This mechanism could be used only if it produces ESIs that satisfy
the uniqueness requirement specified above.
- Type 4 (T=0x04) - This type indicates a router-ID ESI Value that
can be auto-generated or configured by the operator. The ESI Value
is constructed as follows:
+ Router ID (4 octets). The system router ID MUST be encoded in
the high-order 4 octets of the ESI Value field.
+ Local Discriminator value (4 octets). The Local Discriminator
value MUST be encoded in the 4 octets next to the IP address.
+ The low-order octet of the ESI Value will be set to 0x00.
Sajassi, et al. Standards Track [Page 9]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
This mechanism could be used only if it produces ESIs that satisfy
the uniqueness requirement specified above.
- Type 5 (T=0x05) - This type indicates an Autonomous System
(AS)-based ESI Value that can be auto-generated or configured by
the operator. The ESI Value is constructed as follows:
+ AS number (4 octets). This is an AS number owned by the system
and MUST be encoded in the high-order 4 octets of the ESI Value
field. If a 2-octet AS number is used, the high-order extra
2 octets will be 0x0000.
+ Local Discriminator value (4 octets). The Local Discriminator
value MUST be encoded in the 4 octets next to the AS number.
+ The low-order octet of the ESI Value will be set to 0x00.
This mechanism could be used only if it produces ESIs that satisfy
the uniqueness requirement specified above.
6. Ethernet Tag ID
An Ethernet Tag ID is a 32-bit field containing either a 12-bit or
24-bit identifier that identifies a particular broadcast domain
(e.g., a VLAN) in an EVPN instance. The 12-bit identifier is called
the VLAN ID (VID). An EVPN instance consists of one or more
broadcast domains (one or more VLANs). VLANs are assigned to a given
EVPN instance by the provider of the EVPN service. A given VLAN can
itself be represented by multiple VIDs. In such cases, the PEs
participating in that VLAN for a given EVPN instance are responsible
for performing VLAN ID translation to/from locally attached CE
devices.
If a VLAN is represented by a single VID across all PE devices
participating in that VLAN for that EVPN instance, then there is no
need for VID translation at the PEs. Furthermore, some deployment
scenarios guarantee uniqueness of VIDs across all EVPN instances; all
points of attachment for a given EVPN instance use the same VID, and
no other EVPN instances use that VID. This allows the RT(s) for each
EVPN instance to be derived automatically from the corresponding VID,
as described in Section 7.10.1.
The following subsections discuss the relationship between broadcast
domains (e.g., VLANs), Ethernet Tag IDs (e.g., VIDs), and MAC-VRFs as
well as the setting of the Ethernet Tag ID, in the various EVPN BGP
routes (defined in Section 8), for the different types of service
interfaces described in [RFC7209].
Sajassi, et al. Standards Track [Page 10]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
The following Ethernet Tag ID value is reserved:
- Ethernet Tag ID {0xFFFFFFFF} is known as MAX-ET.
6.1. VLAN-Based Service Interface
With this service interface, an EVPN instance consists of only a
single broadcast domain (e.g., a single VLAN). Therefore, there is a
one-to-one mapping between a VID on this interface and a MAC-VRF.
Since a MAC-VRF corresponds to a single VLAN, it consists of a single
bridge table corresponding to that VLAN. If the VLAN is represented
by multiple VIDs (e.g., a different VID per Ethernet segment per PE),
then each PE needs to perform VID translation for frames destined to
its Ethernet segment(s). In such scenarios, the Ethernet frames
transported over an MPLS/IP network SHOULD remain tagged with the
originating VID, and a VID translation MUST be supported in the data
path and MUST be performed on the disposition PE. The Ethernet Tag
ID in all EVPN routes MUST be set to 0.
6.2. VLAN Bundle Service Interface
With this service interface, an EVPN instance corresponds to multiple
broadcast domains (e.g., multiple VLANs); however, only a single
bridge table is maintained per MAC-VRF, which means multiple VLANs
share the same bridge table. This implies that MAC addresses MUST be
unique across all VLANs for that EVI in order for this service to
work. In other words, there is a many-to-one mapping between VLANs
and a MAC-VRF, and the MAC-VRF consists of a single bridge table.
Furthermore, a single VLAN must be represented by a single VID --
e.g., no VID translation is allowed for this service interface type.
The MPLS-encapsulated frames MUST remain tagged with the originating
VID. Tag translation is NOT permitted. The Ethernet Tag ID in all
EVPN routes MUST be set to 0.
6.2.1. Port-Based Service Interface
This service interface is a special case of the VLAN bundle service
interface, where all of the VLANs on the port are part of the same
service and map to the same bundle. The procedures are identical to
those described in Section 6.2.
6.3. VLAN-Aware Bundle Service Interface
With this service interface, an EVPN instance consists of multiple
broadcast domains (e.g., multiple VLANs) with each VLAN having its
own bridge table -- i.e., multiple bridge tables (one per VLAN) are
maintained by a single MAC-VRF corresponding to the EVPN instance.
Sajassi, et al. Standards Track [Page 11]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Broadcast, unknown unicast, or multicast (BUM) traffic is sent only
to the CEs in a given broadcast domain; however, the broadcast
domains within an EVI either MAY each have their own P-Tunnel or MAY
share P-Tunnels -- e.g., all of the broadcast domains in an EVI MAY
share a single P-Tunnel.
In the case where a single VLAN is represented by a single VID and
thus no VID translation is required, an MPLS-encapsulated packet MUST
carry that VID. The Ethernet Tag ID in all EVPN routes MUST be set
to that VID. The advertising PE MAY advertise the MPLS Label1 in the
MAC/IP Advertisement route representing ONLY the EVI or representing
both the Ethernet Tag ID and the EVI. This decision is only a local
matter by the advertising PE (which is also the disposition PE) and
doesn't affect any other PEs.
In the case where a single VLAN is represented by different VIDs on
different CEs and thus VID translation is required, a normalized
Ethernet Tag ID (VID) MUST be carried in the EVPN BGP routes.
Furthermore, the advertising PE advertises the MPLS Label1 in the
MAC/IP Advertisement route representing both the Ethernet Tag ID and
the EVI, so that upon receiving an MPLS-encapsulated packet, it can
identify the corresponding bridge table from the MPLS EVPN label and
perform Ethernet Tag ID translation ONLY at the disposition PE --
i.e., the Ethernet frames transported over the MPLS/IP network MUST
remain tagged with the originating VID, and VID translation is
performed on the disposition PE. The Ethernet Tag ID in all EVPN
routes MUST be set to the normalized Ethernet Tag ID assigned by the
EVPN provider.
6.3.1. Port-Based VLAN-Aware Service Interface
This service interface is a special case of the VLAN-aware bundle
service interface, where all of the VLANs on the port are part of the
same service and are mapped to a single bundle but without any VID
translation. The procedures are a subset of those described in
Section 6.3.
Sajassi, et al. Standards Track [Page 12]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7. BGP EVPN Routes
This document defines a new BGP Network Layer Reachability
Information (NLRI) called the EVPN NLRI.
The format of the EVPN NLRI is as follows:
+-----------------------------------+
| Route Type (1 octet) |
+-----------------------------------+
| Length (1 octet) |
+-----------------------------------+
| Route Type specific (variable) |
+-----------------------------------+
The Route Type field defines the encoding of the rest of the EVPN
NLRI (Route Type specific EVPN NLRI).
The Length field indicates the length in octets of the Route Type
specific field of the EVPN NLRI.
This document defines the following Route Types:
+ 1 - Ethernet Auto-Discovery (A-D) route
+ 2 - MAC/IP Advertisement route
+ 3 - Inclusive Multicast Ethernet Tag route
+ 4 - Ethernet Segment route
The detailed encoding and procedures for these route types are
described in subsequent sections.
The EVPN NLRI is carried in BGP [RFC4271] using BGP Multiprotocol
Extensions [RFC4760] with an Address Family Identifier (AFI) of 25
(L2VPN) and a Subsequent Address Family Identifier (SAFI) of 70
(EVPN). The NLRI field in the MP_REACH_NLRI/MP_UNREACH_NLRI
attribute contains the EVPN NLRI (encoded as specified above).
In order for two BGP speakers to exchange labeled EVPN NLRI, they
must use BGP Capabilities Advertisements to ensure that they both are
capable of properly processing such NLRI. This is done as specified
in [RFC4760], by using capability code 1 (multiprotocol BGP) with an
AFI of 25 (L2VPN) and a SAFI of 70 (EVPN).
Sajassi, et al. Standards Track [Page 13]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7.1. Ethernet Auto-discovery Route
An Ethernet A-D route type specific EVPN NLRI consists of the
following:
+---------------------------------------+
| Route Distinguisher (RD) (8 octets) |
+---------------------------------------+
|Ethernet Segment Identifier (10 octets)|
+---------------------------------------+
| Ethernet Tag ID (4 octets) |
+---------------------------------------+
| MPLS Label (3 octets) |
+---------------------------------------+
For the purpose of BGP route key processing, only the Ethernet
Segment Identifier and the Ethernet Tag ID are considered to be part
of the prefix in the NLRI. The MPLS Label field is to be treated as
a route attribute as opposed to being part of the route.
For procedures and usage of this route, please see Sections 8.2
("Fast Convergence") and 8.4 ("Aliasing and Backup Path").
7.2. MAC/IP Advertisement Route
A MAC/IP Advertisement route type specific EVPN NLRI consists of the
following:
+---------------------------------------+
| RD (8 octets) |
+---------------------------------------+
|Ethernet Segment Identifier (10 octets)|
+---------------------------------------+
| Ethernet Tag ID (4 octets) |
+---------------------------------------+
| MAC Address Length (1 octet) |
+---------------------------------------+
| MAC Address (6 octets) |
+---------------------------------------+
| IP Address Length (1 octet) |
+---------------------------------------+
| IP Address (0, 4, or 16 octets) |
+---------------------------------------+
| MPLS Label1 (3 octets) |
+---------------------------------------+
| MPLS Label2 (0 or 3 octets) |
+---------------------------------------+
Sajassi, et al. Standards Track [Page 14]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
For the purpose of BGP route key processing, only the Ethernet Tag
ID, MAC Address Length, MAC Address, IP Address Length, and IP
Address fields are considered to be part of the prefix in the NLRI.
The Ethernet Segment Identifier, MPLS Label1, and MPLS Label2 fields
are to be treated as route attributes as opposed to being part of the
"route". Both the IP and MAC address lengths are in bits.
For procedures and usage of this route, please see Sections 9
("Determining Reachability to Unicast MAC Addresses") and 14 ("Load
Balancing of Unicast Packets").
7.3. Inclusive Multicast Ethernet Tag Route
An Inclusive Multicast Ethernet Tag route type specific EVPN NLRI
consists of the following:
+---------------------------------------+
| RD (8 octets) |
+---------------------------------------+
| Ethernet Tag ID (4 octets) |
+---------------------------------------+
| IP Address Length (1 octet) |
+---------------------------------------+
| Originating Router's IP Address |
| (4 or 16 octets) |
+---------------------------------------+
For procedures and usage of this route, please see Sections 11
("Handling of Multi-destination Traffic"), 12 ("Processing of Unknown
Unicast Packets"), and 16 ("Multicast and Broadcast"). The IP
address length is in bits. For the purpose of BGP route key
processing, only the Ethernet Tag ID, IP Address Length, and
Originating Router's IP Address fields are considered to be part of
the prefix in the NLRI.
Sajassi, et al. Standards Track [Page 15]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7.4. Ethernet Segment Route
An Ethernet Segment route type specific EVPN NLRI consists of the
following:
+---------------------------------------+
| RD (8 octets) |
+---------------------------------------+
|Ethernet Segment Identifier (10 octets)|
+---------------------------------------+
| IP Address Length (1 octet) |
+---------------------------------------+
| Originating Router's IP Address |
| (4 or 16 octets) |
+---------------------------------------+
For procedures and usage of this route, please see Section 8.5
("Designated Forwarder Election"). The IP address length is in bits.
For the purpose of BGP route key processing, only the Ethernet
Segment ID, IP Address Length, and Originating Router's IP Address
fields are considered to be part of the prefix in the NLRI.
7.5. ESI Label Extended Community
This Extended Community is a new transitive Extended Community having
a Type field value of 0x06 and the Sub-Type 0x01. It may be
advertised along with Ethernet Auto-discovery routes, and it enables
split-horizon procedures for multihomed sites as described in
Section 8.3 ("Split Horizon"). The ESI Label field represents an ES
by the advertising PE, and it is used in split-horizon filtering by
other PEs that are connected to the same multihomed Ethernet segment.
Each ESI Label extended community is encoded as an 8-octet value, as
follows:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x06 | Sub-Type=0x01 | Flags(1 octet)| Reserved=0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved=0 | ESI Label |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The low-order bit of the Flags octet is defined as the
"Single-Active" bit. A value of 0 means that the multihomed site
is operating in All-Active redundancy mode, and a value of 1 means
that the multihomed site is operating in Single-Active redundancy
mode.
Sajassi, et al. Standards Track [Page 16]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7.6. ES-Import Route Target
This is a new transitive Route Target extended community carried with
the Ethernet Segment route. When used, it enables all the PEs
connected to the same multihomed site to import the Ethernet Segment
routes. The value is derived automatically for the ESI Types 1, 2,
and 3, by encoding the high-order 6-octet portion of the 9-octet ESI
Value, which corresponds to a MAC address, in the ES-Import Route
Target. The format of this Extended Community is as follows:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x06 | Sub-Type=0x02 | ES-Import |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| ES-Import Cont'd |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
This document expands the definition of the Route Target extended
community to allow the value of the high-order octet (Type field) to
be 0x06 (in addition to the values specified in [RFC4360]). The
low-order octet (Sub-Type field) value 0x02 indicates that this
Extended Community is of type "Route Target". The new Type field
value 0x06 indicates that the structure of this RT is a 6-octet value
(e.g., a MAC address). A BGP speaker that implements RT Constraint
[RFC4684] MUST apply the RT Constraint procedures to the ES-Import RT
as well.
For procedures and usage of this attribute, please see Section 8.1
("Multihomed Ethernet Segment Auto-discovery").
Sajassi, et al. Standards Track [Page 17]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7.7. MAC Mobility Extended Community
This Extended Community is a new transitive Extended Community having
a Type field value of 0x06 and the Sub-Type 0x00. It may be
advertised along with MAC/IP Advertisement routes. The procedures
for using this Extended Community are described in Section 15 ("MAC
Mobility").
The MAC Mobility extended community is encoded as an 8-octet value,
as follows:
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type=0x06 | Sub-Type=0x00 |Flags(1 octet)| Reserved=0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The low-order bit of the Flags octet is defined as the
"Sticky/static" flag and may be set to 1. A value of 1 means that
the MAC address is static and cannot move. The sequence number is
used to ensure that PEs retain the correct MAC/IP Advertisement route
when multiple updates occur for the same MAC address.
7.8. Default Gateway Extended Community
The Default Gateway community is an Extended Community of an Opaque
Type (see Section 3.3 of [RFC4360]). It is a transitive community,
which means that the first octet is 0x03. The value of the second
octet (Sub-Type) is 0x0d (Default Gateway) as assigned by IANA. The
Value field of this community is reserved (set to 0 by the senders,
ignored by the receivers). For procedures and usage of this
attribute, please see Section 10.1 ("Default Gateway").
7.9. Route Distinguisher Assignment per MAC-VRF
The Route Distinguisher (RD) MUST be set to the RD of the MAC-VRF
that is advertising the NLRI. An RD MUST be assigned for a given
MAC-VRF on a PE. This RD MUST be unique across all MAC-VRFs on a PE.
It is RECOMMENDED to use the Type 1 RD [RFC4364]. The value field
comprises an IP address of the PE (typically, the loopback address)
followed by a number unique to the PE. This number may be generated
by the PE. Or, in the Unique VLAN EVPN case, the low-order 12 bits
may be the 12-bit VLAN ID, with the remaining high-order 4 bits set
to 0.
Sajassi, et al. Standards Track [Page 18]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
7.10. Route Targets
The EVPN route MAY carry one or more Route Target (RT) attributes.
RTs may be configured (as in IP VPNs) or may be derived
automatically.
If a PE uses RT Constraint, the PE advertises all such RTs using RT
Constraints per [RFC4684]. The use of RT Constraints allows each
EVPN route to reach only those PEs that are configured to import at
least one RT from the set of RTs carried in the EVPN route.
7.10.1. Auto-derivation from the Ethernet Tag ID
For the "Unique VLAN EVPN" scenario, it is highly desirable to
auto-derive the RT from the Ethernet Tag ID (VLAN ID) for that EVPN
instance. The procedure for performing such auto-derivation is as
follows:
+ The Global Administrator field of the RT MUST be set to the
Autonomous System (AS) number with which the PE is associated.
+ The 12-bit VLAN ID MUST be encoded in the lowest 12 bits of the
Local Administrator field, with the remaining bits set to zero.
8. Multihoming Functions
This section discusses the functions, procedures, and associated BGP
routes used to support multihoming in EVPN. This covers both
multihomed device (MHD) and multihomed network (MHN) scenarios.
8.1. Multihomed Ethernet Segment Auto-discovery
PEs connected to the same Ethernet segment can automatically discover
each other with minimal to no configuration through the exchange of
the Ethernet Segment route.
8.1.1. Constructing the Ethernet Segment Route
The Route Distinguisher (RD) MUST be a Type 1 RD [RFC4364]. The
value field comprises an IP address of the PE (typically, the
loopback address) followed by a number unique to the PE.
The Ethernet Segment Identifier (ESI) MUST be set to the 10-octet
value described in Section 5.
The BGP advertisement that advertises the Ethernet Segment route MUST
also carry an ES-Import Route Target, as defined in Section 7.6.
Sajassi, et al. Standards Track [Page 19]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
The Ethernet Segment route filtering MUST be done such that the
Ethernet Segment route is imported only by the PEs that are
multihomed to the same Ethernet segment. To that end, each PE that
is connected to a particular Ethernet segment constructs an import
filtering rule to import a route that carries the ES-Import Route
Target, constructed from the ESI.
8.2. Fast Convergence
In EVPN, MAC address reachability is learned via the BGP control
plane over the MPLS network. As such, in the absence of any fast
protection mechanism, the network convergence time is a function of
the number of MAC/IP Advertisement routes that must be withdrawn by
the PE encountering a failure. For highly scaled environments, this
scheme yields slow convergence.
To alleviate this, EVPN defines a mechanism to efficiently and
quickly signal, to remote PE nodes, the need to update their
forwarding tables upon the occurrence of a failure in connectivity to
an Ethernet segment. This is done by having each PE advertise a set
of one or more Ethernet A-D per ES routes for each locally attached
Ethernet segment (refer to Section 8.2.1 below for details on how
these routes are constructed). A PE may need to advertise more than
one Ethernet A-D per ES route for a given ES because the ES may be in
a multiplicity of EVIs and the RTs for all of these EVIs may not fit
into a single route. Advertising a set of Ethernet A-D per ES routes
for the ES allows each route to contain a subset of the complete set
of RTs. Each Ethernet A-D per ES route is differentiated from the
other routes in the set by a different Route Distinguisher (RD).
Upon a failure in connectivity to the attached segment, the PE
withdraws the corresponding set of Ethernet A-D per ES routes. This
triggers all PEs that receive the withdrawal to update their next-hop
adjacencies for all MAC addresses associated with the Ethernet
segment in question. If no other PE had advertised an Ethernet A-D
route for the same segment, then the PE that received the withdrawal
simply invalidates the MAC entries for that segment. Otherwise, the
PE updates its next-hop adjacencies accordingly.
Sajassi, et al. Standards Track [Page 20]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.2.1. Constructing Ethernet A-D per Ethernet Segment Route
This section describes the procedures used to construct the Ethernet
A-D per ES route, which is used for fast convergence (as discussed
above) and for advertising the ESI label used for split-horizon
filtering (as discussed in Section 8.3). Support of this route is
REQUIRED.
The Route Distinguisher (RD) MUST be a Type 1 RD [RFC4364]. The
value field comprises an IP address of the PE (typically, the
loopback address) followed by a number unique to the PE.
The Ethernet Segment Identifier MUST be a 10-octet entity as
described in Section 5 ("Ethernet Segment"). The Ethernet A-D route
is not needed when the Segment Identifier is set to 0 (e.g., single-
homed scenarios).
The Ethernet Tag ID MUST be set to MAX-ET.
The MPLS label in the NLRI MUST be set to 0.
The ESI Label extended community MUST be included in the route. If
All-Active redundancy mode is desired, then the "Single-Active" bit
in the flags of the ESI Label extended community MUST be set to 0 and
the MPLS label in that Extended Community MUST be set to a valid MPLS
label value. The MPLS label in this Extended Community is referred
to as the ESI label and MUST have the same value in each Ethernet A-D
per ES route advertised for the ES. This label MUST be a downstream
assigned MPLS label if the advertising PE is using ingress
replication for receiving multicast, broadcast, or unknown unicast
traffic from other PEs. If the advertising PE is using P2MP MPLS
LSPs for sending multicast, broadcast, or unknown unicast traffic,
then this label MUST be an upstream assigned MPLS label. The usage
of this label is described in Section 8.3.
If Single-Active redundancy mode is desired, then the "Single-Active"
bit in the flags of the ESI Label extended community MUST be set to 1
and the ESI label SHOULD be set to a valid MPLS label value.
8.2.1.1. Ethernet A-D Route Targets
Each Ethernet A-D per ES route MUST carry one or more Route Target
(RT) attributes. The set of Ethernet A-D routes per ES MUST carry
the entire set of RTs for all the EVPN instances to which the
Ethernet segment belongs.
Sajassi, et al. Standards Track [Page 21]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.3. Split Horizon
Consider a CE that is multihomed to two or more PEs on an Ethernet
segment ES1 operating in All-Active redundancy mode. If the CE sends
a broadcast, unknown unicast, or multicast (BUM) packet to one of the
non-Designated Forwarder (non-DF) PEs, say PE1, then PE1 will forward
that packet to all or a subset of the other PEs in that EVPN
instance, including the DF PE for that Ethernet segment. In this
case, the DF PE to which the CE is multihomed MUST drop the packet
and not forward back to the CE. This filtering is referred to as
"split-horizon filtering" in this document.
When a set of PEs are operating in Single-Active redundancy mode, the
use of this split-horizon filtering mechanism is highly recommended
because it prevents transient loops at the time of failure or
recovery that would impact the Ethernet segment -- e.g., when two PEs
think that both are DFs for that segment before the DF election
procedure settles down.
In order to achieve this split-horizon function, every BUM packet
originating from a non-DF PE is encapsulated with an MPLS label that
identifies the Ethernet segment of origin (i.e., the segment from
which the frame entered the EVPN network). This label is referred to
as the ESI label and MUST be distributed by all PEs when operating in
All-Active redundancy mode using a set of Ethernet A-D per ES routes,
per Section 8.2.1 above. The ESI label SHOULD be distributed by all
PEs when operating in Single-Active redundancy mode using a set of
Ethernet A-D per ES routes. These routes are imported by the PEs
connected to the Ethernet segment and also by the PEs that have at
least one EVPN instance in common with the Ethernet segment in the
route. As described in Section 8.1.1, the route MUST carry an ESI
Label extended community with a valid ESI label. The disposition PE
relies on the value of the ESI label to determine whether or not a
BUM frame is allowed to egress a specific Ethernet segment.
8.3.1. ESI Label Assignment
The following subsections describe the assignment procedures for the
ESI label, which differ depending on the type of tunnels being used
to deliver multi-destination packets in the EVPN network.
8.3.1.1. Ingress Replication
Each PE that operates in All-Active or Single-Active redundancy mode
and that uses ingress replication to receive BUM traffic advertises a
downstream assigned ESI label in the set of Ethernet A-D per ES
routes for its attached ES. This label MUST be programmed in the
platform label space by the advertising PE, and the forwarding entry
Sajassi, et al. Standards Track [Page 22]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
for this label must result in NOT forwarding packets received with
this label onto the Ethernet segment for which the label was
distributed.
The rules for the inclusion of the ESI label in a BUM packet by the
ingress PE operating in All-Active redundancy mode are as follows:
- A non-DF ingress PE MUST include the ESI label distributed by the
DF egress PE in the copy of a BUM packet sent to it.
- An ingress PE (DF or non-DF) SHOULD include the ESI label
distributed by each non-DF egress PE in the copy of a BUM packet
sent to it.
The rule for the inclusion of the ESI label in a BUM packet by the
ingress PE operating in Single-Active redundancy mode is as follows:
- An ingress DF PE SHOULD include the ESI label distributed by the
egress PE in the copy of a BUM packet sent to it.
In both All-Active and Single-Active redundancy mode, an ingress PE
MUST NOT include an ESI label in the copy of a BUM packet sent to an
egress PE that is not attached to the ES through which the BUM packet
entered the EVI.
As an example, consider PE1 and PE2, which are multihomed to CE1 on
ES1 and operating in All-Active multihoming mode. Further, consider
that PE1 is using P2P or MP2P LSPs to send packets to PE2. Consider
that PE1 is the non-DF for VLAN1 and PE2 is the DF for VLAN1, and PE1
receives a BUM packet from CE1 on VLAN1 on ES1. In this scenario,
PE2 distributes an Inclusive Multicast Ethernet Tag route for VLAN1
corresponding to an EVPN instance. So, when PE1 sends a BUM packet
that it receives from CE1, it MUST first push onto the MPLS label
stack the ESI label that PE2 has distributed for ES1. It MUST then
push onto the MPLS label stack the MPLS label distributed by PE2 in
the Inclusive Multicast Ethernet Tag route for VLAN1. The resulting
packet is further encapsulated in the P2P or MP2P LSP label stack
required to transmit the packet to PE2. When PE2 receives this
packet, it determines, from the top MPLS label, the set of ESIs to
which it will replicate the packet after any P2P or MP2P LSP labels
have been removed. If the next label is the ESI label assigned by
PE2 for ES1, then PE2 MUST NOT forward the packet onto ES1. If the
next label is an ESI label that has not been assigned by PE2, then
PE2 MUST drop the packet. It should be noted that in this scenario,
if PE2 receives a BUM packet for VLAN1 from CE1, then it SHOULD
encapsulate the packet with an ESI label received from PE1 when
sending it to PE1 in order to avoid any transient loops during a
failure scenario that would impact ES1 (e.g., port or link failure).
Sajassi, et al. Standards Track [Page 23]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.3.1.2. P2MP MPLS LSPs
The non-DF PEs that operate in All-Active redundancy mode and that
use P2MP LSPs to send BUM traffic advertise an upstream assigned ESI
label in the set of Ethernet A-D per ES routes for their common
attached ES. This label is upstream assigned by the PE that
advertises the route. This label MUST be programmed by the other PEs
that are connected to the ESI advertised in the route, in the context
label space for the advertising PE. Further, the forwarding entry
for this label must result in NOT forwarding packets received with
this label onto the Ethernet segment for which the label was
distributed. This label MUST also be programmed by the other PEs
that import the route but are not connected to the ESI advertised in
the route, in the context label space for the advertising PE.
Further, the forwarding entry for this label must be a label pop with
no other associated action.
The DF PE that operates in Single-Active redundancy mode and that
uses P2MP LSPs to send BUM traffic should advertise an upstream
assigned ESI label in the set of Ethernet A-D per ES routes for its
attached ES, just as described in the previous paragraph.
As an example, consider PE1 and PE2, which are multihomed to CE1 on
ES1 and operating in All-Active multihoming mode. Also, consider
that PE3 belongs to one of the EVPN instances of ES1. Further,
assume that PE1, which is the non-DF, is using P2MP MPLS LSPs to send
BUM packets. When PE1 sends a BUM packet that it receives from CE1,
it MUST first push onto the MPLS label stack the ESI label that it
has assigned for the ESI on which the packet was received. The
resulting packet is further encapsulated in the P2MP MPLS label stack
necessary to transmit the packet to the other PEs. Penultimate hop
popping MUST be disabled on the P2MP LSPs used in the MPLS transport
infrastructure for EVPN. When PE2 receives this packet, it
decapsulates the top MPLS label and forwards the packet using the
context label space determined by the top label. If the next label
is the ESI label assigned by PE1 to ES1, then PE2 MUST NOT forward
the packet onto ES1. When PE3 receives this packet, it decapsulates
the top MPLS label and forwards the packet using the context label
space determined by the top label. If the next label is the ESI
label assigned by PE1 to ES1 and PE3 is not connected to ES1, then
PE3 MUST pop the label and flood the packet over all local ESIs in
that EVPN instance. It should be noted that when PE2 sends a BUM
frame over a P2MP LSP, it should encapsulate the frame with an ESI
label even though it is the DF for that VLAN, in order to avoid any
transient loops during a failure scenario that would impact ES1
(e.g., port or link failure).
Sajassi, et al. Standards Track [Page 24]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.4. Aliasing and Backup Path
In the case where a CE is multihomed to multiple PE nodes, using a
Link Aggregation Group (LAG) with All-Active redundancy, it is
possible that only a single PE learns a set of the MAC addresses
associated with traffic transmitted by the CE. This leads to a
situation where remote PE nodes receive MAC/IP Advertisement routes
for these addresses from a single PE, even though multiple PEs are
connected to the multihomed segment. As a result, the remote PEs are
not able to effectively load balance traffic among the PE nodes
connected to the multihomed Ethernet segment. This could be the
case, for example, when the PEs perform data-plane learning on the
access, and the load-balancing function on the CE hashes traffic from
a given source MAC address to a single PE.
Another scenario where this occurs is when the PEs rely on control-
plane learning on the access (e.g., using ARP), since ARP traffic
will be hashed to a single link in the LAG.
To address this issue, EVPN introduces the concept of 'aliasing',
which is the ability of a PE to signal that it has reachability to an
EVPN instance on a given ES even when it has learned no MAC addresses
from that EVI/ES. The Ethernet A-D per EVI route is used for this
purpose. A remote PE that receives a MAC/IP Advertisement route with
a non-reserved ESI SHOULD consider the advertised MAC address to be
reachable via all PEs that have advertised reachability to that MAC
address's EVI/ES via the combination of an Ethernet A-D per EVI route
for that EVI/ES (and Ethernet tag, if applicable) AND Ethernet A-D
per ES routes for that ES with the "Single-Active" bit in the flags
of the ESI Label extended community set to 0.
Note that the Ethernet A-D per EVI route may be received by a remote
PE before it receives the set of Ethernet A-D per ES routes.
Therefore, in order to handle corner cases and race conditions, the
Ethernet A-D per EVI route MUST NOT be used for traffic forwarding by
a remote PE until it also receives the associated set of Ethernet A-D
per ES routes.
The backup path is a closely related function, but it is used in
Single-Active redundancy mode. In this case, a PE also advertises
that it has reachability to a given EVI/ES using the same combination
of Ethernet A-D per EVI route and Ethernet A-D per ES route as
discussed above, but with the "Single-Active" bit in the flags of the
ESI Label extended community set to 1. A remote PE that receives a
MAC/IP Advertisement route with a non-reserved ESI SHOULD consider
the advertised MAC address to be reachable via any PE that has
advertised this combination of Ethernet A-D routes, and it SHOULD
install a backup path for that MAC address.
Sajassi, et al. Standards Track [Page 25]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.4.1. Constructing Ethernet A-D per EVPN Instance Route
This section describes the procedures used to construct the Ethernet
A-D per EVPN instance (EVI) route, which is used for aliasing (as
discussed above). Support of this route is OPTIONAL.
The Route Distinguisher (RD) MUST be set per Section 7.9.
The Ethernet Segment Identifier MUST be a 10-octet entity as
described in Section 5 ("Ethernet Segment"). The Ethernet A-D route
is not needed when the Segment Identifier is set to 0.
The Ethernet Tag ID is the identifier of an Ethernet tag on the
Ethernet segment. This value may be a 12-bit VLAN ID, in which case
the low-order 12 bits are set to the VLAN ID and the high-order
20 bits are set to 0. Or, it may be another Ethernet tag used by the
EVPN. It MAY be set to the default Ethernet tag on the Ethernet
segment or to the value 0.
Note that the above allows the Ethernet A-D route to be advertised
with one of the following granularities:
+ One Ethernet A-D route per <ESI, Ethernet Tag ID> tuple per
MAC-VRF. This is applicable when the PE uses MPLS-based
disposition with VID translation or may be applicable when the
PE uses MAC-based disposition with VID translation.
+ One Ethernet A-D route for each <ESI> per MAC-VRF (where the
Ethernet Tag ID is set to 0). This is applicable when the PE uses
MAC-based disposition or MPLS-based disposition without VID
translation.
The usage of the MPLS label is described in Section 14 ("Load
Balancing of Unicast Packets").
The Next Hop field of the MP_REACH_NLRI attribute of the route MUST
be set to the IPv4 or IPv6 address of the advertising PE.
The Ethernet A-D route MUST carry one or more Route Target (RT)
attributes, per Section 7.10.
Sajassi, et al. Standards Track [Page 26]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
8.5. Designated Forwarder Election
Consider a CE that is a host or a router that is multihomed directly
to more than one PE in an EVPN instance on a given Ethernet segment.
One or more Ethernet tags may be configured on the Ethernet segment.
In this scenario, only one of the PEs, referred to as the Designated
Forwarder (DF), is responsible for certain actions:
- Sending multicast and broadcast traffic, on a given Ethernet tag on
a particular Ethernet segment, to the CE.
- Flooding unknown unicast traffic (i.e., traffic for which a PE does
not know the destination MAC address), on a given Ethernet tag on a
particular Ethernet segment to the CE, if the environment requires
flooding of unknown unicast traffic.
Note that this behavior, which allows selecting a DF at the
granularity of <ES, VLAN> or <ES, VLAN bundle> for multicast,
broadcast, and unknown unicast traffic, is the default behavior in
this specification.
Note that a CE always sends packets belonging to a specific flow
using a single link towards a PE. For instance, if the CE is a host,
then, as mentioned earlier, the host treats the multiple links that
it uses to reach the PEs as a Link Aggregation Group (LAG). The CE
employs a local hashing function to map traffic flows onto links in
the LAG.
If a bridged network is multihomed to more than one PE in an EVPN
network via switches, then the support of All-Active redundancy mode
requires the bridged network to be connected to two or more PEs using
a LAG.
If a bridged network does not connect to the PEs using a LAG, then
only one of the links between the bridged network and the PEs must be
the active link for a given <ES, VLAN> or <ES, VLAN bundle>. In this
case, the set of Ethernet A-D per ES routes advertised by each PE
MUST have the "Single-Active" bit in the flags of the ESI Label
extended community set to 1.
The default procedure for DF election at the granularity of <ES,
VLAN> for VLAN-based service or <ES, VLAN bundle> for VLAN-(aware)
bundle service is referred to as "service carving". With service
carving, it is possible to elect multiple DFs per Ethernet segment
(one per VLAN or VLAN bundle) in order to perform load balancing of
multi-destination traffic destined to a given segment. The load-
balancing procedures carve up the VLAN space per ES among the PE
Sajassi, et al. Standards Track [Page 27]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
nodes evenly, in such a way that every PE is the DF for a disjoint
set of VLANs or VLAN bundles for that ES. The procedure for service
carving is as follows:
1. When a PE discovers the ESI of the attached Ethernet segment, it
advertises an Ethernet Segment route with the associated ES-Import
extended community attribute.
2. The PE then starts a timer (default value = 3 seconds) to allow
the reception of Ethernet Segment routes from other PE nodes
connected to the same Ethernet segment. This timer value should
be the same across all PEs connected to the same Ethernet segment.
3. When the timer expires, each PE builds an ordered list of the IP
addresses of all the PE nodes connected to the Ethernet segment
(including itself), in increasing numeric value. Each IP address
in this list is extracted from the "Originating Router's IP
address" field of the advertised Ethernet Segment route. Every PE
is then given an ordinal indicating its position in the ordered
list, starting with 0 as the ordinal for the PE with the
numerically lowest IP address. The ordinals are used to determine
which PE node will be the DF for a given EVPN instance on the
Ethernet segment, using the following rule:
Assuming a redundancy group of N PE nodes, for VLAN-based service,
the PE with ordinal i is the DF for an <ES, VLAN V> when (V mod N)
= i. In the case of VLAN-(aware) bundle service, then the
numerically lowest VLAN value in that bundle on that ES MUST be
used in the modulo function.
It should be noted that using the "Originating Router's IP
address" field in the Ethernet Segment route to get the PE IP
address needed for the ordered list allows for a CE to be
multihomed across different ASes if such a need ever arises.
4. The PE that is elected as a DF for a given <ES, VLAN> or <ES, VLAN
bundle> will unblock multi-destination traffic for that VLAN or
VLAN bundle on the corresponding ES. Note that the DF PE unblocks
multi-destination traffic in the egress direction towards the
segment. All non-DF PEs continue to drop multi-destination
traffic in the egress direction towards that <ES, VLAN> or <ES,
VLAN bundle>.
In the case of link or port failure, the affected PE withdraws its
Ethernet Segment route. This will re-trigger the service carving
procedures on all the PEs in the redundancy group. For PE node
failure, or upon PE commissioning or decommissioning, the PEs
re-trigger the service carving. In the case of Single-Active
Sajassi, et al. Standards Track [Page 28]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
multihoming, when a service moves from one PE in the redundancy
group to another PE as a result of re-carving, the PE, which ends
up being the elected DF for the service, SHOULD trigger a MAC
address flush notification towards the associated Ethernet
segment. This can be done, for example, using the IEEE 802.1ak
Multiple VLAN Registration Protocol (MVRP) 'new' declaration.
8.6. Interoperability with Single-Homing PEs
Let's refer to PEs that only support single-homed CE devices as
single-homing PEs. For single-homing PEs, all the above multihoming
procedures can be omitted; however, to allow for single-homing PEs
to fully interoperate with multihoming PEs, some of the multihoming
procedures described above SHOULD be supported even by single-
homing PEs:
- procedures related to processing Ethernet A-D routes for the
purpose of fast convergence (Section 8.2 ("Fast Convergence")), to
let single-homing PEs benefit from fast convergence
- procedures related to processing Ethernet A-D routes for the
purpose of aliasing (Section 8.4 ("Aliasing and Backup Path")), to
let single-homing PEs benefit from load balancing
- procedures related to processing Ethernet A-D routes for the
purpose of a backup path (Section 8.4 ("Aliasing and Backup
Path")), to let single-homing PEs benefit from the corresponding
convergence improvement
Sajassi, et al. Standards Track [Page 29]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
9. Determining Reachability to Unicast MAC Addresses
PEs forward packets that they receive based on the destination MAC
address. This implies that PEs must be able to learn how to reach a
given destination unicast MAC address.
There are two components to MAC address learning -- "local learning"
and "remote learning":
9.1. Local Learning
A particular PE must be able to learn the MAC addresses from the CEs
that are connected to it. This is referred to as local learning.
The PEs in a particular EVPN instance MUST support local data-plane
learning using standard IEEE Ethernet learning procedures. A PE must
be capable of learning MAC addresses in the data plane when it
receives packets such as the following from the CE network:
- DHCP requests
- An ARP Request for its own MAC
- An ARP Request for a peer
Alternatively, PEs MAY learn the MAC addresses of the CEs in the
control plane or via management-plane integration between the PEs and
the CEs.
There are applications where a MAC address that is reachable via a
given PE on a locally attached segment (e.g., with ESI X) may move,
such that it becomes reachable via another PE on another segment
(e.g., with ESI Y). This is referred to as "MAC Mobility".
Procedures to support this are described in Section 15 ("MAC
Mobility").
9.2. Remote Learning
A particular PE must be able to determine how to send traffic to MAC
addresses that belong to or are behind CEs connected to other PEs,
i.e., to remote CEs or hosts behind remote CEs. We call such MAC
addresses "remote" MAC addresses.
This document requires a PE to learn remote MAC addresses in the
control plane. In order to achieve this, each PE advertises the MAC
addresses it learns from its locally attached CEs in the control
plane, to all the other PEs in that EVPN instance, using MP-BGP and,
specifically, the MAC/IP Advertisement route.
Sajassi, et al. Standards Track [Page 30]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
9.2.1. Constructing MAC/IP Address Advertisement
BGP is extended to advertise these MAC addresses using the MAC/IP
Advertisement route type in the EVPN NLRI.
The RD MUST be set per Section 7.9.
The Ethernet Segment Identifier is set to the 10-octet ESI described
in Section 5 ("Ethernet Segment").
The Ethernet Tag ID may be zero or may represent a valid Ethernet
Tag ID. This field may be non-zero when there are multiple bridge
tables in the MAC-VRF (i.e., the PE needs to support VLAN-aware
bundle service for that EVI).
When the Ethernet Tag ID in the NLRI is set to a non-zero value for a
particular broadcast domain, then this Ethernet Tag ID may be either
the CE's Ethernet tag value (e.g., CE VLAN ID) or the EVPN provider's
Ethernet tag value (e.g., provider VLAN ID). The latter would be the
case if the CE Ethernet tags (e.g., CE VLAN ID) for a particular
broadcast domain are different on different CEs.
The MAC Address Length field is in bits, and it is set to 48. MAC
address length values other than 48 bits are outside the scope of
this document. The encoding of a MAC address MUST be the 6-octet MAC
address specified by [802.1Q] and [802.1D-REV].
The IP Address field is optional. By default, the IP Address Length
field is set to 0, and the IP Address field is omitted from the
route. When a valid IP address needs to be advertised, it is then
encoded in this route. When an IP address is present, the IP Address
Length field is in bits, and it is set to 32 or 128 bits. Other IP
Address Length values are outside the scope of this document. The
encoding of an IP address MUST be either 4 octets for IPv4 or
16 octets for IPv6. The Length field of the EVPN NLRI (which is in
octets and is described in Section 7) is sufficient to determine
whether an IP address is encoded in this route and, if so, whether
the encoded IP address is IPv4 or IPv6.
The MPLS Label1 field is encoded as 3 octets, where the high-order
20 bits contain the label value. The MPLS Label1 MUST be downstream
assigned, and it is associated with the MAC address being advertised
by the advertising PE. The advertising PE uses this label when it
receives an MPLS-encapsulated packet to perform forwarding based on
the destination MAC address toward the CE. The forwarding procedures
are specified in Sections 13 and 14.
Sajassi, et al. Standards Track [Page 31]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
A PE may advertise the same single EVPN label for all MAC addresses
in a given MAC-VRF. This label assignment is referred to as a per
MAC-VRF label assignment. Alternatively, a PE may advertise a unique
EVPN label per <MAC-VRF, Ethernet tag> combination. This label
assignment is referred to as a per <MAC-VRF, Ethernet tag> label
assignment. As a third option, a PE may advertise a unique EVPN
label per <ESI, Ethernet tag> combination. This label assignment is
referred to as a per <ESI, Ethernet tag> label assignment. As a
fourth option, a PE may advertise a unique EVPN label per MAC
address. This label assignment is referred to as a per MAC label
assignment. All of these label assignment methods have their
trade-offs. The choice of a particular label assignment methodology
is purely local to the PE that originates the route.
An assignment per MAC-VRF label requires the least number of EVPN
labels but requires a MAC lookup in addition to an MPLS lookup on an
egress PE for forwarding. On the other hand, a unique label per
<ESI, Ethernet tag> or a unique label per MAC allows an egress PE to
forward a packet that it receives from another PE, to the connected
CE, after looking up only the MPLS labels without having to perform a
MAC lookup. This includes the capability to perform appropriate VLAN
ID translation on egress to the CE.
The MPLS Label2 field is an optional field. If it is present, then
it is encoded as 3 octets, where the high-order 20 bits contain the
label value.
The Next Hop field of the MP_REACH_NLRI attribute of the route MUST
be set to the IPv4 or IPv6 address of the advertising PE.
The BGP advertisement for the MAC/IP Advertisement route MUST also
carry one or more Route Target (RT) attributes. RTs may be
configured (as in IP VPNs) or may be derived automatically from the
Ethernet Tag ID, in the Unique VLAN case, as described in
Section 7.10.1.
It is to be noted that this document does not require PEs to create
forwarding state for remote MACs when they are learned in the control
plane. When this forwarding state is actually created is a local
implementation matter.
9.2.2. Route Resolution
If the Ethernet Segment Identifier field in a received MAC/IP
Advertisement route is set to the reserved ESI value of 0 or MAX-ESI,
then if the receiving PE decides to install forwarding state for the
associated MAC address, it MUST be based on the MAC/IP Advertisement
route alone.
Sajassi, et al. Standards Track [Page 32]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
If the Ethernet Segment Identifier field in a received MAC/IP
Advertisement route is set to a non-reserved ESI, and the receiving
PE is locally attached to the same ESI, then the PE does not alter
its forwarding state based on the received route. This ensures that
local routes are preferred to remote routes.
If the Ethernet Segment Identifier field in a received MAC/IP
Advertisement route is set to a non-reserved ESI, then if the
receiving PE decides to install forwarding state for the associated
MAC address, it MUST be when both the MAC/IP Advertisement route AND
the associated set of Ethernet A-D per ES routes have been received.
The dependency of MAC route installation on Ethernet A-D per ES
routes is to ensure that MAC routes don't get accidentally installed
during a mass withdraw period.
To illustrate this with an example, consider two PEs (PE1 and PE2)
connected to a multihomed Ethernet segment ES1. All-Active
redundancy mode is assumed. A given MAC address M1 is learned by PE1
but not PE2. On PE3, the following states may arise:
T1 When the MAC/IP Advertisement route from PE1 and the set of
Ethernet A-D per ES routes and Ethernet A-D per EVI routes from
PE1 and PE2 are received, PE3 can forward traffic destined to
M1 to both PE1 and PE2.
T2 If after T1 PE1 withdraws its set of Ethernet A-D per ES
routes, then PE3 forwards traffic destined to M1 to PE2 only.
T2' If after T1 PE2 withdraws its set of Ethernet A-D per ES
routes, then PE3 forwards traffic destined to M1 to PE1 only.
T2'' If after T1 PE1 withdraws its MAC/IP Advertisement route, then
PE3 treats traffic to M1 as unknown unicast.
T3 PE2 also advertises a MAC route for M1, and then PE1 withdraws
its MAC route for M1. PE3 continues forwarding traffic
destined to M1 to both PE1 and PE2. In other words, despite M1
withdrawal by PE1, PE3 forwards the traffic destined to M1 to
both PE1 and PE2. This is because a flow from the CE,
resulting in M1 traffic getting hashed to PE1, can get
terminated, resulting in M1 being aged out in PE1; however, M1
can be reachable by both PE1 and PE2.
10. ARP and ND
The IP Address field in the MAC/IP Advertisement route may optionally
carry one of the IP addresses associated with the MAC address. This
provides an option that can be used to minimize the flooding of ARP
Sajassi, et al. Standards Track [Page 33]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
or Neighbor Discovery (ND) messages over the MPLS network and to
remote CEs. This option also minimizes ARP (or ND) message
processing on end-stations/hosts connected to the EVPN network. A PE
may learn the IP address associated with a MAC address in the control
or management plane between the CE and the PE. Or, it may learn this
binding by snooping certain messages to or from a CE. When a PE
learns the IP address associated with a MAC address of a locally
connected CE, it may advertise this address to other PEs by including
it in the MAC/IP Advertisement route. The IP address may be an IPv4
address encoded using 4 octets or an IPv6 address encoded using
16 octets. For ARP and ND purposes, the IP Address Length field MUST
be set to 32 for an IPv4 address or 128 for an IPv6 address.
If there are multiple IP addresses associated with a MAC address,
then multiple MAC/IP Advertisement routes MUST be generated, one for
each IP address. For instance, this may be the case when there are
both an IPv4 and an IPv6 address associated with the same MAC address
for dual-IP-stack scenarios. When the IP address is dissociated with
the MAC address, then the MAC/IP Advertisement route with that
particular IP address MUST be withdrawn.
Note that a MAC-only route can be advertised along with, but
independent from, a MAC/IP route for scenarios where the MAC learning
over an access network/node is done in the data plane and independent
from ARP snooping that generates a MAC/IP route. In such scenarios,
when the ARP entry times out and causes the MAC/IP to be withdrawn,
then the MAC information will not be lost. In scenarios where the
host MAC/IP is learned via the management or control plane, then the
sender PE may only generate and advertise the MAC/IP route. If the
receiving PE receives both the MAC-only route and the MAC/IP route,
then when it receives a withdraw message for the MAC/IP route, it
MUST delete the corresponding entry from the ARP table but not the
MAC entry from the MAC-VRF table, unless it receives a withdraw
message for the MAC-only route.
When a PE receives an ARP Request for an IP address from a CE, and if
the PE has the MAC address binding for that IP address, the PE SHOULD
perform ARP proxy by responding to the ARP Request.
10.1. Default Gateway
When a PE needs to perform inter-subnet forwarding where each subnet
is represented by a different broadcast domain (e.g., a different
VLAN), the inter-subnet forwarding is performed at Layer 3, and the
PE that performs such a function is called the default gateway for
the EVPN instance. In this case, when the PE receives an ARP Request
for the IP address configured as the default gateway address, the PE
originates an ARP Reply.
Sajassi, et al. Standards Track [Page 34]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Each PE that acts as a default gateway for a given EVPN instance MAY
advertise in the EVPN control plane its default gateway MAC address
using the MAC/IP Advertisement route, and each such PE indicates that
such a route is associated with the default gateway. This is
accomplished by requiring the route to carry the Default Gateway
extended community defined in Section 7.8 ("Default Gateway Extended
Community"). The ESI field is set to zero when advertising the MAC
route with the Default Gateway extended community.
The IP Address field of the MAC/IP Advertisement route is set to the
default gateway IP address for that subnet (e.g., an EVPN instance).
For a given subnet (e.g., a VLAN or EVPN instance), the default
gateway IP address is the same across all the participant PEs. The
inclusion of this IP address enables the receiving PE to check its
configured default gateway IP address against the one received in the
MAC/IP Advertisement route for that subnet (or EVPN instance), and if
there is a discrepancy, then the PE SHOULD notify the operator and
log an error message.
Unless it is known a priori (by means outside of this document) that
all PEs of a given EVPN instance act as a default gateway for that
EVPN instance, the MPLS label MUST be set to a valid downstream
assigned label.
Furthermore, even if all PEs of a given EVPN instance do act as a
default gateway for that EVPN instance, but only some, but not all,
of these PEs have sufficient (routing) information to provide
inter-subnet routing for all the inter-subnet traffic originated
within the subnet associated with the EVPN instance, then when such a
PE advertises in the EVPN control plane its default gateway MAC
address using the MAC/IP Advertisement route and indicates that such
a route is associated with the default gateway, the route MUST carry
a valid downstream assigned label.
If all PEs of a given EVPN instance act as a default gateway for that
EVPN instance, and the same default gateway MAC address is used
across all gateway devices, then no such advertisement is needed.
However, if each default gateway uses a different MAC address, then
each default gateway needs to be aware of other gateways' MAC
addresses and thus the need for such an advertisement. This is
called MAC address aliasing, since a single default gateway can be
represented by multiple MAC addresses.
Each PE that receives this route and imports it as per procedures
specified in this document follows the procedures in this section
when replying to ARP Requests that it receives.
Sajassi, et al. Standards Track [Page 35]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Each PE that acts as a default gateway for a given EVPN instance that
receives this route and imports it as per procedures specified in
this document MUST create MAC forwarding state that enables it to
apply IP forwarding to the packets destined to the MAC address
carried in the route.
11. Handling of Multi-destination Traffic
Procedures are required for a given PE to send broadcast or multicast
traffic received from a CE encapsulated in a given Ethernet tag
(VLAN) in an EVPN instance to all the other PEs that span that
Ethernet tag (VLAN) in that EVPN instance. In certain scenarios, as
described in Section 12 ("Processing of Unknown Unicast Packets"), a
given PE may also need to flood unknown unicast traffic to other PEs.
The PEs in a particular EVPN instance may use ingress replication,
P2MP LSPs, or MP2MP LSPs to send unknown unicast, broadcast, or
multicast traffic to other PEs.
Each PE MUST advertise an "Inclusive Multicast Ethernet Tag route" to
enable the above. The following subsection provides the procedures
to construct the Inclusive Multicast Ethernet Tag route. Subsequent
subsections describe its usage in further detail.
11.1. Constructing Inclusive Multicast Ethernet Tag Route
The RD MUST be set per Section 7.9.
The Ethernet Tag ID is the identifier of the Ethernet tag. It may be
set to 0 or to a valid Ethernet tag value.
The Originating Router's IP Address field value MUST be set to an IP
address of the PE that should be common for all the EVIs on the PE
(e.g., this address may be the PE's loopback address). The IP
Address Length field is in bits.
The Next Hop field of the MP_REACH_NLRI attribute of the route MUST
be set to the IPv4 or IPv6 address of the advertising PE.
The BGP advertisement for the Inclusive Multicast Ethernet Tag route
MUST also carry one or more Route Target (RT) attributes. The
assignment of RTs as described in Section 7.10 MUST be followed.
Sajassi, et al. Standards Track [Page 36]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
11.2. P-Tunnel Identification
In order to identify the P-tunnel used for sending broadcast, unknown
unicast, or multicast traffic, the Inclusive Multicast Ethernet Tag
route MUST carry a Provider Multicast Service Interface (PMSI) Tunnel
attribute as specified in [RFC6514].
Depending on the technology used for the P-tunnel for the EVPN
instance on the PE, the PMSI Tunnel attribute of the Inclusive
Multicast Ethernet Tag route is constructed as follows.
+ If the PE that originates the advertisement uses a P-multicast tree
for the P-tunnel for EVPN, the PMSI Tunnel attribute MUST contain
the identity of the tree (note that the PE could create the
identity of the tree prior to the actual instantiation of the
tree).
+ A PE that uses a P-multicast tree for the P-tunnel MAY aggregate
two or more EVPN instances (EVIs) present on the PE onto the same
tree. In this case, in addition to carrying the identity of the
tree, the PMSI Tunnel attribute MUST carry an MPLS upstream
assigned label, which the PE has bound uniquely to the EVI
associated with this update (as determined by its RTs).
If the PE has already advertised Inclusive Multicast Ethernet Tag
routes for two or more EVIs that it now desires to aggregate, then
the PE MUST re-advertise those routes. The re-advertised routes
MUST be the same as the original ones, except for the PMSI Tunnel
attribute and the label carried in that attribute.
+ If the PE that originates the advertisement uses ingress
replication for the P-tunnel for EVPN, the route MUST include the
PMSI Tunnel attribute with the Tunnel Type set to Ingress
Replication and the Tunnel Identifier set to a routable address of
the PE. The PMSI Tunnel attribute MUST carry a downstream assigned
MPLS label. This label is used to demultiplex the broadcast,
multicast, or unknown unicast EVPN traffic received over an MP2P
tunnel by the PE.
+ The Leaf Information Required flag of the PMSI Tunnel attribute
MUST be set to zero and MUST be ignored on receipt.
Sajassi, et al. Standards Track [Page 37]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
12. Processing of Unknown Unicast Packets
The procedures in this document do not require the PEs to flood
unknown unicast traffic to other PEs. If PEs learn CE MAC addresses
via a control-plane protocol, the PEs can then distribute MAC
addresses via BGP, and all unicast MAC addresses will be learned
prior to traffic to those destinations.
However, if a destination MAC address of a received packet is not
known by the PE, the PE may have to flood the packet. When flooding,
one must take into account "split-horizon forwarding" as follows: The
principles behind the following procedures are borrowed from the
split-horizon forwarding rules in VPLS solutions [RFC4761] [RFC4762].
When a PE capable of flooding (say PEx) receives an unknown
destination MAC address, it floods the frame. If the frame arrived
from an attached CE, PEx must send a copy of that frame on every
Ethernet segment (belonging to that EVI) for which it is the DF,
other than the Ethernet segment on which it received the frame. In
addition, the PE must flood the frame to all other PEs participating
in that EVPN instance. If, on the other hand, the frame arrived from
another PE (say PEy), PEx must send a copy of the packet on each
Ethernet segment (belonging to that EVI) for which it is the DF. PEx
MUST NOT send the frame to other PEs, since PEy would have already
done so. Split-horizon forwarding rules apply to unknown MAC
addresses.
Whether or not to flood packets to unknown destination MAC addresses
should be an administrative choice, depending on how learning happens
between CEs and PEs.
The PEs in a particular EVPN instance may use ingress replication
using RSVP-TE P2P LSPs or LDP MP2P LSPs for sending unknown unicast
traffic to other PEs. Or, they may use RSVP-TE P2MP or LDP P2MP for
sending such traffic to other PEs.
12.1. Ingress Replication
If ingress replication is in use, the P-tunnel attribute, carried in
the Inclusive Multicast Ethernet Tag routes for the EVPN instance,
specifies the downstream label that the other PEs can use to send
unknown unicast, multicast, or broadcast traffic for that EVPN
instance to this particular PE.
The PE that receives a packet with this particular MPLS label MUST
treat the packet as a broadcast, multicast, or unknown unicast
packet. Further, if the MAC address is a unicast MAC address, the PE
MUST treat the packet as an unknown unicast packet.
Sajassi, et al. Standards Track [Page 38]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
12.2. P2MP MPLS LSPs
The procedures for using P2MP LSPs are very similar to the VPLS
procedures described in [RFC7117]. The P-tunnel attribute used by a
PE for sending unknown unicast, broadcast, or multicast traffic for a
particular EVPN instance is advertised in the Inclusive Multicast
Ethernet Tag route as described in Section 11 ("Handling of
Multi-destination Traffic").
The P-tunnel attribute specifies the P2MP LSP identifier. This is
the equivalent of an Inclusive tree as described in [RFC7117]. Note
that multiple Ethernet tags, which may be in different EVPN
instances, may use the same P2MP LSP, using upstream labels
[RFC7117]. This is the equivalent of an Aggregate Inclusive tree
[RFC7117]. When P2MP LSPs are used for flooding unknown unicast
traffic, packet reordering is possible.
The PE that receives a packet on the P2MP LSP specified in the PMSI
Tunnel attribute MUST treat the packet as a broadcast, multicast, or
unknown unicast packet. Further, if the MAC address is a unicast MAC
address, the PE MUST treat the packet as an unknown unicast packet.
13. Forwarding Unicast Packets
This section describes procedures for forwarding unicast packets by
PEs, where such packets are received from either directly connected
CEs or some other PEs.
13.1. Forwarding Packets Received from a CE
When a PE receives a packet from a CE, on a given Ethernet Tag ID, it
must first look up the source MAC address of the packet. In certain
environments that enable MAC security, the source MAC address MAY be
used to validate the host identity and determine that traffic from
the host can be allowed into the network. Source MAC lookup MAY also
be used for local MAC address learning.
If the PE decides to forward the packet, the destination MAC address
of the packet must be looked up. If the PE has received MAC address
advertisements for this destination MAC address from one or more
other PEs or has learned it from locally connected CEs, the MAC
address is considered a known MAC address. Otherwise, it is
considered an unknown MAC address.
Sajassi, et al. Standards Track [Page 39]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
For known MAC addresses, the PE forwards this packet to one of the
remote PEs or to a locally attached CE. When forwarding to a remote
PE, the packet is encapsulated in the EVPN MPLS label advertised by
the remote PE, for that MAC address, and in the MPLS LSP label stack
to reach the remote PE.
If the MAC address is unknown and if the administrative policy on the
PE requires flooding of unknown unicast traffic, then:
- The PE MUST flood the packet to other PEs. The PE MUST first
encapsulate the packet in the ESI MPLS label as described in
Section 8.3. If ingress replication is used, the packet MUST be
replicated to each remote PE, with the VPN label being an MPLS
label determined as follows: This is the MPLS label advertised by
the remote PE in a PMSI Tunnel attribute in the Inclusive Multicast
Ethernet Tag route for a <MAC-VRF> or <MAC-VRF, Ethernet tag>
combination.
The Ethernet tag in the route may be the same as the Ethernet tag
associated with the interface on which the ingress PE receives the
packet. If P2MP LSPs are being used, the packet MUST be sent on
the P2MP LSP of which the PE is the root, for the Ethernet tag in
the EVPN instance. If the same P2MP LSP is used for all Ethernet
tags, then all the PEs in the EVPN instance MUST be the leaves of
the P2MP LSP. If a distinct P2MP LSP is used for a given Ethernet
tag in the EVPN instance, then only the PEs in the Ethernet tag
MUST be the leaves of the P2MP LSP. The packet MUST be
encapsulated in the P2MP LSP label stack.
If the MAC address is unknown, then, if the administrative policy on
the PE does not allow flooding of unknown unicast traffic:
- the PE MUST drop the packet.
Sajassi, et al. Standards Track [Page 40]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
13.2. Forwarding Packets Received from a Remote PE
This section describes the procedures for forwarding known and
unknown unicast packets received from a remote PE.
13.2.1. Unknown Unicast Forwarding
When a PE receives an MPLS packet from a remote PE, then, after
processing the MPLS label stack, if the top MPLS label ends up being
a P2MP LSP label associated with an EVPN instance or -- in the case
of ingress replication -- the downstream label advertised in the
P-tunnel attribute, and after performing the split-horizon procedures
described in Section 8.3:
- If the PE is the designated forwarder of BUM traffic on a
particular set of ESIs for the Ethernet tag, the default behavior
is for the PE to flood the packet on these ESIs. In other words,
the default behavior is for the PE to assume that for BUM traffic
it is not required to perform a destination MAC address lookup. As
an option, the PE may perform a destination MAC lookup to flood the
packet to only a subset of the CE interfaces in the Ethernet tag.
For instance, the PE may decide to not flood a BUM packet on
certain Ethernet segments even if it is the DF on the Ethernet
segment, based on administrative policy.
- If the PE is not the designated forwarder on any of the ESIs for
the Ethernet tag, the default behavior is for it to drop the
packet.
13.2.2. Known Unicast Forwarding
If the top MPLS label ends up being an EVPN label that was advertised
in the unicast MAC advertisements, then the PE either forwards the
packet based on CE next-hop forwarding information associated with
the label or does a destination MAC address lookup to forward the
packet to a CE.
14. Load Balancing of Unicast Packets
This section specifies the load-balancing procedures for sending
known unicast packets to a multihomed CE.
14.1. Load Balancing of Traffic from a PE to Remote CEs
Whenever a remote PE imports a MAC/IP Advertisement route for a given
<ESI, Ethernet tag> in a MAC-VRF, it MUST examine all imported
Ethernet A-D routes for that ESI in order to determine the load-
balancing characteristics of the Ethernet segment.
Sajassi, et al. Standards Track [Page 41]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
14.1.1. Single-Active Redundancy Mode
For a given ES, if the remote PE has imported the set of Ethernet A-D
per ES routes from at least one PE, where the "Single-Active" flag in
the ESI Label extended community is set, then the remote PE MUST
deduce that the ES is operating in Single-Active redundancy mode. As
such, the MAC address will be reachable only via the PE announcing
the associated MAC/IP Advertisement route -- this is referred to as
the primary PE. The other PEs advertising the set of Ethernet A-D
per ES routes for the same ES provide backup paths for that ES, in
case the primary PE encounters a failure, and are referred to as
backup PEs. It should be noted that the primary PE for a given <ES,
VLAN> (or <ES, VLAN bundle>) is the DF for that <ES, VLAN> (or <ES,
VLAN bundle>).
If the primary PE encounters a failure, it MAY withdraw its set of
Ethernet A-D per ES routes for the affected ES prior to withdrawing
its set of MAC/IP Advertisement routes.
If there is only one backup PE for a given ES, the remote PE MAY use
the primary PE's withdrawal of its set of Ethernet A-D per ES routes
as a trigger to update its forwarding entries, for the associated MAC
addresses, to point towards the backup PE. As the backup PE starts
learning the MAC addresses over its attached ES, it will start
sending MAC/IP Advertisement routes while the failed PE withdraws its
routes. This mechanism minimizes the flooding of traffic during
fail-over events.
If there is more than one backup PE for a given ES, the remote PE
MUST use the primary PE's withdrawal of its set of Ethernet A-D per
ES routes as a trigger to start flooding traffic for the associated
MAC addresses (as long as flooding of unknown unicast packets is
administratively allowed), as it is not possible to select a single
backup PE.
14.1.2. All-Active Redundancy Mode
For a given ES, if the remote PE has imported the set of Ethernet A-D
per ES routes from one or more PEs and none of them have the
"Single-Active" flag in the ESI Label extended community set, then
the remote PE MUST deduce that the ES is operating in All-Active
redundancy mode. A remote PE that receives a MAC/IP Advertisement
route with a non-reserved ESI SHOULD consider the advertised MAC
address to be reachable via all PEs that have advertised reachability
to that MAC address's EVI/ES via the combination of an Ethernet A-D
per EVI route for that EVI/ES (and Ethernet tag, if applicable) AND
an Ethernet A-D per ES route for that ES. The remote PE MUST use
Sajassi, et al. Standards Track [Page 42]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
received MAC/IP Advertisement routes and Ethernet A-D per EVI/per ES
routes to construct the set of next hops for the advertised MAC
address.
Each next hop comprises an MPLS label stack that is to be used by the
egress PE to forward the packet. This label stack is determined as
follows:
- If the next hop is constructed as a result of a MAC route, then
this label stack MUST be used. However, if the MAC route doesn't
exist for that PE, then the next hop and the MPLS label stack are
constructed as a result of the Ethernet A-D routes. Note that the
following description applies to determining the label stack for a
particular next hop to reach a given PE, from which the remote PE
has received and imported Ethernet A-D routes that have the same
ESI and Ethernet tag as the ones present in the MAC advertisement.
The Ethernet A-D routes mentioned in the following description
refer to the ones imported from this given PE.
- If a set of Ethernet A-D per ES routes for that ES AND an Ethernet
A-D route per EVI exist, only then must the label from that latter
route be used.
The following example explains the above.
Consider a CE (CE1) that is dual-homed to two PEs (PE1 and PE2) on a
LAG interface (ES1), and is sending packets with source MAC address
MAC1 on VLAN1 (mapped to EVI1). A remote PE, say PE3, is able to
learn that MAC1 is reachable via PE1 and PE2. Both PE1 and PE2 may
advertise MAC1 in BGP if they receive packets with MAC1 from CE1. If
this is not the case, and if MAC1 is advertised only by PE1, PE3
still considers MAC1 as reachable via both PE1 and PE2, as both PE1
and PE2 advertise a set of Ethernet A-D per ES routes for ES1 as well
as an Ethernet A-D per EVI route for <EVI1, ES1>.
The MPLS label stack to send the packets to PE1 is the MPLS LSP stack
to get to PE1 (at the top of the stack) followed by the EVPN label
advertised by PE1 for CE1's MAC.
The MPLS label stack to send packets to PE2 is the MPLS LSP stack to
get to PE2 (at the top of the stack) followed by the MPLS label in
the Ethernet A-D route advertised by PE2 for <ES1, VLAN1>, if PE2 has
not advertised MAC1 in BGP.
We will refer to these label stacks as MPLS next hops.
Sajassi, et al. Standards Track [Page 43]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
The remote PE (PE3) can now load balance the traffic it receives from
its CEs, destined for CE1, between PE1 and PE2. PE3 may use N-tuple
flow information to hash traffic into one of the MPLS next hops for
load balancing of IP traffic. Alternatively, PE3 may rely on the
source MAC addresses for load balancing.
Note that once PE3 decides to send a particular packet to PE1 or PE2,
it can pick one out of multiple possible paths to reach the
particular remote PE using regular MPLS procedures. For instance, if
the tunneling technology is based on RSVP-TE LSPs and PE3 decides to
send a particular packet to PE1, then PE3 can choose from multiple
RSVP-TE LSPs that have PE1 as their destination.
When PE1 or PE2 receives the packet destined for CE1 from PE3, if the
packet is a known unicast, it is forwarded to CE1. If it is a BUM
packet, then only one of PE1 or PE2 must forward the packet to the
CE. Whether PE1 or PE2 forwards this packet to the CE is determined
based on which of the two is the DF.
14.2. Load Balancing of Traffic between a PE and a Local CE
A CE may be configured with more than one interface connected to
different PEs or the same PE for load balancing, using a technology
such as a LAG. The PE(s) and the CE can load balance traffic onto
these interfaces using one of the following mechanisms.
14.2.1. Data-Plane Learning
Consider that the PEs perform data-plane learning for local MAC
addresses learned from local CEs. This enables the PE(s) to learn a
particular MAC address and associate it with one or more interfaces,
if the technology between the PE and the CE supports multipathing.
The PEs can now load balance traffic destined to that MAC address on
the multiple interfaces.
Whether the CE can load balance traffic that it generates on the
multiple interfaces is dependent on the CE implementation.
14.2.2. Control-Plane Learning
The CE can be a host that advertises the same MAC address using a
control protocol on all interfaces. This enables the PE(s) to learn
the host's MAC address and associate it with all interfaces. The PEs
can now load balance traffic destined to the host on all these
interfaces. The host can also load balance the traffic it generates
onto these interfaces, and the PE that receives the traffic employs
EVPN forwarding procedures to forward the traffic.
Sajassi, et al. Standards Track [Page 44]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
15. MAC Mobility
It is possible for a given host or end-station (as defined by its MAC
address) to move from one Ethernet segment to another; this is
referred to as 'MAC Mobility' or 'MAC move', and it is different from
the multihoming situation in which a given MAC address is reachable
via multiple PEs for the same Ethernet segment. In a MAC move, there
would be two sets of MAC/IP Advertisement routes -- one set with the
new Ethernet segment and one set with the previous Ethernet segment
-- and the MAC address would appear to be reachable via each of these
segments.
In order to allow all of the PEs in the EVPN instance to correctly
determine the current location of the MAC address, all advertisements
of it being reachable via the previous Ethernet segment MUST be
withdrawn by the PEs, for the previous Ethernet segment, that had
advertised it.
If local learning is performed using the data plane, these PEs will
not be able to detect that the MAC address has moved to another
Ethernet segment, and the receipt of MAC/IP Advertisement routes,
with the MAC Mobility extended community attribute, from other PEs
serves as the trigger for these PEs to withdraw their advertisements.
If local learning is performed using the control or management
planes, these interactions serve as the trigger for these PEs to
withdraw their advertisements.
In a situation where there are multiple moves of a given MAC,
possibly between the same two Ethernet segments, there may be
multiple withdrawals and re-advertisements. In order to ensure that
all PEs in the EVPN instance receive all of these correctly through
the intervening BGP infrastructure, introducing a sequence number
into the MAC Mobility extended community attribute is necessary.
In order to process mobility events correctly, an implementation MUST
handle scenarios in which sequence number wraparound occurs.
Every MAC mobility event for a given MAC address will contain a
sequence number that is set using the following rules:
- A PE advertising a MAC address for the first time advertises it
with no MAC Mobility extended community attribute.
- A PE detecting a locally attached MAC address for which it had
previously received a MAC/IP Advertisement route with a different
Ethernet segment identifier advertises the MAC address in a MAC/IP
Advertisement route tagged with a MAC Mobility extended community
attribute with a sequence number one greater than the sequence
Sajassi, et al. Standards Track [Page 45]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
number in the MAC Mobility extended community attribute of the
received MAC/IP Advertisement route. In the case of the first
mobility event for a given MAC address, where the received MAC/IP
Advertisement route does not carry a MAC Mobility extended
community attribute, the value of the sequence number in the
received route is assumed to be 0 for the purpose of this
processing.
- A PE detecting a locally attached MAC address for which it had
previously received a MAC/IP Advertisement route with the same
non-zero Ethernet segment identifier advertises it with:
1. no MAC Mobility extended community attribute, if the received
route did not carry said attribute.
2. a MAC Mobility extended community attribute with the sequence
number equal to the highest of the sequence number(s) in the
received MAC/IP Advertisement route(s), if the received route(s)
is (are) tagged with a MAC Mobility extended community
attribute.
- A PE detecting a locally attached MAC address for which it had
previously received a MAC/IP Advertisement route with the same zero
Ethernet segment identifier (single-homed scenarios) advertises it
with a MAC Mobility extended community attribute with the sequence
number set properly. In the case of single-homed scenarios, there
is no need for ESI comparison. ESI comparison is done for
multihoming in order to prevent false detection of MAC moves among
the PEs attached to the same multihomed site.
A PE receiving a MAC/IP Advertisement route for a MAC address with a
different Ethernet segment identifier and a higher sequence number
than that which it had previously advertised withdraws its MAC/IP
Advertisement route. If two (or more) PEs advertise the same MAC
address with the same sequence number but different Ethernet segment
identifiers, a PE that receives these routes selects the route
advertised by the PE with the lowest IP address as the best route.
If the PE is the originator of the MAC route and it receives the same
MAC address with the same sequence number that it generated, it will
compare its own IP address with the IP address of the remote PE and
will select the lowest IP. If its own route is not the best one, it
will withdraw the route.
Sajassi, et al. Standards Track [Page 46]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
15.1. MAC Duplication Issue
A situation may arise where the same MAC address is learned by
different PEs in the same VLAN because of two (or more) hosts being
misconfigured with the same (duplicate) MAC address. In such a
situation, the traffic originating from these hosts would trigger
continuous MAC moves among the PEs attached to these hosts. It is
important to recognize such a situation and avoid incrementing the
sequence number (in the MAC Mobility extended community attribute) to
infinity. In order to remedy such a situation, a PE that detects a
MAC mobility event via local learning starts an M-second timer (with
a default value of M = 180), and if it detects N MAC moves before the
timer expires (with a default value of N = 5), it concludes that a
duplicate-MAC situation has occurred. The PE MUST alert the operator
and stop sending and processing any BGP MAC/IP Advertisement routes
for that MAC address until a corrective action is taken by the
operator. The values of M and N MUST be configurable to allow for
flexibility in operator control. Note that the other PEs in the EVPN
instance will forward the traffic for the duplicate MAC address to
one of the PEs advertising the duplicate MAC address.
15.2. Sticky MAC Addresses
There are scenarios in which it is desired to configure some MAC
addresses as static so that they are not subjected to MAC moves. In
such scenarios, these MAC addresses are advertised with a MAC
Mobility extended community where the static flag is set to 1 and the
sequence number is set to zero. If a PE receives such advertisements
and later learns the same MAC address(es) via local learning, then
the PE MUST alert the operator.
16. Multicast and Broadcast
The PEs in a particular EVPN instance may use ingress replication or
P2MP LSPs to send multicast traffic to other PEs.
16.1. Ingress Replication
The PEs may use ingress replication for flooding BUM traffic as
described in Section 11 ("Handling of Multi-destination Traffic"). A
given broadcast packet must be sent to all the remote PEs. However,
a given multicast packet for a multicast flow may be sent to only a
subset of the PEs. Specifically, a given multicast flow may be sent
to only those PEs that have receivers that are interested in the
multicast flow. Determining which of the PEs have receivers for a
given multicast flow is done using explicit tracking per [RFC7117].
Sajassi, et al. Standards Track [Page 47]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
16.2. P2MP LSPs
A PE may use an "Inclusive" tree for sending a BUM packet. This
terminology is borrowed from [RFC7117].
A variety of transport technologies may be used in the service
provider (SP) network. For Inclusive P-multicast trees, these
transport technologies include point-to-multipoint LSPs created by
RSVP-TE or Multipoint LDP (mLDP).
16.2.1. Inclusive Trees
An Inclusive tree allows the use of a single multicast distribution
tree, referred to as an Inclusive P-multicast tree, in the SP network
to carry all the multicast traffic from a specified set of EVPN
instances on a given PE. A particular P-multicast tree can be set up
to carry the traffic originated by sites belonging to a single EVPN
instance, or to carry the traffic originated by sites belonging to
several EVPN instances. The ability to carry the traffic of more
than one EVPN instance on the same tree is termed 'Aggregation', and
the tree is called an Aggregate Inclusive P-multicast tree or
Aggregate Inclusive tree for short. The Aggregate Inclusive tree
needs to include every PE that is a member of any of the EVPN
instances that are using the tree. This implies that a PE may
receive BUM traffic even if it doesn't have any receivers that are
interested in receiving that traffic.
An Inclusive or Aggregate Inclusive tree as defined in this document
is a P2MP tree. A P2MP tree is used to carry traffic only for EVPN
CEs that are connected to the PE that is the root of the tree.
The procedures for signaling an Inclusive tree are the same as those
in [RFC7117], with the VPLS A-D route replaced with the Inclusive
Multicast Ethernet Tag route. The P-tunnel attribute [RFC7117] for
an Inclusive tree is advertised with the Inclusive Multicast Ethernet
Tag route as described in Section 11 ("Handling of Multi-destination
Traffic"). Note that for an Aggregate Inclusive tree, a PE can
"aggregate" multiple EVPN instances on the same P2MP LSP using
upstream labels. The procedures for aggregation are the same as
those described in [RFC7117], with VPLS A-D routes replaced by EVPN
Inclusive Multicast Ethernet Tag routes.
Sajassi, et al. Standards Track [Page 48]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
17. Convergence
This section describes failure recovery from different types of
network failures.
17.1. Transit Link and Node Failures between PEs
The use of existing MPLS fast-reroute mechanisms can provide failure
recovery on the order of 50 ms, in the event of transit link and node
failures in the infrastructure that connects the PEs.
17.2. PE Failures
Consider a host CE1 that is dual-homed to PE1 and PE2. If PE1 fails,
a remote PE, PE3, can discover this based on the failure of the BGP
session. This failure detection can be in the sub-second range if
Bidirectional Forwarding Detection (BFD) is used to detect BGP
session failures. PE3 can update its forwarding state to start
sending all traffic for CE1 to only PE2.
17.3. PE-to-CE Network Failures
If the connectivity between the multihomed CE and one of the PEs to
which it is attached fails, the PE MUST withdraw the set of Ethernet
A-D per ES routes that had been previously advertised for that ES.
This enables the remote PEs to remove the MPLS next hop to this
particular PE from the set of MPLS next hops that can be used to
forward traffic to the CE. When the MAC entry on the PE ages out,
the PE MUST withdraw the MAC address from BGP.
When an Ethernet tag is decommissioned on an Ethernet segment, then
the PE MUST withdraw the Ethernet A-D per EVI route(s) announced for
the <ESI, Ethernet tags> that are impacted by the decommissioning.
In addition, the PE MUST also withdraw the MAC/IP Advertisement
routes that are impacted by the decommissioning.
The Ethernet A-D per ES routes should be used by an implementation to
optimize the withdrawal of MAC/IP Advertisement routes. When a PE
receives a withdrawal of a particular Ethernet A-D route from an
advertising PE, it SHOULD consider all the MAC/IP Advertisement
routes that are learned from the same ESI as in the Ethernet A-D
route from the advertising PE as having been withdrawn. This
optimizes the network convergence times in the event of PE-to-CE
failures.
Sajassi, et al. Standards Track [Page 49]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
18. Frame Ordering
In a MAC address, if the value of the first nibble (bits 8 through 5)
of the most significant octet of the destination MAC address (which
follows the last MPLS label) happens to be 0x4 or 0x6, then the
Ethernet frame can be misinterpreted as an IPv4 or IPv6 packet by
intermediate P nodes performing ECMP based on deep packet inspection,
thus resulting in load balancing packets belonging to the same flow
on different ECMP paths and subjecting those packets to different
delays. Therefore, packets belonging to the same flow can arrive at
the destination out of order. This out-of-order delivery can happen
during steady state in the absence of any failures, resulting in
significant impact on network operations.
In order to avoid any such misordering, the following rules are
applied:
- If a network uses deep packet inspection for its ECMP, then the
"Preferred PW MPLS Control Word" [RFC4385] SHOULD be used with the
value 0 (e.g., a 4-octet field with a value of zero) when sending
EVPN-encapsulated packets over an MP2P LSP.
- If a network uses entropy labels [RFC6790], then the control word
SHOULD NOT be used when sending EVPN-encapsulated packets over an
MP2P LSP.
- When sending EVPN-encapsulated packets over a P2MP LSP or P2P LSP,
then the control word SHOULD NOT be used.
19. Security Considerations
Security considerations discussed in [RFC4761] and [RFC4762] apply to
this document for MAC learning in the data plane over an Attachment
Circuit (AC) and for flooding of unknown unicast and ARP messages
over the MPLS/IP core. Security considerations discussed in
[RFC4364] apply to this document for MAC learning in the control
plane over the MPLS/IP core. This section describes additional
considerations.
As mentioned in [RFC4761], there are two aspects to achieving data
privacy and protecting against denial-of-service attacks in a VPN:
securing the control plane and protecting the forwarding path.
Compromise of the control plane could result in a PE sending customer
data belonging to some EVPN to another EVPN, or black-holing EVPN
customer data, or even sending it to an eavesdropper, none of which
are acceptable from a data privacy point of view. In addition,
compromise of the control plane could provide opportunities for
Sajassi, et al. Standards Track [Page 50]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
unauthorized EVPN data usage (e.g., exploiting traffic replication
within a multicast tree to amplify a denial-of-service attack based
on sending large amounts of traffic).
The mechanisms in this document use BGP for the control plane.
Hence, techniques such as those discussed in [RFC5925] help
authenticate BGP messages, making it harder to spoof updates (which
can be used to divert EVPN traffic to the wrong EVPN instance) or
withdrawals (denial-of-service attacks). In the multi-AS backbone
options (b) and (c) [RFC4364], this also means protecting the
inter-AS BGP sessions between the Autonomous System Border Routers
(ASBRs), the PEs, or the Route Reflectors.
Further discussion of security considerations for BGP may be found in
the BGP specification itself [RFC4271] and in the security analysis
for BGP [RFC4272]. The original discussion of the use of the TCP MD5
signature option to protect BGP sessions is found in [RFC5925], while
[RFC6952] includes an analysis of BGP keying and authentication
issues.
Note that [RFC5925] will not help in keeping MPLS labels private --
knowing the labels, one can eavesdrop on EVPN traffic. Such
eavesdropping additionally requires access to the data path within an
SP network. Users of VPN services are expected to take appropriate
precautions (such as encryption) to protect the data exchanged over
a VPN.
One of the requirements for protecting the data plane is that the
MPLS labels be accepted only from valid interfaces. For a PE, valid
interfaces comprise links from other routers in the PE's own AS. For
an ASBR, valid interfaces comprise links from other routers in the
ASBR's own AS, and links from other ASBRs in ASes that have instances
of a given EVPN. It is especially important in the case of multi-AS
EVPN instances that one accept EVPN packets only from valid
interfaces.
It is also important to help limit malicious traffic into a network
for an impostor MAC address. The mechanism described in Section 15.1
shows how duplicate MAC addresses can be detected and continuous
false MAC mobility can be prevented. The mechanism described in
Section 15.2 shows how MAC addresses can be pinned to a given
Ethernet segment, such that if they appear behind any other Ethernet
segments, the traffic for those MAC addresses can be prevented from
entering the EVPN network from the other Ethernet segments.
Sajassi, et al. Standards Track [Page 51]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
20. IANA Considerations
This document defines a new NLRI, called "EVPN", to be carried in BGP
using multiprotocol extensions. This NLRI uses the existing AFI of
25 (L2VPN). IANA has assigned BGP EVPNs a SAFI value of 70.
IANA has allocated the following EVPN Extended Community sub-types in
[RFC7153], and this document is the only reference for them.
0x00 MAC Mobility [RFC7432]
0x01 ESI Label [RFC7432]
0x02 ES-Import Route Target [RFC7432]
This document creates a registry called "EVPN Route Types". New
registrations will be made through the "RFC Required" procedure
defined in [RFC5226]. The registry has a maximum value of 255.
Initial registrations are as follows:
0 Reserved [RFC7432]
1 Ethernet Auto-discovery [RFC7432]
2 MAC/IP Advertisement [RFC7432]
3 Inclusive Multicast Ethernet Tag [RFC7432]
4 Ethernet Segment [RFC7432]
21. References
21.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271,
January 2006, <http://www.rfc-editor.org/info/rfc4271>.
[RFC4360] Sangli, S., Tappan, D., and Y. Rekhter, "BGP Extended
Communities Attribute", RFC 4360, February 2006,
<http://www.rfc-editor.org/info/rfc4360>.
[RFC4364] Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
Networks (VPNs)", RFC 4364, February 2006,
<http://www.rfc-editor.org/info/rfc4364>.
[RFC4760] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", RFC 4760,
January 2007, <http://www.rfc-editor.org/info/rfc4760>.
Sajassi, et al. Standards Track [Page 52]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
[RFC4761] Kompella, K., Ed., and Y. Rekhter, Ed., "Virtual Private
LAN Service (VPLS) Using BGP for Auto-Discovery and
Signaling", RFC 4761, January 2007,
<http://www.rfc-editor.org/info/rfc4761>.
[RFC4762] Lasserre, M., Ed., and V. Kompella, Ed., "Virtual Private
LAN Service (VPLS) Using Label Distribution Protocol (LDP)
Signaling", RFC 4762, January 2007,
<http://www.rfc-editor.org/info/rfc4762>.
[RFC7153] Rosen, E. and Y. Rekhter, "IANA Registries for BGP
Extended Communities", RFC 7153, March 2014,
<http://www.rfc-editor.org/info/rfc7153>.
21.2. Informative References
[802.1D-REV]
"IEEE Standard for Local and metropolitan area networks -
Media Access Control (MAC) Bridges", IEEE Std. 802.1D,
June 2004.
[802.1Q] "IEEE Standard for Local and metropolitan area networks -
Media Access Control (MAC) Bridges and Virtual Bridged
Local Area Networks", IEEE Std 802.1Q(tm), 2014 Edition,
November 2014.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis",
RFC 4272, January 2006,
<http://www.rfc-editor.org/info/rfc4272>.
[RFC4385] Bryant, S., Swallow, G., Martini, L., and D. McPherson,
"Pseudowire Emulation Edge-to-Edge (PWE3) Control Word for
Use over an MPLS PSN", RFC 4385, February 2006,
<http://www.rfc-editor.org/info/rfc4385>.
[RFC4664] Andersson, L., Ed., and E. Rosen, Ed., "Framework for
Layer 2 Virtual Private Networks (L2VPNs)", RFC 4664,
September 2006, <http://www.rfc-editor.org/info/rfc4664>.
[RFC4684] Marques, P., Bonica, R., Fang, L., Martini, L., Raszuk,
R., Patel, K., and J. Guichard, "Constrained Route
Distribution for Border Gateway Protocol/MultiProtocol
Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual
Private Networks (VPNs)", RFC 4684, November 2006,
<http://www.rfc-editor.org/info/rfc4684>.
Sajassi, et al. Standards Track [Page 53]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
[RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
IANA Considerations Section in RFCs", BCP 26, RFC 5226,
May 2008, <http://www.rfc-editor.org/info/rfc5226>.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010,
<http://www.rfc-editor.org/info/rfc5925>.
[RFC6514] Aggarwal, R., Rosen, E., Morin, T., and Y. Rekhter, "BGP
Encodings and Procedures for Multicast in MPLS/BGP IP
VPNs", RFC 6514, February 2012,
<http://www.rfc-editor.org/info/rfc6514>.
[RFC6790] Kompella, K., Drake, J., Amante, S., Henderickx, W., and
L. Yong, "The Use of Entropy Labels in MPLS Forwarding",
RFC 6790, November 2012,
<http://www.rfc-editor.org/info/rfc6790>.
[RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of
BGP, LDP, PCEP, and MSDP Issues According to the Keying
and Authentication for Routing Protocols (KARP) Design
Guide", RFC 6952, May 2013,
<http://www.rfc-editor.org/info/rfc6952>.
[RFC7117] Aggarwal, R., Ed., Kamite, Y., Fang, L., Rekhter, Y., and
C. Kodeboniya, "Multicast in Virtual Private LAN Service
(VPLS)", RFC 7117, February 2014,
<http://www.rfc-editor.org/info/rfc7117>.
[RFC7209] Sajassi, A., Aggarwal, R., Uttaro, J., Bitar, N.,
Henderickx, W., and A. Isaac, "Requirements for Ethernet
VPN (EVPN)", RFC 7209, May 2014,
<http://www.rfc-editor.org/info/rfc7209>.
Sajassi, et al. Standards Track [Page 54]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Acknowledgements
Special thanks to Yakov Rekhter for reviewing this document several
times and providing valuable comments, and for his very engaging
discussions on several topics of this document that helped shape this
document. We would also like to thank Pedro Marques, Kaushik Ghosh,
Nischal Sheth, Robert Raszuk, Amit Shukla, and Nadeem Mohammed for
discussions that helped shape this document. We would also like to
thank Han Nguyen for his comments and support of this work. We would
also like to thank Steve Kensil and Reshad Rahman for their reviews.
We would like to thank Jorge Rabadan for his contribution to
Section 5 of this document. We would like to thank Thomas Morin for
his review of this document and his contribution of Section 8.6.
Many thanks to Jakob Heitz for his help to improve several sections
of this document.
We would also like to thank Clarence Filsfils, Dennis Cai, Quaizar
Vohra, Kireeti Kompella, and Apurva Mehta for their contributions to
this document.
Last but not least, special thanks to Giles Heron (our WG chair) for
his detailed review of this document in preparation for WG Last Call
and for making many valuable suggestions.
Contributors
In addition to the authors listed on the front page, the following
co-authors have also contributed to this document:
Keyur Patel
Samer Salam
Sami Boutros
Cisco
Yakov Rekhter
Ravi Shekhar
Juniper Networks
Florin Balus
Nuage Networks
Sajassi, et al. Standards Track [Page 55]
RFC 7432 BGP MPLS-Based Ethernet VPN February 2015
Authors' Addresses
Ali Sajassi (editor)
Cisco
EMail: sajassi@cisco.com
Rahul Aggarwal
Arktan
EMail: raggarwa_1@yahoo.com
Nabil Bitar
Verizon Communications
EMail : nabil.n.bitar@verizon.com
Aldrin Isaac
Bloomberg
EMail: aisaac71@bloomberg.net
James Uttaro
AT&T
EMail: uttaro@att.com
John Drake
Juniper Networks
EMail: jdrake@juniper.net
Wim Henderickx
Alcatel-Lucent
EMail: wim.henderickx@alcatel-lucent.com
Sajassi, et al. Standards Track [Page 56]