
EVPN

Updated on Mar 30, 2024 by

What Is EVPN?

EVPN (Ethernet Virtual Private Network), specified in RFC 7432, is a full-service bearer VPN technology. It gives the various VPN service types a common control plane: BGP extensions (MP-BGP) carry Layer 2 and Layer 3 reachability information, so the control plane is separated from the forwarding plane.

Traditional L2VPN cannot load-balance across multi-homed links and consumes significant network resources (MAC learning by flooding, full-mesh signaling). EVPN removes these limitations by bringing the traffic balancing and flexible deployment of IP VPNs into the Ethernet domain. It is commonly used to interconnect Layer 2 networks between large data centers and can also carry L3VPN services, which reduces the number of protocols a network has to run.

What Is EVPN and BGP EVPN?

EVPN stands as a modern, comprehensive VPN solution, departing from the conventional L2VPN approach of learning MAC addresses solely on the forwarding plane. Instead, it introduces a control plane and utilizes BGP extensions for the transmission of MAC address information. Leveraging MP-BGP, EVPN defines a range of novel BGP EVPN route types facilitating the exchange of MAC addresses among different sites.

BGP EVPN defines the following route types (Types 1 to 4 come from RFC 7432; the IP prefix route, Type 5, was added by RFC 9136):

  1. Ethernet auto-discovery route (Type 1): advertised per ES and per EVI. The per-ES route carries the ESI label used for split horizon and lets a PE withdraw every MAC behind a failed ES with one update (mass withdrawal, hence fast convergence); the per-EVI route enables aliasing, so remote PEs can load-balance to all PEs of a multi-homed ES even when only one of them advertised a given MAC.

  2. MAC/IP advertisement route (Type 2): advertises a site's MAC address, optionally its IP address, and the MPLS label(s) needed to reach it. Remote PEs learn MAC and IP bindings from these routes, so ARP requests need not be flooded across the network, which reduces broadcast traffic and saves bandwidth.

  3. Inclusive multicast route (Type 3): advertises how a PE wants to receive broadcast, unknown unicast and multicast (BUM) traffic for a broadcast domain. PEs in the same domain discover each other through it, and its tunnel attributes set up the data-plane tunnel over which the local PE forwards BUM traffic received from its CEs to remote PEs.

  4. Ethernet segment route (Type 4): lets the PEs attached to the same CE (the same ES) discover one another and is the input to designated forwarder (DF) election. To stop a multi-homed CE from receiving duplicate copies, DF election picks one PE on the ES to forward BUM traffic toward the CE.

  5. IP prefix route (Type 5): the route through which EVPN connects to external networks; routes imported from outside are advertised as IP prefixes.
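As an added worked example (written for this page, not taken from the article or from any vendor's BGP code), the following Python encodes and parses the wire format of two of these routes, the Type 2 MAC/IP advertisement and the Type 3 inclusive multicast route, as laid out in RFC 7432. The RD, ESI, MAC, IP and label values are constructed; the MPLS label field encoding (20-bit label in the upper bits of the 3-octet field) is the common implementation choice and is an assumption here.

```python
"""Added example (not from the article or any vendor): encode and parse EVPN
Type 2 and Type 3 NLRIs in the RFC 7432 wire format, with constructed values."""
import ipaddress
import struct

MAC_IP_ADV, INCLUSIVE_MCAST = 2, 3      # route type codes from RFC 7432


def encode_rd(rd):
    """Route Distinguisher: 'ASN:nn' -> Type 0, 'A.B.C.D:nn' -> Type 1."""
    admin, num = rd.split(":")
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, int(num))
    return struct.pack("!HHI", 0, int(admin), int(num))


def decode_rd(raw):
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", raw[2:8])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", raw[2:8])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    raise ValueError(f"unsupported RD type {rd_type}")


def encode_label(label):
    """Assumed encoding: 20-bit label in the top bits of the 3-octet field,
    low 4 bits (TC/BoS) zero, as common EVPN implementations do."""
    if not 0 <= label < 1 << 20:
        raise ValueError("label out of range")
    return (label << 4).to_bytes(3, "big")


def decode_label(raw):
    return int.from_bytes(raw, "big") >> 4


def encode_mac_ip(rd, esi, eth_tag, mac, ip, label):
    body = encode_rd(rd) + bytes.fromhex(esi.replace(":", ""))  # RD + 10-octet ESI
    body += struct.pack("!I", eth_tag)
    body += bytes([48]) + bytes.fromhex(mac.replace(":", ""))   # MAC length + MAC
    if ip is None:
        body += bytes([0])
    else:
        addr = ipaddress.ip_address(ip)
        body += bytes([addr.max_prefixlen]) + addr.packed
    body += encode_label(label)
    return bytes([MAC_IP_ADV, len(body)]) + body


def encode_imet(rd, eth_tag, orig_ip):
    addr = ipaddress.ip_address(orig_ip)
    body = encode_rd(rd) + struct.pack("!I", eth_tag) + bytes([addr.max_prefixlen]) + addr.packed
    return bytes([INCLUSIVE_MCAST, len(body)]) + body


def decode_nlri(raw):
    """Parse one EVPN NLRI. Every field is checked against the declared length,
    so a truncated or padded update raises ValueError instead of being read
    past its end or silently accepted."""
    if len(raw) < 2:
        raise ValueError("NLRI header truncated")
    rtype, length = raw[0], raw[1]
    body = raw[2:2 + length]
    if len(body) != length:
        raise ValueError("NLRI body truncated")
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past NLRI length")
        pos += n
        return body[pos - n:pos]

    out = {"type": rtype, "rd": decode_rd(take(8))}
    if rtype == MAC_IP_ADV:
        out["esi"] = take(10).hex(":")
        out["eth_tag"] = struct.unpack("!I", take(4))[0]
        if take(1)[0] != 48:
            raise ValueError("MAC length must be 48")
        out["mac"] = take(6).hex(":")
        ip_len = take(1)[0]
        if ip_len not in (0, 32, 128):
            raise ValueError("IP length must be 0, 32 or 128")
        out["ip"] = str(ipaddress.ip_address(take(ip_len // 8))) if ip_len else None
        out["label"] = decode_label(take(3))
        if pos < len(body):                       # optional Label2 (IRB)
            out["label2"] = decode_label(take(3))
    elif rtype == INCLUSIVE_MCAST:
        out["eth_tag"] = struct.unpack("!I", take(4))[0]
        ip_len = take(1)[0]
        if ip_len not in (32, 128):
            raise ValueError("originating IP length must be 32 or 128")
        out["orig_ip"] = str(ipaddress.ip_address(take(ip_len // 8)))
    else:
        raise ValueError(f"route type {rtype} not handled here")
    if pos != len(body):
        raise ValueError("trailing bytes in NLRI")
    return out
```

Every length byte in an EVPN NLRI is a place where a parser that trusts the peer reads past the buffer or accepts padded data; decode_nlri checks each field against the declared length and rejects trailing bytes, which is the check a BGP speaker has to make on every EVPN UPDATE it receives from a peer.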

Why Do We Need EVPN?

Challenges of Traditional L2VPN Technologies

Challenges in traditional L2VPN technologies, exemplified by virtual private LAN service (VPLS), hinder their effectiveness in large-scale and intricate data center interconnection (DCI) scenarios. VPLS, an early MPLS VPN technology commonly used for multipoint-to-multipoint wide area Ethernet services in data centers, faces several limitations that impede its suitability for complex environments.

Traditional L2VPN deployment on a DCI network

- Difficulty in network deployment

Deploying traditional L2VPN technologies is difficult because Provider Edge (PE) devices must hold the MAC addresses of every host behind the Customer Edge (CE) devices. The PE MAC address table therefore has to be large, which pushes up the hardware specification, and the extensive manual configuration complicates network setup further.

- Limited scalability

VPLS necessitates the establishment of full-mesh pseudowires (PWs) between PE devices, making it unsuitable for large-scale networks. Additionally, the absence of a control plane in VPLS results in suboptimal convergence during MAC address changes or faults, as Layer 2 forwarding entries must be re-learned through flooding.

- Suboptimal link bandwidth utilization

When a CE is multi-homed to several PEs, only one PE-CE link can be active at a time (single-active mode); otherwise a loop forms between the PEs and the CE. The standby links carry no traffic, so the available link bandwidth is poorly used.

Benefits of EVPN Technologies

EVPN addresses the mentioned issues through the following approaches:

- Illustrated in the figure below, EVPN utilizes BGP extensions to shift MAC address learning and advertisement from the data plane to the control plane in Layer 2 networks. This allows devices to manage MAC addresses akin to route management, facilitating load balancing between EVPN routes with identical destination MAC addresses but diverse next hops.

Comparing EVPN with traditional L2VPN

- EVPN removes the need for full-mesh connections between PEs. Because EVPN routes are carried in BGP, BGP route reflection applies: a route reflector (RR) deployed in the EVPN reflects EVPN routes to the PEs that peer with it, so PEs no longer need sessions (or pseudowires) to every other PE, which reduces network complexity and the volume of signaling messages.

- EVPN empowers PEs to acquire local MAC addresses through ARP and gather remote MAC and IP addresses using MAC/IP advertisement routes. These addresses are then stored locally. Upon receiving an ARP request, a PE searches its cached MAC and IP address information based on the destination IP address in the request. By finding the corresponding information, the PE can promptly issue an ARP reply. This approach diminishes the utilization of network resources, as the PE no longer needs to broadcast ARP requests to other PEs.

How Does EVPN Work?

Basic Concepts

EVPN Networking

- Ethernet Segment (ES)

When a Customer Edge (CE) device is connected to two or more Provider Edge (PE) devices, the Ethernet links between the CE and different PEs constitute an Ethernet Segment (ES). In the depicted network, CE1 is dual-homed to both PE1 and PE2, and the Ethernet links connecting CE1 to each PE form an ES.

- Ethernet Segment Identifier (ESI)

The Ethernet Segment Identifier (ESI) uniquely identifies an ES. In the network illustrated above, the interfaces on different PEs that connect to the same CE must be configured with the same ESI. An ESI of 0 means the CE is single-homed to that PE.

- EVPN Instance (EVI)

Similar to the Virtual Switch Instance (VSI) in Virtual Private LAN Service (VPLS), an EVPN Instance (EVI) is employed to distinguish a VPN customer. Given that EVPN is a type of VPN, a PE can support multiple EVIs.

- MAC-VRF

The MAC-VRF is the MAC forwarding table of an EVPN instance; it holds the MAC addresses the EVI learns locally and those it receives through BGP EVPN routes. Each EVI has its own, independent MAC-VRF, so the addresses of different VPN customers are never mixed in one table.

EVPN Startup Process

EVPN Network Topology

In the depicted diagram, EVPN comes up in the following steps:

1. Create EVIs:

Create an EVI on every PE, and configure the RD and RT attributes of each EVI.

2. Set up BGP peers and activate EVPN:

Each PE sends a Type 3 route to its peers, carrying the EVI's RD and the MPLS label the PE has allocated for BUM traffic.

A peer that receives the route installs it in its local BUM traffic forwarding table, which later determines where BUM packets are replicated.

3. Associate the ESI with the EVI:

Bind the ESI configured on the CE-facing interface to the EVI.

Each PE then sends a Type 4 route to its peers, carrying the RD, the ESI and the PE's own (originating) IP address.

Peers record the received ESI in their ESI member information table. DF election for each ES runs on that member list; by default RFC 7432 orders the member PEs by IP address and assigns each VLAN to one of them.

4. Exchange Type 1 routes among PEs to distribute ESI labels:

After DF election completes, the PEs send Type 1 routes to one another, each carrying an ESI and the ESI label the advertising PE has allocated for it.

When a PE receives a Type 1 route, it checks whether the route's ESI matches a local ESI. If it does, the PE adds the advertising PE to its local ES member list for that ESI and keeps the ESI label for split-horizon filtering of BUM traffic.

MAC Address Learning

Suppose CE1 sends an ARP request that arrives at PE1. PE1 learns CE1's MAC address (mac1) on the forwarding plane and records it in its local MAC-VRF. PE1 then builds a Type 2 route to advertise mac1 to the other PEs; the route carries the EVI's RD, the ESI of the link to CE1, mac1 and the MPLS label assigned to mac1.

Type 2 route advertisement

In the illustrated network, when PE3 and PE4 receive the Type 2 route from PE1 they update their local MAC-VRFs, learning CE1's MAC address through the control plane. PE2 finds that the route carries the same ESI as its own local ES; it therefore installs mac1 with a local next hop pointing to Port2 rather than a tunnel to PE1.

PE2 likewise generates a Type 2 route for mac1 from its own local MAC address entry and advertises it to its peers. After both advertisements every PE holds mac1 in its MAC-VRF, and PE3 and PE4 hold two next hops for it, PE1 and PE2.

Traffic Forwarding

Traffic forwarding

In the illustrated scenario, CE1 sends an ARP request. PE1 replicates it to all its peers according to its local BUM traffic forwarding table. PE3 removes the tunnel header, checks that it is the designated forwarder (DF) for CE2's ES, and forwards the packet to CE2. PE4, which is not the DF for that ES, drops the packet instead of forwarding it to CE2, so CE2 receives a single copy.

For the copy sent to PE2, PE1 also pushes the ESI label that PE2 advertised in its Type 1 route, because the two PEs share the ES. When PE2 removes the tunnel header and finds its own ESI label, it knows the packet entered the network from the local ES (that is, from CE1 itself) and discards it rather than looping it back to CE1. This is EVPN's split-horizon mechanism for multi-homed segments.
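The DF election and split-horizon behaviour described above, as an added worked example (not code from the article or any vendor): it models the page's topology with constructed PE addresses, ESIs and labels, and uses the default DF election of RFC 7432 section 8.5 (members of an ES ordered by IP address, VLAN v served by member v mod N), which the article does not spell out and which is an assumption about the election procedure in use.

```python
"""Added example modelling EVPN BUM handling on the article's topology: CE1 is
dual-homed to PE1/PE2 and CE2 to PE3/PE4. Addresses, ESIs and labels are
constructed for the example; this is not vendor code."""
from dataclasses import dataclass, field
import ipaddress

ESI_ZERO = "00" * 10                              # single-homed attachment circuit
ES_A, ES_B = "00" * 9 + "aa", "00" * 9 + "bb"     # constructed 10-octet ESIs


def elect_df(es_member_ips, vlan):
    """RFC 7432 8.5 default DF election: members of the ES (learned from Type 4
    routes) are ordered by IP address, and VLAN v is served by member v mod N."""
    ordered = sorted(es_member_ips, key=lambda ip: int(ipaddress.ip_address(ip)))
    return ordered[vlan % len(ordered)]


@dataclass
class AC:
    name: str
    esi: str
    vlan: int


@dataclass
class PE:
    ip: str
    acs: list                  # local attachment circuits
    es_members: dict           # esi -> set of member PE IPs (Type 4 routes)
    my_esi_label: dict         # esi -> ESI label this PE advertised (Type 1)
    peer_esi_label: dict = field(default_factory=dict)   # (peer, esi) -> label
    imet_label: dict = field(default_factory=dict)       # peer -> label (Type 3)

    def ingress_replicate(self, src_esi, vlan):
        """Replicate a BUM frame from a local AC to every Type 3 peer. A peer
        that shares the source ES also gets that peer's ESI label pushed below
        the inclusive-multicast label (split horizon, RFC 7432 8.3)."""
        copies = []
        for peer, label in self.imet_label.items():
            stack = [label]
            if peer in self.es_members.get(src_esi, ()):
                stack.append(self.peer_esi_label[(peer, src_esi)])
            copies.append((peer, stack, vlan))
        return copies

    def egress_deliver(self, stack, vlan):
        """Return the local ACs that receive a BUM copy. An AC on an ES whose
        ESI label is in the stack is skipped (the frame came from that ES);
        on a multi-homed ES only the DF for the VLAN forwards."""
        esi_label = stack[1] if len(stack) > 1 else None
        out = []
        for ac in self.acs:
            if ac.vlan != vlan:
                continue
            if esi_label is not None and self.my_esi_label.get(ac.esi) == esi_label:
                continue                                   # split horizon
            if ac.esi != ESI_ZERO and elect_df(self.es_members[ac.esi], vlan) != self.ip:
                continue                                   # non-DF stays silent
            out.append(ac.name)
        return out


def build_topology():
    pe1, pe2, pe3, pe4 = "192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"
    members = {ES_A: {pe1, pe2}, ES_B: {pe3, pe4}}
    pes = {
        pe1: PE(pe1, [AC("Port1", ES_A, 100)], members, {ES_A: 1001}),
        pe2: PE(pe2, [AC("Port2", ES_A, 100)], members, {ES_A: 1002}),
        pe3: PE(pe3, [AC("Port3", ES_B, 100)], members, {ES_B: 1003}),
        pe4: PE(pe4, [AC("Port4", ES_B, 100)], members, {ES_B: 1004}),
    }
    for ip, pe in pes.items():                # what BGP would have distributed
        for other_ip, other in pes.items():
            if other_ip == ip:
                continue
            pe.imet_label[other_ip] = 3000 + int(other_ip.rsplit(".", 1)[1])
            for esi, label in other.my_esi_label.items():
                pe.peer_esi_label[(other_ip, esi)] = label
    return pes


def run_arp_request(pes):
    """CE1 broadcasts on PE1's Port1; return which AC on each peer gets a copy."""
    received = {}
    for peer, stack, vlan in pes["192.0.2.1"].ingress_replicate(ES_A, 100):
        received[peer] = pes[peer].egress_deliver(stack, vlan)
    return received


if __name__ == "__main__":
    print(run_arp_request(build_topology()))
```

run_arp_request(build_topology()) returns {'192.0.2.2': [], '192.0.2.3': ['Port3'], '192.0.2.4': []}: PE2 drops its copy on seeing its own ESI label, PE3 forwards as DF, and PE4 stays silent as non-DF. The ESI label only prevents the loop if every PE on the ES honours it; a PE that accepts BUM frames carrying its own ESI label, or that forwards while not DF, reintroduces exactly the duplicates and loops that single-active mode existed to prevent.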

Unicast Traffic Forwarding

Unicast traffic forwarding

In the depicted network, CE1's ARP request reaches CE2, and CE2 sends a unicast ARP reply that arrives at PE3. PE3 learns CE2's MAC address from the reply and advertises it to PE1 and PE2 in a Type 2 route; PE1 and PE2 record it in the corresponding MAC-VRF.

To forward the ARP reply itself, PE3 looks up the destination MAC address, mac1, in its local MAC-VRF. The lookup returns two next hops, PE1 and PE2. PE3 selects one of them with its load-balancing algorithm, say PE1, and sends the packet through the tunnel to PE1. PE1 strips the tunnel header, looks up the destination MAC address in its local MAC-VRF, finds Port1 as the next hop, and forwards the packet to CE1 through Port1.

This process encapsulates the flow from CE1's ARP request to CE2's ARP reply, and ultimately, CE1's reception of the ARP reply.
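The ARP suppression described under the benefits of EVPN, and the MAC learning and unicast forwarding walked through above, as one added worked example (not code from the article or any vendor): a minimal PE that builds its MAC-VRF and ARP cache from local learning and received Type 2 routes, answers ARP requests from that cache, and picks a next hop per flow when several PEs advertise the same MAC. The PE addresses, MACs, ESIs and labels are constructed; the frames follow the real Ethernet II and ARP (RFC 826) byte layout.

```python
"""Added example (not from the article or any vendor): a PE's MAC-VRF and ARP
cache built from Type 2 routes, used to answer ARP locally and to load-balance
known unicast. Addresses, MACs, ESIs and labels below are constructed."""
import ipaddress
import struct
import zlib

ARP_REQUEST, ARP_REPLY = 1, 2
ETHERTYPE_ARP = b"\x08\x06"
ESI_ZERO = "00" * 10
ES_A, ES_B = "00" * 9 + "aa", "00" * 9 + "bb"            # constructed ESIs
MAC1, MAC2 = bytes.fromhex("0050560000a1"), bytes.fromhex("0050560000b2")


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP (RFC 826) frame; requests go to the broadcast MAC."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else target_mac
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return (dst + sender_mac + ETHERTYPE_ARP + header
            + sender_mac + ipaddress.IPv4Address(sender_ip).packed
            + target_mac + ipaddress.IPv4Address(target_ip).packed)


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa); reject anything that is not a
    well-formed Ethernet/IPv4 ARP frame instead of indexing blindly."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return (op, frame[22:28], str(ipaddress.IPv4Address(frame[28:32])),
            frame[32:38], str(ipaddress.IPv4Address(frame[38:42])))


class PE:
    def __init__(self, ip, local_acs):
        self.ip = ip
        self.local_acs = local_acs      # esi -> local port name
        self.mac_vrf = {}               # mac -> list of next hops
        self.arp_cache = {}             # ip -> mac, filled from Type 2 routes

    def _add(self, mac, next_hop):
        hops = self.mac_vrf.setdefault(mac, [])
        if next_hop not in hops:
            hops.append(next_hop)

    def learn_local(self, mac, ip, esi):
        """Data-plane learning from a frame received on a local AC."""
        self._add(mac, ("local", self.local_acs[esi]))
        if ip:
            self.arp_cache[ip] = mac

    def receive_type2(self, route):
        """Control-plane learning. A route whose ESI is one of our own ESes
        resolves to the local port (the article's PE2 case); otherwise the next
        hop is the advertising PE plus its label. Several PEs advertising one
        MAC on the same ESI give several next hops (aliasing)."""
        if route["esi"] != ESI_ZERO and route["esi"] in self.local_acs:
            next_hop = ("local", self.local_acs[route["esi"]])
        else:
            next_hop = ("remote", route["from"], route["label"])
        self._add(route["mac"], next_hop)
        if route.get("ip"):
            self.arp_cache[route["ip"]] = route["mac"]

    def handle_arp(self, frame):
        """ARP suppression: answer a request from the cache. None means the
        target is unknown and the request has to be flooded as BUM instead."""
        op, sha, spa, tha, tpa = parse_arp(frame)
        if op != ARP_REQUEST or tpa not in self.arp_cache:
            return None
        return build_arp(ARP_REPLY, self.arp_cache[tpa], tpa, sha, spa)

    def next_hop(self, dst_mac, flow_key):
        """Known-unicast lookup: a local hop beats any tunnel; among remote
        hops a stable per-flow hash keeps one flow on one path."""
        hops = self.mac_vrf.get(dst_mac)
        if not hops:
            return None
        local = [h for h in hops if h[0] == "local"]
        if local:
            return local[0]
        return hops[zlib.crc32(flow_key) % len(hops)]


def scenario():
    """Replay the article's sequence: PE1 learns CE1 and advertises it, PE2
    resolves it locally, PE3 ends up with two next hops and answers CE2's ARP."""
    pe1 = PE("192.0.2.1", {ES_A: "Port1"})
    pe2 = PE("192.0.2.2", {ES_A: "Port2"})
    pe3 = PE("192.0.2.3", {ES_B: "Port3"})
    pe1.learn_local(MAC1, "10.0.0.1", ES_A)            # CE1's ARP request hits PE1
    route = {"from": pe1.ip, "esi": ES_A, "mac": MAC1, "ip": "10.0.0.1", "label": 16001}
    for pe in (pe2, pe3):
        pe.receive_type2(route)                        # PE1's Type 2 advertisement
    pe3.receive_type2({"from": pe2.ip, "esi": ES_A, "mac": MAC1,
                       "ip": "10.0.0.1", "label": 16002})   # PE2's advertisement
    request = build_arp(ARP_REQUEST, MAC2, "10.0.0.2", b"\x00" * 6, "10.0.0.1")
    return pe2, pe3, pe3.handle_arp(request)          # PE3 answers for CE1
```

Two practical points the model makes visible. First, the ARP reply PE3 sends to CE2 is built from a binding PE3 received over BGP, not from anything CE1 said on the wire, so a PE that advertises a false MAC/IP binding (misconfigured or compromised) poisons every other PE's proxy-ARP answers in that EVI; EVPN's ARP suppression is only as trustworthy as the BGP sessions and route-target filtering behind it. Second, next_hop prefers the local attachment circuit over any tunnel, which is why PE2 forwards to CE1 directly even though PE1 advertised mac1 first.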

Typical Applications of EVPN

PBB-EVPN

PBB-EVPN is an L2VPN technology that combines Provider Backbone Bridging (IEEE 802.1ah, MAC-in-MAC) with EVPN over MPLS. Customer MAC addresses are carried inside backbone MAC (B-MAC) frames, and PEs use BGP on the control plane to exchange only the backbone MAC addresses; data packets are forwarded between sites across the MPLS network based on those B-MACs, so the PE control plane does not have to carry every customer MAC address.

A PBB-EVPN service consists of two instances: the I-EVPN instance is bound to the CE-facing interface and provides service access, while the B-EVPN instance faces the backbone network and handles the EVPN routes exchanged with other PEs.

EVPN VPWS

EVPN VPWS provides point-to-point (P2P) services in the same way as traditional Virtual Private Wire Service (VPWS). It is a simplified form of EVPN: frames are carried over MPLS tunnels across the backbone, and because each attachment circuit is bound to exactly one remote attachment circuit, no MAC address learning is needed.

In the depicted network, a VPWS connection is identified by attachment circuit (AC) IDs. The local AC ID configured on one PE must equal the remote AC ID configured on the peer PE, and the remote AC ID on the local PE must equal the local AC ID on the peer PE; the two PEs match their per-EVI Ethernet auto-discovery routes on these IDs.

EVPN VPWS Networking

EVPN E-Tree

EVPN E-Tree isolates interfaces in the same broadcast domain that must not communicate with each other. As in a tree, E-Tree has two roles, root and leaf: a root can communicate with any leaf, but leaves cannot communicate with each other directly. There are three E-Tree service models:

  1. Per leaf/root node per PE (also known as the instance mode): In this mode, a PE can function solely as an EVI root or leaf node.

  2. Per leaf/root node per AC: This mode allows an AC interface to operate as either a root or leaf node, and a PE may have both root and leaf AC interfaces.

  3. Per leaf/root node per MAC: In this mode, an AC interface can perform both root and leaf roles, distinguished by MAC address. Only unicast traffic, not BUM (Broadcast, Unknown unicast, Multicast) traffic, is supported.

EVPN L3VPN

IP bearer networks today carry Layer 2 services with L2VPN and Layer 3 services with L3VPN, typically in a hierarchical VPN (HVPN) design, each with its own control plane. EVPN can carry both Layer 2 and Layer 3 services, which simplifies the set of bearer protocols. In particular, an L3VPN HVPN carrying Layer 3 services is expected to evolve into an EVPN L3VPN HVPN. EVPN L3VPN offers the following advantages:

  1. Control plane: traditional L3VPN distributes routes as VPNv4 routes, whereas EVPN L3VPN distributes them as IP prefix (Type 5) routes in the MP-BGP EVPN address family. Layer 2 and Layer 3 services then share one control plane, which simplifies deployment and maintenance.

  2. Data plane: EVPN L3VPN forwards exactly as traditional L3VPN does, with IP packets carried over MPLS tunnels under a VPN label, so the migration changes the control plane only.
