EVPN MPLS E-Tree Scenario 2

Overview

Ethernet VPN Ethernet-Tree (EVPN E-Tree) Scenario 2 (SC-2) [RFC 8317] enables Root and Leaf sites to co-exist on the same Provider Edge (PE) device within a single EVPN Instance (EVI). The solution enforces traffic filtering rules both within a PE (intra-PE) and across PEs (inter-PE), ensuring strict Leaf-to-Leaf communication control while maintaining flexible service deployment.

Scenario 2 supports both single-homed (SH) and multi-homed (MH) configurations and applies to Qumran2 (Q2) series platforms. All other EVPN E-Tree functionality and route types conform to [RFC 7432], except where extended for Scenario 2 behavior.

Inter-PE E-tree: New Route Advertisements

Scenario 2 introduces the following new route advertisements to support Leaf traffic isolation across PEs:

Leaf Host Advertisement (RT-2): RT-2 advertisements for Leaf hosts include a new E-Tree Extended Community attribute. This attribute identifies the host as a Leaf for unicast traffic handling.
EAD per ES Advertisement (RT-1): A new EAD per ES Route Type-1 (RT-1) is advertised with ESI=0. This route carries the E-Tree Extended Community attribute, which contains the Leaf Label. This mechanism is used to filter unknown (BUM) traffic between a Leaf source and a Leaf destination.

Feature Characteristics

EVPN E-Tree Scenario 2 allows Root and Leaf Attachment Circuits (ACs) to exist within the same EVI on a PE. Traffic between Leaf ACs is restricted both locally and across PEs, maintaining E-Tree hierarchy and service separation.

Intra-PE Traffic Filtering

OcNOS filters traffic locally between Leaf ACs that belong to the same EVI on a single PE.

Traffic Flow (Unicast or BUM):

Leaf AC to Leaf AC (same PE): Traffic originating from one Leaf AC and destined for another Leaf AC on the same PE is dropped. This is due to the enforcement of split-horizon, which prevents Leaf-to-Leaf communication within the same PE. Any unicast or unknown traffic is filtered based on the source and destination ACs; if both are Leaf ACs, the traffic is dropped.

Inter-PE Traffic Filtering (Leaf ACs in the Same EVI)

To restrict communication between Leaf Attachment Circuits (ACs) located on different Provider Edges (PEs) within the same EVPN Instance (EVI), the amended routes described previously are used.

Unicast Traffic Filtering

Traffic filtering for Unicast traffic between Leaf ACs is performed at the originating Leaf AC PE node (the ingress PE node). This is possible because the host advertised from a Leaf AC at a remote PE is identified as a Leaf through the new RT-2 E-TREE attribute. Consequently, the Local PE recognizes the remote Host as one advertised from a Leaf AC, enabling ingress filtering. Reference: RFC 8317, Section 4.1.

BUM Traffic Filtering

Traffic filtering for Broadcast, Unknown Unicast, and Multicast (BUM) traffic between Leaf ACs is implemented at the egress PE device. In the case of BUM traffic, the receivers include all ACs in the EVPN instance, some of which may be Root and others Leaf; therefore, filtering cannot be performed at the ingress PE.

The remote PE uses RT-1 with ESI=0 and the E-Tree attribute to advertise a Leaf Label. The local PE pushes this Leaf Label on BUM traffic that enters from a Leaf AC.

Reference: RFC 8317, Section 4.2.

Handling Multi-Homing (MH)

In Multi-Homing scenarios, if a Leaf AC is also on an ESI Multi-Homing port, the Leaf Label is prioritized over the ESI Label for advertising.

Intra-PE Traffic Flow Details

Co-existing Root and Leaf Sites on the Same PE: A given Provider Edge (PE) may simultaneously host both Root and Leaf Attachment Circuits (ACs) for a specific Ethernet Virtual Instance (EVI).
Ingress Filtering (Unicast or Known Traffic):
  Traffic is subjected to filtering upon entering the PE via a Leaf AC.
  A dedicated grouping identifies all Media Access Control (MAC) addresses learned from remote Leaf ACs.
  Leaf-to-Leaf unicast traffic is discarded to prevent unauthorized communication.
Egress Filtering (BUM Traffic):
  BUM traffic sent from a Leaf AC carries the Leaf Label advertised by the egress PE.
  The egress PE uses the Leaf Label to inhibit traffic transmission towards Leaf ACs.
  This mechanism is effective for both single-homed (SH) and multi-homed (MH) Leaf ACs.
Route Exchange and Attributes:
Route Type                         Attribute Function                                       Filtering Scope
RT-2 (MAC/IP Advertisement)        Carries Leaf indication for ingress unicast filtering    Ingress PE
RT-1 (Ethernet A-D per ES, ESI=0)  Carries Leaf Label for egress BUM filtering              Egress PE

The Leaf Label is scoped per PE, not per EVI or per ES.

Traffic Filtering Rules for All Combinations

Unicast
Leaf AC to Leaf MAC: Traffic originating from a Leaf AC and destined for a MAC address learned from any Leaf AC on a remote PE is dropped, thereby preventing Leaf-to-Leaf communication across PEs.
Root AC to Leaf MAC: Traffic is permitted, facilitating Root-to-Leaf communication.
Root AC to non-Leaf (Root) MAC: Traffic is permitted, facilitating Root-to-Root communication.
Leaf AC to non-Leaf (Root) MAC: Traffic is permitted, facilitating Leaf-to-Root communication.
BUM
SH Leaf AC: Traffic is tagged with the Leaf Label; the egress PE drops it toward Leaf ACs.
MH Leaf AC on ESI port: Traffic carries the Leaf Label; the egress PE blocks delivery to all Leaf ACs (both SH and MH).
Leaf-to-Leaf traffic within the same PE: Traffic is dropped (via split-horizon functionality).

Configure hardware-profile filter evpn-mpls-mh group even on single-homed nodes; Leaf Label enforcement requires it.
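The filtering rules above, together with the route exchange described in the Inter-PE and Intra-PE sections, can be checked against a small executable model. The following is an added example written for this page; it is not OcNOS code and does not come from the original document. It models the RT-2 Leaf indication, the per-PE Leaf Label carried in the ESI=0 RT-1, the ingress unicast filter, intra-PE split-horizon and the egress BUM filter, and it also covers the MH case in which the Leaf Label takes precedence over the ESI label. PE names, AC names, MAC addresses and label values are constructed, and ESI label handling is reduced to that precedence rule only.

```python
# Added example: a small model of the E-Tree Scenario 2 filtering decisions.
# Illustrative code, not OcNOS source; PE names, AC names, MAC addresses and
# label values are constructed for the example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ROOT, LEAF = "root", "leaf"


@dataclass(frozen=True)
class AC:
    """Attachment circuit with its E-Tree role; esi_label is set only on MH (ESI) ports."""
    name: str
    role: str
    esi_label: Optional[int] = None


@dataclass(frozen=True)
class RT2:
    """MAC/IP Advertisement; `leaf` stands for the E-Tree Extended Community Leaf indication."""
    mac: str
    pe: str
    leaf: bool


@dataclass(frozen=True)
class RT1Leaf:
    """Ethernet A-D per ES route with ESI=0 carrying the advertising PE's Leaf Label."""
    pe: str
    leaf_label: int


@dataclass
class PE:
    name: str
    leaf_label: int  # one Leaf Label per PE, not per EVI or per ES
    acs: Dict[str, AC] = field(default_factory=dict)
    local_macs: Dict[str, str] = field(default_factory=dict)          # MAC -> local AC
    remote_macs: Dict[str, str] = field(default_factory=dict)         # MAC -> remote PE
    remote_leaf_macs: Set[str] = field(default_factory=set)           # MACs learned from remote Leaf ACs
    remote_leaf_labels: Dict[str, int] = field(default_factory=dict)  # remote PE -> its Leaf Label

    # Control plane: what this PE advertises and what it keeps from its peers.
    def learn_local(self, ac_name: str, mac: str) -> RT2:
        self.local_macs[mac] = ac_name
        return RT2(mac=mac, pe=self.name, leaf=self.acs[ac_name].role == LEAF)

    def advertise_leaf_label(self) -> RT1Leaf:
        return RT1Leaf(pe=self.name, leaf_label=self.leaf_label)

    def receive_rt2(self, rt2: RT2) -> None:
        self.remote_macs[rt2.mac] = rt2.pe
        if rt2.leaf:
            self.remote_leaf_macs.add(rt2.mac)

    def receive_rt1(self, rt1: RT1Leaf) -> None:
        self.remote_leaf_labels[rt1.pe] = rt1.leaf_label

    # Data plane, unicast: filtered at the ingress PE.
    def ingress_unicast(self, src_ac: str, dst_mac: str) -> str:
        src_is_leaf = self.acs[src_ac].role == LEAF
        if dst_mac in self.local_macs:
            dst_ac = self.local_macs[dst_mac]
            if src_is_leaf and self.acs[dst_ac].role == LEAF:
                return "drop"  # intra-PE split-horizon between Leaf ACs
            return f"forward-local:{dst_ac}"
        if dst_mac in self.remote_macs:
            if src_is_leaf and dst_mac in self.remote_leaf_macs:
                return "drop"  # Leaf AC -> MAC learned from a remote Leaf AC
            return f"forward:{self.remote_macs[dst_mac]}"
        return "flood"  # unknown unicast is treated as BUM

    # Data plane, BUM: the ingress PE pushes the egress PE's Leaf Label when the
    # source AC is a Leaf; that label takes precedence over an ESI label on an MH port.
    def send_bum(self, src_ac: str) -> Tuple[Set[str], Dict[str, Optional[int]]]:
        src = self.acs[src_ac]
        src_is_leaf = src.role == LEAF
        local = {n for n, ac in self.acs.items()
                 if n != src_ac and not (src_is_leaf and ac.role == LEAF)}
        remote = {pe: (label if src_is_leaf else src.esi_label)
                  for pe, label in self.remote_leaf_labels.items()}
        return local, remote

    # Data plane, BUM: the egress PE withholds frames carrying its Leaf Label from Leaf ACs.
    def receive_bum(self, label: Optional[int]) -> Set[str]:
        return {n for n, ac in self.acs.items()
                if not (label == self.leaf_label and ac.role == LEAF)}


def build_topology() -> Tuple[PE, PE, Dict[str, str]]:
    """Constructed two-PE EVI: PE1 hosts Root R1, Leaf L1 and MH Leaf L2; PE2 hosts R2 and L3."""
    pe1, pe2 = PE("PE1", leaf_label=1001), PE("PE2", leaf_label=1002)
    for pe, ac in ((pe1, AC("R1", ROOT)), (pe1, AC("L1", LEAF)), (pe1, AC("L2", LEAF, esi_label=3001)),
                   (pe2, AC("R2", ROOT)), (pe2, AC("L3", LEAF))):
        pe.acs[ac.name] = ac
    macs = {"R1": "00:aa:00:00:00:01", "L1": "00:aa:00:00:00:02", "L2": "00:aa:00:00:00:03",
            "R2": "00:aa:00:00:00:11", "L3": "00:aa:00:00:00:12"}
    pe1.receive_rt1(pe2.advertise_leaf_label())  # RT-1, ESI=0, Leaf Label
    pe2.receive_rt1(pe1.advertise_leaf_label())
    for local, remote in ((pe1, pe2), (pe2, pe1)):  # RT-2 with Leaf indication
        for ac_name in local.acs:
            remote.receive_rt2(local.learn_local(ac_name, macs[ac_name]))
    return pe1, pe2, macs


if __name__ == "__main__":
    pe1, pe2, macs = build_topology()
    print("L1 -> L3 unicast:", pe1.ingress_unicast("L1", macs["L3"]))  # drop
    print("BUM from MH Leaf L2:", pe1.send_bum("L2"))  # ({'R1'}, {'PE2': 1002})
    print("PE2 egress, Leaf Label 1002:", pe2.receive_bum(1002))  # {'R2'}
```

Note how the MH Leaf AC L2 is treated: the copy sent to PE2 carries PE2's Leaf Label (1002) rather than the ESI label, and PE2 then delivers it only to its Root AC. A Root AC without an ESI label sends BUM with no label, and the egress PE delivers it to every AC.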

Benefits

Strict traffic enforcement: Leaf-to-Leaf communication is always blocked, maintaining E-Tree hierarchy and isolation.
Flexible service deployment: Root and Leaf sites can co-exist on the same PE, simplifying design and reducing the number of EVIs.
Simplified control-plane operation: A single route type per EVI with the E-Tree Extended Community and Leaf Label reduces BGP processing complexity.
Enhanced traffic security: Ingress and egress filtering ensure unauthorized or misrouted traffic is dropped at the hardware level.
Consistent SH or MH operation: Unified filtering logic supports both single-homed and multi-homed Leaf ACs.
Efficient hardware utilization: Leaf Label allocation per PE enables hardware-level enforcement without additional per-EVI or per-ES labels.