Distributed Anycast Gateway is a default gateway addressing mechanism in a BGP EVPN fabric. The feature enables the use of the same gateway IP and MAC address across all the devices in an EVPN over MPLS network. This ensures that every device functions as the default gateway for the workloads directly connected to it. The feature facilitates flexible workload placement, host mobility, and optimal traffic forwarding across the BGP EVPN fabric.

In this topology, the Distributed Anycast Gateways are directly attached to hosts or network with IP-VRF routing enabled on the IRB (BDI) interfaces on the gateways. To reduce the complexity, only virtual MAC DAGs is supported and the duplication address detection (DAD) for IPv6 on the BDI interfaces on Distributed Anycast Gateways is disabled.

On the DAG, the bridge domain check if an Address Resolution Protocol or Neighbor Discovery Protocol packet from a local host is sent to the BDI (Gateway) IP addresses. If the packet is sent to BDI (Gateway) IP addresses, this packet is handled by local BDI and it is not flooded into the bridge domain and sent across the EVPN fabric.

Symmetric IRB is a distributed routing model which utilizes direct IP-VRF to IP-VRF connectivity for inter-subnet traffic. To support Symmetric IRB, the native IRB needs to be enabled on Distributed Gateways by creating the BDIs, configuring virtual MAC, IP-VRF, and anycast IP address.

After the native IRB is enabled, BGP allocates the L3 label for the RT-2’s and RT-5’s per VRF basis and advertises it.

On Distributed Gateways, if the IP-VRF Stitching is configured and IP-VRF to EVPN redistribution is enabled, the IP Prefixes in IP-VRF are advertised as the RT-5 routes. These routes can be a locally connected subnet, a static route, or a route IP Prefix on the CE side.

On the receiving Distributed Gateways, RT-5 is imported into the corresponding IP-VRF and installed as a remote IP route.

In the case of a Distributed Anycast Gateway, many Distributed Gateways could advertise the same subnet prefix route. If the receiving Distributed Gateway has the same local subnet prefix, the local subnet prefix takes precedence. If a remote Distributed Gateway doesn’t have the same local subnet prefix, remote routes are chosen or ECMP load balancing is used for forwarding. Host discovery and MAC-IP learning procedures are triggered when traffic is sent to the host before it’s learned on any DAGs.

On Border Gateways that handle the Layer 3 hand-off to Multi-VRF, the IP-VRF Stitching needs to be configured and IP-VRF to EVPN redistribution needs to be enabled. The IP Prefix that is locally connected, a static route, or a learned route from the other side in IP-VRF is advertised as the RT-5 routes to EVPN Fabric. The IP Prefixes (RT-5) and Host Routes (RT-2) imported from EVPN are installed into IP-VRF and redistributed.

On Border Gateways that handle the Layer 3 hand-off to MPLS VPN (L3VPN), the IP-VRF Stitching needs to be configured. The cross-importing between VPN and EVPN Address-Family needs to be enabled as well. The IP Prefixes imported from VPN AF are advertised as RT-5 routes to EVPN Fabric. The IP Prefixes (RT-5) and Host Routes (RT-2) imported from EVPN AF are re-originated and advertised to the VPN side.

The host routes might be filtered if it’s not desired to advertise or redistribute. The IP Prefix route can be used to inject the default route.

The Host MAC-IP binding is learned by snooping Address Resolution Protocol (ARP), Neighbor Discovery Protocol, or DHCP packets. After the MAC-IP binding is learned, an age timer (AGE_TIME) is applied to the locally learned binding entry. The binding entry is refreshed whenever the host initiates ARP or ND procedures.

When the age timer expires, the MAC-IP binding is deleted and withdrawn from the network. To avoid premature deletion of the MAC-IP bindings, the gateways initiates the ARP or ND procedure to refresh the binding entries. It also initiates the ARP or ND probe procedure with the data plane MAC_AGE_OUT event. The local MAC_AGE_OUT event triggers the probe of all the MAC-IP bindings derived from that specific MAC to refresh the binding entries.

For the hosts on a Multi-Homing All-Active Ethernet Segment, the Host MAC-IP Binding might be initially learned on only one of the multihoming peers. Other peers in the Multi-Homing Group rely on the received remote RT-2 to get the MAC-IP Binding or might locally learn the MAC-IP Bindings.

After the MAC-IP Binding is learned locally on any peer, an age timer (AGE_TIME) is applied to the binding entry, and the binding entry is refreshed whenever the host initiates ARP/ND to this peer. When the age timer expires, this locally learned MAC-IP Binding is deleted, and RT-2 is withdrawn or updated if RT-2 Proxy Route is enabled. When the age timer expires, the MAC-IP binding is deleted and withdrawn from the network.

To avoid premature deletion of the MAC-IP bindings, the gateways initiate the ARP or ND procedure to refresh the binding entries. This is triggered by a refresh timer (SEND_REFRESH_TIME). It also initiates the ARP or ND probe procedure with the data plane MAC_AGE_OUT event. The data plane usually has a shorter age timer. The local MAC_AGE_OUT event triggers the probe of all the MAC-IP bindings derived from that specific MAC to refresh the binding entries across the Multi-Homing Group Peers.

During fast convergence and slow convergence, gateways can initiate the ARP/ND Refresh procedure using local Bindings or the previously received remote MAC-IP Bindings.

The host MAC-IP mobility helps to handle the following events:

• Host Move Learn from Data Packet and GARP

• Host Move Detection for Silent Host

Also, the host MAC-IP mobility supports the following scenarios:

• Moving MAC from local to local

• Moving MAC from local to remote

• Moving MAC from remote to local

• Moving IP local to local

• Moving IP from local to remote

• Moving IP from remote to local

From Cisco IOS XE Cupertino 17.7.1a, the host MAC-IP mobility is supported for hosts on a Multi-Homing All-Active Ethernet Segment.

When the MAC-IP Route is imported on remote Distributed Gateways, it can be used for inter-subnet routing. Because Symmetric IRB uses the IP-VRF to IP-VRF Layer 3 Label or VNI for the routing, it doesn’t need ARP/ND entries on remote Distributed Gateways, and a remote IP Route with Layer 3 Label (VNI) is installed.

Considering the Multihoming Distributed Gateways, the remote Distributed Gateways could receive multiple MAC-IP routes from that multihoming group members with the same MAC and IP Binding for Layer 3 Load Balancing. The fast convergence on the multihomed Gateways changes the Layer 2 Bridging in the MAC-VRF on the remote Gateways as it does, but it won’t affect the remote IP Route entries and Layer 3 Load Balancing which are sourced from MAC-IP Routes. The withdrawal of the contributing remote MAC-IP route changes Layer 3 Load Balancing on the Remote Distributed Gateways. The withdrawal of all the contributing remote MAC-IP routes triggers the deletion of the remote MAC-IP Route on the Remote Distributed Gateway.

On a Multihoming All-Active Ethernet Segment, the Host MAC-IP Binding might be learned on only one of the multihoming peers. To enable the inter-subnet traffic forwarding to the Ethernet Segment LOCALLY on other multihoming peers, ARP/ND entries need to be synced to those peers via RT-2 MAC-IP Route.

When a remote RT-2 MAC-IP Route for an MH-AA host is received from a multihoming peer, the RT-2 import on BGP installs a remote IP Route with the L3 Label (VNI). The ARP or ND entry needs to be installed or synced as well. From the forwarding point of view, both RIB (BGP and other routing components) and Adjacency (ARP or others) contribute to forwarding.

When BGP receives a Local or Aliasing MAC-IP Route from L2RIB, it is installed as static into RIB directly with a lower distance, so that RIB would prefer the local route, that is, the best path. During convergence or recovery, if the local or aliasing route is removed, RIB runs best path again.

The ARP and ND Flooding Suppression feature depends on device-tracking enabled on the same VLAN or interface. The Switch Integrated Security Features based (SIS-based) device tracking helps to track the presence,location, and movement of end-nodes in the network. SISF snoops traffic received by the device, extracts the device identity (MAC and IP address), and stores them in a binding table. SIS-based device tracking supports both IPv4 and IPv6.

When you enable IPv4 or IPv6 flooding suppression, it helps to minimize the flooding of a broadcast or multicast packet over the EVPN fabric and to remote CEs such as host, router, and switch. For example, Address Resolution packets such as ARP (broadcast) and NS (multicast). The multicast and broadcast suppression capabilities helps to preserve bandwidth in wireless networks.

This feature helps to suppress the broadcast (ARP) or link-local multicast (NDP) messages circulating in the layer 2 domain and the packets are relayed after converting their L2 addresses to unicast. By default, this feature is enable and you can use the disable flooding suppression command to disable flooding suppression.

From Cisco IOS XE Cupertino 17.7.1a, ARP and ND flooding suppression is supported on Multi-Homing All-Active (MH-AA) hosts. This feature reduces the ARP/ND Flooding traffic across a fabric since the gateway attached to the host might have already learned the MAC-IP Bindings from the control plane. By default, this feature is enabled. For more information, see Disabling ARP or ND Suppression.

Due to load balancing between hosts and the gateways in a Multi-Homing Group, the host MAC-IP binding might be learned and advertised from only one or more gateways. For routing traffic from a remote gateway, the host is only reachable through the advertising gateways. For Layer 2 Bridging, an aliasing path using the EAD Per EVI route is implemented to achieve Layer 2 load balancing. However, the aliasing path is only valid in a Layer 2 topology (MAC-VRF), and cannot be used in a Layer 3 topology (IP-VRF). To achieve Layer 3 ECMP for a Multi-Homing All-Active Host, a peer in the Multi-Homing Group can choose to be a proxy or readvertise a remote MAC-IP Route that it received for the All-Active host. This feature is enabled by default, and it can be implemented by a peer if it has not locally learned the MAC-IP route.

This feature requires the following configuration on Cisco ASR 1000 Series Aggregation Services Routers:

• Host MAC-IP learning

• Symmetric IRB for IP-VRF to IP-VRF inter-subnet traffic over MPLS

• Distributed anycast gateway with bridge-domain

• Host MAC-IP mobility

• ARP/ND flooding suppression

• Unknown unicast suppression

• Only Dual-Homing (two peers) Active-Active is supported.

• Only Symmetric IRB is supported. Asymmetric IRB and centralized IRB are not supported for BGP EVPN over MPLS.

• Only Gateway virtual MAC address is supported.

• Global VRF is not supported for MPLS IRB.

• VPLS Stitching is not covered and verified for BGP EVPN over MPLS.

• RT-5-only based routing is not applicable to Multi-Homing All-Active Subnets on DAGs if RT-2 is disabled. This routing is not applicable because Multi-Homing peers need RT-2 MAC-IP route for ARP/ND SYNC.

• SISF security feature is not supported on Multi-Homing All-Active DAGs.

Use the following steps to configure the basic EVPN over MPLS:

interface Loopback2
 description L2VPN EVPN ROUTER-ID
 ip address 1.1.1.3 255.255.255.255
 ip ospf 1 area 0
 ipv6 address ABCD:1::3/128
end

l2vpn evpn
!! Only Ingress Replication is supported for EVPN MPLS
 replication-type ingress
 router-id Loopback2
end
!

!! EVPN MPLS supports vlan-based, vlan-aware, vlan-bundle types for L2
!! vlan-bundle type won’t be supported for IRB
!! default encapsulation is MPLS
l2vpn evpn instance 1 vlan-based

interface Ethernet0/1
 no ip address
 service instance 11 ethernet
  encapsulation dot1q 11
end

bridge-domain 11
 !! link point of BD, EFP and EVI
 member Ethernet0/1 service-instance 11
 member evpn-instance 1
end

interface Loopback0
 description BGP UPDATE SOURCE
 ip address 1.1.1.1 255.255.255.255
 ip ospf 1 area 0
 ipv6 address ABCD:1::1/128
end

router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart
 neighbor 99.99.99.99 remote-as 100
 neighbor 99.99.99.99 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 99.99.99.99 activate
  neighbor 99.99.99.99 send-community both
 exit-address-family
end

Use the following steps to configure the basic EVPN over MPLS with IRB.

vrf definition red
 rd 100:1
 !
 address-family ipv4
  route-target export 100:100
  route-target import 100:100
  route-target export 100:100 stitching
  route-target import 100:100 stitching
 exit-address-family
 !
 address-family ipv6
  route-target export 100:200
  route-target import 100:200
  route-target export 100:200 stitching
  route-target import 100:200 stitching
 exit-address-family
end

interface BDI11
 !! virtual MAC for Distributed Anycast Gateway
 mac-address 0011.0011.0011
 vrf forwarding red
 ip address 192.168.11.254 255.255.255.0
 ipv6 address 2001:11::254/64
 encapsulation dot1Q 11
end

router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart
 neighbor 99.99.99.99 remote-as 100
 neighbor 99.99.99.99 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 99.99.99.99 activate
  neighbor 99.99.99.99 send-community both
 exit-address-family
!! IP Prefix Advertisement
address-family ipv4 vrf red
  advertise l2vpn evpn
  redistribute connected
exit-address-family
address-family ipv6 vrf red
  advertise l2vpn evpn
  redistribute connected
exit-address-family           
End

Use the following steps to configure EVPN-MPLS Multi-VRF:

router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart
 neighbor 99.99.99.99 remote-as 100
 neighbor 99.99.99.99 update-source Loopback0
 !
 address-family l2vpn evpn
  neighbor 99.99.99.99 activate
  neighbor 99.99.99.99 send-community both
 exit-address-family
address-family ipv4 vrf red
  advertise l2vpn evpn
  redistribute connected
  neighbor 192.168.0.1 remote-as 10
  neighbor 192.168.0.1 activate
  !! If using MPLS between PE and CE 
  neighbor 192.168.0.1 send-label
 exit-address-family
 !
 address-family ipv6 vrf red
  advertise l2vpn evpn
  redistribute connected
  neighbor 2001:0::1 remote-as 10
  neighbor 2001:0::1 activate
  !! If using MPLS between PE and CE
  !! neighbor 2001:0::1 send-label <= MPLS is only supported on IPv4 Core (6PE)
 exit-address-family

Use the following steps to configure the VPN over MPLS Layer-3 VPN.

router bgp 100
 bgp log-neighbor-changes
 bgp graceful-restart
 !! eBGP peering
 neighbor 10.5.0.1 remote-as 10
 neighbor 99.99.99.99 remote-as 100
 neighbor 99.99.99.99 update-source Loopback0
 !
 address-family vpnv4
 !! EVPN to VPNv4 
  import l2vpn evpn re-originate
  neighbor 10.5.0.1 activate
  neighbor 10.5.0.1 send-community both
 exit-address-family
 !
 address-family vpnv6
 !! EVPN to VPNv6
  import l2vpn evpn re-originate
  neighbor 10.5.0.1 activate
  neighbor 10.5.0.1 send-community both
 exit-address-family
 !
 address-family l2vpn evpn
 !! VNPv4/VPNv6 to EVPN
  import vpnv4 unicast re-originate
  import vpnv6 unicast re-originate
  neighbor 99.99.99.99 activate
  neighbor 99.99.99.99 send-community both
  neighbor 99.99.99.99 next-hop-self
 exit-address-family

Use the following steps to configure Layer 2 Multihoming for EVPN over MPLS:

l2vpn evpn ethernet-segment 1
 !! Support both type 3 and type 0
 identifier type 3 system-mac aabb.0000.0001
 !! Only all-active is support for EVPN MPLS
 redundancy all-active
 df-election wait-time 3
end

!! EVPN MPLS supports vlan-based, vlan-aware, vlan-bundle types for L2
!! vlan-bundle type won’t be supported for IRB
!! default encapsulation is MPLS
l2vpn evpn instance 1 vlan-based

bridge-domain 11
!! link point of BD, EFP, and EVI
member Port-channel1 service-instance 11
member evpn-instance 1

interface Port-channel1
no ip address
no negotiation auto
no mop enabled
no mop sysid
!! link point of interface and ESI
evpn ethernet-segment 1
lacp device-id 0005.0005.0005
service instance 11 ethernet
encapsulation dot1q 11
!
!

!! interface linking PE to MH CE
interface GigabitEthernet0/0/1
no ip address
negotiation auto
lacp rate fast
!! link to Port-channel
channel-group 1 mode active

Proxy MAC-IP route is enabled by default. Use the following command to disable proxy MAC-IP route:

l2vpn evpn  
 multihoming proxy-mac-ip disable

Use the following command to suppress unknown unicast flooding:

flooding-suppression unknown-unicast 

This command is supported only at the bridge domain level. By default, suppression of unknown unicast flooding is disabled.

Use the following command to configure the bridge domain MAC Age timer:

bridge-domain 11
 mac aging-time 10

The default aging time is 5 minutes for a bridge domain and 30 minutes for overlay bridge domains. The range is from 1 to 600 minutes.

Use the following command to configure the ARP timeout:

int BDI11
  arp timeout 600

Use the following command to configure the ND cache expiry:

int BDI12
  ipv6 nd cache expire 300

Use the following command to disable IP local learning from the data plane:

l2vpn evpn 
 ip local-learning disable

Use the following command to limit the number of locally learned IP addresses that can be stored:

ip local-learning limit per-mac ipv4
ip local-learning limit per-mac ipv6

The default number of IPv4 addresses is 4 and IPv6 addresses is 12.

Use the following command to configure timers:

ip local-learning time poll| reachable | stale time

The default polling interval is 1 minute, the reachable lifetime is 5 minutes, and the stale lifetime is 30 minutes.

To configure the ARP and ND flooding suppression, perform the following steps.

Note	By default, ARP/ND flooding suppression is enabled.

Device(config)#l2vpn evpn 
Device(config-evpn)#flooding-suppression address-resolution ? 
  disable  Disable flooding suppression