Implementing Layer2 VPN Over SRv6 Transport on NCS 5500/500


Paban Sarma, Technical Marketing Engineer
Tejas Lad, Technical Marketing Engineer


So far we have covered setting up SRv6 transport and bringing up Layer 3 VPN over it on NCS 5500 and NCS 500 platforms. In this tutorial, we will cover the implementation of an EVPN-based point-to-point (E-Line) L2 service (EVPN-VPWS) over SRv6.



The topology used is a simple four-node network comprising Cisco NCS 540 and NCS 5500 series platforms. There are two CE nodes, connected to PE1 and PE4 respectively, to simulate customer networks. Details of each node, along with Loopback IPs, are listed in the table below.

Nodes  Device Type  Software Version  Loopback0
-----  -----------  ----------------  ------------------
PE1    NCS 540      IOS XR 7.5.2      fcbb:bb00:1::1/128
P2     NCS 5500     IOS XR 7.5.2      fcbb:bb00:2::1/128
P3     NCS 5500     IOS XR 7.5.2      fcbb:bb00:3::1/128
PE4    NCS 5500     IOS XR 7.5.2      fcbb:bb00:4::1/128

The loopback0 IPs are chosen as per the SRv6 addressing best practice (check out for more details).

In this tutorial, we will establish an L2VPN (EVPN-VPWS) connecting CE1 and CE2. The example will demonstrate a VLAN-based E-Line (EVPL) service and establish an L2 stretch across CE1 and CE2 for VLAN 100.

Configuration Steps

EVPN based P2P service over SRv6 transport will involve 3 steps, viz.

  • Establishing EVPN control plane over BGP
  • Configuring l2transport between CE-PE links
  • Configuring EVPN EVI and L2VPN Service

BGP Control Plane

Traditional L2 services use LDP for signalling; EVPN simplifies this by using BGP for control plane operation. In our previous tutorial, we established BGP neighborship between PE1 and PE4 with the VPNv4 AFI. Now we need to enable the EVPN AFI over BGP. The snippet below shows the full BGP configuration needed for a Layer 2 service over SRv6.


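PE1

router bgp 100
 bgp router-id
 ! enable the EVPN address family globally
 address-family l2vpn evpn
 neighbor fcbb:bb00:4::1
  remote-as 100
  update-source Loopback0
  ! activate EVPN towards PE4
  address-family l2vpn evpn

PE4

router bgp 100
 bgp router-id
 ! enable the EVPN address family globally
 address-family l2vpn evpn
 neighbor fcbb:bb00:1::1
  remote-as 100
  update-source Loopback0
  ! activate EVPN towards PE1
  address-family l2vpn evpn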

Configuring Layer2 Attachment Circuits

We need to configure an l2transport sub-interface (on the PE-CE link) with the appropriate VLAN encapsulation. This tutorial shows a VLAN-based service with VLAN ID 100. We do not show any VLAN translation operations (rewrite commands), as they are out of scope for this tutorial.

PE1 and PE4

interface TenGigE0/0/0/0.2 l2transport
 encapsulation dot1q 2

Configuring EVPN and L2VPN Service

The next step is to configure the EVPN and L2VPN service constructs on both PEs. Since we have a symmetric topology, the configuration on both nodes will be similar. Configure the below on PE1 and PE4.

evpn
 interface TenGigE0/0/0/0
 segment-routing srv6
  locator POD0
l2vpn
 xconnect group 2
  p2p 2
   interface TenGigE0/0/0/0.2
   neighbor evpn evi 2 service 2 segment-routing srv6

The interface under the EVPN configuration doesn't have any ESI configured. This is because the service is single-homed and the default ESI is used. For detailed understanding on evpn configuration and modes refer

We have globally enabled the SRv6 locator POD0 under evpn, which means L2VPN SIDs (uDX2) will be allocated from the same locator. The srv6 configuration under the l2vpn xconnect group service construct can be used to override the global evpn configuration and assign a new locator.

Verification Steps

First, we verify that the Layer 2 P2P service is up:

RP/0/RP0/CPU0:LABSP-3393-PE1#show l2vpn xconnect 
Legend: ST = State, UP = Up, DN = Down, AD = Admin Down, UR = Unresolved,
        SB = Standby, SR = Standby Ready, (PP) = Partially Programmed,
        LU = Local Up, RU = Remote Up, CO = Connected, (SI) = Seamless Inactive

XConnect                   Segment 1                       Segment 2                
Group      Name       ST   Description            ST       Description            ST    
------------------------   -----------------------------   -----------------------------
2          2          UP   Te0/0/0/0.2            UP       EVPN 2,2,::ffff: 

The local SID information for the configured service is updated in the SRv6 SID table as well.

RP/0/RP0/CPU0:LABSP-3393-PE1#show  segment-routing srv6  locator POD0 sid 
SID                         Behavior          Context                           Owner               State  RW
--------------------------  ----------------  ------------------------------    ------------------  -----  --
fcbb:bb00:1::               uN (PSP/USD)      'default':1                       sidmgr              InUse  Y 
fcbb:bb00:1:e001::          uA (PSP/USD)      [BE12, Link-Local]:0:P            isis-1              InUse  Y 
fcbb:bb00:1:e002::          uA (PSP/USD)      [BE12, Link-Local]:0              isis-1              InUse  Y 
fcbb:bb00:1:e003::          uA (PSP/USD)      [BE13, Link-Local]:0:P            isis-1              InUse  Y 
fcbb:bb00:1:e004::          uA (PSP/USD)      [BE13, Link-Local]:0              isis-1              InUse  Y 
fcbb:bb00:1:e005::          uDT4              '1'                               bgp-100             InUse  Y 
fcbb:bb00:1:e006::          uDX2              2:2                               l2vpn_srv6          InUse  Y 


The SID details and functions can also be verified using the SID detail CLI as shown below. It shows that the SID function is 0xe006 and that it is in the context of EVPN EVI 2 with AC ID 2 (eth-tag=2).

RP/0/RP0/CPU0:LABSP-3393-PE1#show  segment-routing srv6 sid fcbb:bb00:1:e006::  detail 

*** Locator: 'POD0' *** 

SID                         Behavior          Context                           Owner               State  RW
--------------------------  ----------------  ------------------------------    ------------------  -----  --
fcbb:bb00:1:e006::          uDX2              2:2                               l2vpn_srv6          InUse  Y 
  SID Function: 0xe006
  SID context: { evi=2, eth-tag=2 }
  Locator: 'POD0'
  Allocation type: Dynamic
  Created: Nov 14 04:49:43.505 (00:08:54 ago)

We can also view the SRv6 uDX2 SID assigned to each segment of the service in the detailed show command below:

RP/0/RP0/CPU0:LABSP-3393-PE1#show  l2vpn xconnect group 2 detail 

Group 2, XC 2, state is up; Interworking none
  AC: TenGigE0/0/0/0.2, state is up
    Type VLAN; Num Ranges: 1
    Rewrite Tags: []
    VLAN ranges: [2, 2]
    MTU 1504; XC ID 0x2; interworking none
      packets: received 0, sent 0
      bytes: received 0, sent 0
      drops: illegal VLAN 0, illegal length 0
  EVPN: neighbor ::ffff:, PW ID: evi 2, ac-id 2, state is up ( established )
    XC ID 0xc0000002
    Encapsulation SRv6
    Encap type Ethernet
    Ignore MTU mismatch: Enabled
    Transmit MTU zero: Enabled
    Reachability: Up

      SRv6              Local                        Remote                      
      ----------------  ---------------------------- --------------------------
       uDX2              fcbb:bb00:1:e006::           fcbb:bb00:4:e006::
      AC ID             2                            2                           
      MTU               1518                         0                           
      Locator           POD0                         N/A                         
      Locator Resolved  Yes                          N/A                         
      SRv6 Headend      H.Encaps.L2.Red              N/A                         
      packets: received 0, sent 0
      bytes: received 0, sent 0

We can verify the Remote uSID advertised via BGP with the help of the below CLI outputs.

RP/0/RP0/CPU0:PE1#show  bgp  l2vpn evpn 
BGP router identifier, local AS number 100
BGP generic scan interval 60 secs
Non-stop routing is enabled
BGP table state: Active
Table ID: 0x0
BGP main routing table version 20
BGP NSR Initial initsync version 1 (Reached)
BGP NSR/ISSU Sync-Group versions 0/0
BGP scan interval 60 secs

Status codes: s suppressed, d damped, h history, * valid, > best
              i - internal, r RIB-failure, S stale, N Nexthop-discard
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop            Metric LocPrf Weight Path
Route Distinguisher: (default for vrf VPWS:2)
*> [1][0000.0000.0000.0000.0000][2]/120
                                            0 i
* i                   fcbb:bb00:4::1                100      0 i
Route Distinguisher:
                      fcbb:bb00:4::1                100      0 i

Processed 2 prefixes, 3 paths

RP/0/RP0/CPU0:LABSP-3393-PE1#show  bgp  l2vpn evpn rd [1][0000.0000.0000.0000.0000][2]/120
BGP routing table entry for [1][0000.0000.0000.0000.0000][2]/120, Route Distinguisher:
  Process           bRIB/RIB  SendTblVer
  Speaker                  19           19
Last Modified: Nov 14 04:50:18.448 for 2d00h
Paths: (1 available, best #1)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Not advertised to any peer
    fcbb:bb00:4::1 (metric 30) from fcbb:bb00:4::1 (
      Received Label 0xe00600
      Origin IGP, localpref 100, valid, internal, best, group-best, import-candidate, not-in-vrf
      Received Path ID 0, Local Path ID 1, version 19
      Extended community: EVPN L2 ATTRS:0x02:0 RT:100:2 
      PSID-Type:L2, SubTLV Count:1
        T:1(Sid information), Sid:fcbb:bb00:4::, Behavior:65, SS-TLV Count:1
          T:1(Sid structure):

There is a single RT1 coming from PE4 with an all-zero ESI, as we have only used single-homing. A detailed look at the advertised route shows that the remote uDX2 SID is made up of two parts: the Sid information fcbb:bb00:4:: with Behavior:65, meaning this is uDX2, and the received label 0xe00600. Thus, we can see that the remote uDX2 SID fcbb:bb00:4:e006:: is composed of the SID and the Received_Label.
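The composition described above can be checked in code. This is an added example, not part of the original tutorial: it rebuilds the remote uDX2 SID from the BGP route's SID and received label and compares it with the remote SID shown by `show l2vpn xconnect group 2 detail`. The function names are hypothetical. The transposition offset 48 and length 16 (F3216 uSID layout) and the placement of the transposed bits in the high-order bits of the 24-bit label are assumptions that match the values shown, since the Sid structure fields are cut off in the output above.

```python
import ipaddress
import re

# Constructed sample: lines copied from the two show outputs on this page.
BGP_DETAIL = """\
      Received Label 0xe00600
        T:1(Sid information), Sid:fcbb:bb00:4::, Behavior:65, SS-TLV Count:1
"""
XCONNECT_DETAIL = """\
       uDX2              fcbb:bb00:1:e006::           fcbb:bb00:4:e006::
"""

LABEL_BITS = 24  # the received label is shown as a 24-bit value (0xe00600)


def rebuild_sid(sid, label, offset, length):
    """Merge the bits carried in the label back into the advertised SID."""
    if not 0 < length <= LABEL_BITS or offset + length > 128:
        raise ValueError("invalid transposition offset/length")
    if label >> LABEL_BITS:
        raise ValueError("label wider than 24 bits")
    base = int(ipaddress.IPv6Address(sid))
    # Assumption: the transposed bits are the high-order bits of the label.
    bits = label >> (LABEL_BITS - length)
    shift = 128 - offset - length
    if base & (((1 << length) - 1) << shift):
        raise ValueError("SID already has bits set in the transposed range")
    return ipaddress.IPv6Address(base | (bits << shift))


def remote_sid_from_bgp(text, offset=48, length=16):
    """Parse label and SID from the BGP detail output, then rebuild the SID.

    offset/length default to the assumed F3216 layout (48-bit locator,
    16-bit function); the page does not show the SID structure values.
    """
    label = int(re.search(r"Received Label (0x[0-9a-fA-F]+)", text).group(1), 16)
    sid = re.search(r"Sid:([0-9a-fA-F:]+),", text).group(1)
    return rebuild_sid(sid, label, offset, length)


def remote_sid_from_xconnect(text):
    """Return the remote uDX2 SID column from 'show l2vpn xconnect detail'."""
    return ipaddress.IPv6Address(re.search(r"uDX2\s+\S+\s+(\S+)", text).group(1))


if __name__ == "__main__":
    advertised = remote_sid_from_bgp(BGP_DETAIL)
    programmed = remote_sid_from_xconnect(XCONNECT_DETAIL)
    print(advertised, programmed, "match" if advertised == programmed else "MISMATCH")
```

A mismatch between the two values means the SID programmed for the cross-connect is not the one the remote PE advertised, which is worth investigating before trusting the data path.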

Finally, to verify the data plane operation, we will initiate an ICMP ping from CE1 to CE2. We have already configured CE1 and CE2 in the same subnet and established the L2 stretch between the two nodes with EVPN-VPWS over SRv6 transport.

RP/0/RP0/CPU0:CE1#show run int tenGigE 0/0/0/0.2
interface TenGigE0/0/0/0.2
 ipv4 address
 encapsulation dot1q 2

RP/0/RP0/CPU0:CE2#show run int tenGigE 0/0/0/0.2
interface TenGigE0/0/0/0.2
 ipv4 address
 encapsulation dot1q 2

RP/0/RP0/CPU0:CE1#ping repeat 20
Type escape sequence to abort.
Sending 20, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (20/20), round-trip min/avg/max = 1/3/45 ms


This concludes Part 3 of our tutorial, explaining point-to-point L2 service over SRv6 transport. Stay tuned for our upcoming tutorials.

