L3VPNv4 over SRv6 BE and EVPN L3VPN

over SRv6 Policy: Lab Guide

This guide covers two labs from the HCIE-Datacom Lab Guide: L3VPNv4 over SRv6 BE
(Section 9.1) and EVPN L3VPN over SRv6 Policy (Section 9.2). Both labs configure networks
using IS-IS for routing, SRv6 for tunneling, and MP-BGP for VPN route exchange, enabling
VPN connectivity between simulated CE interfaces. The SRv6 BE lab uses automatic SID
allocation and best-effort tunnels, while the SRv6 Policy lab uses manual SID allocation,
multiple segment lists, and candidate paths for reliability. The guide includes step-by-step
configurations, verification commands, core concepts, and quiz answers.

Lab 1: L3VPNv4 over SRv6 BE (Section 9.1)

Overview

Objectives

 Configure SRv6 locators for automatic SID allocation to VPN routes.

 Recurse L3VPN tunnels (for CE communication) to SRv6 BE tunnels.
 Observe packet forwarding over SRv6 BE tunnels.

Network Topology

 Devices: PE2, PE4, P2 (all in AS 65100).

 Interfaces: Interconnection interfaces use IPv6 addresses in the format 2001::Y/126
(e.g., 2001::9/126).
 Loopback0: Each device has a Loopback0 interface with an IPv6 address 2001::X:X/128
(e.g., PE2: 2001::2:2/128).
 Loopback1: PE2 (10.1.2.2/32) and PE4 (10.1.4.4/32) have Loopback1 interfaces to
simulate CE IPv4 access.
 Routing Protocols:
o IS-IS: Level-2, area 49.0001, with wide metrics, enabled on Loopback0 and
interconnection interfaces for IPv6.
o SRv6: Configured globally with locators (e.g., PE2: 2001:2::/96) and automatic
SID allocation.
o MP-BGP: IBGP with VPNv4 address family; P2 acts as a Route Reflector (RR)
for PE2 and PE4.
 VPN Instance: Named vpna, with Route Distinguishers (RDs) 100:20 (PE2) and 100:40
(PE4), and VPN target 100:1020.

IP Address Planning
Device Loopback0 IPv6 Interconnection Interfaces (IPv6)
PE2 2001::2:2/128 GE0/5/1: 2001::9/126 (to P2)
PE4 2001::4:4/128 GE0/5/1: 2001::16/126 (to P2)
P2 2001::6:6/128 GE0/5/1: 2001::9/126 (to PE2), GE0/5/2: 2001::15/126 (to PE4)

SRv6 Locator Planning

Device IPv6 Prefix Mask Static Segment Length

PE2 2001:2:: 96 16
PE4 2001:4:: 96 16

Simplified Explanation: The network is like a postal system where IS-IS maps the routes, SRv6
assigns IPv6-based delivery labels (SIDs), MP-BGP shares customer addresses, and L3VPN
provides private delivery for CE interfaces (Loopback1).

Core Concepts

 SRv6: Segment Routing over IPv6 uses 128-bit SIDs in the Segment Routing Header
(SRH) to steer traffic. SIDs include End (device identifier) and End.DT4 (VPNv4 route
lookup).
 IS-IS: Link-state protocol extended for SRv6, advertising locators and routes in area
49.0001 (Level-2).
 MP-BGP (VPNv4): Carries VPN routes with RDs and Route Targets (RTs). P2 as RR
simplifies peering.
 L3VPN: Layer 3 VPN instance vpna isolates CE routes (Loopback1) and uses SRv6 BE
tunnels for transport.
 SRv6 Locator: A prefix (e.g., 2001:2::/96) used to generate SIDs; static segment length
(16 bits) defines the function part.
 Route Recursion: VPN routes (e.g., 10.1.4.4/32) recurse to SRv6 BE tunnels based on
the next-hop SID (e.g., 2001:2::1:0).
 DCN and PnP: Data Communication Network (DCN) and Plug-and-Play (PnP) are
disabled to simplify setup.
 Immediate Validation: Ensures configuration changes are applied instantly.

Analogy: IS-IS is the map, SRv6 is the delivery route with IPv6 addresses, MP-BGP is the
address book, and L3VPN is a private courier for customers.

Configuration Roadmap

1. Basic Setup: Configure IPv6 addresses, disable DCN/PnP, set immediate validation.
2. IS-IS: Deploy Level-2 IS-IS with IPv6 topology on all devices.
 3. L3VPN: Create VPN instance vpna, add Loopback1, and import direct routes to BGP.
4. MP-BGP: Establish IBGP VPNv4 peering with P2 as RR.
5. SRv6: Enable SRv6, configure locators, and enable SID allocation for VPN routes.

Key Commands

Basic Setup

 system-view immediately: Enable immediate validation.

 undo dcn: Disable DCN globally.
 undo pnp enable: Disable Plug-and-Play.
 interface <type><number>: Enter interface configuration.
 ipv6 enable: Enable IPv6.
 ipv6 address <address>/<prefix>: Assign IPv6 address (e.g., ipv6 address 2001::9/126).
 ping ipv6 -c 1 <destination>: Test IPv6 connectivity.

IS-IS

 isis <process-id>: Start IS-IS process (e.g., isis 1).

 is-level level-2: Set Level-2 router.
 cost-style wide: Use wide metrics.
 network-entity <net>: Set NET address (e.g., network-entity
49.0001.0002.0002.0002.00).
 is-name <name>: Set hostname (e.g., is-name PE2).
 ipv6 enable topology ipv6: Enable IPv6 topology.
 interface <type><number>: Enter interface configuration.
 isis ipv6 enable <process-id>: Enable IS-IS IPv6.
 isis circuit-type p2p: Set point-to-point interface.
 display isis peer: Verify neighbors.
 display isis route ipv6: Check IPv6 routing table.

L3VPN

 ip vpn-instance <name>: Create VPN instance (e.g., ip vpn-instance vpna).

 ipv4-family: Enter IPv4 address family.
 route-distinguisher <rd>: Set RD (e.g., route-distinguisher 100:20).
 vpn-target <rt> both: Set VPN target (e.g., vpn-target 100:1020 both).
 interface LoopBack1: Enter Loopback1 configuration.
 ip binding vpn-instance <name>: Bind to VPN instance.
 ip address <address> <mask>: Assign IP address (e.g., ip address 10.1.2.2 32).
 display ip routing-table vpn-instance <name>: Check VPN routing table.

MP-BGP (VPNv4)
  bgp <as>: Start BGP process (e.g., bgp 65100).
 router-id <id>: Set router ID (e.g., router-id 10.0.2.2).
 peer <ipv6> as-number <as>: Configure peer (e.g., peer 2001::6:6 as-number 65100).
 peer <ipv6> connect-interface LoopBack0: Set peering source.
 ipv4-family vpnv4: Enter VPNv4 address family.
 peer <ipv6> enable: Activate peer for VPNv4.
 peer <ipv6> reflect-client: Configure RR client (on P2).
 undo policy vpn-target: Disable RT check on RR.
 ipv4-family vpn-instance <name>: Enter VPN instance address family.
 import-route direct: Import direct routes.
 display bgp vpnv4 all peer: Verify peer status.
 display bgp vpnv4 all routing-table: Check VPNv4 routes.

SRv6

 segment-routing ipv6: Enable SRv6 globally.

 encapsulation source-address <ipv6>: Set source address (e.g., encapsulation source-
address 2001::2:2).
 locator <name> ipv6-prefix <prefix> <mask> static <length>: Configure locator (e.g.,
locator SRv6 ipv6-prefix 2001:2:: 96 static 16).
 isis <process-id>: Enter IS-IS process.
 segment-routing ipv6 locator <name>: Advertise locator.
 bgp <as>: Enter BGP process.
 ipv4-family vpnv4: Enter VPNv4 address family.
 peer <ipv6> prefix-sid: Enable SID advertisement.
 ipv4-family vpn-instance <name>: Enter VPN instance address family.
 segment-routing ipv6 best-effort: Enable SRv6 BE for VPN routes.
 segment-routing ipv6 locator <name>: Specify locator for SIDs.
 display segment-routing ipv6 local-sid end-dt4 forwarding: Check VPN SIDs.
 display isis route ipv6: Verify locator routes.
 ping -vpn-instance <name> -a <source> <destination>: Test VPN connectivity.

Configuration Framework

Step 1: Basic Device Configuration

 Tasks:
o Set immediate validation.
o Disable DCN and PnP.
o Configure IPv6 addresses for interconnection and Loopback0 interfaces.
 Example (PE2):

bash
 Copy

system-view immediately

undo dcn

undo pnp enable

interface LoopBack0

ipv6 enable

ipv6 address 2001::2:2/128

interface GigabitEthernet0/5/1

ipv6 enable

ipv6 address 2001::9/126

 Verification:
o Test connectivity: ping ipv6 -c 1 2001::9 (P2 to PE2; 0% packet loss).

Step 2: Deploy IS-IS

 Tasks:
o Configure IS-IS (process 1, Level-2, area 49.0001, wide metrics) with IPv6
topology.
o Enable on Loopback0 and interconnection interfaces.
 Example (PE2):

bash

Copy

isis 1

is-level level-2

cost-style wide

network-entity 49.0001.0002.0002.0002.00
 is-name PE2

ipv6 enable topology ipv6

interface LoopBack0

isis ipv6 enable 1

interface GigabitEthernet0/5/1

isis ipv6 enable 1

isis circuit-type p2p

 Verification:
o Check neighbors: display isis peer (P2 sees PE2, PE4 in Up state).
o Check routes: display isis route ipv6 (P2 learns 2001::2:2/128, 2001::4:4/128).

Step 3: Configure L3VPN

 Tasks:
o Create VPN instance vpna with RDs and RTs.
o Create Loopback1, bind to vpna, and assign IPv4 addresses.
o Import direct routes to BGP.
 Example (PE2):

bash

Copy

ip vpn-instance vpna

ipv4-family

route-distinguisher 100:20

vpn-target 100:1020 both

interface LoopBack1

ip binding vpn-instance vpna

 ip address 10.1.2.2 32

bgp 65100

ipv4-family vpn-instance vpna

import-route direct

 Verification:
o Check VPN routes later (after BGP and SRv6).

Step 4: Configure MP-BGP

 Tasks:
o Establish IBGP VPNv4 peering between PE2, PE4, and P2 (RR) using
Loopback0.
o Disable RT check on P2.
 Example (PE2):

bash

Copy

bgp 65100

router-id 10.0.2.2

peer 2001::6:6 as-number 65100

peer 2001::6:6 connect-interface LoopBack0

ipv4-family vpnv4

peer 2001::6:6 enable

 Example (P2 - RR):

bash

Copy

bgp 65100
 router-id 10.0.6.6

peer 2001::2:2 as-number 65100

peer 2001::2:2 connect-interface LoopBack0

peer 2001::4:4 as-number 65100

peer 2001::4:4 connect-interface LoopBack0

ipv4-family vpnv4

undo policy vpn-target

peer 2001::2:2 enable

peer 2001::2:2 reflect-client

peer 2001::4:4 enable

peer 2001::4:4 reflect-client

 Verification:
o Check peers: display bgp vpnv4 all peer (P2 shows Established with PE2, PE4).

Step 5: Configure SRv6

 Tasks:
o Enable SRv6 globally, set source addresses, and configure locators.
o Enable SID advertisement in BGP and IS-IS.
o Enable SRv6 BE for VPN routes.
 Example (PE2):

bash

Copy

segment-routing ipv6

encapsulation source-address 2001::2:2

locator SRv6 ipv6-prefix 2001:2:: 96 static 16

 isis 1

segment-routing ipv6 locator SRv6

bgp 65100

ipv4-family vpnv4

peer 2001::6:6 prefix-sid

ipv4-family vpn-instance vpna

segment-routing ipv6 best-effort

segment-routing ipv6 locator SRv6

 Verification:
o Check SIDs: display segment-routing ipv6 local-sid end-dt4 forwarding (PE2:
2001:2::1:0 for vpna).
o Check locator routes: display isis route ipv6 (P2 learns 2001:2::/96, 2001:4::/96).
o Check VPNv4 routes: display bgp vpnv4 all routing-table (PE2 learns 10.1.4.4/32
with SID 2001:2::1:0).
o Check VPN routing: display ip routing-table vpn-instance vpna (PE4: 10.1.2.2/32
via SID 2001:2::1:0).
o Test connectivity: ping -vpn-instance vpna -a 10.1.4.4 10.1.2.2 (0% packet loss).

Quiz Answer (9.1.3)

In an L3VPNv6 over SRv6 BE scenario, which type of SID do BGP routes in a VPN
instance carry?

Answer: End.DT6

Explanation: In an L3VPNv6 over SRv6 BE scenario, BGP routes in a VPN instance carry
End.DT6 SIDs. The End.DT6 SID instructs the router to decapsulate the SRv6 header and
perform an IPv6 route lookup in the specified VPN instance. This is analogous to the End.DT4
SID used for IPv4 VPN routes (as in this lab’s L3VPNv4 setup, e.g., 2001:2::1:0). The End.DT6
SID ensures that IPv6 VPN traffic is correctly forwarded to the destination CE within the VPN
instance.

Simplified Analogy: The End.DT6 SID is like a delivery label that tells the router, “Open the
package and deliver the IPv6 contents to the customer’s private mailbox.”
Lab 2: EVPN L3VPN over SRv6 Policy (Section 9.2)
Overview

Objectives

 Manually allocate SIDs to VPN routes.

 Recurse L3VPN tunnels to SRv6 Policies with multiple segment lists and candidate
paths.
 Configure high-reliability paths using multiple segment lists and candidate paths.
 Test path switchover during faults.

Network Topology

 Devices: PE1, PE2, PE3, PE4, P1, P2 (all in AS 65100).

 Interfaces: Interconnection interfaces use IPv6 addresses in the format 2001::Y/126
(e.g., 2001::1/126).
 Loopback0: Each device has a Loopback0 interface with an IPv6 address 2001::X:X/128
(e.g., PE1: 2001::1:1/128).
 Loopback1: PE1 (10.1.1.1/32) and PE4 (10.1.4.4/32) have Loopback1 interfaces for
IPv4 CE access.
 Loopback2: PE1 (2002::1:1/128) and PE4 (2002::4:4/128) have Loopback2 interfaces
for IPv6 CE access.
 Routing Protocols:
o IS-IS: Level-2, area 49.0001, with wide metrics, enabled for IPv6.
o SRv6: Configured with manual SID allocation, locators (e.g., PE1: 2001:1::/96),
and SRv6 Policies.
o MP-BGP: IBGP with EVPN and VPNv4 address families; P1 and P2 are RRs.
 VPN Instances:
o vpna: IPv4 VPN (RDs 100:10 for PE1, 100:40 for PE4; RT 100:1020).
o vpna6: IPv6 VPN (RDs 100:10 for PE1, 100:40 for PE4; RT 100:1020).
 SRv6 Policy: Policy p1 with multiple segment lists (e.g., via P1-PE3, P1-P2, PE2-P2)
and candidate paths (preference 100 and 50) for reliability.

IP Address Planning

Loopback0
Device Interconnection Interfaces (IPv6)
IPv6
PE1 2001::1:1/128 GE0/5/0: 2001::1/126 (to PE2), GE0/5/1: 2001::5/126 (to P1)
PE2 2001::2:2/128 GE0/5/0: 2001::2/126 (to PE1), GE0/5/1: 2001::9/126 (to P2)
PE3 2001::3:3/128 GE0/5/0: 2001::19/126 (to PE4), GE0/5/1: 2001::12/126 (to P1)
PE4 2001::4:4/128 GE0/5/0: 2001::1a/126 (to PE3), GE0/5/1: 2001::16/126 (to P2)
P1 2001::5:5/128 GE0/5/0: 2001::d/126 (to P2), GE0/5/1: 2001::6/126 (to PE1), GE0/5/2:
 Loopback0
Device Interconnection Interfaces (IPv6)
IPv6
2001::11/126 (to PE3)
GE0/5/0: 2001::e/126 (to P1), GE0/5/1: 2001::a/126 (to PE2), GE0/5/2:
P2 2001::6:6/128
2001::15/126 (to PE4)

SRv6 Locator and SID Planning

Device Locator Prefix Mask Static Length End SID End.DT4 SID End.DT6 SID
PE1 2001:1:: 96 16 2001:1::1 2001:1::11 2001:1::61
PE4 2001:4:: 96 16 2001:4::1 2001:4::11 2001:4::61

Simplified Explanation: This is a more advanced postal system where SRv6 Policies define
specific delivery routes (segment lists) with backup paths (candidate paths) for reliability. EVPN
and VPNv4 handle both IPv4 and IPv6 customer addresses, and IS-IS ensures all routers know
the map.

Core Concepts

 SRv6 Policy: A tunnel with explicit paths defined by segment lists (e.g.,
PE1_PE4_VPNA_1) and candidate paths (e.g., preference 100). Multiple paths ensure
reliability.
 EVPN: Uses BGP to advertise both IPv4 and IPv6 VPN routes with Type 5 (IP Prefix)
routes, carrying End.DT4 (IPv4) and End.DT6 (IPv6) SIDs.
 Manual SID Allocation: SIDs (e.g., 2001:1::11 for End.DT4) are explicitly configured,
unlike automatic allocation in Lab 1.
 Segment Lists: Ordered lists of SIDs (e.g., 2001:5::1, 2001:3::1, 2001:4::1) defining
traffic paths.
 Candidate Paths: Multiple paths with preferences (e.g., 100 > 50) for failover.
 Tunnel Policy: Directs VPN routes to SRv6 Policies using color attributes (e.g., color
100).
 Fault Detection: Headend-based detection switches traffic to backup paths during
failures.
 End.OP: An opcode for testing SRv6 Policy paths (e.g., 2001:4::2).

Analogy: SRv6 Policies are like pre-planned delivery routes with alternate paths. EVPN is a
smart address book for both IPv4 and IPv6, and fault detection is a GPS rerouting traffic during
roadblocks.

Configuration Roadmap
 1. Basic Setup: Configure IPv6 addresses, disable DCN/PnP, set immediate validation.
2. IS-IS: Deploy Level-2 IS-IS with IPv6 topology.
3. L3VPN: Create VPN instances vpna (IPv4) and vpna6 (IPv6), add Loopback1 and
Loopback2, and import direct routes.
4. MP-BGP: Establish IBGP EVPN and VPNv4 peering with P1 and P2 as RRs.
5. Route Policy: Apply color values to VPN routes.
6. SRv6: Enable SRv6, configure locators, manually allocate SIDs, and define SRv6
Policies.
7. Tunnel Policy: Recurse VPN routes to SRv6 Policies.
8. Fault Detection: Test path switchover during simulated failures.

Key Commands (Additional for Lab 2)

Route Policy

 route-policy <name> permit node <number>: Create route policy.

 apply extcommunity color <value>: Set color (e.g., apply extcommunity color 100).
 bgp <as>: Enter BGP process.
 ipv4-family vpnv4: Enter VPNv4 address family.
 peer <ipv6> route-policy <name> export: Apply route policy.

SRv6 Policy

 segment-routing ipv6: Enter SRv6 configuration.

 locator <name>: Enter locator configuration.
 opcode <sid> end-dt4 vpn <name>: Allocate End.DT4 SID (e.g., opcode 2001:1::11 end-
dt4 vpn vpna).
 opcode <sid> end-dt6 vpn <name>: Allocate End.DT6 SID.
 segment-list <name>: Define segment list (e.g., segment-list PE1_PE4_VPNA_1).
 index <number> sid ipv6 <sid>: Add SID to list (e.g., index 5 sid ipv6 2001:5::1).
 srv6-te policy <name> endpoint <ipv6> color <value>: Create SRv6 Policy (e.g., srv6-te
policy p1 endpoint 2001::4:4 color 100).
 candidate-path preference <value>: Define candidate path (e.g., candidate-path
preference 100).
 segment-list <name> weight <value>: Assign segment list (e.g., segment-list
PE1_PE4_VPNA_1 weight 2).
 srv6-te-policy path verification enable: Enable fault detection.
 display segment-routing ipv6 local-sid end-dt6 forwarding: Check End.DT6 SIDs.
 tracert srv6-te policy policy-name <name> end-op <sid>: Test SRv6 Policy path.

Tunnel Policy

 tunnel-policy <name>: Create tunnel policy (e.g., tunnel-policy p1).

  tunnel select-seq ipv6 srv6-te-policy load-balance-number <number>: Select SRv6
Policy.
 bgp <as>: Enter BGP process.
 ipv4-family vpn-instance <name>: Enter VPN instance.
 tunnels select tunnel-policy <name>: Apply tunnel policy.
 display tunnel-info all: Check tunnel status.

Fault Detection

 interface <type><number>: Enter interface configuration.

 shutdown: Disable interface to simulate failure.
 ping ipv6 vpn-instance <name> -a <source> <destination>: Test IPv6 VPN connectivity.

Configuration Framework

Step 1: Basic Device Configuration

 Tasks:
o Set immediate validation, disable DCN/PnP.
o Configure IPv6 addresses for Loopback0 and interconnection interfaces.
 Example (PE1):

bash

Copy

system-view immediately

undo dcn

undo pnp enable

interface LoopBack0

ipv6 enable

ipv6 address 2001::1:1/128

interface GigabitEthernet0/5/0

ipv6 enable
 ipv6 address 2001::1/126

interface GigabitEthernet0/5/1

ipv6 enable

ipv6 address 2001::5/126

 Verification:
o Test connectivity: ping ipv6 -c 1 2001::5 (P1 to PE1; 0% packet loss).

Step 2: Deploy IS-IS

 Tasks:
o Configure IS-IS (process 1, Level-2, area 49.0001, wide metrics) with IPv6
topology.
 Example (PE1):

bash

Copy

isis 1

is-level level-2

cost-style wide

network-entity 49.0001.0001.0001.0001.00

is-name PE1

ipv6 enable topology ipv6

interface LoopBack0

isis ipv6 enable 1

interface GigabitEthernet0/5/0

isis ipv6 enable 1

 isis circuit-type p2p

interface GigabitEthernet0/5/1

isis ipv6 enable 1

isis circuit-type p2p

 Verification:
o Check neighbors: display isis peer.
o Check routes: display isis route ipv6.

Step 3: Configure L3VPN

 Tasks:
o Create VPN instances vpna (IPv4) and vpna6 (IPv6).
o Add Loopback1 (vpna) and Loopback2 (vpna6); import direct routes.
 Example (PE1):

bash

Copy

ip vpn-instance vpna

ipv4-family

route-distinguisher 100:10

vpn-target 100:1020 both

ip vpn-instance vpna6

ipv6-family

route-distinguisher 100:10

vpn-target 100:1020 both

interface LoopBack1

ip binding vpn-instance vpna

 ip address 10.1.1.1 32

interface LoopBack2

ip binding vpn-instance vpna6

ipv6 address 2002::1:1/128

bgp 65100

ipv4-family vpn-instance vpna

import-route direct

ipv6-family vpn-instance vpna6

import-route direct

Step 4: Configure MP-BGP

 Tasks:
o Establish IBGP EVPN and VPNv4 peering with P1 and P2 as RRs.
 Example (PE1):

bash

Copy

bgp 65100

router-id 10.0.1.1

peer 2001::5:5 as-number 65100

peer 2001::5:5 connect-interface LoopBack0

peer 2001::6:6 as-number 65100

peer 2001::6:6 connect-interface LoopBack0

l2vpn-family evpn
 peer 2001::5:5 enable

peer 2001::6:6 enable

ipv4-family vpnv4

peer 2001::5:5 enable

peer 2001::6:6 enable

 Example (P1 - RR):

bash

Copy

bgp 65100

router-id 10.0.5.5

peer 2001::1:1 as-number 65100

peer 2001::1:1 connect-interface LoopBack0

peer 2001::4:4 as-number 65100

peer 2001::4:4 connect-interface LoopBack0

l2vpn-family evpn

undo policy vpn-target

peer 2001::1:1 enable

peer 2001::1:1 reflect-client

peer 2001::4:4 enable

peer 2001::4:4 reflect-client

ipv4-family vpnv4
 undo policy vpn-target

peer 2001::1:1 enable

peer 2001::1:1 reflect-client

peer 2001::4:4 enable

peer 2001::4:4 reflect-client

 Verification:
o Check peers: display bgp evpn all peer, display bgp vpnv4 all peer.

Step 5: Configure Route Policy

 Tasks:
o Create route policy to apply color 100 to VPN routes.
 Example (PE1):

bash

Copy

route-policy color100 permit node 10

apply extcommunity color 100

bgp 65100

ipv4-family vpnv4

peer 2001::5:5 route-policy color100 export

peer 2001::6:6 route-policy color100 export

l2vpn-family evpn

peer 2001::5:5 route-policy color100 export

peer 2001::6:6 route-policy color100 export

Step 6: Configure SRv6

 Tasks:
o Enable SRv6, configure locators, and manually allocate SIDs.
o Define SRv6 Policy p1 with segment lists and candidate paths.
 Example (PE1):

bash

Copy

segment-routing ipv6

encapsulation source-address 2001::1:1

locator SRv6 ipv6-prefix 2001:1:: 96 static 16

opcode 2001:1::1 end psp

opcode 2001:1::11 end-dt4 vpn vpna

opcode 2001:1::61 end-dt6 vpn vpna6

segment-list PE1_PE4_VPNA_1

index 5 sid ipv6 2001:5::1

index 10 sid ipv6 2001:3::1

index 15 sid ipv6 2001:4::1

segment-list PE1_PE4_VPNA_2

index 5 sid ipv6 2001:5::1

index 10 sid ipv6 2001:6::1

index 15 sid ipv6 2001:4::1

segment-list PE1_PE4_VPNA_3

index 5 sid ipv6 2001:2::1

 index 10 sid ipv6 2001:6::1

index 15 sid ipv6 2001:4::1

srv6-te policy p1 endpoint 2001::4:4 color 100

candidate-path preference 100

segment-list PE1_PE4_VPNA_1 weight 2

segment-list PE1_PE4_VPNA_2 weight 1

candidate-path preference 50

segment-list PE1_PE4_VPNA_3

isis 1

segment-routing ipv6 locator SRv6 auto-sid-disable

bgp 65100

ipv4-family vpn-instance vpna

segment-routing ipv6 locator SRv6 evpn

segment-routing ipv6 traffic-engineer best-effort evpn

ipv6-family vpn-instance vpna6

segment-routing ipv6 locator SRv6 evpn

segment-routing ipv6 traffic-engineer best-effort evpn

 Verification:
o Check SIDs: display segment-routing ipv6 local-sid end-dt4 forwarding, display
segment-routing ipv6 local-sid end-dt6 forwarding.
o Check EVPN routes: display bgp evpn all routing-table prefix-route.

Step 7: Configure Tunnel Policy

  Tasks:
o Create tunnel policy to recurse VPN routes to SRv6 Policy p1.
 Example (PE1):

bash

Copy

tunnel-policy p1

tunnel select-seq ipv6 srv6-te-policy load-balance-number 1

bgp 65100

ipv4-family vpn-instance vpna

tunnels select tunnel-policy p1

ipv6-family vpn-instance vpna6

tunnels select tunnel-policy p1

 Verification:
o Check routing: display ip routing-table vpn-instance vpna (route to 10.1.4.4/32
via p1).
o Check tunnel: display tunnel-info all (SRv6 Policy p1 is UP).

Step 8: Fault Detection and Path Switchover

 Tasks:
o Enable fault detection and test path switchover by shutting down interfaces.
 Example (PE1):

bash

Copy

segment-routing ipv6

srv6-te-policy path verification enable

srv6-te policy p1
 path verification enable

 Simulate Failure (PE3):

bash

Copy

interface GigabitEthernet0/5/0

shutdown

interface GigabitEthernet0/5/1

shutdown

 Verification:
o Test connectivity: ping -vpn-instance vpna -a 10.1.1.1 10.1.4.4 (0% packet loss).
o Test IPv6: ping ipv6 vpn-instance vpna6 -a 2002::1:1 2002::4:4 (0% packet loss).
o Check path: tracert srv6-te policy policy-name p1 end-op 2001:4::2 (traffic uses
segment list 2).

Quiz Answer (9.2.3)

In addition to headend-based fault detection, what methods can be used to check whether a
segment list works properly?

Answer:

 Traceroute for SRv6 Policy: Use the tracert srv6-te policy policy-name <name> end-op
<sid> command to trace the path and verify segment list functionality.
 Ping with SRv6 Policy: Use ping srv6-te policy policy-name <name> <destination> to
test reachability through the segment list.
 Segment List Status Check: Use display segment-routing ipv6 srv6-te policy to check
the status and operational state of segment lists.
 BFD (Bidirectional Forwarding Detection): Configure BFD for SRv6 Policies to detect
path failures and verify segment list availability.
 OAM (Operations, Administration, and Maintenance): Use SRv6 OAM tools to
perform path continuity and performance checks on segment lists.

Explanation: These methods verify segment list functionality by testing connectivity, tracing
paths, or monitoring path health. Traceroute and ping directly test the SRv6 Policy path, while
BFD and OAM provide automated or detailed diagnostics. The lab uses tracert srv6-te policy to
confirm segment list operation (e.g., switching to segment list 2 or 3 during failures).

Simplified Analogy: These methods are like checking a delivery route by tracking the package
(traceroute), calling the destination (ping), checking the route status (status check), or using GPS
monitoring (BFD/OAM) to ensure the path is clear.

Additional Explanations

 SRv6 vs. SR-MPLS: SRv6 uses IPv6 addresses as SIDs, offering greater scalability and
flexibility compared to SR-MPLS’s label-based approach.
 EVPN Advantage: Supports both IPv4 and IPv6 VPNs with efficient route
advertisement using Type 5 routes.
 SRv6 Policy Reliability: Multiple segment lists and candidate paths ensure failover, as
demonstrated by path switchover during PE3 and P1 failures.
 Manual vs. Automatic SIDs: Manual allocation (Lab 2) provides control for specific
paths, while automatic allocation (Lab 1) simplifies configuration.
 Verification Importance: Commands like display segment-routing ipv6 local-sid and
tracert srv6-te policy confirm SRv6 functionality and path integrity.

Analogy: Lab 1 is a basic courier service with automatic routing, while Lab 2 is a premium
service with custom routes, backup paths, and real-time tracking for reliability.

This guide provides a clear, artifact-free framework for configuring L3VPNv4 over SRv6 BE
and EVPN L3VPN over SRv6 Policy. Let me know if you need specific device configurations,
additional verification steps, or further clarification on any section!