Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS EVPN User Guide Features Common to EVPN-VXLAN, EVPN-MPLS, and EVPN-VPWS Link States and Network Isolation Conditions in EVPN Networks

EVPN User Guide

keyboard_arrow_up
close
keyboard_arrow_left
EVPN User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Layer 2 Interface Status Tracking and Shutdown Actions for EVPN Core Isolation Conditions

date_range 20-Dec-24
arrow_backward
arrow_forward
You can configure a device in an EVPN network to track the status of Layer 2 (L2) device interfaces, detect EVPN core isolation conditions, and take action to shut down the associated interfaces.

Starting in Junos OS and Junos OS Evolved Release 23.2R1, you can configure a provider edge (PE) device in an EVPN network to:

  • Enable L2 interface service tracking to detect when the device becomes isolated from the EVPN core (a core isolation condition).

  • Immediately take action to perform a hard shutdown or set Link Aggregation Control Protocol (LACP) out-of-sync state on the associated interface or interfaces to single-homed or multihomed customer edge (CE) devices.

    The interfaces might be single physical links, single-homed link aggregation group (LAG) interface bundles, or EVPN segment identifier (ESI) LAG interface bundles.

  • Set a timer to delay before bringing associated interfaces up again when the device is no longer isolated from the core.

Benefits

  • Provides configurable settings to help avoid traffic loss for single-homed or multihomed CE devices during route convergence when a PE device becomes isolated from the EVPN core.

Overview

In EVPN networks, a PE device can become isolated from the EVPN core. That device might have single-homed or multihomed CE devices connected to it.

When the PE device detects it is in a core isolation condition, usually the LACP protocol sets the ESI LAG interfaces to LACP out-of-sync state. That state should trigger the CE device to bring down the interface on the CE side as well. However, the CE device might not bring down the link immediately. Slower LACP responsiveness on the CE side can cause a delay in route convergence and, as a result, some traffic loss. To similarly avoid traffic loss, single-homed CE devices with active-backup link bundles to a PE device also need an immediate action on the active link to trigger a switchover to the backup link.

With this feature, to avoid traffic loss in these core isolation situations, you can configure an immediate action the PE device takes on the associated interface or interfaces to the attached CE devices. You can set the action to either bring an interface down immediately with a hard shutdown, or continue to rely on LACP out-of-sync signaling.

When the PE device recovers its BGP sessions to the EVPN core and is no longer isolated, the LACP protocol on the device immediately brings the associated ESI LAG interfaces up. However, the PE device might still be synchronizing routes from its multhoming peer PE devices. In that case, the multihomed CE device can also lose traffic.

As a result, with this feature you can also set a delay time before the device brings the interface up again after the device becomes reconnected to the core.

To set up core isolation service tracking, you configure a network isolation group at the [edit protocols network-isolation group network-isolation-group-name] hierarchy level. In the network isolation group configuration, set options in the detection and service-tracking-action stanzas, as follows (see the highlighted statements):

content_copy zoom_out_map
[edit]
protocols { 
    network-isolation {
      group network-isolation-group-name { 
        detection { 
          hold-time { 
            up ms; 
          }        
          service-tracking {
             core-isolation; 
          } 
        } 
        service-tracking-action { 
          lacp-out-of-sync | link-down; 
        } 
      }  
    } 
}
Note:

The configuration hierarchy above shows only the options relevant to the core isolation service tracking feature. The [edit protocols network-isolation group network-isolation-group-name] hierarchy includes other options for other features that we don't cover here.

You assign the network isolation group as a network isolation profile to the interface or interfaces the device should shut down upon detecting a core isolation condition. To do this, you configure the network-isolation-profile network-isolation-group-name statement at the [edit interfaces interface-name] hierarchy.

You can enable core isolation service tracking for the following types of Layer 2 (L2) interfaces:

  • A logical single link or aggregated Ethernet (AE) link bundle (LAG) to a single-homed customer edge device in the network.

  • An Ethernet segment identifier (ESI) LAG interface to a multihomed customer edge device in the network.

  • A physical interface.

See Configure Core Isolation Service Tracking and Actions for an L2 Interface for the steps to configure this feature.

Behavior and Limitations

Note the following runtime behaviors and limitations with this feature:

  • The network isolation group configuration detection stanza also has a link-tracking option to determine the state of a Layer 3 (L3) integrated routing and bridging (IRB) interface after network isolation conditions change. (See Set Network Isolation Status Parameters Used to Determine the IRB Interface State).

    In contrast, the service-tracking option tracks L2 interface status and performs the configured service-tracking-action on those L2 interfaces.

    You can only configure either the link-tracking option or the service-tracking option in a particular network isolation group and assign that as a network isolation profile. You can't configure both options in the same network isolation group.

  • When you configure this feature on a LAG or ESI LAG interface bundle, the device takes the configured action on each of its member links.

  • If the device is in already in a core isolation state and you configure core isolation service tracking with action link-down for a new interface, the device immediately brings that interface down.

  • The network isolation group configuration includes a hold timer (hold-time up) to delay before bringing the interfaces up when the core isolation state is resolved.

    The device maintains only one hold-time up timer for each network isolation group you configure. As a result, if you associate the network isolation group with a new interface while the timer is already running, the device brings up all of the interfaces in the group when the timer expires. The device doesn't reset the timer when you add another interface to the group.

    Note:

    We don't support the hold-time down timer option in the detection stanza with this core isolation service tracking feature.

  • If you enable core isolation service tracking when you also have configured the no-core-isolation option, the device will not bring any interfaces down upon detecting a core isolation condition. See Understanding When to Disable EVPN-VXLAN Core Isolation for details on using that option.

  • If you delete a network isolation group profile configuration from an interface, the device brings the interface up again immediately if it had previously brought the interface down due to a core isolation condition.

Configure Core Isolation Service Tracking and Actions for an L2 Interface

Configure the following elements to enable the core isolation service tracking feature for an interface:

  1. Configure the network isolation group:

    1. Enable core isolation service tracking in the detection stanza.

      content_copy zoom_out_map
      set protocols network-isolation group network-isolation-group-name detection service-tracking core-isolation

    2. Set a hold-time up timer value in the detection stanza. The device waits this number of milliseconds before setting the interface state to up again upon detecting that the core isolation condition is resolved.

      This feature has no default hold time, so you usually want to set a hold time greater than 0 so the device isn't excessively processing rapid status changes. Specify a value of 1 or more milliseconds.

      content_copy zoom_out_map
      set protocols network-isolation group network-isolation-group-name detection hold-time up ms

    3. Set the service tracking action in the network-isolation group network-isolation-group-name stanza. The available core isolation interface actions are to either do a hard shutdown on the interface or interfaces, or set interface status to LACP out-of-sync.

      content_copy zoom_out_map
      set protocols network-isolation group network-isolation-group-name service-tracking-action (link-down | lacp-out-of-sync)

  2. Assign the network isolation group to the desired interface or interfaces using the network-isolation-profile network-isolation-group-name statement at the [edit interfaces interface-name] hierarchy level.

    content_copy zoom_out_map
    set interfaces interface-name network-isolation-profile network-isolation-group-name

    For example, the following sample configuration stanza shows a network isolation profile assigned simply to a physical interface:

    content_copy zoom_out_map
    [edit]
interfaces {
    et-0/0/1 {
        network-isolation-profile network-isolation-group-name;
    }
}

    and the following sample configuration stanza shows a network isolation profile assigned to an ESI-LAG interface bundle:

    content_copy zoom_out_map
    [edit]

interfaces {
    ae1 {
        esi {
            00:11:22:33:44:55:66:77:88:99;
            all-active;
        }
        network-isolation-profile network-isolation-group-name;
    }
}

Related Documentation

arrow_backward PREVIOUS Determine IRB Interface State Changes from Local L2 Interface or Remote Connectivity Status in EVPN Fabrics
NEXT arrow_forward EVPN Proxy ARP and ARP Suppression, and Proxy NDP and NDP Suppression
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top