This feature provides support to configure ARP-suppression on the switch.
Network Virtualization Overlay (NVO) is a solution in which an overlay network is used to extend L2 connectivity among VMs belonging to a tenant segment (or virtual network) over an underlay IP network.
This feature encapsulates the tenant payload within an IP packet at the originating end-point (ingress VTEP) and decapsulates the packets to access the payload at the destination end-point (egress VTEP). VXLAN is an example of NVO encapsulation.
Ethernet Virtual Private Network (EVPN) is a standards-based technology that is used to exchange control-plane information between the VTEPs. This control-plane information is exchanged using BGP, instead of manual configuration or flooding and learning in hardware. EVPN supports exchange of tenant IP-MAC binding between all VTEPs as part of its Type-2 route.
ARP suppression provides an option to minimize the flooding of tenant ARP, NS, or NA packets across the underlay IP fabric to all the remote VTEPs, saving both underlay bandwidth and CPU cycles on the end hosts. It requires each VTEP to maintain a cache of all the remote tenant IP-MAC bindings, so that when an ARP-request or NS is received for a remote tenant host within the tenant IP subnet (within the virtual network), the ingress VTEP can retrieve the remote IP-MAC binding from its cache and respond on behalf of the remote host instead of flooding the ARP-request or NS. This optimization is called ARP-suppression.
ARP flooding can occur for the initial ARP request to a silent host in the network. The VTEPs in the network do not see any traffic from the silent host until another host sends an ARP request for its IP address and an ARP response is sent back.
After the local VTEP learns the MAC and IP addresses of the silent host, the information is distributed through the BGP-EVPN control-plane to all other VTEPs. Subsequent ARP requests do not need to be flooded. Most end hosts send GARP or RARP requests to announce themselves to the network immediately after they come online.
The local VTEP immediately has the opportunity to learn their MAC and IP addresses and distribute this information to other VTEPs through the BGP-EVPN control-plane. As a result, most active IP hosts in VXLAN EVPN are known to the VTEPs either through local learning or through control-plane-based remote learning. ARP-suppression therefore reduces the network flooding caused by host ARP learning behavior.
You can use the following figure to understand how OS10 learns a host's MAC-IP binding by snooping the ARP or ND exchanges between hosts. Every VTEP learns the MAC-IP bindings of the hosts present on its local access ports and updates the ARP-cache locally. These bindings are exchanged with other VTEPs through BGP-EVPN. Only MAC-IP bindings corresponding to local hosts are learned through packet snooping. MAC-IP bindings corresponding to remote hosts are learned through BGP-EVPN.
Both kinds of MAC-IP bindings are updated in the same ARP cache. After the VTEPs learn the MAC-IP bindings of both local and remote hosts, the VTEPs can avoid flooding the broadcast ARP-request or multicast NS received on any access port by proxy-replying to the originator on behalf of the local or remote host. This reduces the flooding of ARP-requests or NS to all other VTEPs where the host is not present. It also reduces network bandwidth utilization and the CPU cycles of the actual end host and of other hosts, which would otherwise unnecessarily process and discard the transient ARP-request or NS.
In the figure, gratuitous-ARP is used as an example to show how the ARP-snooping module learns a host's MAC-IP binding. The snooper module also learns from other packets (ARP-request, ARP-reply, and NA).
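The behavior described above, as an added illustration that is not part of the OS10 documentation or software: a small model of one VTEP's ARP cache that snoops ARP frames from local hosts (GARP included), installs remote bindings as they would arrive in EVPN Type-2 routes, and proxy-replies to an ARP-request only when the target binding is already cached, flooding otherwise (the silent-host case). The frame builder, parser and cache class are assumed names; all MACs and IPs in the test are constructed sample values.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BCAST = bytes.fromhex("ffffffffffff")

def build_arp(op, smac, sip, tmac, tip, dst=None):
    """Build a 42-byte Ethernet+ARP frame (hardware type 1, IPv4, 6/4 byte addresses)."""
    dst = BCAST if dst is None else dst
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return dst + smac + struct.pack("!H", ETH_P_ARP) + arp_hdr + smac + sip + tmac + tip

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return op, frame[22:28], frame[28:32], frame[38:42]

class VtepArpCache:
    """Per-VTEP MAC-IP cache: local entries come from snooping, remote entries from EVPN Type-2."""
    def __init__(self):
        self.bindings = {}  # ip (4 bytes) -> (mac, "local" | "remote")

    def snoop(self, frame):
        """Learn a local host's binding from any ARP it sends (GARP, request or reply)."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        _, smac, sip, _ = parsed
        self.bindings[sip] = (smac, "local")
        return True

    def learn_type2(self, mac, ip):
        """Install a remote host's binding as received in a BGP-EVPN Type-2 route."""
        self.bindings[ip] = (mac, "remote")

    def handle_request(self, frame):
        """Decide what the ingress VTEP does with an ARP-request from an access port.

        Returns ("proxy", reply_frame) when the target is cached, else ("flood", frame)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REQUEST:
            return ("flood", frame)
        _, smac, sip, tip = parsed
        self.snoop(frame)                       # the requester itself is a local host
        if sip == tip or tip not in self.bindings:
            return ("flood", frame)             # GARP announcement, or silent host
        tmac, _ = self.bindings[tip]
        return ("proxy", build_arp(ARP_REPLY, tmac, tip, smac, sip, dst=smac))
```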
Restrictions and limitations
Following are the restrictions and limitations that apply for this feature:
ARP-suppression is not supported on the S4200-ON and Z9664F-ON platforms.
ARP suppression must be disabled in the following scenarios:
The same host IP is mapped to multiple MACs and the hosts are learned in an L2 VN deployment.
Adaptive Load Balancing (ALB) is configured in an L2 VN deployment.
Impact on software upgrade or downgrade
There is no impact on software upgrades or downgrades because of the ARP-suppression feature.
The ARP-suppression feature is an optimization that reduces the flooding of ARP or NS packets in the VXLAN network. It therefore interoperates with other VTEPs that run older software versions that do not support ARP-suppression.
You can upgrade the VLT-nodes with ARP-suppression-capable software one after the other without any impact. Until the other VLT-node is upgraded, the upgraded VLT-node snoops the ARP or ND packets and performs proxy-replies for ARP-request or NS packets received on that node. After the other VLT-node is upgraded, VLT-sync synchronizes the snooped MAC-IP bindings of local hosts.
Configuration notes
The ARP-suppression feature is disabled by default.
ARP-suppression is supported only on VxLAN bridges (Virtual network interfaces) and is not supported on legacy VLAN bridges.
ARP-suppression is supported on both Layer 2 and Layer 3 VxLAN bridges.
ARP-suppression is supported on both asymmetric and symmetric BGP-EVPN modes.
Disable ARP-suppression globally using the following command in the EVPN configuration mode:
OS10(config-evpn)# arp-nd-suppression disable
Reenable ARP-suppression using the following command:
OS10(config-evpn)# no arp-nd-suppression disable
VLT functionality
VLT-sync for L2-VXLAN bridges is enabled in OS10, so that snooped ARP-entries are synchronized between VLT-nodes.
ARP-requests sent by a local host are proxy-replied only by the first VLT-node that receives them.
ARP-requests received on the VLTi link are not proxy-replied; these requests are flooded to other virtual network interfaces following the VLT and VXLAN split-horizon rules.
If there is a VLTi link failure, there is no change in the existing behavior.
After clearing ARP or IPv6 neighbor entries on VLT peers, learning of ARP or IPv6 neighbors through ARP-request or neighbor solicitation frames from a host to the gateway (virtual IP) happens only on the VLT peer that receives the frame. The other VLT peer learns the ARP or IPv6 neighbor once traffic hits that node or the ARP/IPv6 neighbor resolution packets hash to it.