Address Resolution Protocol (ARP) Suppression

ARP traffic makes up a large percentage of broadcast traffic within data centers. This traffic is even more taxing when multiple overlay networks share a common underlay network—as is the case with tunneling technologies like VXLAN. Therefore it is desirable to reduce ARP traffic.

This can be done by allowing Virtual Tunnel End Points (VTEPs) to proxy ARP requests and reply on behalf of the remote endpoint. VTEPs snoop ARP replies exiting the virtual network tunnel to learn the remote endpoint's IP-to-MAC mapping. The VTEP stores this in its ARP cache for the tenant VLAN. Snooped ARP entries are viewable with the normal iparp commands for the tenant VLAN. VTEPs also snoop gratuitous ARPs exiting the tunnel; these may also cause the ARP cache to be updated. ARP entries are also learned from frames entering the tunnel from the tenant VLAN.

When a VTEP intercepts an ARP request, it attempts to look up the IP address in its ARP cache. If an ARP cache entry is found, the VTEP does an immediate ARP reply to the requester; this avoids flooding to both the VLAN and remote tunnel endpoints. The source MAC in the reply is that of the remote endpoint for which the VTEP is proxying the request. On an ARP cache miss, the VTEP floods the request on the VLAN and to the remote tunnel endpoints. Additionally, the VTEP may answer an ARP request on behalf of a locally attached tenant if the tenant is on a different port than the one the ARP request was received on; this is proxying within the tenant VLAN.

ARP features enabled on the tenant VR (for example, gratuitous protect) may provoke actions for ARPs exiting the tunnel. These features should behave the same for local ARPs and ARPs processed from the tunnel. This includes configurable options such as timers and refresh.

This feature may be used even if the tenant VLAN does not have an IP interface. In that case, ARP cache entries are still learned. If an entry needs to be refreshed, the ARP request is sent with a source protocol address of all zeros. This is functionally equivalent to an ARP probe. This feature is disabled by default for configured virtual networks.
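
The snooping, proxy-reply, flood-on-miss and all-zeros refresh behavior described above can be modeled on real 28-byte ARP payloads. This is an added example, not code from the switch software; the Vtep class, its method names, the port labels and the sample addresses are assumptions made for illustration.

```python
import socket, struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype ptype hlen plen oper sha spa tha tpa
REQUEST, REPLY = 1, 2
ZERO_IP, ZERO_MAC = bytes(4), bytes(6)
ip = socket.inet_aton
mac = lambda s: bytes.fromhex(s.replace(":", ""))

def build_arp(oper, sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)

def parse_arp(payload):
    f = struct.unpack(ARP_FMT, payload[:28])
    if f[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    return f[4:]             # (oper, sha, spa, tha, tpa)

class Vtep:
    """Hypothetical model of one tenant VLAN's suppression state."""
    def __init__(self):
        self.cache = {}      # IP -> (MAC, learned from "tunnel" or a local port)

    def snoop(self, payload, source):
        """Learn sender IP->MAC: replies and gratuitous ARPs exiting the
        tunnel, any ARP from a local port. Probes (sender IP 0) teach nothing."""
        oper, sha, spa, tha, tpa = parse_arp(payload)
        if spa != ZERO_IP and (source != "tunnel" or oper == REPLY or spa == tpa):
            self.cache[spa] = (sha, source)

    def handle_request(self, payload, in_port):
        """Return ("reply", arp) on a usable cache hit, else ("flood", payload)."""
        oper, sha, spa, tha, tpa = parse_arp(payload)
        entry = self.cache.get(tpa)
        # Proxy only if the owner is not on the port the request arrived on.
        if entry and entry[1] != in_port:
            return "reply", build_arp(REPLY, entry[0], tpa, sha, spa)
        return "flood", payload

    def refresh_probe(self, vtep_mac, target_ip):
        # No IP interface on the tenant VLAN: sender protocol address is all zeros.
        return build_arp(REQUEST, vtep_mac, ZERO_IP, ZERO_MAC, target_ip)

# Constructed sample addresses (not from the original page)
REMOTE_IP, REMOTE_MAC = ip("10.0.0.20"), mac("02:00:00:00:00:20")
LOCAL_IP, LOCAL_MAC = ip("10.0.0.10"), mac("02:00:00:00:00:10")

def demo():
    vtep = Vtep()
    vtep.snoop(build_arp(REPLY, REMOTE_MAC, REMOTE_IP, LOCAL_MAC, LOCAL_IP), "tunnel")
    ask = lambda t: build_arp(REQUEST, LOCAL_MAC, LOCAL_IP, ZERO_MAC, ip(t))
    return vtep.handle_request(ask("10.0.0.20"), "port1"), vtep.handle_request(ask("10.0.0.99"), "port1")
```

In this model a later snooped reply for the same IP overwrites the cached entry, so the proxied answer is only as trustworthy as the frames the cache was learned from.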

To enable/disable ARP suppression on a VXLAN tenant VLAN, use the following command:

configure vlan vlan_name suppress [arp-only | none]

To configure the filter mode for ARP suppression, use the following command:

configure forwarding iparp suppression filters [per-port | per-vlan]

To view ARP information, use the following command:

show iparp {ip_addr | mac | [{vlan} vlan_name | vlan vlan_list] | permanent} {port port} {vr vr_name}