10-01-2020 04:24 AM - edited 10-01-2020 04:25 AM
Hello All - I am trying to understand what should be the L2 UNKNOWN UNICAST and ARP FLOODING in BD configuration for L3OUT configuration
L2 UNKNOWN UNICAST = Hardware Proxy / Flood
ARP FLOODING = Enabled / Disabled
regards, Sairam
Accepted Solutions
10-01-2020 10:34 AM
Hi @snarayanaraju ,
Maybe it will help to think of it this way.
When you associate your L3Out to your BD you are basically setting up advertising the subnet or subnets associated with your BD out that L3Out. Layer 3/Routing stuff right?
The Bridge Domain settings you are asking about have to do with the Layer 2 characteristics of your Bridge Domain (think Vlan if that helps).
- If your bridge domain is only connected to end hosts (servers etc. that are well behaved) then I always recommend leaving the BD optimized (no flooding). Take advantage of that capability in ACI!
L2 UNKNOWN UNICAST = Hardware Proxy
ARP FLOODING = Disabled
- If your bridge domain has external connectivity to, say, network devices or any host that needs to see the flooding, then disable the optimized behavior and enable flooding.
L2 UNKNOWN UNICAST = Flood
ARP FLOODING = Enabled
These settings relate more to the hosts on your Bridge Domain and what they need from a Layer 2 perspective rather than the L3Out, if that makes sense. That is what @balaji.bandi and @jgomezve have been explaining.
10-01-2020 12:43 PM - edited 10-01-2020 12:46 PM
As Claudia said, the BD settings are mostly dependent on the type of end hosts connected to that bridge domain. That said, if “silent hosts” are connected you should enable flooding on the BD.
However the ACI Fabric also uses ARP Gleaning and sends probe packets once the endpoint is about to be flushed. These features are activated when the BD has a Subnet and ‘Unicast Routing’ enabled.
Then I would say that a BD which is associated with a L3Out can be configured with Hardware Proxy and ‘ARP Flooding’ enabled to deal with silent hosts as it must have ‘Unicast Routing’ and a Subnet configured.
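The combinations discussed in the answers above can be checked mechanically. The following is an added example, not code from the thread or from Cisco: it classifies bridge domains by their `unkMacUcastAct`, `arpFlood` and `unicastRoute` attributes and flags a hardware-proxy BD that lacks the unicast routing and subnet on which ARP gleaning depends. The input is constructed sample data, assumed to have the shape of an APIC class query for `fvBD` with child objects; all BD, subnet and L3Out names are invented.

```python
import json

# Constructed sample shaped like an APIC class query for fvBD with children.
# BD, subnet and L3Out names are invented for illustration.
SAMPLE = json.loads("""{"imdata": [
 {"fvBD": {"attributes": {"name": "BD_servers", "unkMacUcastAct": "proxy",
                          "arpFlood": "no", "unicastRoute": "yes"},
           "children": [{"fvSubnet": {"attributes": {"ip": "10.1.1.1/24"}}},
                        {"fvRsBDToOut": {"attributes": {"tnL3extOutName": "L3Out_core"}}}]}},
 {"fvBD": {"attributes": {"name": "BD_legacy_l2", "unkMacUcastAct": "flood",
                          "arpFlood": "yes", "unicastRoute": "no"}}},
 {"fvBD": {"attributes": {"name": "BD_silent", "unkMacUcastAct": "proxy",
                          "arpFlood": "yes", "unicastRoute": "yes"},
           "children": [{"fvSubnet": {"attributes": {"ip": "10.1.2.1/24"}}}]}},
 {"fvBD": {"attributes": {"name": "BD_misconfigured", "unkMacUcastAct": "proxy",
                          "arpFlood": "no", "unicastRoute": "no"}}}
]}""")

PROFILES = {  # (L2 unknown unicast, ARP flooding) -> combination named in the thread
    ("proxy", "no"): "optimized (well-behaved end hosts)",
    ("flood", "yes"): "flooding (external devices / hosts that need flooding)",
    ("proxy", "yes"): "hardware proxy + ARP flooding (silent hosts)",
}

def audit_bd(bd):
    """Classify one fvBD object and list settings that conflict with the thread's advice."""
    attrs, kids = bd["attributes"], bd.get("children", [])
    routed = attrs["unicastRoute"] == "yes" and any("fvSubnet" in c for c in kids)
    l3outs = [c["fvRsBDToOut"]["attributes"]["tnL3extOutName"]
              for c in kids if "fvRsBDToOut" in c]
    key = (attrs["unkMacUcastAct"], attrs["arpFlood"])
    warnings = []
    if attrs["unkMacUcastAct"] == "proxy" and not routed:
        warnings.append("hardware proxy without unicast routing and a subnet: "
                        "ARP gleaning and endpoint probes are not active")
    if l3outs and not routed:
        warnings.append("L3Out associated but unicast routing or subnet missing")
    return {"name": attrs["name"], "profile": PROFILES.get(key, "unlisted combination"),
            "l3outs": l3outs, "warnings": warnings}

def audit(response):
    """Audit every fvBD object in a class-query style response."""
    return [audit_bd(item["fvBD"]) for item in response["imdata"] if "fvBD" in item]

if __name__ == "__main__":
    for result in audit(SAMPLE):
        print(result)
```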
10-01-2020 04:34 AM
Cisco ACI uses a behavior similar to that in traditional networks for L3Out connectivity. The Cisco ACI L3Out domain learns the MAC address only from the data plane. IP addresses are not learned from the data plane in an L3Out domain; instead, Cisco ACI uses ARP to resolve next-hop IP and MAC relationships to reach the prefixes behind external routers.
10-01-2020 05:34 AM
Thanks for responding. With that said, I should enable ARP Flooding. What about L2 Unknown Unicast? It should be in Flood or Hardware Proxy. As far as I know, Hardware Proxy should be DISABLED. Is that right?
10-01-2020 06:30 AM
yes it should be, any way it flood only respect EPG.
10-01-2020 07:51 AM
What do you mean by a BD in a L3OUT configuration? You mean a BD that is associated with a L3Out. In that case, most probably you have ‘unicast routing’ enabled and a Subnet configured, therefore it should be fine to disable ‘ARP Flooding’ and use ‘Hardware Proxy’.
Regards,
Jorge
10-01-2020 09:36 AM
Thank you Jorge. I meant BD because we attach the L3OUT to the BD under L3 Configuration where "Unicast Routing" is enabled and an IP address is configured.
The question is, in that BD what should be the configuration for L2 UNKNOWN UNICAST (Flood/Hardware Proxy) and ARP FLOODING (Disable/Enable)?
regards, sairam
10-01-2020 01:24 PM
Thanks everybody who shared their thoughts @balaji.bandi and @jgomezve and Claudia
