12-04-2024 11:49 PM
Does the Subject feature make sense to be turned on if, let's say, some MAC within an L2VN generates multiple ARP entries on the EdgeNode?
It's a pure L2VN with no IPv4 EID space in the Fabric.
12-05-2024 12:22 AM
There is no need for multiple IP-to-MAC entries, since IP isn't involved in forwarding the frames in the overlay.
12-05-2024 01:52 AM - edited 12-07-2024 03:11 AM
Thanks man, I was of the same thought. JFYI, why the question arose: in one account we have an L2VN with the DGW (FW) outside of the Fabric, and within that L2VN there is an endpoint doing NAT from an isolated network into the subject L2VN. Expectedly, there are multiple IPs on the same MAC. The application doesn't work reliably. Some investigation discovered that on the attached EdgeNode the device fails to respond to ARP queries from the FW, with an interesting observation: there are never more than 4 ARP entries for the NAT'ed IPs on the EdgeNode at any specific time.
UPD. We made a local SPAN and it's clear that the NAT'ing device responds to each and every ARP query. From this point it looks like something is wrong on the EdgeNode.
12-07-2024 08:42 AM - edited 12-07-2024 08:46 AM
What is the output of "show run | sec instance-id" for the relevant instance on the edge node? I wonder if "flood arp-nd" could be missing.
12-07-2024 01:45 AM - edited 12-07-2024 08:32 AM
No problem! Interesting setup and an interesting problem. This can probably be solved by enabling L2 flooding, but it should "just work" AFAIK. I'm going to reproduce it in my lab this evening.
12-07-2024 11:53 AM
@Torbjørn An L2VN with the GW outside of the fabric has L2 flooding enabled by default.
12-09-2024 03:20 AM
You're right, I thought it was only ARP that would be flooded by default.
I'm curious. Did you get any further on this?
12-09-2024 03:31 AM
Still under troubleshooting with Cisco TAC. Will update the post as soon as there is a resolution.
12-10-2024 10:36 AM
So... it happened to be device-tracking policy dependent.
Default stuff for a pure L2VN (worth reading more details on device-tracking in the Security Configuration Guide, Cisco IOS XE Dublin 17.10.x (Catalyst 9200 Switches) - Configuring Switch Integrated Security Features [Support] - Cisco):
#sh device-tracking policy LISP-DT-GLEAN-VLAN
Device-tracking policy LISP-DT-GLEAN-VLAN configuration:
security-level glean
device-role node
gleaning from Neighbor Discovery
gleaning from DHCP6
gleaning from ARP
gleaning from DHCP4
NOT gleaning from protocol unkn
limit address-count for IPv4 per mac 4 <<<
limit address-count for IPv6 per mac 12
origin fabric
tracking enable reachable-lifetime 240
"origin fabric" dictates that it is dependent on the LISP config for the instance and therefore dependent on the Subject feature.
One option is to configure a LISP-independent policy. Will keep updating.
12-12-2024 07:28 AM
The temporary solution is to enable the feature (the "dynamic-eid detection multiple-addr" statement) on the affected EN under router lisp / service ethernet of the corresponding L2VN instance.
Because an arbitrary L2VN's (VLAN's) tracking policy is locked to the instance, adding a custom policy won't be of help, as the preference for the entry limits will be that of the built-in policy...
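Putting the thread's findings together as an added IOS XE CLI sequence for checking and applying the workaround. This is an illustration written for this page, not configuration posted by any participant: the instance-id 8190, VLAN 1030 and the NAT device MAC 0011.2233.4455 are made up, and the placement of the dynamic-eid statement follows the post above ("router lisp / service ethernet" of the L2VN instance) rather than a verified configuration reference, so check it against the guide for your release.

```cisco
! 1. Confirm which device-tracking policy the L2VN VLAN inherited and its per-MAC
!    limit. On the EN in the thread the fabric-origin policy shows
!    "limit address-count for IPv4 per mac 4" (this is the value that matters).
show device-tracking policy LISP-DT-GLEAN-VLAN

! 2. List the IPv4 bindings currently held for the NAT device's MAC
!    (made-up address). If exactly 4 are present while the NAT pool behind it
!    is larger, the per-MAC limit is the suspect, as in the thread.
show device-tracking database | include 0011.2233.4455

! 3. Look at the LISP ethernet instance backing the L2VN (instance-id made up).
show run | section instance-id 8190

! 4. Workaround from the thread (described there as temporary): enable
!    multiple-address detection for dynamic EIDs on the affected EN only.
configure terminal
router lisp
 instance-id 8190
  service ethernet
   dynamic-eid detection multiple-addr
end

! 5. Re-check after the FW has ARPed for the NAT'ed IPs again; the expected
!    outcome from the thread is that the bindings for this MAC are no longer
!    capped at 4.
show device-tracking database | include 0011.2233.4455
```

Two things worth keeping in mind when applying this. First, as the post above notes, attaching a custom device-tracking policy to the VLAN does not override the fabric-origin policy's limits, so the LISP-side statement is the lever, not a new policy. Second, the per-MAC address cap in SISF exists to bound how many bindings a single host can claim in the binding table; relaxing it is appropriate for a known NAT or gateway device, but scope the change to the affected L2VN instance rather than treating it as a global default.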
12-12-2024 10:48 AM
That is interesting. Thank you for updating the thread!