While it may not be applicable for C9K cases, but for N9K, if a VLAN has a silent host, you should redistribute the direct (SVI subnet) in the Tenant VRF. 

The problem is I have a layer 2 EVPN network, that is to say there are only type 2 host routes in BGP and no SVI's configured on the VTEPs. This layer 2 EVPN network is just connecting two segments of the same VLAN which are separated by a routed underlay network. In my scenario the VTEPs don't need to be involved in routing IP traffic for the subnet, we just need them to forward ethernet frames between the two sites, and replicate broadcast frames using the multicast underlay. The problem with a silent host (at least in the C9K implementation) is that VTEP on the silent side wil withdraw its BGP routes when the mac address times out taking down the VNI peering on the loud side. Once the VNI peering is gone the loud side VTEP doesn't seem to be able to use the multicast underlay to forward BUM traffic to the other side. Thus the loud hosts are not even able to "wake" the silent host with ARP to trigger BGP updates and bring up the VNI.

The creation of an SVI for the VLAN on the silent side (even with no IP address) seems to keep the mac address in the table and BGP up. I'm not sure what it's doing, it doesn't look like it should do anything, but it's clearly doing something. Ideally I don't want to deploy anycast gateway on every VTEP, and from the C9K guide on layer 2 EVPN it doesn't seem neccessary, or at least there is no mention of how to deal with silent hosts in the documentation.

Also:

• ARP suppression is only supported for a VNI if the VTEP hosts the First-Hop Gateway (Distributed Anycast Gateway) for this VNI. The VTEP and the SVI for this VLAN have to be properly configured for the distributed Anycast Gateway operation, for example, global Anycast Gateway MAC address configured and Anycast Gateway feature with the virtual IP address on the SVI.

• The ARP suppression setting must match across the entire fabric. For a specific VNID, all VTEPs must be either configured or not configured.

https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x/m_configuring_vxlan_bgp_evpn.html

So for suppress ARP anycast gateway should be configured across all VTEPs

It's been months since I raised this but since there was some traffic on this post I wanted to share some information. The answer provided by Pavel is correct.

Some pointers to keep others out of trouble...

An Anycast SVI needs to be configured on all leaf nodes (BGW/LEAF) where endpoints will connected to the VLAN. This is needed for ARP flows to function across the old/new switches properly. In my situation, the GW remained on the old routers on the old environment, so I didn't have an SVI on the LEAF switches yet. The plan was to bring this up as a Layer 3 cutover at a later point. So, if you get into this situation, and ARP suppression is on, configure a dummy unused IP on the LEAF nodes as an interim. This allows each LEAF node to resolve ARP for you even if ARP suppression is turned on.

When you move the gateway across to be on the VXLAN switches (i.e. as an Anycast gateway). Every leaf node (that has devices on the VLAN connected to it) needs the gateway IP configured on its respective Anycast SVI.

ARPs are not forwarded by LEAF nodes when ARP suppression is enabled. The first leaf node that sees the ARP will try ARP resolve but won't forward it to other LEAF nodes.

Get familiar with the "show bgp l2vpn evpn" command on Nexus switches. It shows you how the switch will route L2 traffic destined to IP (i.e. packets) and/or MAC address (i.e. frames). Very useful to understand whether ARP is working.

Run a "show arp" on each leaf node to understand whether ARP resolution is working on each LEAF node.

I can't recall the specifics on this from memory, but there is some funky stuff with running pings from LEAF nodes. Don't assume that a ping will work just because the LEAF node has the correct Anycast gateway on it. EVERY switch has the same IP and will intercept the response packets on return flows.

That's about all I can remember for the moment. I hope it helps.

>ARPs are not forwarded by LEAF nodes when ARP suppression is enabled. The first leaf node that sees the ARP will try ARP resolve but won't forward it to other LEAF nodes.

ARPs not forwarded in case if switch have a record in ARP cache. Otherwise, it should be forwarded as usual.

Also, couple useful commands for ARP suppression cache:

"ip arp suppression-cache clear remote vlan <vlan> <ip>"
"ip arp suppression-cache download remote vlan <vlan> <ip>"

>I can't recall the specifics on this from memory, but there is some funky stuff with running pings from LEAF nodes.

Indeed, it's not a valid test, as ping reply can be consumed by another switch with the same IP.

Two options here:

- ping from client to AGW

- configure Loopback with unique IP in tenant and use it as a source.