Verifying and Disabling Proxy ARP and ARP Suppression for the Edge-Routed Bridging Overlay
Verifying Proxy ARP and ARP Suppression for the Edge-Routed Bridging Overlay
Proxy ARP and ARP suppression are enabled by default on the QFX10000 line of switches, so there is no configuration needed to enable these features. To verify proxy ARP is working on supported devices and ARP suppression prevents other leaf devices from seeing the ARP requests, perform the following:
- Select a remote end system entry to verify that proxy
ARP is enabled on a supported leaf device. In this example, Leaf 10
is a QFX10002 switch.
user@leaf-10> show arp no-resolve expiration-time | match 10.1.4.20102:0c:10:04:02:01 10.1.4.201 irb.500 [.local..9] none 1157
- Verify that the entry was learned from a remote leaf device.
In this case, the ARP entry was learned from Leaf 4 and 5.
user@leaf-10> show evpn database mac-address 02:0c:10:04:02:01 extensiveInstance: default-switch VN Identifier: 50000, MAC address:: 02:0c:10:04:02:01 Source: 00:00:00:00:00:00:51:10:00:01, Rank: 1, Status: Active Remote origin: 192.168.1.4 # Leaf 4 Remote origin: 192.168.1.5 # Leaf 5 Timestamp: Sep 11 00:37:32 (0x59b63d3c) State: <Remote-To-Local-Adv-Done> IP address: 10.1.4.201 Remote origin: 192.168.1.4 Remote origin: 192.168.1.5 IP address: 2001:db8::10:1:4:201 Flags: <Proxy> Remote origin: 192.168.1.4 Remote origin: 192.168.1.5 History db: Time Event Sep 11 00:37:33 2017 Active ESI unchanged (00:00:00:00:00:00:51:10:00:01) Sep 11 00:37:33 2017 Updating output state (change flags 0x0) Sep 11 00:37:33 2017 Advertisement route cannot be created (no local state present) Sep 11 00:37:33 2017 Updating output state (change flags 0x0) Sep 11 00:37:33 2017 Advertisement route cannot be created (no local source present) Sep 11 00:37:33 2017 IP host route cannot be created (No remote host route for non-MPLS instance) Sep 11 00:37:33 2017 Updating output state (change flags 0x4000 <IP-Peer-Added>) Sep 11 00:37:33 2017 Creating MAC+IP advertisement route for proxy Sep 11 00:37:33 2017 IP host route cannot be created (No remote host route for non-MPLS instance) Sep 11 00:37:33 2017 Clearing change flags <IP-Peer-Added> - Send an ARP Request and verify that the ARP reply is generated.
user@leaf-10> monitor traffic interface irb no-resolveverbose output suppressed, use <detail> or <extensive> for full protocol decode Address resolution is OFF. Listening on irb, capture size 96 bytes 00:43:01.881508 In arp who-has 10.1.4.201 tell 10.1.4.202 00:43:01.881569 Out arp reply 10.1.4.201 is-at 02:0c:10:04:02:01 00:43:02.081404 In arp who-has 10.1.4.201 tell 10.1.4.202 ## The next entry is the MAC address from the operational mode command issued in Step 2. 00:43:02.081466 Out arp reply 10.1.4.201 is-at 02:0c:10:04:02:01
- Verify that ARP is suppressed in the remote leaf device.
Note: There is no ARP request connecting Leaf 4 to any other leaf
in the segment.
user@leaf-4> monitor traffic interface irb no-resolveverbose output suppressed, use <detail> or <extensive> for full protocol decode Address resolution is OFF. Listening on irb, capture size 96 bytes ^C 0 packets received by filter 0 packets dropped by kernel
Disabling Proxy ARP and ARP Suppression for the Edge-Routed Bridging Overlay
To override the default settings for the QFX10000 line of switches and disable proxy ARP and ARP suppression, you must configure the leaf device.
When disabling ARP suppression, be aware of the following implications
Even though it finds the MAC-IP address binding in its database, the device floods an ARP request through the Ethernet bridging domain. Therefore, we recommend that ARP suppression remains enabled.
Disabling the suppression of ARP packets on a PE device essentially disables the proxy ARP functionality. Therefore, we recommend that ARP suppression remains enabled.
To disable proxy ARP and ARP suppression, and verify this change, perform the following:
- Configure the local leaf device (Leaf 10 in this example)
to disable proxy ARP and ARP suppression.
Leaf 10:
set vlans VNI_50000 no-arp-suppressioncommit - Send an ARP Request and verify that ARP is not being suppressed.
user@leaf-10> show arp no-resolve expiration-time | match 10.1.4.201## Leaf 10 shows there is an ARP request for 10.1.4.201, which is connected to Leaf 4. 02:0c:10:04:02:01 10.1.4.201 irb.500 [.local..9] none 1066
user@leaf-10> monitor traffic interface irb no-resolveverbose output suppressed, use <detail> or <extensive> for full protocol decode Address resolution is OFF. Listening on irb, capture size 96 bytes ## The ARP request from 10.1.4.202 intended for 10.1.4.201 is ingress replicated and sent to all leaf devices. 00:51:42.455797 In arp who-has 10.1.4.201 tell 10.1.4.202 00:51:42.697881 In arp who-has 10.1.4.201 tell 10.1.4.202 00:51:42.855720 In arp who-has 10.1.4.201 tell 10.1.4.202 00:51:43.055561 In arp who-has 10.1.4.201 tell 10.1.4.202
Note Notice that no ARP replies are being received by Leaf 10.
- Verify that the ARP Request is flooded to all leaf devices.
user@leaf-4> monitor traffic interface irb no-resolveverbose output suppressed, use <detail> or <extensive> for full protocol decode Address resolution is OFF. Listening on irb, capture size 96 bytes ## This next request is coming from Leaf 10. 00:50:58.867745 In arp who-has 10.1.4.201 tell 10.1.4.202 00:50:59.067914 In arp who-has 10.1.4.201 tell 10.1.4.202 00:50:59.268015 In arp who-has 10.1.4.201 tell 10.1.4.202 00:50:59.467997 In arp who-has 10.1.4.201 tell 10.1.4.202 00:50:59.668098 In arp who-has 10.1.4.201 tell 10.1.4.202 00:50:59.868231 In arp who-has 10.1.4.201 tell 10.1.4.202