Proxy ARP

About Proxy ARP

Proxy ARP in Cisco ACI enables endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. Proxy ARP is aware of the location of the traffic destination, and offers its own MAC address as the final destination instead.

To enable Proxy ARP, intra-EPG endpoint isolation must be enabled on the EPG; see the following figure for details. For more information about intra-EPG isolation and Cisco ACI, see the Cisco ACI Virtualization Guide.

Figure 1. Proxy ARP and Cisco APIC

Proxy ARP within the Cisco ACI fabric is different from the traditional proxy ARP. As an example of the communication process, when proxy ARP is enabled on an EPG, if an endpoint A sends an ARP request for endpoint B and if endpoint B is learned within the fabric, then endpoint A will receive a proxy ARP response from the bridge domain (BD) MAC. If endpoint A sends an ARP request for endpoint B, and if endpoint B is not learned within the ACI fabric already, then the fabric will send a proxy ARP request within the BD. Endpoint B will respond to this proxy ARP request back to the fabric. At this point, the fabric does not send a proxy ARP response to endpoint A, but endpoint B is learned within the fabric. If endpoint A sends another ARP request to endpoint B, then the fabric will send a proxy ARP response from the BD MAC.

The following example describes the proxy ARP resolution steps for communication between clients VM1 and VM2:

  1. VM1 to VM2 communication is desired.

    Figure 2. VM1 to VM2 Communication is Desired.
    Table 1. ARP Table State

    Device        State
    VM1           IP = *; MAC = *
    ACI fabric    IP = *; MAC = *
    VM2           IP = *; MAC = *

  2. VM1 sends an ARP request with a broadcast MAC address to VM2.

    Figure 3. VM1 sends an ARP Request with a Broadcast MAC address to VM2
    Table 2. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = ?
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
    VM2           IP = *; MAC = *

  3. The ACI fabric floods the proxy ARP request within the bridge domain (BD).

    Figure 4. ACI Fabric Floods the Proxy ARP Request within the BD
    Table 3. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = ?
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
    VM2           IP = VM1 IP; MAC = BD MAC

  4. VM2 sends an ARP response to the ACI fabric.

    Figure 5. VM2 Sends an ARP Response to the ACI Fabric
    Table 4. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = ?
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
    VM2           IP = VM1 IP; MAC = BD MAC

  5. VM2 is learned.

    Figure 6. VM2 is Learned
    Table 5. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = ?
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
                  IP = VM2 IP; MAC = VM2 MAC
    VM2           IP = VM1 IP; MAC = BD MAC

  6. VM1 sends an ARP request with a broadcast MAC address to VM2.

    Figure 7. VM1 Sends an ARP Request with a Broadcast MAC Address to VM2
    Table 6. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = ?
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
                  IP = VM2 IP; MAC = VM2 MAC
    VM2           IP = VM1 IP; MAC = BD MAC

  7. The ACI fabric sends a proxy ARP response to VM1.

    Figure 8. ACI Fabric Sends a Proxy ARP Response to VM1
    Table 7. ARP Table State

    Device        State
    VM1           IP = VM2 IP; MAC = BD MAC
    ACI fabric    IP = VM1 IP; MAC = VM1 MAC
                  IP = VM2 IP; MAC = VM2 MAC
    VM2           IP = VM1 IP; MAC = BD MAC
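
The resolution sequence in steps 1 through 7, modeled as a small Python state machine. This is an added illustration, not Cisco code; the Fabric and Host classes, the resolve helper, and every IP and MAC value (including BD_MAC) are constructed for the example.

```python
BD_MAC = "02:00:00:00:bd:01"   # constructed placeholder for the bridge domain MAC


class Fabric:
    """Hypothetical model of the fabric's endpoint learning and proxy ARP replies."""

    def __init__(self, bd_mac=BD_MAC):
        self.bd_mac = bd_mac
        self.endpoints = {}                      # IP -> MAC learned by the fabric

    def arp_request(self, src_ip, src_mac, target_ip):
        """An endpoint broadcasts 'who has target_ip?'. Returns (action, detail)."""
        self.endpoints[src_ip] = src_mac         # step 2: the requester is learned
        if target_ip in self.endpoints:
            # step 7: the fabric answers for the target, offering the BD MAC
            return ("proxy-reply", {"ip": target_ip, "mac": self.bd_mac})
        # step 3: target unknown, so the fabric floods its own request in the BD;
        # the requester receives no answer to this first request
        return ("flood", {"ip": target_ip, "sender_ip": src_ip,
                          "sender_mac": self.bd_mac})

    def arp_response(self, src_ip, src_mac):
        """Steps 4-5: the target answers the flooded request and is learned."""
        self.endpoints[src_ip] = src_mac


class Host:
    def __init__(self, ip, mac):
        self.ip, self.mac, self.arp_cache = ip, mac, {}


def resolve(fabric, src, dst, max_tries=2):
    """Run src's ARP resolution for dst; return how many requests src had to send."""
    for attempt in range(1, max_tries + 1):
        action, detail = fabric.arp_request(src.ip, src.mac, dst.ip)
        if action == "proxy-reply":
            src.arp_cache[detail["ip"]] = detail["mac"]
            return attempt
        # dst sees the flooded request, caches the sender as BD MAC, and replies
        dst.arp_cache[detail["sender_ip"]] = detail["sender_mac"]
        fabric.arp_response(dst.ip, dst.mac)
    return None
```

After `resolve(fabric, vm1, vm2)` both hosts hold the BD MAC for each other, and only the fabric's endpoint table holds the real MAC addresses, which matches Table 7.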

Guidelines and Limitations

Consider these guidelines and limitations when using Proxy ARP:

  • Proxy ARP is supported only on isolated EPGs. If an EPG is not isolated, a fault will be raised. For communication to happen within isolated EPGs with proxy ARP enabled, you must configure uSeg EPGs. For example, within the isolated EPG, there could be multiple VMs with different IP addresses, and you can configure a uSeg EPG with IP attributes matching the IP address range of these VMs.

  • ARP requests from isolated endpoints to regular endpoints and from regular endpoints to isolated endpoints do not use proxy ARP. In such cases, endpoints communicate using the real MAC addresses of destination VMs.

Proxy ARP Supported Combinations

The following proxy ARP table provides the supported combinations:

ARP From/To                             Regular EPG    Isolated Enforced EPG with Proxy ARP
Regular EPG                             ARP            ARP
Isolated Enforced EPG with Proxy ARP    ARP            Proxy ARP

Configuring Proxy ARP Using the Advanced GUI

Before you begin

  • The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.

  • Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

Procedure


Step 1. On the menu bar, click Tenant > Tenant_name.

Step 2. In the Navigation pane, expand Tenant_name > Application Profiles > Application_Profile_name > Application EPGs, right-click to open the Create Application EPG dialog box, and perform the following actions in the dialog box:

  1. In the Name field, add an EPG name.

Step 3. In the Intra EPG Isolation field, choose Enforced.

When Intra EPG isolation is enforced, the Forwarding Control field becomes available.

Step 4. In the Forwarding Control field, check the check box for proxy-arp.

This enables proxy-arp.

Step 5. In the Bridge Domain field, choose the appropriate bridge domain to associate from the drop-down list.

Step 6. Choose the remaining fields in the dialog box as appropriate, and click Finish.


Configuring Proxy ARP Using the Cisco NX-OS Style CLI

Before you begin

  • The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.

  • Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

Procedure

Step 1. configure
    Purpose: Enters configuration mode.
    Example:
    apic1# configure

Step 2. tenant tenant-name
    Purpose: Enters the tenant configuration mode.
    Example:
    apic1(config)# tenant Tenant1

Step 3. application application-profile-name
    Purpose: Creates an application profile and enters the application mode.
    Example:
    apic1(config-tenant)# application Tenant1-App

Step 4. epg application-profile-EPG-name
    Purpose: Creates an EPG and enters the EPG mode.
    Example:
    apic1(config-tenant-app)# epg Tenant1-epg1

Step 5. proxy-arp enable
    Purpose: Enables proxy ARP.
    Note: You can disable proxy-arp with the no proxy-arp command.
    Example:
    apic1(config-tenant-app-epg)# proxy-arp enable

Step 6. exit
    Purpose: Returns to application profile mode.
    Example:
    apic1(config-tenant-app-epg)# exit

Step 7. exit
    Purpose: Returns to tenant configuration mode.
    Example:
    apic1(config-tenant-app)# exit

Step 8. exit
    Purpose: Returns to global configuration mode.
    Example:
    apic1(config-tenant)# exit

Examples

This example shows how to configure proxy ARP.


apic1# conf t
apic1(config)# tenant Tenant1
apic1(config-tenant)# application Tenant1-App
apic1(config-tenant-app)# epg Tenant1-epg1
apic1(config-tenant-app-epg)# proxy-arp enable
apic1(config-tenant-app-epg)# exit
apic1(config-tenant-app)# exit
apic1(config-tenant)# exit

Configuring Proxy ARP Using the REST API

Before you begin

  • Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

Procedure


Configure proxy ARP.

Example:


<polUni>
  <fvTenant name="Tenant1" status="">
    <fvCtx name="EngNet"/>
    <!-- bridge domain -->
    <fvBD name="BD1">
        <fvRsCtx tnFvCtxName="EngNet" />
        <fvSubnet ip="1.1.1.1/24"/>
    </fvBD>   
    <fvAp name="Tenant1_app">
        <fvAEPg name="Tenant1_epg" pcEnfPref="enforced" fwdCtrl="proxy-arp">
            <fvRsBd tnFvBDName="BD1" />
            <fvRsDomAtt tDn="uni/vmmp-VMware/dom-dom9"/>
        </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
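
A pre-deployment check for the rule stated under Guidelines and Limitations (proxy ARP is supported only on isolated EPGs), applied to a REST payload shaped like the one above. This is an added example, not Cisco code; lint_proxy_arp and the sample EPG names are hypothetical, and treating fwdCtrl as a comma-separated flag list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample payload: epg_ok follows the page's rule, epg_bad does not.
SAMPLE = """
<polUni>
  <fvTenant name="Tenant1">
    <fvAp name="Tenant1_app">
      <fvAEPg name="epg_ok" pcEnfPref="enforced" fwdCtrl="proxy-arp">
        <fvRsBd tnFvBDName="BD1"/>
      </fvAEPg>
      <fvAEPg name="epg_bad" pcEnfPref="unenforced" fwdCtrl="proxy-arp">
        <fvRsBd tnFvBDName="BD1"/>
      </fvAEPg>
      <fvAEPg name="epg_plain"/>
    </fvAp>
  </fvTenant>
</polUni>
"""


def lint_proxy_arp(xml_text):
    """Return (tenant, app, epg, problem) tuples for EPGs that request proxy ARP
    without intra-EPG isolation enforced or without a bridge domain relation."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A malformed attribute (e.g. '-' typed instead of '=') ends up here.
        return [(None, None, None, f"payload is not well-formed XML: {exc}")]
    findings = []
    for tenant in root.iter("fvTenant"):
        for app in tenant.iter("fvAp"):
            for epg in app.iter("fvAEPg"):
                # Assumption: fwdCtrl may carry several comma-separated flags.
                flags = [f.strip() for f in epg.get("fwdCtrl", "").split(",")]
                if "proxy-arp" not in flags:
                    continue
                where = (tenant.get("name"), app.get("name"), epg.get("name"))
                if epg.get("pcEnfPref") != "enforced":
                    findings.append(where + ("proxy-arp set but pcEnfPref is not 'enforced'",))
                if epg.find("fvRsBd") is None:
                    findings.append(where + ("no fvRsBd bridge domain relation",))
    return findings
```

Running the check before posting the payload reports the misconfigured EPG locally instead of relying on the fault the fabric raises afterward.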