The following guidelines and limitations apply to dataplane IP address learning per VRF instance, bridge domain subnet, and EPG subnet:

• When dataplane IP address learning is disabled, all the remote IP address entries in the tenant VRF instance are removed. The local IP entries are aged out and, subsequently, will not be re-learned through the dataplane, but can still be learned from the control plane.

• When dataplane IP address learning is disabled, already learned local IP endpoints are retained and require control plane refreshes (ARP) to be kept alive (assuming IP aging is also enabled). Dataplane Layer 3 traffic will not keep IP endpoints alive.

• For EPG-to-EPG intra-VRF instance Layer 3 traffic, the policy is always applied on the egress leaf switch because the ingress leaf switch cannot resolve the destination class. The remote IP address is not learned.

• For EPG-to-EPG intra-VRF instance Layer 2 traffic, the policy can be applied on the ingress leaf switch because the switch can still learn the remote MAC address, but not the remote IP address.

• When dataplane IP address learning is enabled for an endpoint or subnet, a dataplane IP address is not learned using an endpoint-to-endpoint ARP request that does not reach a CPU. However, an ARP request to a bridge domain SVI gateway is still learned.

• When dataplane IP address learning is enabled for a VRF instance, local and remote MAC addresses are learned using an endpoint-to-endpoint ARP request.

The following guidelines and limitations apply to disabling dataplane IP address learning per endpoint or subnet:

• If there is communication between endpoints in the same bridge domain, the L2 unknown Unicast property must be set to Flood on the bridge domain. ARP flooding must also be enabled. Otherwise, ARP between endpoints in the same bridge domain does not work because the local MAC address and remote MAC address are not learned through an endpoint-to-endpoint ARP request.

• Instead of flushing, the local IP address is converted to the dp-lrn-dis (dataplane learn disabled) state.

• You cannot have endpoint dataplane IP address learning enabled when the subnet for an endpoint is configured with dataplane IP address learning disabled. For example, you cannot have a bridge domain with subnet 100.10.0.1/24 with learning disabled and an EPG with 100.10.0.100/32 with learning enabled.

• When dataplane IP address learning is disabled for an endpoint or subnet, the switch will not learn/refresh Layer 2 MAC addresses from routed Layer 3 data traffic. Layer 2 MAC addresses will only be learned from Layer 2 data traffic or ARP packets.

• When dataplane IP address learning is disabled for an endpoint or subnet, an IP address learn or move triggered from a GARP packet is only possible with the ARP flood mode along with GARP-based endpoint move detection enabled.

This section provides information about the interaction of disabling dataplane IP address learning with other features.

• Anycast

  • Enabled: Local anycast IP addresses can be learned from both the data and control planes.

  • Disabled: Local anycast IP addresses are aged out, but can be learned through the control plane and host tracking.

  • Remote IP addresses are not learned in anycast regardless of how dataplane IP address learning per VRF instance is configured.

• Rogue Endpoint Detection

  • Enabled: A rogue IP address is generated and moves are detected as expected.

  • Disabled: Remote IP addresses are flushed and rogue IP addresses are aged out. Rogue IP address are not detected on local moves. The only moves that are detected are from control traffic. Bounce is learned from COOP, but these are dropped once the bounce timer expires.

• Layer 4 to Layer 7 services virtual IP (VIP) address

  • Enabled: A Layer 4 to Layer 7 services VIP address functions as expected (endpoint IP address learning for a VIP address is only through the control plane). Consider the following functional stream:

    1. From client to load balancer (Layer 3 traffic)

    2. Load balancer to server (Layer 2 traffic)

    3. Server to client (Layer 3)

    Clients (IP endpoints) behind the EPG are learned through the data/control plane. The VIP address is learned only through the control plane on the load balancer EPG. Even though it is through the control plane, the VIP address is not learned on other EPGs.

  • Disabled:

    • Client to load balancer: No remote IP address learned for VIP address. The remote IP address is cleared. It will use the spine-proxy. If the IP address of the VIP address is learned, spine-proxy look-up will be successful, otherwise it will generate glean for the VIP address and learn it through the control plane.

    • Load balancer to server: No effect. Only bridging between the load balancer/server is supported for the DSR use case.

    • Server to client: The remote IP address for the client is cleared and the spine-proxy will be used. If the remote IP address for the client entry is deleted in the spine switch, it is re-learned through glean. For clients behind an L3Out, there is no Layer 3 remote IP address.