Configuring ND Suppression

ND suppression mechanisms

ND suppression mechanisms are network optimization techniques that

  • intercept and analyze IPv6 Neighbor Solicitation (NS) packets exchanged between hosts behind different VXLAN peers,

  • populate a suppression cache with source IP and MAC bindings learned from NS requests and BGP EVPN MAC route advertisements, and

  • proxy NS requests locally when possible to prevent unnecessary flooding of multicast traffic across the VXLAN core.

Additional reference information

With ND suppression mechanisms, when a host behind one VXLAN peer tries to communicate with a host behind another VXLAN peer, if the remote host is not yet present in the suppression cache, the NS packet is initially flooded over the BGP/EVPN VXLAN core. Once the suppression cache is populated with the remote host’s entry, the switch proxies subsequent neighbor solicitation requests locally. This prevents the repeated flooding of NS packets across the core, optimizing bandwidth and improving network efficiency.

For ND suppression cache scalability limits and performance details, see Cisco Nexus 9000 Series NX-OS Verified Scalability Guide.

Best practices for ND suppression

Follow these best practices and requirements when configuring ND suppression:

  • Enable ND suppression only on plain BGP EVPN with Cisco Nexus 9300-X Cloud Scale switches, beginning with Cisco NX-OS Release 10.3(1)F.

  • Do not use ND suppression with BGP-EVPN feature variants like Multisite, Virtual MCT, IRB, Centralized Gateway, Firewall Clustering, or vPC.

  • Do not rely on ND suppression for link-local host addresses. Multicast Neighbor Solicitation (NS) messages for these addresses are flooded over the core BGP EVPN VXLAN network.

  • ND suppression is automatically enabled on all VNIs with suppress-arp.

  • Enable the ND suppression CLI knob only if suppress-arp is enabled on a VNI, there is an associated SVI, and the SVI is up with both IPv4 and IPv6 addresses enabled.

  • Do not enable ND suppression if

    • there is no SVI for the VLAN/VNI with suppress-arp/suppress nd enabled,

    • the associated SVI is down, or

    • the associated SVI has only IPv4 or only IPv6 enabled.

    In these scenarios, host-to-host traffic may be dropped.

  • To enable ND suppression VACL, increase SUP TCAM size to 768 or greater using the hardware access-list tcam region sup-tcam 768 command.

  • If ND suppression is not supported on the installed Cisco NX-OS switch, ensure Anycast Gateway MAC addresses are identical across sites.

Configure ND suppression

Enable or disable ND suppression on VXLAN NVE interfaces to optimize network performance and reduce unnecessary ND traffic.

Follow these steps to enable or disable ND suppression:

Before you begin

Ensure that ARP suppression is enabled.

Procedure


Step 1

Enter global configuration mode.

Example:

switch# configure terminal

Step 2

If required, adjust the TCAM region for ND suppression support: hardware access-list tcam region ing-sup 768

Example:

switch(config)# hardware access-list tcam region ing-sup 768
switch(config)# copy running-config startup-config
switch(config)# reload

Sets the Ingress SUP TCAM size to 768, saves the configuration, and reloads the switch if prompted.

Step 3

Enter NVE interface configuration mode.

Example:

switch(config)# interface nve 1
switch(config-if-nve)#

Step 4

Enable ND suppression for all ARP-enabled VNIs.

Example:

switch(config-if-nve)# suppress nd

Step 5

(Optional) If required, disable ND suppression for all ARP-enabled VNIs.

Example:

switch(config-if-nve)# no suppress nd

  • When the global suppress arp command is configured, ND suppression is enabled on all VNIs.

  • When the global suppress arp command is not configured but the per-VNI suppress arp command is configured, ND suppression is enabled on all VNIs where ARP suppression is configured.

  • When you enable the suppress arp command on a vPC pair, ensure steps 1 and 2 are completed before enabling the feature.

ND suppression configuration outputs

Several CLI commands provide information about the current ND suppression configuration and operational status on the device.

You can use these commands to verify ND suppression settings and behavior:

  • show run nv overlay
    switch(config-if-nve)# sh run nv overlay
    !Command: show running-config nv overlay
    !Running configuration last done at: Sat Mar 19 01:07:49 2022
    !Time: Sat Mar 19 01:10:00 2022
    
    version 10.2(3) Bios:version 07.68
    feature nv overlay
    
    vlan 101-110,200-203,500-501
    
    interface nve1
      no shutdown
      host-reachability protocol bgp
      suppress nd
      global suppress-arp

  • show nve vni
    switch(config-if-nve-vni)# sh nve vni
    Codes: CP - Control Plane        DP - Data Plane
           UC - Unconfigured         SA - Suppress ARP
           S-ND Suppress ND
           SU - Suppress Unknown Unicast
           Xconn - Crossconnect
           MS-IR - Multisite Ingress Replication
           HYB - Hybrid IRB mode
    
    Interface VNI      Multicast-group   State Mode Type [BD/VRF]      Flags
    --------- -------- ----------------- ----- ---- ------------------ -----
    nve1      5000     239.2.0.2         Up    CP   L2 [500]           SA S-ND
    
  • show ipv6 nd suppression-cache detail
    switch(config)# show ipv6 nd suppression-cache detail 
    
    Flags: + - Adjacencies synced via CFSoE
           L - Local Adjacency
           R - Remote Adjacency
           L2 - Learnt over L2 interface
           PS - Added via L2RIB, Peer Sync
           RO - Dervied from L2RIB Peer Sync Entry
    
    IPv6 Address      Age      Mac Address    Vlan Physical-ifindex    Flags    Remote Vtep Addrs
    
    172:11:1:1::51  00:00:18 acf2.c5f6.7641   11 Ethernet1/51        L
    172:11:1:1::201 00:06:14 0000.0011.1111   11 (null)              R        192.0.2.1
    172:11:1:1::101 00:06:14 74a0.2f1d.d481   11 (null)              R        198.51.100.5
    
  • show ipv6 nd suppression-cache local
    switch(config)# show ipv6 nd suppression-cache local
    
    Flags: + - Adjacencies synced via CFSoE
           L - Local Adjacency
           R - Remote Adjacency
           L2 - Learnt over L2 interface
    
    Ip Address      Age      Mac Address    Vlan Physical-ifindex    Flags
    
    172:11:1:1::51  00:00:23 acf2.c5f6.7641   11 Ethernet1/51        L
    
  • show ipv6 nd suppression-cache remote
    switch(config)# show ipv6 nd suppression-cache remote
    
    Flags: + - Adjacencies synced via CFSoE
           L - Local Adjacency
           R - Remote Adjacency
           L2 - Learnt over L2 interface
           PS - Added via L2RIB, Peer Sync
           RO - Dervied from L2RIB Peer Sync Entry
    
    IPv6 Address      Age      Mac Address    Vlan Physical-ifindex    Flags    Remote Vtep Addrs
    
    172:11:1:1::201 00:06:24 0000.0011.1111   11 (null)              R        192.0.2.1
    172:11:1:1::101 00:06:24 74a0.2f1d.d481   11 (null)              R        198.51.100.5
    
  • show ipv6 nd suppression-cache statistics
    switch(config)# show ipv6 nd suppression-cache statistics
    
    ND packet statistics for suppression-cache
    
    Suppressed:
    
    Total: 1
    L3 mode :       Requests 1, Replies 1
                    Flood ND Probe 0
    
    Received:
    Total: 1
     L3 mode:       NS 1, Non-local NA 0
                    Non-local NS 0
    
    Mobility Requests:
    Total: 0
     L3 mode:       Remote-to-local 0, Local-to-remote 0
                    Remote-to-remote 0
    
    RARP Signal Refresh: 0
    
    ND suppression-cache Local entry statistics
    Adds 3, Deletes 0
    
  • show ipv6 nd suppression-cache summary
    switch(config)# show ipv6 nd suppression-cache summary
    
    IPV6 ND suppression-cache Summary
    Remote              :2
    Local               :1
    Total               :3
    
  • show ipv6 nd suppression-cache vlan "vlan_id"
    switch(config)# show ipv6 nd suppression-cache vlan 11
    
    Flags: + - Adjacencies synced via CFSoE
           L - Local Adjacency
           R - Remote Adjacency
           L2 - Learnt over L2 interface
           PS - Added via L2RIB, Peer Sync
           RO - Dervied from L2RIB Peer Sync Entry
    
    IPv6 Address      Age      Mac Address    Vlan Physical-ifindex    Flags    Remote Vtep Addrs
    
    172:11:1:1::51  00:00:40 acf2.c5f6.7641   11 Ethernet1/51        L
    172:11:1:1::201 00:06:36 0000.0011.1111   11 (null)              R        192.0.2.1
    172:11:1:1::101 00:06:36 74a0.2f1d.d481   11 (null)              R        198.51.100.5
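
The cache outputs above can be cross-checked mechanically. This added Python example (not part of the Cisco documentation) parses the `detail` rows shown above, compares the counts with the `summary` output, and goes one step further by reporting remote entries with no VTEP and any VLAN/IPv6 pair bound to more than one MAC address; the function names `parse_cache` and `verify` are hypothetical.

```python
import ipaddress, re
from collections import defaultdict

# DETAIL and SUMMARY are the page's own example outputs (flag legend omitted).
DETAIL = """\
IPv6 Address      Age      Mac Address    Vlan Physical-ifindex    Flags    Remote Vtep Addrs
172:11:1:1::51  00:00:18 acf2.c5f6.7641   11 Ethernet1/51        L
172:11:1:1::201 00:06:14 0000.0011.1111   11 (null)              R        192.0.2.1
172:11:1:1::101 00:06:14 74a0.2f1d.d481   11 (null)              R        198.51.100.5
"""
SUMMARY = """\
IPV6 ND suppression-cache Summary
Remote              :2
Local               :1
Total               :3
"""

def parse_cache(text):
    """Parse suppression-cache rows; legend, header and blank lines are skipped."""
    rows = []
    for f in map(str.split, text.splitlines()):
        try:
            ip = ipaddress.IPv6Address(f[0])
        except (IndexError, ValueError):
            continue
        if len(f) < 6:
            continue
        try:                                   # last column is a VTEP only on remote rows
            vtep, flags = str(ipaddress.ip_address(f[-1])), f[5:-1]
        except ValueError:
            vtep, flags = None, f[5:]
        rows.append({"ip": ip, "mac": f[2], "vlan": int(f[3]), "port": f[4],
                     "flags": flags, "vtep": vtep})
    return rows

def verify(rows, summary):
    """Return findings where the cache disagrees with itself or its summary."""
    want = {k: int(v) for k, v in re.findall(r"^(\w+)\s*:\s*(\d+)", summary, re.M)}
    have = {"Local": sum("L" in r["flags"] for r in rows),
            "Remote": sum("R" in r["flags"] for r in rows), "Total": len(rows)}
    out = [f"{k}: summary {want.get(k)}, parsed {have[k]}" for k in have if want.get(k) != have[k]]
    out += [f"{r['ip']}: remote entry without VTEP" for r in rows
            if "R" in r["flags"] and r["vtep"] is None]
    macs = defaultdict(set)
    for r in rows:
        macs[r["vlan"], r["ip"]].add(r["mac"])
    out += [f"vlan {v} {ip}: bound to {sorted(m)}" for (v, ip), m in macs.items() if len(m) > 1]
    return out
```

For the page's outputs `verify(parse_cache(DETAIL), SUMMARY)` returns an empty list; a non-empty result lists each mismatch as one line of text.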