Cisco APIC and Proxy ARP

Available Languages

Download Options

  • PDF     (2.8 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (1.6 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:January 19, 2017

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

New and Changed Information

New and Changed Information

The following table provides an overview of the significant changes up to this current release. The table does not provide an exhaustive list of all changes or of the new features up to this release.

Table 1 New Features and Changed Behavior in Cisco APIC

Cisco APIC Release Version

Feature

Description

Release 2.0(2f)

-

This feature is introduced.

About Proxy ARP

Proxy ARP in Cisco ACI enables endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. Proxy ARP is aware of the location of the traffic destination, and offers its own MAC address as the final destination instead.

To enable Proxy ARP, intra-EPG endpoint isolation must be enabled on the EPG see the following figure for details. For more information about intra-EPG isolation and Cisco ACI, see the Cisco ACI Virtualization Guide.

Figure 1. Proxy ARP and Cisco APIC

Proxy ARP within the Cisco ACI fabric is different from the traditional proxy ARP. As an example of the communication process, when proxy ARP is enabled on an EPG, if an endpoint A sends an ARP request for endpoint B and if endpoint B is learned within the fabric, then endpoint A will receive a proxy ARP response from the bridge domain (BD) MAC. If endpoint A sends an ARP request for endpoint B, and if endpoint B is not learned within the ACI fabric already, then the fabric will send a proxy ARP request within the BD. Endpoint B will respond to this proxy ARP request back to the fabric. At this point, the fabric does not send a proxy ARP response to endpoint A, but endpoint B is learned within the fabric. If endpoint A sends another ARP request to endpoint B, then the fabric will send a proxy ARP response from the BD MAC.

The following example describes the proxy ARP resolution steps for communication between clients VM1 and VM2:

  1. VM1 to VM2 communication is desired.

    Figure 2. VM1 to VM2 Communication is Desired.

    Table 2 ARP Table State

    Device

    State

    VM1

    IP = * MAC = *

    ACI fabric

    IP = * MAC = *

    VM2

    IP = * MAC = *

  2. VM1 sends an ARP request with a broadcast MAC address to VM2.

    Figure 3. VM1 sends an ARP Request with a Broadcast MAC address to VM2

    Table 3 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP; MAC = ?

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    VM2

    IP = * MAC = *

  3. The ACI fabric floods the proxy ARP request within the bridge domain (BD).

    Figure 4. ACI Fabric Floods the Proxy ARP Request within the BD

    Table 4 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP; MAC = ?

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    VM2

    IP = VM1 IP; MAC = BD MAC

  4. VM2 sends an ARP response to the ACI fabric.

    Figure 5. VM2 Sends an ARP Response to the ACI Fabric

    Table 5 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP; MAC = ?

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    VM2

    IP = VM1 IP; MAC = BD MAC

  5. VM2 is learned.

    Figure 6. VM2 is Learned

    Table 6 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP; MAC = ?

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    IP = VM2 IP; MAC = VM2 MAC

    VM2

    IP = VM1 IP; MAC = BD MAC

  6. VM1 sends an ARP request with a broadcast MAC address to VM2.

    Figure 7. VM1 Sends an ARP Request with a Broadcast MAC Address to VM2

    Table 7 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP MAC = ?

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    IP = VM2 IP; MAC = VM2 MAC

    VM2

    IP = VM1 IP; MAC = BD MAC

  7. The ACI fabric sends a proxy ARP response to VM1.

    Figure 8. ACI Fabric Sends a Proxy ARP Response to VM1

    Table 8 ARP Table State

    Device

    State

    VM1

    IP = VM2 IP; MAC = BD MAC

    ACI fabric

    IP = VM1 IP; MAC = VM1 MAC

    IP = VM2 IP; MAC = VM2 MAC

    VM2

    IP = VM1 IP; MAC = BD MAC

Guidelines and Limitations

Consider these guidelines and limitations when using Proxy ARP:

  • Proxy ARP is supported only on isolated EPGs. If an EPG is not isolated, a fault will be raised. For communication to happen within isolated EPGs with proxy ARP enabled, you must configure uSeg EPGs. For example, within the isolated EPG, there could be multiple VMs with different IP addresses, and you can configure a uSeg EPG with IP attributes matching the IP address range of these VMs.

  • ARP requests from isolated endpoints to regular endpoints and from regular endpoints to isolated endpoints do not use proxy ARP. In such cases, endpoints communicate using the real MAC addresses of destination VMs.

Proxy ARP Supported Combinations

The following proxy ARP table provides the supported combinations:

ARP From/To

Regular EPG

Isolated Enforced EPG with Proxy ARP

Regular EPG

ARP

ARP

Isolated Enforced EPG with Proxy ARP

ARP

Proxy ARP

Configuring Proxy ARP Using the Advanced GUI

Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

Before You Begin

  • The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.

Procedure
    Step 1   On the menu bar, click Tenant > Tenant_name.
    Step 2   In the Navigation pane, expand the Tenant_name > Application Profiles > Application_Profile_name > Application EPGs, right click Create Application EPG dialog box to perform the following actions in the Create Application EPG dialog box:
    1. In the Name field, add an EPG name.
    Step 3   In the Intra EPG Isolation field, choose Enforced. When Intra EPG isolation is enforced, the Forwarding Control field becomes available.
    Step 4   In the Forwarding Control field, check the check box for proxy-arp. This enables proxy-arp.
    Step 5   In the Bridge Domain field, choose the appropriate bridge domain to associate from the drop-down list.
    Step 6   Choose the remaining fields in the dialog box as appropriate, and click Finish.

    Configuring Proxy ARP Using the Cisco NX-OS Style CLI

    Before You Begin

    • The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.

    • Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

    Procedure
       Command or ActionPurpose
      Step 1configure


      Example: 
      apic1# configure
       

      Enters configuration mode.

       
      Step 2tenant tenant-name


      Example: 
      apic1(config)# tenant Tenant1
       

      Enters the tenant configuration mode.

       
      Step 3application application-profile-name


      Example: 
      apic1(config-tenant)# application Tenant1-App
       

      Creates an application profile and enters the application mode.

       
      Step 4epg application-profile-EPG-name


      Example: 
      apic1(config-tenant-app)# epg Tenant1-epg1
       

      Creates an EPG and enter the EPG mode.

       
      Step 5proxy-arp enable


      Example: 
      apic1(config-tenant-app-epg)# proxy-arp enable
       

      Enables proxy ARP.

      Note   

      You can disable proxy-arp with the no proxy-arp command.

       
      Step 6exit


      Example: 
      apic1(config-tenant-app-epg)# exit
       

      Returns to application profile mode.

       
      Step 7exit


      Example: 
      apic1(config-tenant-app)# exit
       

      Returns to tenant configuration mode.

       
      Step 8exit


      Example: 
      apic1(config-tenant)# exit
       

      Returns to global configuration mode.

       

      Examples

      This example shows how to configure proxy ARP. 

      apic1# conf t
apic1(config)# tenant Tenant1 
apic1(config-tenant)# application Tenant1-App 
apic1(config-tenant-app)# epg Tenant1-epg1                      
apic1(config-tenant-app-epg)# proxy-arp enable  
apic1(config-tenant-app-epg)# 
apic1(config-tenant)#

      Configuring Proxy ARP Using the REST API

      Before You Begin

      • Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.

      Procedure
      Configure proxy ARP.

      Example: 
      <polUni>
  <fvTenant name="Tenant1" status="">
    <fvCtx name="EngNet"/>
    <!-- bridge domain -->
    <fvBD name="BD1">
        <fvRsCtx tnFvCtxName="EngNet" />
        <fvSubnet ip="1.1.1.1/24"/>
    </fvBD>   
    <fvAp name="Tenant1_app">
        <fvAEPg  name="Tenant1_epg" pcEnfPref-"enforced" fwdCtrl="proxy-arp">
            <fvRsBd tnFvBDName="BD1" />
            <fvRsDomAtt tDn="uni/vmmp-VMware/dom-dom9"/>
        </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>

      Copyright © 2016, Cisco Systems, Inc. All rights reserved.

      Was this Document Helpful?

      FeedbackFeedback

      Contact Cisco

      This Document Applies to These Products