About Proxy ARP
Proxy ARP in Cisco ACI enables endpoints within a network or subnet to communicate with other endpoints without knowing the real MAC address of the endpoints. Proxy ARP is aware of the location of the traffic destination, and offers its own MAC address as the final destination instead.
To enable Proxy ARP, intra-EPG endpoint isolation must be enabled on the EPG; see the following figure for details. For more information about intra-EPG isolation and Cisco ACI, see the Cisco ACI Virtualization Guide.
Proxy ARP within the Cisco ACI fabric differs from traditional proxy ARP. When proxy ARP is enabled on an EPG and endpoint A sends an ARP request for endpoint B, the outcome depends on whether the fabric has already learned endpoint B. If endpoint B is learned within the fabric, endpoint A receives a proxy ARP response from the bridge domain (BD) MAC. If endpoint B is not yet learned within the ACI fabric, the fabric sends a proxy ARP request within the BD, and endpoint B responds to the fabric. At this point the fabric does not send a proxy ARP response to endpoint A, but endpoint B is now learned within the fabric. When endpoint A sends another ARP request for endpoint B, the fabric sends a proxy ARP response from the BD MAC.
The following example describes the proxy ARP resolution steps for communication between clients VM1 and VM2:
1. VM1 to VM2 communication is desired.
2. VM1 sends an ARP request with a broadcast MAC address to VM2.
3. The ACI fabric floods the proxy ARP request within the bridge domain (BD).
4. VM2 sends an ARP response to the ACI fabric.
5. VM2 is learned.
6. VM1 sends an ARP request with a broadcast MAC address to VM2.
7. The ACI fabric sends a proxy ARP response to VM1.
Guidelines and Limitations
Consider these guidelines and limitations when using Proxy ARP:
Proxy ARP is supported only on isolated EPGs. If an EPG is not isolated, a fault will be raised. For communication to happen within isolated EPGs with proxy ARP enabled, you must configure uSeg EPGs. For example, within the isolated EPG, there could be multiple VMs with different IP addresses, and you can configure a uSeg EPG with IP attributes matching the IP address range of these VMs.
ARP requests from isolated endpoints to regular endpoints and from regular endpoints to isolated endpoints do not use proxy ARP. In such cases, endpoints communicate using the real MAC addresses of destination VMs.
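A pre-deployment check for the first guideline, as an added example that is not part of the Cisco documentation: it scans a REST API policy document for EPGs that set fwdCtrl="proxy-arp" without pcEnfPref="enforced", and also reports EPGs whose bridge domain is absent from the same payload. The sample policy and every name in it are constructed; treating a missing pcEnfPref as not enforced and fwdCtrl as a comma-separated list are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the page): one EPG follows the
# guideline, two request proxy ARP without enforced intra-EPG isolation.
SAMPLE_POLICY = """
<polUni>
  <fvTenant name="ExampleTenant">
    <fvBD name="ExampleBD"/>
    <fvAp name="ExampleApp">
      <fvAEPg name="isolated_epg" pcEnfPref="enforced" fwdCtrl="proxy-arp">
        <fvRsBd tnFvBDName="ExampleBD"/>
      </fvAEPg>
      <fvAEPg name="open_epg" pcEnfPref="unenforced" fwdCtrl="proxy-arp"/>
      <fvAEPg name="default_epg" fwdCtrl="proxy-arp">
        <fvRsBd tnFvBDName="MissingBD"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
"""


def lint_proxy_arp(policy_xml):
    """Return (tenant, app, epg, problem) tuples for EPGs that need review."""
    findings = []
    root = ET.fromstring(policy_xml)
    for tenant in root.iter("fvTenant"):
        bds = {bd.get("name") for bd in tenant.iter("fvBD")}
        for ap in tenant.iter("fvAp"):
            for epg in ap.iter("fvAEPg"):
                # fwdCtrl is treated as a comma-separated flag list (assumption).
                flags = [f.strip() for f in epg.get("fwdCtrl", "").split(",")]
                if "proxy-arp" not in flags:
                    continue
                where = (tenant.get("name"), ap.get("name"), epg.get("name"))
                # An absent pcEnfPref is treated as not enforced (assumption).
                if epg.get("pcEnfPref") != "enforced":
                    findings.append(where + ("proxy-arp without enforced intra-EPG isolation",))
                for rs in epg.iter("fvRsBd"):
                    if rs.get("tnFvBDName") not in bds:
                        findings.append(where + ("bridge domain not defined in this payload",))
    return findings


if __name__ == "__main__":
    for finding in lint_proxy_arp(SAMPLE_POLICY):
        print(" / ".join(finding))
```

A bridge domain finding only means the BD is not in the same document; it may already exist on the fabric.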
Configuring Proxy ARP Using the Advanced GUI
Before You Begin
The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.
Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.
Procedure
Step 1 On the menu bar, click .
Step 2 In the Navigation pane, expand the , right click Create Application EPG dialog box to perform the following actions in the Create Application EPG dialog box:
- In the Name field, add an EPG name.
Step 3 In the Intra EPG Isolation field, choose Enforced. When Intra EPG isolation is enforced, the Forwarding Control field becomes available.
Step 4 In the Forwarding Control field, check the check box for proxy-arp. This enables proxy-arp.
Step 5 In the Bridge Domain field, choose the appropriate bridge domain to associate from the drop-down list.
Step 6 Choose the remaining fields in the dialog box as appropriate, and click Finish.
Configuring Proxy ARP Using the Cisco NX-OS Style CLI
Before You Begin
The appropriate tenant, VRF, bridge domain, application profile and EPG must be created.
Intra-EPG isolation must be enabled on the EPG where proxy ARP has to be enabled.
Procedure
Configuring Proxy ARP Using the REST API
Procedure
Configure proxy ARP.
Example:
<polUni>
  <fvTenant name="Tenant1" status="">
    <fvCtx name="EngNet"/>
    <!-- bridge domain -->
    <fvBD name="BD1">
      <fvRsCtx tnFvCtxName="EngNet" />
      <fvSubnet ip="1.1.1.1/24"/>
    </fvBD>
    <fvAp name="Tenant1_app">
      <!-- EPG with intra-EPG isolation enforced and proxy ARP enabled -->
      <fvAEPg name="Tenant1_epg" pcEnfPref="enforced" fwdCtrl="proxy-arp">
        <fvRsBd tnFvBDName="BD1" />
        <fvRsDomAtt tDn="uni/vmmp-VMware/dom-dom9"/>
      </fvAEPg>
    </fvAp>
  </fvTenant>
</polUni>
Copyright © 2016, Cisco Systems, Inc. All rights reserved.