ARP Gleaning
Cisco ACI has several mechanisms to detect silent hosts, that is, endpoints an ACI leaf has not yet learned locally. For Layer 2 switched traffic to an unknown MAC address, you can set the L2 Unknown Unicast option under the bridge domain (BD) to flood; for ARP requests with a broadcast destination MAC, the ARP Flooding option under the bridge domain controls the flooding behavior. In addition, Cisco ACI uses ARP gleaning: the fabric itself sends ARP requests to resolve the IP address of an endpoint that has not yet been learned (silent host detection).
With ARP gleaning, if the spine has no information about where the target of the ARP request is connected (the target IP is not in the COOP database), the fabric generates an ARP request sourced from the bridge domain SVI (pervasive gateway) IP address. This ARP request is sent out of all leaf edge interfaces that belong to the bridge domain. ARP gleaning is also triggered for Layer 3 routed traffic regardless of settings such as ARP flooding, as long as the traffic is routed to an unknown IP.
ARP gleaning has the following requirements:
- The IP address is used for forwarding (ARP requests with ARP flooding disabled, or traffic across subnets with the ACI BD SVI as the gateway).
- Unicast routing is enabled under the bridge domain.
- A subnet is configured under the bridge domain.
ARP Gleaning: Same EPG, Bridge Domain, and Encapsulation
ARP gleaning applies when two endpoints are part of the same EPG and the same bridge domain, use the same VLAN access encapsulation, are connected to the same leaf switch, one of them is not yet known to the leaf switch (a silent host), and ARP flooding is disabled.

When H2 is unknown, ARP traffic from H1 to H2 proceeds as follows:
- H1 sends an ARP request for H2 with a broadcast destination MAC.
- ACI attempts to forward the ARP request as unicast. The local leaf switch does not know the IP address of endpoint H2 (the ARP target IP is unknown to the ingress leaf), so it sends the ARP request to the spine switch for spine proxy.
- H2 is missing from the COOP database on the spine switch, and unicast routing is enabled on the bridge domain, so the spine triggers ARP gleaning using the pervasive gateway IP address as the source. This ARP request is flooded within the bridge domain.
- H2 receives the ARP request and replies, and the fabric learns H2 from that reply.
When the endpoints are on different leaf switches but part of the same EPG and bridge domain, and using the same VLAN access mapping, the ARP request (for example, from H1 to H3) has to be forwarded across the fabric. If H3 is missing from the COOP database on the spine switch (silent host) and ARP flooding is disabled, ARP gleaning is used here as well, as depicted in this figure.

ARP traffic from H1 to H3 proceeds as follows:
- H1 sends an ARP request for H3 with a broadcast destination MAC.
- ACI attempts to forward the ARP request as unicast, so the local leaf switch looks up the ARP target IP address (the H3 IP). Since the local leaf switch does not know the IP address of endpoint H3, it sends the ARP request to the spine switch for spine proxy.
- H3 is missing from the COOP database on the spine switch, which triggers ARP gleaning using the pervasive gateway IP address as the source. This ARP request is flooded within the bridge domain.
- H3 receives the ARP request and replies, and the fabric learns H3 from that reply.
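The two walkthroughs above (same-leaf H2 and remote-leaf H3) follow one decision path: leaf lookup, spine proxy, COOP lookup, then gleaning from the BD SVI only when unicast routing and a BD subnet exist. The following toy model, added here and not Cisco code, traces that path for constructed hosts, leaf names and addresses; `demo()` also shows what changes when ARP flooding is enabled or unicast routing is disabled.

```python
# Toy model of the ARP-gleaning decision path described above (added example, not Cisco code).
import ipaddress
from dataclasses import dataclass, field

@dataclass
class BridgeDomain:
    arp_flooding: bool
    unicast_routing: bool
    subnets: list = field(default_factory=list)  # pervasive gateway SVIs, e.g. "10.1.1.254/24"
    def gateway_for(self, ip):  # BD SVI address whose subnet contains ip, else None
        for svi in map(ipaddress.ip_interface, self.subnets):
            if ipaddress.ip_address(ip) in svi.network:
                return str(svi.ip)

@dataclass
class Fabric:
    bd: BridgeDomain
    leaf_ep: dict = field(default_factory=dict)  # leaf -> {ip: port}, locally learned endpoints
    coop: dict = field(default_factory=dict)     # spine COOP database: ip -> leaf
    silent: dict = field(default_factory=dict)   # ip -> (leaf, port) of hosts not yet learned

    def arp_request(self, ingress_leaf, target_ip):
        trace = []
        if self.bd.arp_flooding:            # BD floods the broadcast; no gleaning involved
            trace.append("arp-flood")
            return self._deliver(target_ip, trace)
        if target_ip in self.leaf_ep.get(ingress_leaf, {}):
            return ["leaf-hit"]             # target known locally: unicast to its port
        trace.append("spine-proxy")         # unknown on the ingress leaf: sent to the spine
        if target_ip in self.coop:
            return trace + ["coop-hit"]
        gw = self.bd.gateway_for(target_ip)
        if not (self.bd.unicast_routing and gw):
            return trace + ["dropped"]      # model assumption: no glean without routing and a subnet
        trace.append(f"glean src={gw}")     # spine triggers an ARP from the SVI IP, flooded in the BD
        return self._deliver(target_ip, trace)
    def _deliver(self, target_ip, trace):   # the flooded request reaches its target
        if target_ip in self.silent:        # a silent host answers and gets learned
            leaf, port = self.silent.pop(target_ip)
            self.leaf_ep.setdefault(leaf, {})[target_ip] = port
            self.coop[target_ip] = leaf
            return trace + [f"learned@{leaf}"]
        return trace + ["reply" if target_ip in self.coop else "no-reply"]

def demo(arp_flooding=False, unicast_routing=True):
    # Constructed topology: H1 known on leaf1; H2 (leaf1) and H3 (leaf2) are silent hosts.
    bd = BridgeDomain(arp_flooding, unicast_routing, ["10.1.1.254/24"])
    fab = Fabric(bd, {"leaf1": {"10.1.1.1": "e1/1"}}, {"10.1.1.1": "leaf1"},
                 {"10.1.1.2": ("leaf1", "e1/2"), "10.1.1.3": ("leaf2", "e1/1")})
    return [fab.arp_request("leaf1", ip) for ip in ("10.1.1.2", "10.1.1.2", "10.1.1.3", "10.1.1.3")]
```

Remote learning on the ingress leaf is not modelled, so a second request for H3 from leaf1 resolves via the spine's COOP entry rather than a local hit.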
