Endpoint Learning Optimizations
Some of the endpoint learning optimization options are as follows:
- Limit IP learning to subnet (bridge domain-level option)
- IP data plane learning (VRF-level option)
- Endpoint loop protection (global configuration option)
- Enforce subnet check (global configuration option)
- Rogue endpoint control (global configuration option)
Limit IP Learning to Subnet (Bridge Domain-Level)
If the limit IP learning to subnet option is enabled, local endpoint IP learning is limited to IP addresses that fall within the subnets configured on the bridge domain. This option does not limit remote endpoint IP learning. It is enabled by default.
If this option is enabled on a bridge domain that previously had it disabled, endpoint IP addresses that do not belong to the bridge domain subnet are flushed.
For example, if a bridge domain is configured with a subnet address of 192.168.1.254/24, the fabric does not learn a local endpoint IP address, such as 192.168.2.1/24, that is outside this range. This behavior prevents unnecessary IP learning, as shown in the following figure.
Although this feature prevents local IP learning, the local leaf still learns the MAC address, and the remote leaf still learns both the IP and MAC addresses (the local leaf does not learn the IP address, but it does not drop the packet). For example, leaf 1 does not learn 192.168.2.1, but it learns MAC B, and leaf 2 learns 192.168.2.1 and MAC B.
Enforce Subnet Check
Cisco ACI offers two similar configurations that are related to limiting the data plane learning of endpoints’ IP addresses:
- Per-bridge domain limit IP address learning to subnet
- Global enforce subnet check knob
The enforce subnet check feature ensures that Cisco ACI learns only endpoints whose IP addresses belong to a bridge domain subnet. It also ensures that leaf switches learn only remote entries whose IP addresses belong to the VRF they are associated with, preventing the learning of IP addresses that are not configured as subnets on the bridge domains of that VRF.
This feature can be enabled and disabled only globally, under the fabric-wide setting policy. You cannot enable it in only one VRF instance. It is disabled by default.
Enforce subnet check works as follows:
- On the ingress leaf (local endpoint learning): The option enforces bridge domain-level subnet checks for local endpoint learning. When this feature is enabled, the Cisco ACI leaf learns an IP address and MAC address as a new local endpoint only when the source IP address of the incoming packet belongs to one of the ingress bridge domain subnets. This behavior is almost the same as the limit IP learning to subnet option under the bridge domain. The difference is that limit IP learning to subnet suppresses only IP learning when the source IP address of a packet does not belong to an ingress bridge domain subnet, whereas this feature suppresses learning of both the MAC address and the IP address whenever IP learning is triggered but prevented because the source IP address does not belong to an ingress bridge domain subnet. The check is enabled on all bridge domains, and you cannot turn it on and off per bridge domain. Therefore, limit IP learning to subnet is not required when this feature is enabled.
- On the egress leaf (remote endpoint learning): The option enforces VRF-level subnet checks for remote endpoint learning. When this feature is enabled, the Cisco ACI leaf learns an IP address as a remote endpoint only when the source IP address of the incoming packet belongs to any bridge domain subnet in the same VRF instance on the egress leaf. This behavior prevents IP spoofing scenarios, in which an endpoint sends a packet with an unexpected source IP address that does not belong to any of the bridge domains in the VRF instance, such as an IP address that exists behind the Layer 3 Outside connection.
Enforce Subnet Check Use Case
The following figure shows a use case example that provides details about the behavior of the enforce subnet check option.
When enforce subnet check is enabled, leaf 1 does not learn either MAC S2 or IP 172.16.0.1 as a local endpoint, because 172.16.0.1 does not belong to ingress BD1. Leaf 2 does not learn IP 172.16.0.1 as a remote endpoint, because 172.16.0.1 does not belong to any of the bridge domain subnets on leaf 2 in the same VRF instance. If 172.16.0.1 was learned as a local endpoint on leaf 1 and as a remote endpoint on leaf 2 before this feature was enabled, those two endpoints are cleared after the feature is enabled.
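Worked example (added here; it is not Cisco's code and not from the original lesson) that models the ingress and egress learning decisions described for the limit IP learning to subnet and enforce subnet check options, including the flush that happens when the global check is turned on. The fabric layout is constructed for the example: BD1 on leaf 1 with subnet 192.168.1.254/24 and BD2 on leaf 2 with 192.168.2.254/24, both in VRF1. The `routed` flag assumes the ACI behavior that local IP learning is only triggered by routed traffic, so bridged traffic learns the MAC alone regardless of either option.

```python
"""Decision model for the two subnet-check options: "limit IP learning to
subnet" (bridge-domain level) and "enforce subnet check" (global).
Added illustration, not Cisco code.  The leaf/bridge-domain layout is
constructed; the IP addresses are the ones used in the lesson text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class BridgeDomain:
    name: str
    vrf: str
    subnets: Tuple[str, ...]  # configured as gateway/prefix, e.g. "192.168.1.254/24"

    def contains(self, ip: str) -> bool:
        """True if ip falls inside any subnet configured on this bridge domain."""
        addr = ip_address(ip)
        return any(addr in ip_network(s, strict=False) for s in self.subnets)


def local_learning(src_ip: str, ingress_bd: BridgeDomain, routed: bool = True,
                   limit_ip_to_subnet: bool = True,
                   enforce_subnet_check: bool = False) -> Tuple[bool, bool]:
    """What the ingress leaf learns as a LOCAL endpoint: (mac_learned, ip_learned).

    Assumption: IP learning is triggered only by routed traffic, so bridged
    traffic learns the MAC alone and neither option changes that."""
    if not routed:
        return (True, False)
    in_subnet = ingress_bd.contains(src_ip)
    # enforce subnet check: an off-subnet source suppresses BOTH MAC and IP.
    if enforce_subnet_check and not in_subnet:
        return (False, False)
    # limit IP learning to subnet: an off-subnet source suppresses only the IP.
    if limit_ip_to_subnet and not in_subnet:
        return (True, False)
    return (True, True)


def remote_learning(src_ip: str, vrf: str, leaf_bds: List[BridgeDomain],
                    enforce_subnet_check: bool = False) -> bool:
    """Whether the egress leaf learns src_ip as a REMOTE endpoint.

    Only enforce subnet check applies here (VRF level): the IP must fall in
    some bridge-domain subnet of the same VRF present on that leaf."""
    if not enforce_subnet_check:
        return True
    return any(bd.contains(src_ip) for bd in leaf_bds if bd.vrf == vrf)


def flushed_on_enable(local_eps, remote_eps, leaf_bds):
    """Entries cleared when enforce subnet check is switched on.
    local_eps: [(ip, ingress_bd)], remote_eps: [(ip, vrf)] on the egress leaf.
    Returns (flushed_local_ips, flushed_remote_ips)."""
    local = [ip for ip, bd in local_eps if not bd.contains(ip)]
    remote = [ip for ip, vrf in remote_eps
              if not remote_learning(ip, vrf, leaf_bds, enforce_subnet_check=True)]
    return local, remote


# Constructed fabric: BD1 on leaf 1, BD2 on leaf 2, both in VRF1.
BD1 = BridgeDomain("BD1", "VRF1", ("192.168.1.254/24",))
BD2 = BridgeDomain("BD2", "VRF1", ("192.168.2.254/24",))
LEAF2_BDS = [BD2]

if __name__ == "__main__":
    # Limit-IP-learning example from the lesson: MAC learned, IP not.
    print("192.168.2.1 into BD1, default options:", local_learning("192.168.2.1", BD1))
    # Enforce subnet check use case: 172.16.0.1 is off-subnet on both leaves.
    print("172.16.0.1 on leaf 1 (local):",
          local_learning("172.16.0.1", BD1, enforce_subnet_check=True))
    print("172.16.0.1 on leaf 2 (remote):",
          remote_learning("172.16.0.1", "VRF1", LEAF2_BDS, enforce_subnet_check=True))
    print("flushed when enabled:",
          flushed_on_enable([("172.16.0.1", BD1)], [("172.16.0.1", "VRF1")], LEAF2_BDS))
```

The two functions make the contrast in the text explicit: with only the bridge-domain option, an off-subnet source still populates the MAC table, so a host spoofing a foreign source address still leaves a MAC entry behind; with the global check, neither the MAC nor the IP is learned on ingress, and the egress leaf rejects the remote entry as well.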
IP Data-Plane Learning (VRF-Level)
The IP Data-plane Learning option is located at Tenant > Networking > VRFs. It is enabled by default, and it enables or disables endpoint data plane IP learning on the VRF.
When the IP Data-plane learning option under VRF is disabled, endpoint learning behavior on an ACI leaf changes as follows:
- Local MACs and remote MACs are learned via the data plane (no change with this option).
- Local IPs are not learned via the data plane.
- Local IPs are learned from ARP/GARP/Neighbor Discovery (ND) via the control plane.
- Remote IPs are not learned from unicast packets via the data plane.
- Remote IPs are learned from multicast packets via the data plane.
When the IP Data-plane Learning option is disabled, existing remote IP endpoints are flushed immediately, while bounce entries are retained and age out normally. Existing local IP endpoints are not flushed, but they age out eventually unless control plane packets such as ARP keep them alive.
The IP Data-plane Learning option under the VRF must be disabled if there is a possibility that the ACI fabric receives traffic with the same source IP address from different locations, because that would cause endpoint IP and MAC binding updates driven by data plane traffic.
Another use case is when multiple devices share the same IP address, such as a virtual IP (VIP), and ARP/GARP/ND is used to claim ownership of the VIP among the devices. In that situation, those external devices may source data traffic from the same VIP at the same time, for example while a failover is taking place. This could result in the ACI fabric learning the VIP from multiple places via the data plane. The issue can be avoided by disabling IP Data-plane Learning.
The example below shows active/standby servers that share the same IP address, which is primarily owned by the active server. When server 1 is active and server 2 is standby, server 1 serves 192.168.2.100, which is learned on leaf 2 E1/1.
If the traffic is routed, the remote MAC is not learned.
When server 2 takes over the active role, it sends a GARP, and 192.168.2.100 is now learned on leaf 2 E1/2.
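Simulation (added here; not Cisco's code and not part of the original lesson) of the VIP failover scenario just described, replaying a constructed packet sequence through a small endpoint table once with the VRF-level IP Data-plane Learning option on and once with it off. The MAC addresses, the E1/1 and E1/2 port names and the exact packet order are constructed; the learning rules follow the bullet list above (MACs always learned from the data plane; with the option disabled, local IPs learned only from ARP/GARP/ND and not from unicast data traffic).

```python
"""Endpoint-table simulation of a shared VIP during active/standby failover,
with the VRF's IP Data-plane Learning option enabled vs disabled.
Added illustration, not Cisco code; ports, MACs and packet order are constructed."""
from collections import namedtuple
from typing import Dict, List, Tuple

# kind is "data" (unicast data-plane traffic) or "garp" (control-plane claim of the IP)
Packet = namedtuple("Packet", "kind src_ip src_mac ingress_port")


class EndpointTable:
    """Minimal leaf endpoint table: MAC -> port and IP -> (MAC, port)."""

    def __init__(self, ip_dp_learning: bool = True):
        self.ip_dp_learning = ip_dp_learning
        self.mac_entries: Dict[str, str] = {}
        self.ip_entries: Dict[str, Tuple[str, str]] = {}
        self.moves = 0  # how many times an IP entry changed MAC/port binding

    def process(self, pkt: Packet) -> None:
        # MACs are learned from the data plane whether or not the option is set.
        self.mac_entries[pkt.src_mac] = pkt.ingress_port
        # With IP data-plane learning disabled, unicast data packets do not
        # touch the IP table; only ARP/GARP/ND (control plane) can update it.
        if pkt.kind == "data" and not self.ip_dp_learning:
            return
        new_binding = (pkt.src_mac, pkt.ingress_port)
        old_binding = self.ip_entries.get(pkt.src_ip)
        if old_binding is not None and old_binding != new_binding:
            self.moves += 1
        self.ip_entries[pkt.src_ip] = new_binding


VIP = "192.168.2.100"
SERVER1_MAC = "00:00:00:00:00:01"  # constructed
SERVER2_MAC = "00:00:00:00:00:02"  # constructed

# Constructed sequence: server 1 active on E1/1, server 2 takes over on E1/2
# with a GARP while server 1 is still emitting traffic sourced from the VIP.
FAILOVER_SEQUENCE: List[Packet] = [
    Packet("garp", VIP, SERVER1_MAC, "E1/1"),
    Packet("data", VIP, SERVER1_MAC, "E1/1"),
    Packet("garp", VIP, SERVER2_MAC, "E1/2"),  # server 2 claims the VIP
    Packet("data", VIP, SERVER1_MAC, "E1/1"),  # server 1 has not stopped yet
    Packet("data", VIP, SERVER2_MAC, "E1/2"),
    Packet("data", VIP, SERVER1_MAC, "E1/1"),
]


def run_failover(ip_dp_learning: bool) -> EndpointTable:
    """Replay the constructed failover sequence and return the resulting table."""
    table = EndpointTable(ip_dp_learning)
    for pkt in FAILOVER_SEQUENCE:
        table.process(pkt)
    return table


if __name__ == "__main__":
    for enabled in (True, False):
        t = run_failover(enabled)
        print(f"IP data-plane learning {'on ' if enabled else 'off'}: "
              f"{VIP} -> {t.ip_entries[VIP]}, moves={t.moves}")
```

With the option enabled the VIP binding flaps on every data packet and ends up pointing at the server that happened to send last, which is the standby; with it disabled the binding moves exactly once, on server 2's GARP, and stays on E1/2. Repeated endpoint moves of this kind are also what the fabric's move-detection counters see, so a VIP that flaps like this is a signal to check this option before suspecting a rogue host.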