Switch ARP broadcast exception problem

2023-12-29 16:23:21 Published

Network Topology

EVPN distributed gateway networking. Our S6805 switches act as the leaf devices, running version R6635H07.

Core SW

      |

  Border —— Leaf 1

      |

   Leaf 2

      |

10.177.49.x

Problem Description

The site uses EVPN distributed gateway networking, with our devices as the leaf switches. Terminal 10.177.49.x is connected below leaf2. Initially the terminal has exchanged no packets with the outside, and leaf2 has no ARP entry for the terminal, but it does have an ARP reply table entry for it. At this point the border and leaf1 have only the network segment route and no host route. Pinging 10.177.49.x from the external core fails, and a check on terminal 10.177.49.x shows that it has no ARP entry for the gateway.

Process Analysis

1. Based on the symptoms: when the external core pings 10.177.49.x, the packet arrives at the border, which looks up the network segment route, whose next hop points to leaf1. When the packet arrives at leaf1, the routing table lookup finds a directly connected network segment, so leaf1 sends an ARP broadcast request for 10.177.49.x. That ARP request should be broadcast to the downlink terminal after reaching leaf2.

2. However, ARP debugging on leaf1 shows that leaf1 sent an ARP request and received an ARP reply, while the terminal below leaf2 never received this ARP request and never answered it. It is therefore suspected that when the ARP request arrived at leaf2, leaf2 used its ARP reply table entry for the terminal to answer the request directly on the terminal's behalf. The purpose of this ARP reply function is to reduce ARP request flooding. In our EVPN scenario, the command vxlan tunnel arp-learning disable needs to be configured.

3. If the vxlan tunnel arp-learning disable or vxlan tunnel nd-learning disable command is configured, then when the device receives an ARP/ND request message from the VXLAN tunnel, it does not use the matching ARP/ND flood suppression table entries to reply to it.

Solution

Configure the command: vxlan tunnel arp-learning disable
