Address Resolution Protocol (ARP) suppression is a technique used to reduce the amount of ARP broadcast flooding within individual VXLAN segments, that is, between VMs connected to the same logical switch.

When VM1 wants to know the MAC address for VM2, it sends an ARP request. The logical switch intercepts this ARP request and, if it already has an ARP entry for the target, sends the ARP response to the VM.

If not, it sends an ARP query to the NSX Controller. If the controller knows the VM's IP-to-MAC binding, it replies with the binding and the logical switch sends the ARP response. If the controller does not have the ARP entry, the ARP request is rebroadcast on the logical switch. The NSX Controller learns the MAC address through the Switch Security module, which snoops on ARP requests and DHCP packets.

ARP suppression has been extended to include the distributed logical router (DLR) as well.

  • ARP requests from the distributed logical router are treated the same way as ARP requests from other VMs and are subject to suppression. When the distributed logical router has to resolve a destination IP through ARP, the logical switch suppresses the ARP request, which prevents flooding when the IP-to-MAC binding is already known to the controller.
  • When a LIF is created, the distributed logical router adds the ARP entry for the LIF IP in the logical switch, so ARP requests for the LIF IP are also suppressed by the logical switch.
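
The lookup order described above (logical switch table, then controller, then broadcast) together with the DLR cases, modeled as an added example; this is not NSX code. The class names, the addresses, and the switch caching a controller answer are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Controller:
    """Stand-in for the NSX Controller's IP-to-MAC binding table."""
    bindings: dict = field(default_factory=dict)

    def learn(self, ip, mac):
        # Fed by snooped ARP/DHCP packets (the Switch Security module's role).
        self.bindings[ip] = mac

@dataclass
class LogicalSwitch:
    controller: Controller
    arp_table: dict = field(default_factory=dict)
    broadcasts: int = 0

    def add_lif(self, ip, mac):
        # The DLR installs the LIF IP entry when the LIF is created.
        self.arp_table[ip] = mac

    def handle_arp_request(self, sender_ip, sender_mac, target_ip):
        """Return (outcome, mac) for one intercepted ARP request."""
        self.controller.learn(sender_ip, sender_mac)   # snooped from the request
        if target_ip in self.arp_table:                # 1. switch already knows
            return ("local-reply", self.arp_table[target_ip])
        mac = self.controller.bindings.get(target_ip)  # 2. ask the controller
        if mac is not None:
            self.arp_table[target_ip] = mac  # assumption: switch caches the answer
            return ("controller-reply", mac)
        self.broadcasts += 1                           # 3. fall back to flooding
        return ("broadcast", None)

def demo():
    # Constructed addresses: VM1, VM2 and one DLR LIF on the same logical switch.
    vm1, vm2 = ("10.0.0.11", "00:50:56:aa:00:11"), ("10.0.0.12", "00:50:56:aa:00:12")
    lif = ("10.0.0.1", "02:50:56:00:00:01")
    ls = LogicalSwitch(Controller())
    ls.add_lif(*lif)
    results = [
        ls.handle_arp_request(*vm1, vm2[0]),  # VM2 never seen: flooded
        ls.handle_arp_request(*vm2, vm1[0]),  # controller learned VM1 above
        ls.handle_arp_request(*vm2, vm1[0]),  # now in the switch's own table
        ls.handle_arp_request(*vm1, lif[0]),  # LIF IP pre-installed by the DLR
        ls.handle_arp_request(*lif, vm2[0]),  # DLR request handled like a VM's
    ]
    return results, ls.broadcasts

if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```

Only the first request reaches the broadcast path; every later one is answered from a binding that was snooped or pre-installed, which is why the accuracy of those learned bindings matters.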