ARP Issues in EVPN Centralized Routing Design

In modern data‑center fabrics, EVPN with integrated routing and bridging (IRB) offers a clean way to stretch VLANs across a spine‑leaf topology. The design places a router on the spine, each with its own MAC‑VRF, while leaf switches act as pure bridges. This separation simplifies traffic engineering but introduces a subtle dependency: the spine’s VLAN MAC and IP must appear as EVPN type‑2 routes. If the spine does not broadcast this information, leaf switches cannot resolve next‑hop MACs, leading to unnecessary broadcast flooding that scales poorly.

A second pain point arises when the underlying routers do not process ARP requests that travel over VXLAN tunnels. Some vendors assume that the L2 switches will answer on their behalf, a behavior known as ARP proxy (distinct from proxy ARP). Enabling this feature on the leaf switches allows them to reply to ARP queries using the MAC‑IP data learned from EVPN routes, preventing traffic stalls. When the spine also refuses to generate its own ARP requests, administrators must turn on ARP snooping or an equivalent mechanism so that MAC‑to‑IP bindings observed in regular traffic are advertised back into the EVPN control plane.

For operators deploying multi‑vendor EVPN fabrics, the practical takeaway is to verify three settings before going live: the spine advertises its VLAN MAC/IP as a type‑2 route, ARP proxy is enabled on all L2 EVPN devices, and ARP snooping is active where routers block VXLAN ARP. These steps eliminate silent failures that would otherwise surface as intermittent connectivity or massive broadcast storms, ensuring the network scales reliably from a lab environment to production‑grade data centers. Future designs may lean on type‑5 routes or symmetric IRB, but the fundamentals of proper ARP handling remain unchanged.