Watch out for DOCKER hosts

Had an issue with endpoint learning that was perplexing.  I traced the MAC address to a VM that was running DOCKER.

Interestingly enough the IP address that I did the show endpoint for does not exist in the fabric.  I masked the IP addresses so they are not the actual IPs but you’ll see the results.

Leaf_105# show endpoint ip 10.299.66.16
Legend:
 O - peer-attached    H - vtep             a - locally-aged     S - static
 V - vpc-attached     p - peer-aged        L - local            M - span
 s - static-arp       B - bounce
+-----------------------------------+---------------+-----------------+--------------+-------------+
VLAN/                               Encap           MAC Address       MAC Info/      Interface
Domain                              VLAN            IP Address        IP Info
+-----------------------------------+---------------+-----------------+--------------+-------------+
105                                 vlan-1615       0050.56bf.30d7    LV             po7
common:CM_Primary_PN                vlan-1615       10.299.38.20      LV             po7
common:CM_Primary_PN                vlan-1615       172.299.221.37    LV             po7
common:CM_Primary_PN                vlan-1615       172.299.221.38    LV             po7
common:CM_Primary_PN                vlan-1615       172.299.49.19     LV             po7
common:CM_Primary_PN                vlan-1615       10.300.112.19     LV             po7
common:CM_Primary_PN                vlan-1615       10.300.88.40      LV             po7
common:CM_Primary_PN                vlan-1615       10.300.88.33      LV             po7
common:CM_Primary_PN                vlan-1615       10.299.38.24      LV             po7
common:CM_Primary_PN                vlan-1615       10.299.66.110     LV             po7
common:CM_Primary_PN                vlan-1615       172.299.213.70    LV             po7
common:CM_Primary_PN                vlan-1615       172.299.223.71    LV             po7
common:CM_Primary_PN                vlan-1615       172.299.213.96    LV             po7
common:CM_Primary_PN                vlan-1615       10.300.156.71     LV             po7
common:CM_Primary_PN                vlan-1615       10.300.88.20      LV             po7
common:CM_Primary_PN                vlan-1615       10.300.88.35      LV             po7
common:CM_Primary_PN                vlan-1615       172.299.222.116   LV             po7
common:CM_Primary_PN                vlan-1615       10.400.120.116    LV             po7
common:CM_Primary_PN                vlan-1615       10.300.112.32     LV             po7
common:CM_Primary_PN                vlan-1615       10.400.120.42     LV             po7
common:CM_Primary_PN                vlan-1615       10.300.9.163.106

<80 more lines of the same stuff>

Solution was to check the “enforce subnet check for IP learning” check box in the bridge domain L3 configuration tab.

[Image: BD-Setting]

You can read up on DOCKER fun-ness at https://docs.docker.com/v1.6/articles/networking/

This does not occur in “traditional” networks because the endpoint learning is in the hardware now and it learns IPs in many different ways.
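To see which hosts “Enforce subnet check for IP learning” would affect, the following added example (not part of the original post) parses `show endpoint` rows and reports every MAC with learned IPs outside the bridge domain subnets. The sample rows and the 10.20.66.0/24 subnet are constructed assumptions, since the masked addresses in the post are not valid IPs.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

# Constructed sample in the row layout of the output above; all addresses are made up.
SAMPLE = """\
105                    vlan-1615  0050.56bf.30d7  LV  po7
common:CM_Primary_PN   vlan-1615  10.20.66.110    LV  po7
common:CM_Primary_PN   vlan-1615  172.17.0.2      LV  po7
common:CM_Primary_PN   vlan-1615  172.18.0.5      LV  po7
common:CM_Primary_PN   vlan-1615  10.30.9.163.106
106                    vlan-1615  0050.56bf.41aa  LV  po9
common:CM_Primary_PN   vlan-1615  10.20.66.111    LV  po9
"""

def parse_endpoints(text):
    """Map each MAC to the IPs listed under it; rows that do not parse are skipped."""
    by_mac, mac = {}, None
    for line in text.splitlines():
        fields = line.split()
        addr = fields[2] if len(fields) >= 3 else ""
        if MAC_RE.match(addr):
            mac = addr.lower()
            by_mac.setdefault(mac, [])  # a MAC row starts a new endpoint
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # legend, borders, truncated or masked rows
        if mac is not None:
            by_mac[mac].append(ip)
    return by_mac

def off_subnet(text, bd_subnets):
    """Return {mac: [IPs outside every bridge domain subnet]} for offending MACs only."""
    nets = [ipaddress.ip_network(n) for n in bd_subnets]
    report = {}
    for mac, ips in parse_endpoints(text).items():
        bad = [str(ip) for ip in ips if not any(ip in n for n in nets)]
        if bad:
            report[mac] = bad
    return report

if __name__ == "__main__":
    # Assumption: the bridge domain has the single subnet 10.20.66.0/24.
    for mac, ips in off_subnet(SAMPLE, ["10.20.66.0/24"]).items():
        print(f"{mac}: {len(ips)} IPs outside the BD subnets: {', '.join(ips)}")
```

Run it against saved leaf output with the real bridge domain subnets before ticking the box; any MAC it reports is a candidate for the same kind of host-side bridging seen here.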

2 thoughts on “Watch out for DOCKER hosts”

    1. Yes. It’s fixed in the Bridge Domain settings under the L3 configuration tab.

      Check the box for “Enforce subnet check for IP learning”

      And

      Check the box for “EP Move Detection Mode” GARP based detection
