05-02-2017 11:40 PM - edited 03-12-2019 02:18 AM
I'm trying to look for an answer to what's the max ARP table size on a Cisco ASA 5555-X.
Does anyone know how to find the answer? Is there a show command I can run or a spec sheet that shows the max ARP table size?
05-03-2017 03:24 AM
I've never seen it published and frankly never had a customer ask about it.
Since arp table entries are only needed for directly attached subnets, even a modest size table would be more than enough for almost all use cases.
Is there some particular corner case that has you worried?
05-03-2017 03:52 AM
We're having an issue with a sensor device that is not sending any traffic when it's first attached to the network.
The problem is on our production line: when a sensor breaks down it is replaced within 30 minutes, but the ARP entry will stay for the next 4 hours unless we have a technician log in to the firewall and clear it manually. This can happen at any time of the day since the production is running 24/7.
For a Cisco ASA we can't decrease the ARP timeout on a per-interface basis but only on a global basis, so we are trying to assess how much of an impact it would have to reduce the ARP timeout from the default of 4 hours to 15-30 minutes. At the moment we have ~300 entries in the ARP table, but knowing how many entries it would be able to handle at any given time would be useful in determining the additional load we'll put on it.
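To put a number on the extra load the post above is asking about, here is an added example (not code from the thread or from Cisco) that parses the kind of per-entry lines `show arp` prints on an ASA, counts entries per interface, and estimates the steady-state ARP re-resolution rate for a given global timeout. The `show arp` sample lines are constructed, and the line layout (interface, IP, MAC, age in seconds, `-` for ages the box does not track) is an assumption about the output format, so adjust the regex if your platform prints it differently.

```python
"""Estimate the ARP refresh load of lowering an ASA's global ARP timeout.

Added example, not from the original thread. Assumes `show arp` prints one
entry per line as: <interface> <ip> <mac> <age-seconds|->.
"""
import re
from collections import Counter

# Constructed sample of `show arp` output (not captured from a real device).
SHOW_ARP_SAMPLE = """\
        inside 10.10.20.15 0050.56a1.0c11 7210
        inside 10.10.20.16 0050.56a1.0c12 13980
        inside 10.10.20.17 0050.56a1.0c13 42
        sensors 10.10.30.101 0011.2233.4455 14399
        sensors 10.10.30.102 0011.2233.4456 600
        outside 203.0.113.1 0000.0c9f.f001 3
"""

DEFAULT_TIMEOUT_S = 4 * 3600   # ASA default: 4 hours, as stated in the thread

ARP_LINE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(?P<age>\d+|-)\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Return a list of dicts for every line that looks like an ARP entry."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue                         # skip headers / blank lines
        age = m.group("age")
        entries.append({
            "interface": m.group("iface"),
            "ip": m.group("ip"),
            "mac": m.group("mac").lower(),
            "age": None if age == "-" else int(age),
        })
    return entries


def entries_per_interface(entries):
    """Count ARP entries per ASA interface (dict: interface -> count)."""
    return dict(Counter(e["interface"] for e in entries))


def refresh_rate(num_entries, timeout_s):
    """Upper-bound steady-state re-resolution rate in ARP requests/second.

    Each entry must be refreshed at least once per timeout period, so with
    N entries and a timeout of T seconds the long-run rate is at most N / T.
    """
    if timeout_s <= 0:
        raise ValueError("timeout must be positive")
    return num_entries / timeout_s


def load_multiplier(old_timeout_s, new_timeout_s):
    """How many times more ARP refresh traffic the new timeout implies."""
    return old_timeout_s / new_timeout_s


def would_expire(entries, new_timeout_s):
    """Entries whose current age already exceeds the proposed timeout.

    These are the entries a lower timeout would drop right away; useful to
    sanity-check that nothing critical (e.g. a default gateway that is quiet
    for long stretches) is being aged out unexpectedly.
    """
    return [e for e in entries
            if e["age"] is not None and e["age"] >= new_timeout_s]


if __name__ == "__main__":
    arp = parse_show_arp(SHOW_ARP_SAMPLE)
    print("entries per interface:", entries_per_interface(arp))
    for minutes in (15, 30):
        t = minutes * 60
        print(f"timeout {minutes} min: ~{refresh_rate(300, t):.2f} ARP req/s "
              f"for 300 entries ({load_multiplier(DEFAULT_TIMEOUT_S, t):.0f}x "
              f"the default), {len(would_expire(arp, t))} sample entries "
              f"already past that age")
```

For the ~300 entries mentioned above, a 15-minute timeout works out to roughly one ARP request every three seconds across the whole box (about 16 times the default rate), which is negligible next to normal forwarding load; the `would_expire` check is the part worth eyeballing before the change, since it lists exactly which entries the new timeout would drop immediately.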
05-03-2017 03:59 AM
I've done an arp cache clear on ASAs without any noticeable impact on performance or active connections.
You could certainly reduce the global timeout to something less than 30 minutes and, given the modest size of your arp table, I would not expect any adverse consequences.
You could also create a custom privilege level and give a larger pool of technicians and operators the right to clear the table but not make any other configuration changes. You could even build a little script with stored credentials (or ssh key for greater security) and just have them run that as part of the standard procedure when replacing a sensor.