05-16-2010 11:26 AM - edited 03-06-2019 11:07 AM
Hello
I don't understand why the ARP request is a unicast instead of broadcast.
Normaly, when I clear the ARP cache on my Cisco routeur 7206 then an ARP request is sent from routeur to Web http , identifiable by the destination Ethernet address with all bits set (ff:ff:ff:ff:ff:ff).
Host Web -----> INTERNET ----------> Router (91.213.T.V) ---------> Switch ------------> (91.213.X.Y) hw: 0026.643a.f463 WEB HTTP
r01#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 91.213.X.Y 0 0026.643a.f463 ARPA FastEthernet4/0.11
I clean the entry of arp table on my router :
r01#clear arp-cache 91.213.X.Y
and
r01#clear ip arp 91.213.X.Y
r01#debug arp
5w4d: IP ARP: arp_process_request: 91.213.X.Y, hw: 0026.643a.f463; rc: 3
5w4d: IP ARP: rcvd rep src 91.213.X.Y 0026.643a.f463, dst 91.213.T.V FastEthernet4/0.11
Wireshark trace on my http server :
tshark :
27112.184599 Cisco_41:98:70 -> 00:26:64:3a:f4:63 ARP Who has 91.213.X.Y? Tell 91.213.T.V
27112.184608 00:26:64:3a:f4:63 -> Cisco_41:98:70 ARP 91.213.X.Y is at 00:26:64:3a:f4:63
Why have we got this MAC hw: 0026.643a.f463 in ARP request ? It is unicast
Normaly, we must have hw : ffff.ffff.ffff.ffff in ARP request.
Thanks
05-17-2010 06:52 AM
Hi,
Actually, this is an expected behavior. ARP process will first try to refresh the current entry which will avoid an update of the adjacency table which is part of CEF. The gain is significant in term of processing when the ARP table is huge.
HTH
Laurent.
07-27-2012 08:06 AM
Hi Laurent,
thank you for this information.
On 6500,
they will generate every 90 sec thousands of (unicast) arp-request and a cpu-load of nearly 100%.
The "sh ip arp (..vrf..)" are never older than 1 sec.
For my understanding, the timer of 90 sec is not normal?
Do you mean, this is a cef-triggerd timer?
Can i influence this behavior?
Thanks.
07-27-2012 12:12 PM
There is a default timer for arp entries. It sounds like someone has specified a 90 second time. If you do not like the effects of this timer you should be able to set it to a value that you do like.
In working with switches like the 6500 the default timer for arp is pretty long while the timer for entries in the mac address table is much shorter. The mismatch in timers can cause various symptoms including unexpected unicasat flooding. People frequently configure a shorter arp timer to avoid symptoms like that.
HTH
Rick
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide