cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
92327
Views
0
Helpful
12
Replies
Muhammad Rafi
Beginner

Why you should and should not clear the arp cache

Hi Guys,

I have been asked this question in one interview and I had my answer but dont know wheather was correct or not ? So can you please help me out to understand the following ?

1. Why you should keep the arp cache ?

2. Why you should not clear the arp cache ?

1 ACCEPTED SOLUTION

Accepted Solutions
Elton Babcock
Beginner

I didn't really see anyone that gave a scenario when clearing the ARP cache is needed as opposed to rebooting a router or switch.

I had a probably rare situation where a remote site needed a router upgrade while the old stayed up. Prior to my hiring, the LAN switches are setup with no default gateway and could only contact the home office through a process known as proxy ARP. This is where the router can respond to an ARP request to an address that isn't on the local subnet.

The new router was setup with the same IP as the old to keep the default gateway the same. The old router was given a different LAN IP. the switches with no default gateway assigned still had many entires in their ARP tables pointing to the old router who didn't have routes back to the home office anymore. The switches could ping and ARP the new router but still thought many addresses outside of the local subnet needed to be sent to the old router. Clearing the ARP tables fixed the issue in this case as at this point the new router could take over and respond to ARP requests from the switches using proxy ARP.

Hope this scenario helps some. In most cases you try not to clear the ARP tables unless you really have to.

Sent from Cisco Technical Support iPhone App

View solution in original post

12 REPLIES 12
Leo Laohoo
VIP Community Legend

ARP is a table or database that matches a MAC address to an IP address.

So, let say you have a critical data shooting towards your client, say a write event on a storage array or a video conference call or a voice call.

Let's say that you clear the ARP table.   What do you think will happen?  The switch will revert back to zero entry on the ARP table and re-learn.  During this process, critical data is dropped or gets delayed while the switch is trying to learn which IP address belongs to what MAC address.

If you have a write event on a storage array, you'll get errors.  If you have a video conference, you'll get freeze frames or black screen or something.  If you are on a voice call, your call either gets dropped or the call suddenly goes awfully quiet.

Gabriel Hill
Beginner

Hello Muhammad,

Seems like a strange question for an interview.

1. ARP is the process of resolving a mac address from an IP address. It is broadcasted to every host on the local subnet. The very purpose of an ARP cache, is to store the IP to MAC combination in the case that you might be sending traffic to that same host (IP/Mac address). Having the ARP cache allows you to not have to send an APR broadcast to every node on your local subnet, because you already have it in the cache!

2. Clearing the APR cache will cause all request that were in the ARP cache to go through the APR process again (if the node tries to communicate with them).

Cheers,
Gabriel

Thanks guys,

that all make sense but still more explaination required to justify our point of view,

becasue I replied the following

clearing the arp cause arp broadcast flodd into the network may ending more bandwidth utilization.

keeping the arp cache helps in real time applications.

becasue I replied the following

clearing the arp cause arp broadcast flodd into the network may ending more bandwidth utilization.

keeping the arp cache helps in real time applications.

Wow.  That's a very, very BROAD response.

If I was the interviewer, I'd reject this response.  One because it's broad/generic and two, you're not explaining really well WHY.

Explain WHY broadcast will flood the network when you clear the ARP table.

Explain HOW does RT applications help when you do NOT clear the ARP table.

I know I could have been wrong but the interviewer was very fast and I had to no time to think on anything and just answer that straight away becasue interview last for more than an hour and half, so you can imagine.

Anyways,

when you clear the arp cache, devices will have to resolve the mac address again, hence they start sending the arp request which is actually the broadcast, and here we are not talking about lab enviroment, where you have only two pcs, I am talking about real work scenario where you may have more than 40 pcs attached to the network. so you can imagine what broadcasts msgs will do.

secondly, my answer relates to your reply on the top of discussion, real time applications means VOIP or Video confrencing and you know how it helps and if you clear how it effects.

Finally, I found the best option which is DAI would be better approach to configure on your network.

if I am wrong, then prove me wrong please...I may learn some thing good from you as I am still on the learning stage...

I know I could have been wrong but the interviewer was very fast and I had to no time to think on anything and just answer that straight away becasue interview last for more than an hour and half, so you can imagine.

Sorry, I'm not trying to be condescending but if a technical interview goes for >45 minutes for a junior position, that's NOT an interview.  No interviewer wants to sit an interview for longer than 45 minutes.  It's human behaviour that if you go more than 30 minutes, you loose all "interest" as an interviewer.

Elton Babcock
Beginner

I didn't really see anyone that gave a scenario when clearing the ARP cache is needed as opposed to rebooting a router or switch.

I had a probably rare situation where a remote site needed a router upgrade while the old stayed up. Prior to my hiring, the LAN switches are setup with no default gateway and could only contact the home office through a process known as proxy ARP. This is where the router can respond to an ARP request to an address that isn't on the local subnet.

The new router was setup with the same IP as the old to keep the default gateway the same. The old router was given a different LAN IP. the switches with no default gateway assigned still had many entires in their ARP tables pointing to the old router who didn't have routes back to the home office anymore. The switches could ping and ARP the new router but still thought many addresses outside of the local subnet needed to be sent to the old router. Clearing the ARP tables fixed the issue in this case as at this point the new router could take over and respond to ARP requests from the switches using proxy ARP.

Hope this scenario helps some. In most cases you try not to clear the ARP tables unless you really have to.

Sent from Cisco Technical Support iPhone App

View solution in original post

pernoctate88
Beginner

Since the ARP cache resolves MAC address with IP address, the reason to clear the cache is if there is a duplication of an IP address in the table.   For example, if you replace one network device with another, assigning the same static IP, existing network devices may need to have ARPCACHE cleared.  On a PC or Server, the command is netsh interface ip delete arpcache.  I appreviate interface as int to save on typing.  On a server, you will require an elevated command prompt.  On a modem, you will need to run a script (generally this is done by the Internet provider) to clear the ARP table.  Modems where static IPs are used will store ARP table data.  Switches and routers may also need to be cleared.  Rebooting/power cycling may not clear the cache on these devices.  If the duplicated IP happens to belong to a domain controller, things will be worse.    Symptoms may include regular network service disconnects.  You may also see drive usage spikes on your domain controller hard disk at points in this process.  One free diagnostic to track disconnects is Wireshark.  Don't let accumulating logs fill the drive and thereby crash it.  If you can ping an IP address on the WAN without interruption matching the times when network drops occur, that could rule out physical topology.  All of these symptoms can be misleading so try to reason from analysis of your data rather than getting too sidetracked by Event logs.  Naturally, while the table is rebuilt, you will lose network connectivity so have the user save data, close files on shares, close client/server apps first.  Usually takes 2 to 6 minutes depending on the equipment.  Analysis of the data will be the principle difficulty here for most of us in discerning when this might be necessary based on symptoms but you can anticipate such troubles if you are replacing one network device with another and assigning the same static IP.

pernoctate88
Beginner

By the way, I'm not trying to answer in the form of a test but just to provide what would be useful information for me to solve the problem.  It isn't necessarily relevant to speak of a process resolving from layer 2 to 3 and reverse in this context.  I'm also assuming techs will be aware of the most basic tool  ... running arp -a on a command line.  This will show you the arp table for the computer you run it on.  You should see one IP for each MAC address with no errors.  If the error is with the router, I would not look in the router ARP table but run this command from a computer on the LAN.  Or if you suspect an IP duplication on a server, check the ARP table on another computer on that LAN.  If any of you wizards out there disagree, please correct me.

As far as interview time goes, I think it depends.  I've given interviews, particularly to part-timers that do not yet have degrees, that included a knowledge test.  Usually, by the time I get that far with the interviewee, I'm interested and I don't want to waste time calling him/her back to get to the next step.  Of course I'm not in human resources but they wouldn't be asking about clearing the ARP cache.

Joseph W. Doherty
Hall of Fame Expert

Disclaimer

The  Author of this posting offers the information contained within this  posting without consideration and with the reader's understanding that  there's no implied or expressed suitability or fitness for any purpose.  Information provided is for informational purposes only and should not  be construed as rendering professional advice of any kind. Usage of this  posting's information is solely at reader's own risk.

Liability Disclaimer

In  no event shall Author be liable for any damages whatsoever (including,  without limitation, damages for loss of use, data or profit) arising out  of the use or inability to use the posting's information even if Author  has been advised of the possibility of such damage.

Posting

#1 You should keep the ARP cache to avoid the need to ARP for every packet being sent to an IP address.  It speeds such transmissions (much) up considerably.  (The impact can often be seen when pinging an IP the first time, the reply time for the first ping request vs. the follow on ping requests.)

#2 This is just a variation of #1.  Flushing the ARP cache, for the next transmission to a flushed cached IP effectively eliminates having an ARP cache.

PS:

A more interesting question, is contained in your posting's subject, why you should clear the ARP cache.  Well a primary reason would be if you believe there are incorrect ARP cache entries.  If for some reason an IP's MAC has changed, an incorrect ARP entry would cause frames to be incorrectly MAC addressed, and they would not reach the destination IP.  (An example of this, a host connected to a 3750 stack, running L3, whose stack master just changed, by default the gateway MAC just changed too.  [NB: to help avoid this, the stack's new master will send out an gratuitous ARP, so all connected clients might flush/replace their stale gateway ARP entry.  Not all hosts might process the gratuitous ARP, though.])

Another reason for flushing an ARP cache is to remove "stale" information.  Any ARP cache will use system resources, which is finite, and as cache entries grow, processing (MAC lookup) usually slows.  (In fact, for such reason is why there's a timer kept per ARP entry to flush entries which have not had any packets sent to them for some time.)

Real examples of too large ARP caches issues can be found in these forums when someone has an Internet connected router, and the router directs Internet traffic to its outbound interface rather than an outbound next-hop IP.

David.William
Beginner

There are two types of ARP entries- static and dynamic. Most of the time, you will use dynamic ARP entries. What this means is that the ARP entry (the Ethernet MAC to IP address link) is kept on a device for some period of time, as long as it is being used. The opposite of a dynamic ARP entry is static ARP entry. With a static ARP entry, you are manually entering the link between the Ethernet MAC address and the IP address. Because of management headaches and the lack of significant negatives to using dynamic ARP entries, dynamic ARP entries are used most of the time.

So how is the dynamic ARP entry created? The answer is that the ARP protocol is used. Let’s say that a PC wants to communicate with host Myserver.Bluecrabfood.com. Before it can do that, it has to first resolve the hostname with the DNS server. Let’s say that it is successfully resolved to 10.10.10.10. Before the PC can communicate with that IP address, it must first resolve the IP address to the MAC address. To do this, it does an ARP request. This is a broadcast to the local LAN that says who has IP address 10.10.10.10 and what is your Ethernet MAC address? Say that server responds and says I have IP address 10.10.10.10 and my MAC address is 1234.4567.890A.

The PC will put that entry into its local ARP cache and it will stay there until the entry has not been used and the ARP cache timeout has expired. Here is an ARP cache looks like on a Windows PC: Pass4sure 400-101

nobugs
Beginner

Nitpicking: I'd say (not on the interview, of course ;-)) that asking "why" is not really correct, and would rather try to answer "when" question (explaining "why" for specific scenarios in the process).

1. Flushing ARP is a standard practice when hot-swapping a whole server box without changing its IP (which happens all the time in fault tolerant environments). A standard procedure is changing IP of the standby server to the IP of the failed one, and to flush ARP (on other devices(!)) right afterwards (I won't argue whether this is a best practice or not - but everybody and their dog are doing it (that is, if we're speaking about fault tolerant environments)). Why ARP flush in necessary - because at the moment of IP change our ARP entries become invalid, which will prevent replaced server to receive packets for a while. 

2. Unless there are Really Good reasons, such as the one mentioned in #1. Why - for all the reasons why ARP cache exists in the first place (basically - to speed things up).