Why VLANIF interface on S series switch has too many ARP entries


If ARP strict learning is not enabled on an S series switch (except the S1700) and a VLANIF interface on the switch sits in a large broadcast domain, the switch learns ARP entries from packets sent by any device in that domain and may have to maintain a very large ARP table. To address this problem, run the arp learning strict command to enable ARP strict learning, so that the switch learns only the ARP reply packets sent in response to ARP request packets it originated itself.

Other related questions:
Reason why S series switch cannot learn ARP entries
When an S series switch, except S1700, works at Layer 2, the switch does not have ARP entries and cannot learn ARP entries. When an S series switch, except S1700, works at Layer 3 and cannot learn ARP entries, rectify the fault as follows:
(1) Possible cause: The link between the switch and the connected device fails. Solution: Perform ping operations to check whether the link fails. If so, rectify the link failure.
(2) Possible cause: ARP strict learning is enabled on the switch. (After this function is enabled, the switch learns only the ARP reply packets in response to the ARP request packets sent by itself.) Solution: Run the undo arp learning strict command in the system or interface view to disable ARP strict learning.
(3) Possible cause: The switch has too many ARP entries and may suffer an ARP attack. Solution: Configure static ARP entries for key servers or users and enable attack defense policies.
Note:
(1) By default, ARP strict learning is enabled on some models among fixed switches and disabled on modular switches. When a fixed switch connected to a modular switch receives a gratuitous ARP packet, the fixed switch does not learn ARP entries. Therefore, some fixed switches cannot learn ARP entries.
(2) After ARP strict learning is enabled on a switch, the switch actively sends ARP request packets to hosts. Some PCs with wireless network adapters installed do not respond to ARP requests, so the switch cannot learn the ARP entries of the connected PCs. The PCs respond only after the network adapters are restarted. In this situation, disable ARP strict learning.

Strict ARP learning is enabled on an S series switch and the user has learned the switch's ARP entry. Why can the switch not learn the user's ARP entry by pinging the user?
For S series switches: After strict ARP learning is enabled, the switch learns ARP entries only from the Reply packet sent in response to locally originated ARP Request packets. The firewall installed on the PC may prevent the PC from sending ARP Reply packets when receiving ARP Request packets, or the NIC on the computer cannot return ARP Reply packets. In this case, the switch cannot receive ARP Reply packets no matter whether the switch sends ping packets to the user or the user sends data packets to the switch to trigger ARP Miss messages. Therefore, the switch cannot learn the user's ARP entry. If this problem occurs on only a few users, configure static ARP entries for the users; if the problem happens on most users, disable strict ARP learning on the switch.

View ARP entries on S series switches
If an S series switch (except the S1700 switch) works at Layer 2, you can only view the MAC addresses of devices connected to an interface, not the IP addresses. You can run the display mac-address command. The command output is as follows:

  MAC address table of slot 0:
  -------------------------------------------------------------------------------
  MAC Address    VLAN/       PEVLAN  CEVLAN  Port            Type      LSP/LSR-ID
                 VSI/SI                                                MAC-Tunnel
  -------------------------------------------------------------------------------
  5489-980d-4ef6 1           -       -       GE0/0/1         dynamic   0/-
  5489-98c2-19e3 20          -       -       GE0/0/2         dynamic   0/-
  -------------------------------------------------------------------------------
  Total matching items on slot 0 displayed = 2

If an S series switch (except the S1700 switch) works at Layer 3, you can run the display arp [ all ] command to view ARP entries, including the mappings between IP addresses and MAC addresses. In addition, you can find the outbound interfaces toward the devices based on the mappings. The command output is as follows:

  IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                            VLAN/CEVLAN
  ------------------------------------------------------------------------------
  10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
  10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
  ------------------------------------------------------------------------------
  Total:2         Dynamic:1       Static:0     Interface:1

With known MAC addresses or IP addresses, you can obtain the outbound interfaces and the mappings between IP addresses and MAC addresses of specific devices from the MAC table or ARP table on the switch.

In the preceding output, if the MAC ADDRESS field is Incomplete, the ARP entry is temporary. When an IP packet triggers an ARP Miss message, the switch generates a temporary ARP entry and sends ARP Request packets to the destination network segment. The following situations may occur before the temporary ARP entry ages:
- Before receiving an ARP Reply packet, the switch discards IP packets matching the temporary ARP entry. No further ARP Miss message is triggered.
- After receiving the ARP Reply packet, the switch generates a correct ARP entry to replace the temporary ARP entry.
- When the temporary ARP entry expires, the switch deletes it.
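The two conditions described above, a VLANIF interface holding far too many learned ARP entries and entries that are still Incomplete (temporary), can both be checked offline from saved display arp output. The following parser is an added example, not code from the original page or from the switch vendor; the ARP table text is constructed to match the column layout shown above, and the per-interface threshold is a local choice.

```python
import re
from collections import Counter

# Constructed sample of `display arp` output (not captured from a real switch):
# Vlanif10 has learned several entries, one of which is still temporary (Incomplete).
SAMPLE_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                          VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Vlanif10
10.137.217.5    5489-980d-4ef6  20        D-0         Vlanif10    10
10.137.217.6    5489-98c2-19e3  19        D-0         Vlanif10    10
10.137.217.7    Incomplete      1         D-0         Vlanif10    10
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
------------------------------------------------------------------------------
Total:5         Dynamic:4       Static:0     Interface:1
"""

# One table row: IP, MAC (or the literal Incomplete), optional EXPIRE(M),
# TYPE (I -, D-<n> or S--), then the outbound interface. Header and summary lines do not match.
ENTRY_RE = re.compile(
    r"^(?P<ip>\d+(?:\.\d+){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{4}-){2}[0-9a-f]{4}|Incomplete)\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[IDS](?:-\d*| -|--)?)\s+"
    r"(?P<iface>\S+)", re.IGNORECASE)

def parse_arp(output):
    """Return one dict per ARP entry found in the command output."""
    return [m.groupdict() for line in output.splitlines() if (m := ENTRY_RE.match(line))]

def entries_per_interface(rows):
    """Count learned entries per interface; the switch's own interface (I) entries are skipped."""
    return Counter(r["iface"] for r in rows if not r["type"].upper().startswith("I"))

def incomplete_entries(rows):
    """IP addresses whose entry is temporary, i.e. an ARP Reply has not arrived yet."""
    return [r["ip"] for r in rows if r["mac"].lower() == "incomplete"]

def oversized_interfaces(rows, threshold):
    """Interfaces holding more learned entries than the (locally chosen) threshold."""
    return sorted(i for i, n in entries_per_interface(rows).items() if n > threshold)

if __name__ == "__main__":
    rows = parse_arp(SAMPLE_ARP)
    print(dict(entries_per_interface(rows)), incomplete_entries(rows), oversized_interfaces(rows, 2))
```

On a real table, paste the output of display arp into SAMPLE_ARP (or read it from a file) and set the threshold to what the VLANIF's broadcast domain should legitimately contain.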

Aged ARP entry display on S series switches
On S series switches (except S1700 switches), aged ARP entries cannot be displayed. You can only view the current ARP table.

Aging time of ARP entries on S series switches
For S series switches (except S1700 switches), the default aging time of dynamic ARP entries is 1200s (20 minutes). You can run the arp expire-time expire-time command in the system view or an interface view to configure the aging time of dynamic ARP entries; the second expire-time is the value, in seconds, to set as the aging time of dynamic ARP entries. Static ARP entries do not age.
