Configurations that affect ARP entry updating on S series switches


S series switches (except S1700 switches) use ARP packets to dynamically learn and update dynamic ARP entries; a dynamic entry can be overwritten by a static ARP entry. Dynamic ARP entries age. When the aging time of a dynamic ARP entry expires, the device sends aging detection (probe) packets to the corresponding host. If the host responds within the configured number of detection attempts, the entry is refreshed; if it does not, the entry is deleted.

Besides the aging parameters of dynamic ARP entries, other configurations on the device can affect how dynamic ARP entries age and are updated. The common ones are listed below.

MAC address-triggered ARP update (not supported by S1720, S2720, S275x, or S5700LI fixed switches)
By default, MAC address entries age after 5 minutes while ARP entries age after 20 minutes. When a host moves to another interface, its MAC address entry is relearned on the new interface almost at once, but the ARP entry keeps pointing to the old outbound interface until the ARP entry ages, so the switch forwards the host's traffic to the wrong interface in the meantime and user services are affected. If this occurs, run the mac-address update arp command to enable MAC address-triggered ARP update. Afterwards, whenever the outbound interface in a MAC address entry changes, the outbound interface in the corresponding dynamic ARP entries is updated immediately, so user services are not interrupted.

Spanning Tree Protocol (STP)
By default, when the device receives an STP Topology Change (TC) BPDU, it ages or deletes the affected ARP entries. If the STP convergence mode is fast, the device deletes the entries outright on receiving a TC BPDU. If the convergence mode is normal, the device ages them immediately, that is, it sets their remaining lifetime to 0; if the aging detection count is greater than 0, the device then probes the hosts before deleting anything. On a network running STP, configure the interfaces directly connected to user terminals (such as hosts) as edge ports and enable Bridge Protocol Data Unit (BPDU) protection on them. Otherwise every state change on such an interface, and any BPDU a host sends into it, generates TC BPDUs; a large number of them slows STP convergence and repeatedly forces ARP entries through aging, which disrupts user services.
To stop the device from aging or deleting ARP entries when it receives TC BPDUs, run the arp topology-change disable command to disable the TC response function. Enable MAC address-triggered ARP update at the same time: after a topology change the MAC address entries are relearned on the new interfaces, and without the TC response this is the only mechanism that moves the ARP entries along with them.

Strict ARP learning
After strict ARP learning is enabled, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself. Unsolicited ARP Reply, ARP Request and gratuitous ARP packets are not used to learn or refresh entries, which blocks forged ARP packets but also means a host whose address mapping changed is only picked up when the device probes it.

ARP-CPCAR
Every type of protocol packet sent to the CPU has a default CPCAR (Control Plane Committed Access Rate) value, and some of these values need to be adjusted to the service scale and network environment. When many users are connected to the device but the CPCAR values for ARP Request and ARP Reply packets are small, ARP packets are dropped before they reach the CPU (run the display cpu-defend statistics all command to check for drops), so ARP entries are not learned or refreshed. In this case, raise the CPCAR values for ARP packets to suitable values. Improper CPCAR settings affect services on the network, so contact Huawei engineers before changing them.
ARP attacks also disturb the learning and updating of dynamic ARP entries. In that case, locate the attack source and configure the appropriate ARP attack defense functions.
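As an added example (not Huawei code or configuration), the following Python model ties together the behaviours described in this article: aging and aging detection, strict ARP learning, MAC address-triggered ARP update, the TC BPDU response in fast and normal STP convergence mode and the arp topology-change disable knob, plus the fixed-mac entry check and the arp-limit described later on this page. Timers are whole minutes, the three-probe default and all IP and MAC values are assumptions, and the attribute names are only labels for the corresponding commands.

```python
"""Model of the dynamic ARP entry life cycle on the switch described above:
aging, aging detection (probes), strict ARP learning, mac-address update arp,
the TC BPDU response in fast and normal STP convergence mode, the fixed-mac
entry check and arp-limit. Added example, not Huawei code; timers are whole
minutes and the 3-probe default is an assumption."""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    interface: str
    remaining: int          # minutes until aging detection starts
    probes_left: int        # aging detection attempts still allowed
    static: bool = False


@dataclass
class ArpTable:
    aging_time: int = 20            # default dynamic ARP aging time (minutes)
    probe_count: int = 3            # assumed number of aging detection attempts
    strict_learning: bool = False   # strict ARP learning
    mac_update_arp: bool = False    # mac-address update arp
    tc_response: bool = True        # False models "arp topology-change disable"
    stp_fast: bool = False          # STP convergence mode fast (True) or normal
    fixed_mac: bool = False         # arp anti-attack entry-check fixed-mac enable
    arp_limit: dict = field(default_factory=dict)   # interface -> max dynamic entries
    entries: dict = field(default_factory=dict)     # ip -> ArpEntry
    pending: set = field(default_factory=set)       # IPs the device itself has requested

    def add_static(self, ip, mac, interface):
        # Static entries override dynamic ones and never age.
        self.entries[ip] = ArpEntry(mac, interface, 0, 0, static=True)

    def send_request(self, ip):
        # ARP Request sent by the device (ARP Miss or aging probe).
        self.pending.add(ip)

    def receive_arp(self, ip, mac, interface, is_reply):
        """Learn or refresh a dynamic entry; returns True if the table changed."""
        if self.strict_learning and not (is_reply and ip in self.pending):
            return False            # unsolicited Reply, Request or gratuitous ARP: not learned
        self.pending.discard(ip)
        e = self.entries.get(ip)
        if e is not None and e.static:
            return False            # a static entry is never overwritten by ARP packets
        if e is None:
            limit = self.arp_limit.get(interface)
            dyn = sum(1 for x in self.entries.values() if x.interface == interface and not x.static)
            if limit is not None and dyn >= limit:
                return False        # arp-limit reached: no new dynamic entry on this interface
            self.entries[ip] = ArpEntry(mac, interface, self.aging_time, self.probe_count)
            return True
        if self.fixed_mac and e.mac != mac:
            return False            # fixed-mac: a packet that would change the MAC is discarded
        e.mac, e.interface = mac, interface
        e.remaining, e.probes_left = self.aging_time, self.probe_count
        return True

    def mac_moved(self, mac, new_interface):
        """Outbound interface of a MAC entry changed; returns ARP entries updated."""
        if not self.mac_update_arp or self.fixed_mac:
            return 0                # no effect unless enabled, and none at all with fixed ARP
        changed = 0
        for e in self.entries.values():
            if not e.static and e.mac == mac and e.interface != new_interface:
                e.interface = new_interface
                changed += 1
        return changed

    def receive_tc(self):
        """TC BPDU received from STP."""
        if not self.tc_response:
            return
        if self.stp_fast:
            self.entries = {ip: e for ip, e in self.entries.items() if e.static}
        else:
            for e in self.entries.values():
                if not e.static:
                    e.remaining = 0     # age at once; probes follow on the next tick

    def tick(self, responders=frozenset()):
        """Advance one minute; `responders` are IPs that answer the probe."""
        for ip, e in list(self.entries.items()):
            if e.static:
                continue
            if e.remaining > 0:
                e.remaining -= 1
                continue
            if e.probes_left <= 0:
                del self.entries[ip]    # no answer within the detection count
                continue
            e.probes_left -= 1
            self.send_request(ip)
            if ip in responders:
                self.receive_arp(ip, e.mac, e.interface, is_reply=True)
```

Calling receive_tc() on a table in normal mode and then tick() without responders shows an entry surviving exactly probe_count ticks before it is deleted, whereas with stp_fast=True the same TC BPDU removes it at once; that difference is why the article asks for edge ports and BPDU protection on user-facing interfaces. Setting mac_update_arp together with fixed_mac shows that the fixed ARP check silently wins, which is the second precaution listed further down this page.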

Other related questions:
Failed to update ARP entries on S series switch
If the VLAN ID, MAC address or interface information in ARP entries on an S series switch cannot be updated, check whether an ARP entry fixing policy is configured, for example arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable. These modes are meant to stop ARP packets from changing existing entries: in fixed-all mode none of the three fields can be changed by an ARP packet, in fixed-mac mode the MAC address cannot be changed, and in send-ack mode the device confirms a change with its own ARP Requests before applying it. The blocked update is therefore the intended effect of the policy, not a fault.

Which configurations may affect ARP entry update on the device
In normal cases, the device dynamically learns and updates ARP entries through ARP packets, and dynamic ARP entries can be overridden by static ARP entries. Each dynamic ARP entry has an aging time. When it expires, the device sends ARP probe packets. If an ARP Reply arrives within the configured number of probe attempts, the device updates the entry; if no reply arrives after all probe attempts, it deletes the entry. Besides the dynamic ARP aging parameters, the following configurations may affect the aging and update of dynamic ARP entries.

MAC address-triggered ARP entry update
By default, the aging time of MAC entries is five minutes and that of ARP entries is 20 minutes. In some scenarios a MAC entry has been updated while the ARP entry has not, which affects user services. After you run the mac-address update arp command to enable MAC address-triggered ARP entry update, the device updates the outbound interface in ARP entries immediately when the outbound interface in the MAC address entry changes, which prevents user service interruption.

Spanning Tree Protocol
By default, the device responds to Topology Change (TC) BPDUs immediately, that is, it ages or deletes ARP entries on receiving them. In fast STP convergence mode the device directly deletes the mapping ARP entry on receiving a TC BPDU. In normal convergence mode it ages the mapping ARP entry immediately by setting its remaining lifetime to 0; if the configured number of ARP probe attempts is greater than 0, the device then probes before deleting the entry. If STP is configured on the network, configure the interfaces connecting the device to user terminals (such as hosts) as edge ports and enable BPDU protection on them. Otherwise a large number of TC BPDUs lowers the convergence speed of the STP topology and disturbs ARP entry update and maintenance, and with it user services. Run the arp topology-change disable command to stop the device from aging and deleting ARP entries when it receives TC BPDUs, and use it together with MAC address-triggered ARP entry update.

Strict ARP learning
After this function is enabled, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself.

ARP-CPCAR
The device has a default CPCAR value for the packets of each protocol, and some of these values need to be adjusted to the actual service scale and user network. When many users are connected to the device and a small CPCAR value is set for ARP Request and Reply packets, ARP packets may be dropped (run the display cpu-defend statistics all command to check) and ARP entry learning and update are affected. In this case, run the display arp statistics all command to check the ARP entry statistics and adjust the CPCAR value for ARP Request/Reply packets accordingly. Improper CPCAR settings affect services on the network; if you need to adjust them, contact Huawei technical personnel for help.

ARP attacks on the network also affect the learning and update of dynamic ARP entries. Find the attack source and configure the appropriate ARP attack defense function.

Configure ARP entry update upon MAC address change on S series switch
Principles of ARP entry update upon MAC address change on S series switches (except S1700): Every device on a network has an IP address, which it uses to communicate with other devices. On an Ethernet, hosts, switches and routers send and receive Ethernet frames based on MAC addresses, and ARP provides the mappings between IP addresses and MAC addresses. When a Layer 3 switch forwards traffic between network segments, it relies on ARP entries to map the next-hop IP address to the correct MAC address and outbound interface. If you move a host to another interface of the switch, the host's MAC address is learned on the new interface and the outbound interface in the MAC address entry changes. The outbound interface in the ARP entry, however, is updated only after the ARP aging time expires, and until then the switch uses the incorrect ARP entry for communication. After the mac-address update arp command is configured in the system view, the outbound interface in an ARP entry is updated from the outbound interface in the MAC address entry.

Precautions:
1. The command is valid only for dynamic ARP entries, not static ARP entries.
2. The mac-address update arp command does not take effect after the arp anti-attack entry-check enable command has been executed to configure fixed ARP.
3. After ARP entry update upon MAC address change is enabled, an ARP entry is updated only when the outbound interface in the corresponding MAC address entry changes.
4. Configuring ARP entry update upon MAC address change makes the gratuitous ARP packet discarding function ineffective.
5. S series switches running versions earlier than V100R006C00 do not support ARP entry update upon MAC address change.

View ARP entries on S series switches
If an S series switch (except the S1700 switch) works at Layer 2, you can only view the MAC addresses of the devices connected to an interface, not their IP addresses. Run the display mac-address command. The command output is as follows:

MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN  CEVLAN  Port      Type      LSP/LSR-ID
               VSI/SI                                          MAC-Tunnel
-------------------------------------------------------------------------------
5489-980d-4ef6 1           -       -       GE0/0/1   dynamic   0/-
5489-98c2-19e3 20          -       -       GE0/0/2   dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2

If an S series switch (except the S1700 switch) works at Layer 3, run the display arp [ all ] command to view the ARP entries, including the mappings between IP addresses and MAC addresses, and the outbound interfaces toward those devices. The command output is as follows:

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
------------------------------------------------------------------------------------------
Total:2         Dynamic:1     Static:0     Interface:1

With a known MAC address or IP address, you can therefore obtain the outbound interface and the IP-to-MAC mapping of a specific device from the MAC table or the ARP table on the switch.

In the preceding output, an entry whose MAC ADDRESS field is Incomplete is a temporary ARP entry. When an IP packet triggers an ARP Miss message, the switch generates a temporary ARP entry and sends ARP Request packets to the destination network segment. Before the temporary entry ages, one of the following happens:
- Until an ARP Reply arrives, the switch discards IP packets matching the temporary entry, and no further ARP Miss message is triggered.
- When the ARP Reply arrives, the switch generates a correct ARP entry that replaces the temporary one.
- When the temporary ARP entry expires without a reply, the switch deletes it.
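As an added example (not Huawei code), the following Python parser reads the text output of display arp shown above and separates temporary (Incomplete) entries from resolved ones, then checks that the Total line agrees with the entries actually listed. It assumes the column layout above; because the EXPIRE(M) and VPN-INSTANCE cells can be blank, plain whitespace splitting is ambiguous, so tokens are assigned to columns by the position of their header. SAMPLE is constructed from the two entries on this page plus one temporary entry with an assumed address.

```python
"""Parser for the text output of `display arp` (added example; not Huawei code).
Each token is assigned to the column whose header starts at or before it, which
copes with blank EXPIRE(M) and VPN-INSTANCE cells. SAMPLE is constructed from
the two entries shown above plus one temporary (Incomplete) entry."""
import re
from bisect import bisect_right

SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
10.137.216.50   Incomplete      1         D-0         Vlanif10                 10
------------------------------------------------------------------------------------------
Total:3        Dynamic:2     Static:0     Interface:1
"""

COLUMNS = ["IP ADDRESS", "MAC ADDRESS", "EXPIRE(M)", "TYPE",
           "INTERFACE", "VPN-INSTANCE", "VLAN/CEVLAN"]
KEYS = ["ip", "mac", "expire", "type", "interface", "vpn", "vlan"]
IPV4_ROW = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s")
TOTALS = re.compile(r"Total:(\d+)\s+Dynamic:(\d+)\s+Static:(\d+)\s+Interface:(\d+)")


def parse_display_arp(text):
    """Return {"entries": [...], "totals": {...} or None} for one display arp output."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("IP ADDRESS"))
    starts = [header.index(c) for c in COLUMNS]     # column start offsets from the header
    entries, totals = [], None
    for line in lines:
        m = TOTALS.search(line)
        if m:
            totals = dict(zip(["total", "dynamic", "static", "interface"], map(int, m.groups())))
            continue
        if not IPV4_ROW.match(line):
            continue                                # header, separator or blank line
        cells = [[] for _ in COLUMNS]
        for tok in re.finditer(r"\S+", line):
            cells[bisect_right(starts, tok.start()) - 1].append(tok.group())
        raw = dict(zip(KEYS, (" ".join(c) or None for c in cells)))
        entries.append({
            "ip": raw["ip"],
            "mac": raw["mac"],
            "expire": int(raw["expire"]) if raw["expire"] else None,
            # Leading letter: D dynamic, S static, I interface; the suffix is not interpreted.
            "type": (raw["type"] or "?")[0],
            "interface": raw["interface"],
            "vpn": raw["vpn"],
            "vlan": raw["vlan"],
            "temporary": raw["mac"] == "Incomplete",   # entry created by an ARP Miss
        })
    return {"entries": entries, "totals": totals}


def temporary_entries(parsed):
    """Entries still waiting for an ARP Reply (MAC ADDRESS shown as Incomplete)."""
    return [e for e in parsed["entries"] if e["temporary"]]


def totals_consistent(parsed):
    """True if the Total line matches the per-type counts of the listed entries."""
    t = parsed["totals"]
    if t is None:
        return False
    by_type = {k: sum(1 for e in parsed["entries"] if e["type"] == k) for k in "DSI"}
    return (t["total"] == len(parsed["entries"]) and t["dynamic"] == by_type["D"]
            and t["static"] == by_type["S"] and t["interface"] == by_type["I"])
```

Feeding the parser successive captures of display arp is a cheap way to watch entries move through the temporary state, and a Total line that disagrees with the listed entries is a hint that the capture was truncated or paged.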

How to configure ARP entry restriction on S and E series switches
For S and E series switches (except S1700 switches): To prevent the ARP table from being exhausted by ARP attacks from a host connected to an interface, set the maximum number of dynamic ARP entries that the interface can learn. Once an interface has learned that many entries, no further dynamic ARP entry is added on it, so choose a value above the number of hosts legitimately expected behind the interface.

# Configure VLANIF 10 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] vlan batch 10
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] arp-limit maximum 20

# Configure Layer 2 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries from VLAN 10.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20

# Configure Layer 3 interface GE0/0/1 to dynamically learn a maximum of 20 ARP entries.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp-limit maximum 20

The interfaces on some switch models cannot be switched between Layer 2 and Layer 3 mode with the undo portswitch command.
