Which configurations may affect ARP entry update on the device


In normal cases, the device dynamically learns and updates ARP entries from received ARP packets. Dynamic ARP entries can be overridden by static ARP entries. Each dynamic ARP entry has an aging time. When the aging time expires, the device sends an ARP probe packet. If the device receives an ARP Reply packet within the configured number of probe attempts, it updates the ARP entry; if it receives no ARP Reply packet after the configured number of probe attempts, it deletes the entry.

Apart from the dynamic ARP aging parameters, some other configurations on the device may affect the aging and update of dynamic ARP entries. The common related configurations are described as follows:

MAC address-triggered ARP entry update function

By default, the aging time of MAC entries is five minutes and that of ARP entries is 20 minutes. In some scenarios, MAC entries may already have been updated while the corresponding ARP entries have not, which affects user services.

After you run the mac-address update arp command to enable the MAC address-triggered ARP entry update function, the device immediately updates the outbound interface in an ARP entry when the outbound interface in the corresponding MAC address entry changes. This prevents user service interruption.

Spanning Tree Protocol

By default, the device responds to topology checksum (TC) BPDUs immediately: it ages or deletes ARP entries after receiving TC BPDUs.

When the STP convergence mode is fast, the device directly deletes the corresponding ARP entries after receiving TC BPDUs.

When the STP convergence mode is normal, the device immediately ages the corresponding ARP entries after receiving TC BPDUs, that is, it sets each entry's remaining lifetime to 0. If the configured number of ARP probe attempts is greater than 0, the device then performs aging probes for the ARP entry.

If STP is configured on the network, you are advised to configure the interfaces connecting the device to user terminals (such as hosts) as edge ports and to enable the BPDU protection function. Otherwise, a large number of TC BPDUs will slow the convergence of the STP network topology, affect ARP entry update and maintenance, and disrupt user services.

You can run the arp topology-change disable command to prevent the device from aging or deleting ARP entries when it receives TC BPDUs. You are advised to use this function together with the MAC address-triggered ARP entry update function.

Strict ARP learning

After this function is enabled, the device learns ARP entries only from ARP Reply packets received in response to ARP Request packets that the device itself sent.
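To make the rules above concrete, the following Python model (added here as an illustration; it is not Huawei code, and its class and method names are its own) simulates how one switch's dynamic ARP entries react to aging probes, to a MAC entry moving to another interface with and without mac-address update arp, to TC BPDUs under the fast and normal STP convergence modes with and without arp topology-change disable, and to strict ARP learning. The aging time, probe-attempt count, interface names and addresses used with it are constructed sample values.

```python
from dataclasses import dataclass
@dataclass
class ArpEntry:        # one dynamic ARP entry
    mac: str
    iface: str         # outbound interface
    remaining: int     # seconds of aging time left
    probes_left: int   # aging probes still allowed before deletion

class Switch:
    # Constructed model of one switch's ARP table (not Huawei code); knobs mirror the page's commands.
    def __init__(self, aging=20 * 60, probe_attempts=3, stp_mode="normal",
                 mac_update_arp=False, tc_disable=False, strict=False):
        self.aging, self.probe_attempts, self.stp_mode = aging, probe_attempts, stp_mode
        self.mac_update_arp, self.tc_disable, self.strict = mac_update_arp, tc_disable, strict
        self.table = {}       # ip -> ArpEntry: dynamic entries, which age and can be updated
        self.static = {}      # ip -> (mac, iface): never aged, never overridden dynamically
        self.pending = set()  # IPs this switch itself has sent an ARP Request for
    def add_static(self, ip, mac, iface):
        self.table.pop(ip, None); self.static[ip] = (mac, iface)  # static overrides dynamic
    def learn(self, ip, mac, iface, pkt):
        # Offer a received ARP 'request' or 'reply'; returns True if the entry was (re)learned.
        if ip in self.static or (self.strict and (pkt != "reply" or ip not in self.pending)):
            return False  # static wins; strict learning accepts only replies to our own requests
        self.pending.discard(ip)
        self.table[ip] = ArpEntry(mac, iface, self.aging, self.probe_attempts)
        return True
    def mac_moved(self, mac, new_iface):
        # Outbound interface of a MAC entry changed; followed only with mac-address update arp.
        for e in self.table.values() if self.mac_update_arp else []:
            if e.mac == mac:
                e.iface = new_iface
    def tc_bpdu(self):
        # A TC BPDU arrived; arp topology-change disable suppresses any reaction to it.
        for ip, e in [] if self.tc_disable else list(self.table.items()):
            if self.stp_mode == "fast":
                del self.table[ip]  # fast convergence: entry deleted outright
            else:
                e.remaining = 0     # normal convergence: aged now, probed on the next tick
    def tick(self, seconds, replies=frozenset()):
        # Advance the clock; `replies` holds the IPs that answer this round's aging probe.
        for ip, e in list(self.table.items()):
            e.remaining -= seconds
            if e.remaining > 0: continue
            if e.probes_left > 0 and ip in replies:  # probe answered: entry refreshed
                e.remaining, e.probes_left = self.aging, self.probe_attempts
            elif e.probes_left <= 1:                 # last allowed probe (or none) unanswered
                del self.table[ip]
            else:
                e.probes_left -= 1                   # unanswered; another probe next round
```

Adding an IP to `pending` stands for the switch sending its own ARP Request; with `strict=True`, only a reply to such a request is learned.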

ARP-CPCAR

The device has default CPCAR values for the packets of each protocol. The CPCAR values of some protocol packets need to be adjusted based on the actual service scale and user network. When many users are connected to the device and a small CPCAR value is set for ARP Request and Reply packets, ARP packets may be lost (run the display cpu-defend statistics all command to check whether packets are being dropped), and ARP entry learning and update are affected. In this case, adjust the CPCAR value for ARP packets: run the display arp statistics all command to check the ARP entry statistics, and change the CPCAR value for ARP Request/Reply packets accordingly. Improper CPCAR settings will affect services on your network, so if you need to adjust CPCAR settings, you are advised to contact Huawei technical personnel for help.

ARP attacks on the network also affect the learning and update of dynamic ARP entries. You are advised to locate the attack source and configure the ARP anti-attack functions.

Other related questions:
Configurations that affect ARP entry updating on S series switches
S series switches (except S1700 switches) use ARP messages to dynamically learn and update dynamic ARP entries, which can be overwritten by static ARP entries. Dynamic ARP entries have an aging mechanism. When a dynamic ARP entry expires, the device sends aging detection packets to the corresponding host. If the device receives a response from the host within the specified number of detection times, the ARP entry is updated. If not, the ARP entry is deleted.

In addition to the aging parameters of dynamic ARP entries, some configurations on the device may affect the aging and updating of dynamic ARP entries. The following lists some common factors.

MAC address-triggered ARP update (not supported by S1720, S2720, S275x, or S5700LI fixed switches)

By default, the aging time of MAC address entries is 5 minutes, and the aging time of ARP entries is 20 minutes. In certain scenarios, MAC entries are updated, but the ARP entries are not updated accordingly, affecting user services. If this occurs, run the mac-address update arp command to enable the MAC address-triggered ARP update function. After the configuration, when the outbound interfaces in MAC address entries change, the outbound interfaces in ARP entries are updated, so that user services will not be interrupted.

Spanning Tree Protocol (STP)

By default, when the device receives a Topology Checksum (TC) packet of STP, it ages or deletes the corresponding ARP entry. If the STP convergence mode is fast, the device deletes the corresponding ARP entry when receiving a TC packet. If the STP convergence mode is normal, the device rapidly ages the corresponding ARP entry when receiving a TC packet, that is, the device sets the remaining lifetime of the ARP entry to 0. If the number of detection times for aging out the ARP entry is greater than 0, the device carries out aging detection of the ARP entry.

If STP is deployed on a network, you are advised to configure the device interfaces directly connected to user terminals (such as hosts) as edge ports and enable the Bridge Protocol Data Unit (BPDU) protection function. If not, when a large number of TC packets are generated, the convergence speed of the STP network topology will be reduced, and the updating and maintenance of ARP entries will be affected, which will have an impact on user services. To prevent the device from aging or deleting ARP entries when receiving TC packets, run the arp topology-change disable command to disable the TC packet response function. You are advised to enable the MAC address-triggered ARP update function at the same time.

Strict ARP learning

After strict ARP learning is enabled, the device learns only from the ARP Reply packets received in response to the ARP Request packets it sent itself.

ARP-CPCAR

By default, each type of protocol packet has a default CPCAR value. The CPCAR values of some types of protocol packets need to be adjusted based on service specifications and the user's network environment. When many users connect to the device but the CPCAR values of ARP Request packets and ARP Reply packets are small, ARP packets can be lost. (To check whether ARP packets are lost, run the display cpu-defend statistics all command.) This will affect ARP entry learning and updating. In this case, you can adjust the CPCAR values of ARP packets to proper values. Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings.

When ARP attacks occur, the learning and updating of dynamic ARP entries will also be affected. In this case, you are advised to find the attack source and configure the appropriate attack defense functions.

Failed to update ARP entries on S series switch
If the VLAN IDs, MAC addresses, or interface information in ARP entries on an S series switch cannot be updated, check whether an ARP attack defense policy has been configured, for example, arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable.

Configure ARP entry update upon MAC address change on S series switch
Principles of ARP entry update upon MAC address change on S series switches (except S1700):

Every device on a network has an IP address, which is used to communicate with other devices. On an Ethernet, hosts, switches, and routers send and receive Ethernet data frames based on MAC addresses. ARP provides the mappings between IP addresses and MAC addresses. When devices on different network segments communicate, ARP entries must be used to map IP addresses to the correct MAC addresses and outbound interfaces.

If you move a host and connect it to another interface of a switch, the host's MAC address is learned on the new interface and the outbound interface corresponding to the MAC address changes. However, the outbound interface in the ARP entry is updated only after the aging time expires. Before the aging time expires, the switch uses the incorrect ARP entry for communication. After the mac-address update arp command is configured in the system view, the outbound interface in an ARP entry can be updated based on the outbound interface in the corresponding MAC address entry.

Precautions:
1. This command is valid only for dynamic ARP entries, not for static ARP entries.
2. The mac-address update arp command does not take effect after the arp anti-attack entry-check enable command has been executed to configure fixed ARP.
3. After ARP entry update upon MAC address change is enabled, an ARP entry is updated only when the outbound interface in the corresponding MAC address entry changes.
4. Configuring ARP entry update upon MAC address change causes the gratuitous ARP packet discarding function to become ineffective.
5. S series switches running versions earlier than V100R006C00 do not support ARP entry update upon MAC address change.

Do CE series switches support ARP entry update upon a MAC address change
All models of CE switches in V100R003C10 and later versions support ARP entry update upon MAC address changes.

In which situation can ARP entries be learned after strict ARP learning is enabled
If strict ARP learning is enabled, the device does not learn ARP entries for the source IP addresses of received ARP Request packets. The device updates the ARP entry matching a packet's source IP address only when all of the following conditions are met: the packet is an ARP Reply packet, its destination IP address is the device's own address, and an ARP entry (a temporary ARP entry or an actual ARP entry) matching the source IP address already exists. In other words, the device must first send an ARP Request packet to the source end; after receiving the ARP Reply packet, the device learns the ARP entry for the source end.
