For S series switches, how to handle the failure to learn ARP entries caused by ARP Miss packets


For S series switches, the reasons for the failure to learn ARP entries caused by ARP Miss messages are as follows:
- The rate limit on ARP Miss messages is too small. As a result, the switch discards normal ARP Miss messages and, because sending ARP Request packets to the destination network depends on those messages, fails to send them.
- The CPCAR value of the ARP Miss packet is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network.
- The attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages.

Perform the following steps to locate the fault. Save the results of each troubleshooting step so that you can provide collected information for Huawei technical support engineers if the fault fails to be rectified.
1. Run the display arp all command in the user view to check the ARP entries.
If the MAC ADDRESS field of an entry is Incomplete, the device has failed to learn that ARP entry. The IP address and interface of the affected host can be read from the entry.
2. Capture the packet header on the interface used to connect to a user and check the source IP address of the ARP packet.
3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the number of the dropped ARP Miss packets is increasing.
- If the number of dropped ARP Miss packets is 0, no ARP Miss packets are discarded by the switch. ARP entry learning fails because the rate limit on ARP Miss messages is too small.
Go to step 5. Increase the ARP Miss message rate limit according to the actual network environment.
- If the number of dropped ARP Miss packets is not 0, the rate of ARP Request packets exceeds the CPCAR rate limit and excessive ARP request packets are discarded. Check whether the CPCAR value of ARP Miss messages is configured correctly.
-- If not, go to step 4. Increase the CPCAR value of ARP Miss messages.
-- If so, ARP entry learning fails because the attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages.
Find the attacker based on the source IP address, and check whether the user is infected with viruses. Alternatively, add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP Request packets sent by the attacker.
4. Run the car command in the attack defense policy view to increase the CIR value for ARP Miss messages.
Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings.
After the configuration is complete, the attack defense policy takes effect only after it is applied.
After the preceding steps are performed, if the fault persists or has been rectified but the CPU usage is high, go to step 5. Decrease the rate limit on ARP Miss messages.
5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command to view the ARP rate limit configuration.
6. If the fault persists, collect the following information and contact Huawei technical support:
- Results of the preceding troubleshooting procedure
- Configuration file, logs, and alarms of the switch

Other related questions:
Reason why S series switch cannot learn ARP entries
When an S series switch (except S1700) works at Layer 2, the switch does not have ARP entries and cannot learn ARP entries. When an S series switch (except S1700) works at Layer 3 and cannot learn ARP entries, rectify the fault as follows:
(1) Possible cause: The link between the switch and the connected device fails. Solution: Perform ping operations to check whether the link fails. If so, rectify the link failure.
(2) Possible cause: ARP strict learning is enabled on the switch. (After this function is enabled, the switch learns only the ARP Reply packets sent in response to the ARP Request packets it sent itself.) Solution: Run the undo arp learning strict command in the system or interface view to disable ARP strict learning.
(3) Possible cause: The switch has too many ARP entries and may be suffering an ARP attack. Solution: Configure static ARP entries for key servers or users and enable attack defense policies.
Note:
(1) By default, ARP strict learning is enabled on some fixed switch models and disabled on modular switches. When a fixed switch connected to a modular switch receives a gratuitous ARP packet, the fixed switch does not learn ARP entries. Therefore, some fixed switches cannot learn ARP entries.
(2) After ARP strict learning is enabled on a switch, the switch actively sends ARP Request packets to hosts. Some PCs with wireless network adapters installed do not respond to ARP Requests, so the switch cannot learn the ARP entries of the connected PCs. The PCs respond only after the network adapters are restarted. In this situation, disable ARP strict learning.

How to configure strict ARP entry learning on S series switches
For S series switches (except S1700 switches), enabling strict ARP entry learning allows the switch to learn only ARP entries for ARP Reply packets sent in response to ARP Request packets the switch sent itself. Enabling strict ARP entry learning on the switch affects only ARP entry learning on the switch, not on the hosts.
# Enable strict ARP entry learning on VLANIF 100.
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] arp learning strict force-enable
# Enable strict ARP entry learning globally on the switch and enable this function on GE1/0/1.
[HUAWEI] arp learning strict
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo portswitch
[HUAWEI-GigabitEthernet0/0/1] arp learning strict force-disable
The physical interfaces on some switch models cannot switch between Layer 2 and Layer 3 modes through the undo portswitch command.

Strict ARP learning is enabled on S series switches, and the user has learned the switch's ARP entry. Why can't the switch learn the user's ARP entry by pinging the user?
For S series switches: After strict ARP learning is enabled, the switch learns ARP entries only from the Reply packet sent in response to locally originated ARP Request packets. The firewall installed on the PC may prevent the PC from sending ARP Reply packets when receiving ARP Request packets, or the NIC on the computer cannot return ARP Reply packets. In this case, the switch cannot receive ARP Reply packets no matter whether the switch sends ping packets to the user or the user sends data packets to the switch to trigger ARP Miss messages. Therefore, the switch cannot learn the user's ARP entry. If this problem occurs on only a few users, configure static ARP entries for the users; if the problem happens on most users, disable strict ARP learning on the switch.

Handling of many ARP Request or Reply packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur:
- Users go offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network.
- The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline.
- Ping delay, packet loss, or failure occurs.
Perform the following steps to troubleshoot the preceding problems. Saving the results of each step is recommended: if your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel.
1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of dropped ARP Request or ARP Reply packets is increasing.
- If the count is 0, the switches do not drop any ARP Request or Reply packets. Go to step 6.
- If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Go to step 2.
2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU.
- If the CPU usage is in the normal range, go to step 3.
- If the CPU usage is higher than 70%, go to step 5.
3. Run the car command in the attack defense policy view to properly increase the CPCAR rate limit for ARP Request or ARP Reply packets.
Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings.
The car command takes effect after you apply the attack defense policy. If the fault persists, or the fault is removed but the CPU usage is still high, go to step 4.
4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets.
If a lot of ARP Request or Reply packets are sent from one source MAC or IP address, the switches consider that source address an attack source. Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address, or run the arp speed-limit source-mac [ ] maximum command to configure the ARP packet rate limit based on the source MAC address, to suit the actual network situation. By default, ARP packet rate limiting based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second; once the rate of ARP packets reaches this limit, the switches discard subsequent ARP packets. The rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s):
-- If the fault persists, go to step 5.
-- If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6.
5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from one source address, the switches consider that source address an attack source. Configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6.
6. Collect the following information and contact Huawei technical support personnel:
- Results of the preceding troubleshooting procedure
- Configuration files, logs, and alarms of the switches
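The per-source rate limits in step 4 (30 ARP packets per second per source IP by default; 0, meaning no limit, per source MAC) can be applied to a capture taken on the user-side interface to see which source the switch would treat as an attack source. The following is an added example in Python and is not Huawei code; the capture summary it screens is constructed inline, and the function names are this example's own.

```python
"""Per-source ARP rate check over a constructed capture summary.

Added example, not Huawei code: it mimics the switch's per-source-IP and
per-source-MAC ARP rate limits (default 30 packets per second per source IP;
0 for source MAC, meaning no limit) so that a capture taken on the user-side
interface can be screened for sources the switch would treat as attack sources.
"""
from collections import defaultdict


def build_sample_capture():
    """Constructed capture summary: (timestamp in seconds, src IP, src MAC, ARP opcode)."""
    packets = []
    # Normal host: three ARP Requests spread over about 1.5 s
    for i in range(3):
        packets.append((i * 0.7, "10.1.1.5", "5489-980d-4ef6", "request"))
    # Noisy host: 45 Requests in second 0 and 40 in second 1, the kind of
    # volume the troubleshooting steps treat as an attack source
    for i in range(45):
        packets.append((i / 45, "10.1.1.77", "5489-98c2-19e3", "request"))
    for i in range(40):
        packets.append((1 + i / 40, "10.1.1.77", "5489-98c2-19e3", "request"))
    return packets


def per_second_counts(packets, key):
    """Count ARP packets per (source value, whole second) bucket.

    key is "ip" or "mac", selecting which source field to aggregate on.
    """
    counts = defaultdict(int)
    for ts, src_ip, src_mac, _opcode in packets:
        value = src_ip if key == "ip" else src_mac
        counts[(value, int(ts))] += 1
    return counts


def rate_offenders(packets, per_ip_limit=30, per_mac_limit=0):
    """Return {(kind, address): peak_pps} for sources exceeding a limit.

    A limit of 0 disables that check, matching the switch default for the
    source-MAC limit. Lowering a limit makes more sources show up, which is
    what step 4 relies on when it reduces the limit to isolate the attacker.
    """
    offenders = {}
    for kind, limit in (("ip", per_ip_limit), ("mac", per_mac_limit)):
        if limit <= 0:
            continue
        peak = defaultdict(int)
        for (value, _second), n in per_second_counts(packets, kind).items():
            peak[value] = max(peak[value], n)
        for value, n in peak.items():
            if n > limit:
                offenders[(kind, value)] = n
    return offenders


if __name__ == "__main__":
    capture = build_sample_capture()
    for (kind, addr), pps in sorted(rate_offenders(capture).items()):
        print(f"source {kind} {addr}: peak {pps} ARP packets/s exceeds the limit")
```

With the defaults only the noisy host's IP is reported; enabling a source-MAC limit reports its MAC as well, and raising the IP limit above the observed peak reports nothing, which is the same behaviour the switch shows when its limit is set too high to catch the source.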

View ARP entries on S series switches
If an S series switch (except the S1700 switch) works at Layer 2, you can only view the MAC addresses of devices connected to an interface, not the IP addresses. Run the display mac-address command. The command output is as follows:
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/      PEVLAN CEVLAN Port      Type      LSP/LSR-ID
               VSI/SI                                       MAC-Tunnel
-------------------------------------------------------------------------------
5489-980d-4ef6 1          -      -      GE0/0/1   dynamic   0/-
5489-98c2-19e3 20         -      -      GE0/0/2   dynamic   0/-
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 2

If an S series switch (except the S1700 switch) works at Layer 3, you can run the display arp [ all ] command to view ARP entries, including mappings between IP addresses and MAC addresses. In addition, you can find the outbound interfaces toward the devices based on the mappings. The command output is as follows:
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0  Interface:1

With known MAC addresses or IP addresses, you can obtain outbound interfaces and mappings between IP addresses and MAC addresses of specific devices from the MAC table or ARP table on the switch. In the preceding output, if the MAC ADDRESS field is Incomplete, the ARP entry is temporary. When an IP packet triggers an ARP Miss message, the switch generates a temporary ARP entry and sends ARP Request packets to the destination network segment. The following situations may occur before the temporary ARP entry ages:
- Before receiving an ARP Reply packet, the switch discards IP packets matching the temporary ARP entry. No further ARP Miss message is triggered.
- After receiving the ARP Reply packet, the switch generates a correct ARP entry to replace the temporary ARP entry.
- When the temporary ARP entry expires, the switch deletes it.
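When a switch has many entries, reading the display arp output by eye for Incomplete entries is slow, and the troubleshooting procedure earlier on this page needs the IP address and interface of every failed learn. The following Python parser is an added example and not Huawei code: it tokenises the output shown above on whitespace, recognises each field by shape rather than by column position (column widths vary between models), and reports Incomplete entries per interface. The sample output is constructed: the first two rows are the ones shown above, and a third row with an Incomplete MAC ADDRESS field is added to model a failed learn on VLANIF 100.

```python
"""Parse `display arp` output and flag Incomplete (temporary) entries.

Added example, not Huawei code. SAMPLE_DISPLAY_ARP is constructed: the first
two rows come from the page, the third (Incomplete on Vlanif100) is made up
to model a failed ARP learn.
"""
import re
from collections import Counter

SAMPLE_DISPLAY_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.137.217.202  00e0-0987-7890            I -         Eth0/0/0
10.137.216.1    0000-5e00-0149  20        D-0         Eth0/0/0
10.137.216.55   Incomplete      1         D-0         Vlanif100                100/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0  Interface:1
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
# Interface names such as Eth0/0/0, GE0/0/1, Vlanif100; "D-0", "I" and "20" do not match
IFACE = re.compile(r"^[A-Za-z]+\d+(?:/\d+)*$")


def parse_display_arp(text):
    """Return one dict per ARP entry; header, separator and Total lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not IPV4.match(tokens[0]):
            continue
        mac = tokens[1]
        if not (MAC.match(mac) or mac == "Incomplete"):
            continue
        iface = next((t for t in tokens[2:] if IFACE.match(t)), None)
        entries.append({
            "ip": tokens[0],
            "mac": mac,
            "interface": iface,
            "incomplete": mac == "Incomplete",
        })
    return entries


def incomplete_entries(text):
    """(ip, interface) pairs whose ARP learn has not completed."""
    return [(e["ip"], e["interface"]) for e in parse_display_arp(text) if e["incomplete"]]


def incomplete_by_interface(text):
    """Count Incomplete entries per interface.

    A cluster on one interface points at the user-side port where the packet
    capture in the next troubleshooting step should be taken.
    """
    return Counter(iface for _ip, iface in incomplete_entries(text))


if __name__ == "__main__":
    for ip, iface in incomplete_entries(SAMPLE_DISPLAY_ARP):
        print(f"Incomplete ARP entry: {ip} on {iface}")
    print(dict(incomplete_by_interface(SAMPLE_DISPLAY_ARP)))
```

Paste the real command output into a file and pass its contents to incomplete_entries; because fields are matched by shape, the parser tolerates the blank EXPIRE(M) column of interface entries and the optional VPN-INSTANCE and VLAN/CEVLAN columns.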
