How does an MFF-enabled switch process ARP requests from the network side

7

When receiving an ARP Request packet, an MFF-enabled switch checks the destination IP address in the packet against the DHCP snooping binding table. If the destination IP address in the packet matches an entry in the DHCP snooping binding table, the switch functions as a DHCP client to response to the request; otherwise, the ARP Request packet is sent to other network-side interfaces.

A DHCP client may not send a DHCP Release message when going offline; therefore, association between ARP and DHCP snooping may be enabled on the upstream gateway device. In this case, if MFF is enabled on the switch, the probe packet sent by the gateway cannot reach the destination because ARP proxy is enabled on the switch. On switches of V100R006 and later version, run the mac-forced-forwarding user-detect transparent command in the VLAN view to solve this problem.

Other related questions:
How does an MFF-enabled switch process gateway MAC address changes
If MFF gateway detection is enabled on a switch, the switch detects gateway MAC address changes and updates the gateway MAC address entries. In this way, user services are not interrupted. However, if MFF gateway detection is disabled, the switch does not update the gateway MAC address entries and user traffic may be interrupted. To detect gateway MAC address changes, enable MFF gateway detection on the switch.

When ARP rate suppression is configured and MFF is enabled in the VLAN on S series switches, can the rate of ARP packets processed by the MFF module be suppressed
For S series switches: In versions earlier than V200R001, the switch limits only the rate of ARP packets destined to the switch. Therefore, the switch does not limit the rate of ARP packets processed by the MFF module (ARP packets destined to other devices). In V200R001 and later versions, the switch checks the VLAN ID in an ARP packet to determine whether MFF is enabled in the VLAN. If MFF is enabled in the VLAN, the switch limits the rate of the ARP packet and then the MFF module processes the ARP packet.

Handling of many ARP request or replay packets received on S series switches
When S series switches receive a large number of ARP Request or Reply messages, the following problems may occur: -Users get offline, are frequently disconnected, experience slow Internet access and service interruption, or even cannot access the network. -The switches have high CPU usage or cannot be managed by the network management system (NMS), and their connected devices go offline. -Ping delay, packet loss, or failure occurs. You can perform the following steps to troubleshoot the preceding problems: Saving the results of each step is recommended. If your troubleshooting fails to correct the fault, you can provide the record of your actions to Huawei technical support personnel. 1. Run the display cpu-defend statistics packet-type { arp-request | arp-reply } all command in the user view to check whether the count of the dropped ARP Request or ARP Reply packets is increasing. -If the count is 0, the switches do not drop any ARP Request or Reply packets. Then go to step 6. If the count is not 0, the rate of ARP Request or Reply packets exceeds the CPCAR rate limit and excess ARP packets are discarded. Then go to step 2. 2. Run the display cpu-usage command in the user view to check the CPU usage of the MPU. - If the CPU usage is in the normal range, go to step 3. - If the CPU usage is higher than 70%, go to step 5. 3. Run the car command in the attack defense policy view to properly increase the CPCAP rate limit for ARP Request or ARP Reply packets. Note: Improper CPCAR settings will affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. The car command takes effect after you apply the attack defense policy. If the fault persists or the fault is removed but the CPU usage is still high, go to step 4. 4. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source MAC or IP address, the switches consider the source address as an attack source. Run the arp speed-limit source-ip [ ] maximum command in the system view to reduce the ARP packet rate limit based on the source IP address or run the arp speed-limit source-mac [ ] maximum command to configure ARP packet rate limit based on the source MAC address to adapt to actual network situations. By default, the function of ARP packet rate limit based on the source IP address is enabled, and the switches allow a maximum of 30 ARP packets with the same source IP address to pass through every second. After the rate of ARP packets reaches this limit, the switches discard subsequent ARP packets. The rate limit for ARP packets with the same source MAC address is 0, that is, the switches do not limit the rate of ARP packets based on the source MAC address. After the ARP packet rate limit based on the source IP address or MAC address is set to a smaller value (such as 5 bit/s), --If the fault persists, go to step 5. -- If the fault is rectified but the CPU usage is still high, configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. After that, if the CPU usage is still high, go to step 6. 5. Capture packet headers on the user-side interface and find the attacker according to the source addresses of ARP Request or Reply packets. If a lot of ARP Request or Reply packets are sent from a source address, the switches consider the source address as an attack source. You can configure a blacklist or a blackhole MAC address entry to discard ARP packets sent by the attack source. If the fault persists, go to step 6. 6. Collect the following information and contact Huawei technical support personnel: Results of the preceding troubleshooting procedure Configuration files, logs, and alarms of the switches

How does STP process MAC and ARP entries after the network topology changes
If the network topology changes, the Spanning Tree Protocol (STP) clears media access control (MAC) addresses, and ages Address Resolution Protocol (ARP) entries by default.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top