North American Network Operators Group


Re: ARP Table Timeout and Mac-Address-Table Timeout

  • From: Steven King
  • Date: Mon Sep 15 04:53:02 2008

I saw that one before. That's what we based our current fix on.

Frank Bulk wrote:
> Steven:
>
> This was recently discussed on cisco-nsp:
> http://marc.info/?l=cisco-nsp&m=121316151010190&w=2
>
> Frank
>
> -----Original Message-----
> From: Steven King [mailto:sking@xxxxxxxxxxx] 
> Sent: Sunday, September 14, 2008 7:27 PM
> To: nanog@xxxxxxxxx
> Subject: ARP Table Timeout and Mac-Address-Table Timeout
>
> I am a network engineer for a large web hosting company. We are having
> an issue with our distribution routers flooding traffic in one of our VLANs.
>
> We have a customer with a routed mode ASA 5550. They have their own
> private VLAN that is a /23. This VLAN is 145. The outside interface of
> the firewall is in VLAN 132. We are routing all traffic for VLAN 145 to
> the IP of the outside interface of the firewall in VLAN 132.
>
> VLAN 132 is Layer3 routable and VLAN 145 is only Layer2 switchable.
>
> We have two distribution switches which are redundant with HSRP. Dist1
> is the active forwarder in this case. Traffic coming into these two
> routers is load balanced between Dist1 and Dist2 with EIGRP routes with
> equal cost.
>
> We have found that traffic coming into Dist2 (the standby) is flooding
> traffic destined for the firewall outside interface. But Dist1 is not.
>
> We have tracked down the cause of this to the MAC-Address-Table timing
> out before the ARP table times out. We leave these values at the Cisco
> default. ARP = 4hr MAC = 5 minutes. Since Dist2 is not receiving any
> traffic from the firewall going out to the internet, it is not updating
> the MAC-Address-Table after it expires. Instead, it waits 4 hours for
> the ARP cache to expire for that IP, and then updates everything. But
> Dist2 ends up flooding traffic for that 4 hours causing latency.
>
> We have done some research on this problem and have found so far the
> best solution to be to make the ARP timeout less than the
> MAC-Address-Table aging-timer. We have set the ARP = 1hr and MAC = 2hrs
> in this case to correct the problem. So when the ARP entry times out
> before the MAC entry, the forced update of the ARP entry before the MAC
> timeout causes the MAC entry age to reset. Indeed this does correct the
> problem.
>
> Is this the best solution to the problem, or is there another preferred
> solution? Has anyone run into this in their own Enterprise Networks?
>
> Please let me know if I didn't explain anything well enough.
>
> --
> Steve King
>
> Network Engineer - Liquid Web, Inc.
> Cisco Certified Network Associate
> CompTIA Linux+ Certified Professional
> CompTIA Network+ Certified Professional
> CompTIA A+ Certified Professional
>

-- 
Steve King

Network Engineer - Liquid Web, Inc.
Cisco Certified Network Associate
CompTIA Linux+ Certified Professional
CompTIA Network+ Certified Professional
CompTIA A+ Certified Professional
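As an added illustration, not part of the thread, a small Python model of the timer interaction Steve describes: with the Cisco defaults the standby router floods unicast for almost the entire ARP lifetime, while an ARP timeout shorter than the MAC aging timer closes the window. The function names, the one-packet-per-second traffic and the "reply refreshes both entries" behaviour are my own simplifying assumptions.

```python
# Constructed model of the ARP-cache / MAC-table timer interaction from the
# thread; it is not Cisco code and simplifies what IOS actually does.

def flooded_seconds(arp_timeout, mac_aging, duration=86400, return_traffic=False):
    """Count the seconds in `duration` during which a standby router (Dist2)
    floods unicast toward the firewall's outside MAC.

    Assumptions (constructed, not from the thread):
    - Dist2 forwards transit traffic toward the firewall every second, so its
      ARP entry is in use, but the MAC-table entry is only refreshed by frames
      *sent by* the firewall.
    - The firewall's return traffic reaches only the HSRP active router, so
      Dist2 sees a frame from the firewall only when its own ARP request is
      answered at ARP expiry (return_traffic=True models Dist1 instead).
    - A packet forwarded while the MAC entry has aged out but the ARP entry is
      still valid is flooded to every port in the VLAN, where any host can
      capture it.
    """
    arp_age = mac_age = 0      # both entries freshly learned at t = 0
    flooded = 0
    for _ in range(duration):
        arp_age += 1
        mac_age += 1
        if arp_age >= arp_timeout:
            # Router re-ARPs; the firewall's reply refreshes both entries.
            arp_age = mac_age = 0
        if return_traffic:
            mac_age = 0        # active router sees the firewall's frames
        if mac_age >= mac_aging:
            flooded += 1       # unknown-unicast flooding for this packet
    return flooded

# Timer values quoted in the thread (seconds).
CISCO_DEFAULT = {"arp_timeout": 4 * 3600, "mac_aging": 5 * 60}
THREAD_FIX = {"arp_timeout": 1 * 3600, "mac_aging": 2 * 3600}

def flood_free(arp_timeout, mac_aging):
    """True when the ARP refresh always lands before the MAC entry ages out."""
    return arp_timeout < mac_aging

if __name__ == "__main__":
    for name, t in (("default", CISCO_DEFAULT), ("fix", THREAD_FIX)):
        sec = flooded_seconds(**t)
        print(f"{name:8s} Dist2 floods {sec}s/day ({100 * sec / 86400:.1f}%),"
              f" flood_free={flood_free(**t)}")
```

With the defaults the model floods 84600 of 86400 seconds a day; the Dist1 case (return_traffic=True) and the 1h/2h fix both yield zero.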