
We have a few hundred access switches connecting to a core 10k in IRF. Here all our access switches are pretty much dumb and do only the L2 job. So what happens now is unicast flooding; technically the MAC ages out, at least that is what I believe. I agree with one thing, reducing the fault domain size, but incidentally I would like to know whether gratuitous ARP learning in the 10K can help us reduce or eliminate this flooding. Because as and when you enable it, the switch can do a unicast GARP to keep the MACs in the table by preventing age-out, so that it will help us stop the flooding?

At a given time my core ARP table size is 14k and MAC table size is ~10k.

Ron Maupin
user88975
  • Please elaborate on what model of switches and edge router you have. – Mike Pennington May 21 '18 at 17:46
  • L2 learns MACs by them transmitting. As long as they're sending traffic, they should never age out. (The default on my Cisco switches is 300 s, max is 1 million, i.e. 11.5 days.) – Ricky May 21 '18 at 17:54
  • ARP tables and layer-2 switch MAC address tables are two very different things. – Ron Maupin May 21 '18 at 18:00
  • *unicast flooding* is a layer-2 thing. People conflate arp and mac all the time. arp table:14k vs mac table: 10k indicates a mismatch in l3 vs l2 timers (or you're overflowing the mac table) – Ricky May 22 '18 at 01:50
  • Sorry it is HP 10500 core switch with Aruba access switches. – user88975 May 22 '18 at 09:09
  • Ricky, IMO, ARP timeout renews the MAC entries, so keeping it lower than MAC is ideal, is my understanding. But still, I see packets being flooded. Can you explain what is wrong here? @MikePennington we are using HP 10500 core switch and Aruba access switches. – user88975 May 22 '18 at 09:15
  • Fundamentally, can we explain whether enabling gratuitous ARP will help this? I heard in Cisco it is enabled by default; when the ARP ages out, the MAC entries are renewed through unicast GARP? – user88975 May 22 '18 at 09:18
  • All my access switches get ARP only from the core switch... so setting any timers or enabling GARP at the core may be helpful, is my understanding. – user88975 May 22 '18 at 09:33
  • Having a switch send a gratuitous ARP will only renew the MAC address for the switch in the host ARP tables, not renew the host MAC address in the switch MAC address tables. You are confusing ARP tables and MAC address tables, which are two very different things. ARP also broadcasts to every switch interface, so it exacerbates the problem of flooding. You have two answers and some comments that are explaining this to you. – Ron Maupin May 22 '18 at 10:36
  • Ron, thanks. True, I was confusing it. Is there any relation between ARP aging and MAC aging? When an ARP timeout happens, is the ARP entry just removed, or does the switch do something so that the ARP entry is retained and then it renews the MAC aging for that corresponding MAC? Or in what cases is the ARP entry retained and thus the MAC entry also retained? – user88975 May 22 '18 at 11:52
  • In my case, I am not seeing the MAC in the access switch because of flushing or whatever due to aging, but the same MAC is seen in the core when the unicast flood happens in that access switch. – user88975 May 22 '18 at 11:59
  • "_Is there any relation between arp aging and mac aging?_" No. ARP is completely different, and it is used by hosts to resolve the layer-2 address from the layer-3 address in order to send layer-3 packets to a host on a layer-2 network. Pure layer-2 switches have no use for ARP. Managed switches will use ARP as a regular host for their management interfaces, but it has nothing to do with the layer-2 MAC address switching. The tables are completely separate, and they can have separate aging. You need to increase the MAC address table aging time in your switches. – Ron Maupin May 22 '18 at 12:36
  • user88975, Ron: Just as Ron says, ARP and MAC table aging are completely independent things. Unfortunately, Cisco helps the confusion about them being related by docs like https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6000-series-switches/23563-143.html . CEF-enabled L3 switches, often used to route between campus VLANs/subnets, will actively maintain their ARP cache by unicast-ARP-querying the known entries, ~60 s before the L3 engine's configured ARP timeout occurs. By keeping the ARP timeout lower than the MAC table timeout, CEF helps to cut out unknown unicast flooding almost entirely. – Marc 'netztier' Luethi May 22 '18 at 13:26
  • Marc, great, this is what I am checking, whether it is available in HP 10500 at least as a configurable option. So what Cisco does is, the moment the ARP timer expires, it sends a who-has ARP as a unicast to that target IP in the ARP table and renews the ARP entry and renews the MAC aging as well? Is my understanding correct? @Marc'netztier'Luethi – user88975 May 22 '18 at 13:37
  • @user88975, since ARP broadcasts to every switch interface, it is just as bad as unicast flooding. The simple thing to do is to simply increase the MAC address table aging time on your access switches. We use 14500 seconds (about four hours), and that seems to work well to control unicast flooding. – Ron Maupin May 22 '18 at 14:09
  • 1
    @user88975: Yes, that's what I've observed CEF do: unicast-query for the already known ARP entries. It seems that such behavior is even covered by the given RFC: https://networkengineering.stackexchange.com/questions/28803/arp-request-unicast-mac?rq=1 I cannot tell if HP L3-Switches have a similar feature to maintain their ARP caches, and as per Ron's hint, if this happens per ARP broadcast, things might turn for the worse. And of course, fiddling with one system's L3 behaviour to "fix" another systems L2 behavior is bound to fall short: ARP is IPv4-only. What about IPv6 and non-IP-Traffic? – Marc 'netztier' Luethi May 22 '18 at 16:26
  • Did any answer help you? If so, you should accept the answer so that the question doesn't keep popping up forever, looking for an answer. Alternatively, you can provide and accept your own answer. – Ron Maupin Dec 25 '18 at 08:32

2 Answers

1

Unicast flooding shouldn't happen when traffic is flowing in a somewhat predictable pattern.

Switches learn MAC-port associations by the source addresses of frames running through them. When there's been no traffic from a certain MAC address for the MAC-aging period the table entry is dropped. The next frame to that MAC is flooded to all ports, emulating a repeater hub.

To avoid active MACs being aged out you need to either raise the MAC-age period so that there's traffic from each source address within that period or you make sure that each active source MAC does send traffic within the period by e.g. sending a broadcast that will update all switches in the broadcast domain.

Unless you run some delicate L2 load-balancing, a very high edge fluctuation or similar, it usually doesn't hurt to raise the MAC-aging to one or more hours.

Zac67
0

Layer-2 switches use MAC address tables, not ARP tables, to determine which MAC addresses were last seen on which switch interfaces. ARP resolves a layer-3 address to a layer-2 address, and a layer-2 switch only cares about that on its management interface, not for switching.

A layer-2 switch will update its MAC address table with the interface on which a MAC address was seen every time a frame enters the switch. The switch looks at the source MAC address and updates its MAC address table with the interface for that source MAC address (the table gets built quickly because it only takes one frame from a MAC address to add/edit a MAC address table entry).

The switch will then look at the destination address, and look that up in the table to determine on which interface the MAC address was last seen as a source address. The switch will then switch the frame to that interface. If the destination MAC address is not in the MAC address table, the switch will flood the frame to all interfaces except the interface where the frame entered the switch.

For example, Cisco Catalyst switches have the:

mac address-table aging-time <seconds>   ! old

-or-

mac-address-table aging-time <seconds>   ! new

depending on the IOS version used on the switch. The default is 300 seconds (5 minutes), and the maximum is 1,000,000 seconds (over 11.5 days).

This must be configured in every switch so that the switch MAC address table doesn't time out.


ARP is broadcast by the hosts in order to resolve the layer-2 destination MAC address from the layer-3 destination IPv4 address. The hosts maintain ARP tables, and ARP requests are broadcast to all other hosts, so ARP requests (and gratuitous ARP) will be broadcast to all switch interfaces on the broadcast domain (VLAN). Depending on the host OS, you can probably configure the ARP table timeout, but host configurations are off-topic here.


Some switches can reduce unknown unicast flooding, or send unknown unicasts to a particular interface. This can cause problems if not used correctly, so be careful if your switches support this.

Ron Maupin
  • When an ARP request is generated, an ARP layer-3 packet is issued; then, when it moves down the network stack, it becomes a layer-2 ARP frame. My question is: is an ARP frame both broadcast and flooded? For example, an ARP frame is broadcast to one switch, then the switch floods it to all its ports. Am I correct? – S. M. Feb 09 '22 at 19:43
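To make the mechanism in both answers concrete, here is a small learning-switch simulation. It is an added example, not code from either answer or from any vendor: the `LearningSwitch` class, the `Frame` type, the `simulate` function and the two sample MAC addresses are all constructed for illustration. The switch does exactly what Ron Maupin's answer describes (learn the source MAC on the ingress port, look up the destination, flood when unknown, drop entries after the aging time), and `simulate` runs Zac67's scenario: a host that only transmits once an hour while another host sends to it every ten minutes, with the aging time at the 300 s default quoted in the answer versus longer values.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
HOST_A = "00:00:00:00:00:0a"   # constructed sample MAC of a chatty host on port 1
HOST_B = "00:00:00:00:00:0b"   # constructed sample MAC of a mostly silent host on port 2


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    in_port: int


class LearningSwitch:
    """Hypothetical model of a layer-2 learning switch with MAC-table aging."""

    def __init__(self, ports, aging_time=300):
        self.ports = list(ports)
        self.aging_time = aging_time        # seconds; the knob 'aging-time <seconds>' sets
        self.table = {}                     # mac -> (port, time last seen as a *source*)
        self.unknown_unicast_floods = 0

    def _age_out(self, now):
        # Drop entries whose source MAC has been silent for aging_time or longer.
        stale = [mac for mac, (_, seen) in self.table.items()
                 if now - seen >= self.aging_time]
        for mac in stale:
            del self.table[mac]

    def forward(self, frame, now):
        """Return the list of egress ports for `frame` received at time `now`."""
        self._age_out(now)
        # Learning: a single frame adds or moves the source MAC (broadcasts count too).
        self.table[frame.src] = (frame.in_port, now)
        others = [p for p in self.ports if p != frame.in_port]
        if frame.dst == BROADCAST:
            return others                     # ordinary broadcast, not an unknown unicast
        entry = self.table.get(frame.dst)
        if entry is None:
            self.unknown_unicast_floods += 1  # destination unknown: behave like a hub
            return others
        return [entry[0]]


def simulate(aging_time, quiet_period=3600, talk_interval=600, duration=86400):
    """HOST_A sends a unicast frame to HOST_B every talk_interval seconds, but
    HOST_B only transmits (a broadcast, e.g. a gratuitous ARP) every quiet_period
    seconds. Returns how many of A's frames were flooded during `duration`."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], aging_time=aging_time)
    events = []  # (time, tie-break order, frame); B's refresh is processed before A's frame
    for t in range(0, duration + 1, quiet_period):
        events.append((t, 0, Frame(src=HOST_B, dst=BROADCAST, in_port=2)))
    for t in range(talk_interval, duration + 1, talk_interval):
        events.append((t, 1, Frame(src=HOST_A, dst=HOST_B, in_port=1)))
    events.sort(key=lambda e: (e[0], e[1]))
    for t, _, frame in events:
        sw.forward(frame, t)
    return sw.unknown_unicast_floods


if __name__ == "__main__":
    # 300 s is the default quoted in the answer; 14500 s is the value from the comments.
    for aging in (300, 1800, 3600, 14500):
        print(f"aging-time {aging:>6} s -> {simulate(aging):>3} unknown-unicast floods per day")
```

With the 300 s aging time, five of the six frames sent to the quiet host each hour are flooded; once the aging time is at least as long as the host's quiet period, none are. The model deliberately has no capacity limit on the MAC table, so it does not reproduce the other cause Ricky mentions in the comments, a table that overflows and evicts active entries.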