cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7133
Views
5
Helpful
3
Replies

Router : Arp request unicast

choylee
Level 1
Level 1

Hello

I don't understand why the ARP request is a unicast instead of broadcast.

Normaly, when I clear the ARP cache on my Cisco routeur 7206  then  an ARP request is sent from routeur to Web http  , identifiable by the destination Ethernet address  with all bits set (ff:ff:ff:ff:ff:ff).

Host Web ----->  INTERNET ----------> Router (91.213.T.V) ---------> Switch ------------> (91.213.X.Y) hw: 0026.643a.f463  WEB HTTP


r01#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type    Interface
Internet  91.213.X.Y            0         0026.643a.f463  ARPA   FastEthernet4/0.11

I clean the entry of arp table on my router :

r01#clear arp-cache 91.213.X.Y

and

r01#clear ip arp 91.213.X.Y

r01#debug arp

5w4d: IP ARP: arp_process_request: 91.213.X.Y, hw: 0026.643a.f463; rc: 3
5w4d: IP ARP: rcvd rep src 91.213.X.Y 0026.643a.f463, dst 91.213.T.V FastEthernet4/0.11

Wireshark trace on my http server :

tshark :

27112.184599 Cisco_41:98:70 -> 00:26:64:3a:f4:63 ARP Who has 91.213.X.Y?  Tell 91.213.T.V
27112.184608 00:26:64:3a:f4:63 -> Cisco_41:98:70 ARP 91.213.X.Y is at 00:26:64:3a:f4:63

Why have we got this MAC hw: 0026.643a.f463  in ARP request ? It is unicast

Normaly, we must have hw : ffff.ffff.ffff.ffff in ARP request.

Thanks

3 Replies 3

Laurent Aubert
Cisco Employee
Cisco Employee

Hi,

Actually, this is an expected behavior. ARP process will first try to refresh the current entry which will avoid an update of the adjacency table which is part of CEF. The gain is significant in term of processing when the ARP table is huge.

HTH

Laurent.

Hi Laurent,

thank you for this information.

On 6500,

they will generate every 90 sec thousands of (unicast) arp-request and a cpu-load of nearly 100%.

The "sh ip arp (..vrf..)" are never older than 1 sec.

For my understanding, the timer of 90 sec is not normal?

Do you mean, this is a cef-triggerd timer?

Can i influence this behavior?

Thanks.

There is a default timer for arp entries. It sounds like someone has specified a 90 second time. If you do not like the effects of this timer you should be able to set it to a value that you do like.

In working with switches like the 6500 the default timer for arp is pretty long while the timer for entries in the mac address table is much shorter. The mismatch in timers can cause various symptoms including unexpected unicasat flooding. People frequently configure a shorter arp timer to avoid symptoms like that.

HTH

Rick

HTH

Rick
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco