Cisco Support Community
Community Member

arp entries on 3850

On my 3850 (running 3.3.1) I have 1600+ entries in the arp table for a given vlan but I'm not acting as the gateway for the devices connecting to it (I'm trunked to the core which is acting as the gateway but I do have ip routing enabled on my 3850). I've put the nmsp attachment suppress command on all physical interfaces to resolve another issue I was having.

Is having all these arp entries expected behavior? I've tried to delete 1 ip in the table which I knew wasn't valid but my switch seems to ignore it as the entry is still there.

The reason I ask was due to a small unicast flooding issue I seemed to have (since gone away). I was told it may have been due to the switch having an arp entry for a mac address it didn't know and hence was flooding the switch. The person was surprised to see so many arp entries given I wasn't a gateway for this vlan.


Hall of Fame Super Gold

There is not much detail here to work with. Some information about the switch configuration would be helpful. In particular it would help if you would post the configuration of the vlan interface and the output of show ip interface vlanx.



Community Member

sh run int vlan 50:

interface Vlan50
ip address

sh ip interface vlan 50:

show ip interface vlan 50
Vlan50 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Multicast reserved groups joined:
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  Output features: Check hwidb

Hall of Fame Super Gold

Thanks for the additional information. I am particularly interested in this line of output

Proxy ARP is enabled

So if some device in that VLAN is sending lots of arp requests for lots of addresses (maybe around 1600) then the 3850 will respond. If you configure that VLAN interface with no ip proxy-arp does the behavior change?



Community Member

That's a good question since I have no idea what proxy-arp is. That's the default on the switch I guess.

What happens if I disable it? Some other router/switch will answer? If I put my 3850 as the gateway on a computer, if I leave proxy-arp disabled, will my switch ignore the arp request and another device will respond?

Just trying to understand what will break before I try it.


Hall of Fame Super Gold

OK. Let us start with an explanation of proxy arp. I will begin with the observation that arp is usually a function on the local network. You would not normally arp for an address that is remote from you. But sometimes devices do arp for remote addresses (frequently this is caused by misconfiguration of the device but there can be other causes). In a router or layer 3 switch whether to respond to this arp request or not is controlled by the setting for proxy-arp. (In essence should the router or switch proxy for the remote address.) Proxy arp is one thing that can generate a higher than usual level of arp activity. So if a device on the vlan 50 does send an arp request for remote addresses what should the switch do? If proxy arp is enabled (and in general it is enabled by default - though this is beginning to change) the switch will respond to the arp request. If proxy arp is disabled then the switch will not respond.

I want to be clear that enabling or disabling proxy arp only involves arp for remote addresses. It has no effect on arp requests for addresses in the local vlan. And I will also observe that the 3850 will respond to arp requests on the local vlan whether it is set as the gateway on the computers or not.

You also ask about other devices responding to arp requests. So let us be clear that any layer 3 routing device which is on the vlan can respond to arp requests.

You ask what will happen if you disable proxy arp on the 3850. The answer is that if you disable proxy arp on the 3850 then the 3850 will no longer respond to arp requests for remote addresses. It is difficult to know whether that will have much impact. For one thing we do not know whether the core will respond to the arp for remote address or not. If the core does respond to proxy arp then there is little impact other than a possible decrease in arp activity on the 3850. If neither the 3850 nor the core respond to arp requests for remote addresses then whatever device has been sending them will experience a problem when it no longer receives an arp response.

And I will also point out that we do not know for sure that proxy arp is the issue. It is possible that something other than proxy arp is the real cause of the large number of arp entries. I am just trying to evaluate one possibility. It is certainly possible that you could disable proxy arp and there would be no effect at all.



VIP Purple

If you issue the "show running-config all" command you can see all configuration lines of this switch, including the default settings. Here is an example for one of the VLAN interface configurations. As you can see, "proxy-arp" is enabled globally and at the interface level by default.

3850-2#sh running-config all | in proxy
no ip arp proxy disable

3850-2#sh running-config all | be interface Vlan1410
interface Vlan1410
ip address
ip redirects
ip unreachables
ip proxy-arp
ip mtu 1500
ip load-sharing per-destination
ip cef accounting non-recursive internal
ip pim dr-priority 1
ip pim query-interval 30
ip mfib forwarding input
ip mfib forwarding output
ip mfib cef input
ip mfib cef output
ip route-cache cef
ip route-cache
ip split-horizon
ip igmp last-member-query-interval 1000
ip igmp last-member-query-count 2
ip igmp query-max-response-time 10
ip igmp version 2
ip igmp query-interval 60
ip igmp tcn query count 2
ip igmp tcn query interval 10
load-interval 300
carrier-delay 2
no shutdown
ipv6 nd reachable-time 0
ipv6 nd ns-interval 0
ipv6 nd dad attempts 1
ipv6 nd prefix framed-ipv6-prefix
ipv6 nd nud igp
ipv6 nd ra lifetime 1800
ipv6 nd ra interval 200
  ipv6 redirects
  ipv6 unreachables
snmp trap link-status
cts role-based enforcement
arp arpa
arp timeout 14400
spanning-tree port-priority 128
spanning-tree cost 0
hold-queue 75 in
hold-queue 40 out
no bgp-policy accounting input
no bgp-policy accounting output
no bgp-policy accounting input source
no bgp-policy accounting output source
no bgp-policy source ip-prec-map
no bgp-policy source ip-qos-map
no bgp-policy destination ip-prec-map
no bgp-policy destination ip-qos-map

This post explains "proxy-arp" behaviour well.

In your case, with all the SVIs defined and end hosts getting the default-gateway IP correctly, there is no need for "proxy-arp" to be enabled on the SVI. You can safely disable it (globally or at the interface level) and check if that helps to mitigate your arp cache issue.

3850-2(config)#ip arp proxy disable

3850-2(config)#int vlan 1410
3850-2(config-if)#no ip proxy-arp



**** Pls rate all useful responses ****
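
The check discussed in this thread, as an added example that is not part of any poster's reply: a Python audit of saved `show running-config` or `show running-config all` text that lists the SVIs still answering proxy ARP. The function name, the sample config and its documentation-range addresses are constructed; it assumes standard IOS one-space indentation under `interface`, that proxy ARP is on when no `[no] ip proxy-arp` line is shown, and that the global `ip arp proxy disable` overrides interface settings.

```python
import re

# Constructed sample modeled on the "show running-config all" excerpt above.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE = """\
no ip arp proxy disable
!
interface Vlan50
 ip address 192.0.2.2 255.255.255.0
 ip proxy-arp
!
interface Vlan1410
 ip address 198.51.100.2 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface Vlan60
 no ip address
 ip proxy-arp
"""

def audit_proxy_arp(config_text):
    """Return (globally_disabled, [SVIs that will still answer proxy ARP])."""
    globally_disabled = False
    svis = {}       # SVI name -> {"has_ip": bool, "proxy": bool}
    current = None  # SVI block being parsed, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line closes any block
            current = None
            if line == "ip arp proxy disable":
                globally_disabled = True
            m = re.match(r"interface (Vlan\d+)$", line)
            if m:                        # assumed default: proxy ARP enabled
                current = svis.setdefault(m.group(1),
                                          {"has_ip": False, "proxy": True})
        elif current is not None:
            if line.startswith("ip address "):
                current["has_ip"] = True
            elif line in ("ip proxy-arp", "no ip proxy-arp"):
                current["proxy"] = (line == "ip proxy-arp")
    if globally_disabled:                # assumed to override interface config
        return True, []
    return False, [n for n, s in svis.items() if s["has_ip"] and s["proxy"]]

if __name__ == "__main__":
    print(audit_proxy_arp(SAMPLE))
```

An SVI without an IP address is skipped because it has no layer 3 presence on the VLAN and cannot answer ARP there.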
