I've recently read in Cisco documents that the ARP timeout should be configured less than the MAC-aging timer. I've tried to apply some thought to it and this is what I could muster up.
Consider a connection like this:
Router --- L2 Switch ---- PC's
Scenario 1: ARP timeout < MAC-aging timer
Routers/PCs have the ARP entry for all other connected PCs on the L2 switch. The ARP timeout on the L3 device is set to 900 secs (15 mins) and the MAC-aging timer on the L2 switch is 1200 secs (20 mins).
Suppose the router has learnt the MAC of a connected PC via the ARP process. At 900 secs, when the ARP timer expires and a new packet arrives for the IP of the PC, the router once again initiates ARP with the destination MAC address set to the broadcast address for that subnet.
Although the switch knows where the actual MAC is, on seeing the broadcast MAC it forwards the frame out all interfaces in that VLAN, and the PC whose IP it is responds to the ARP request.
Scenario 2: ARP timeout > MAC-aging timer
Consider a situation where the ARP timeout on the L3 device is set to 1200 secs (20 mins) and the MAC-aging timer on the L2 switch is 900 secs (15 mins).
900 secs after learning a MAC the L2 switch loses its MAC entry because of the MAC-aging timer. The L3 device (router) however still has the ARP entry for the IP and forwards a frame to the destination MAC of the PC.
The switch, since it does not have any entry for the destination MAC, has to broadcast the packet out of all ports (unicast flooding).
In both these scenarios the switch has to broadcast the frame out all ports when one of the two timers expires. The only difference that I feel could be the reason behind having the ARP timer configured less than the MAC-aging timer is that in Scenario 1 the switch just has to forward the frame out all ports because of the broadcast address in the frame, without having to take a decision of its own.
In Scenario 2 it has to first search for the destination unicast MAC in its own table and then, because it's not available, it has to broadcast it (the actual data packets forwarded by the router, not the ARP requests) out of all ports. The switch needs to work twice rather than just forward a frame.
I would need suggestions from anyone who could help me here to understand if my understanding is correct and if there's anything that could be added.
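To put numbers on the two scenarios above, here is a small constructed model (added here; it is not part of the original post and not a Cisco tool) of one router, one L2 switch and one quiet PC. The router has a frame for the PC every 60 seconds; the PC sends nothing on its own and only answers ARP requests, which is the worst case for the switch's CAM table. The timer values and the `simulate` function are assumptions made for the illustration. What it counts is the security-relevant quantity: how many of the router's data frames the switch has to flood to every port in the VLAN (where any host on the VLAN can capture them) versus how many it delivers only to the PC's port.

```python
from dataclasses import dataclass


@dataclass
class FloodStats:
    arp_broadcasts: int = 0   # ARP requests the switch floods (expected, carry no payload)
    unicast_floods: int = 0   # data frames flooded to all ports because the CAM entry aged out
    forwarded: int = 0        # data frames delivered only to the PC's port


def simulate(arp_timeout: int, mac_aging: int, duration: int, period: int = 60) -> FloodStats:
    """Constructed (hypothetical) timer model; all times in seconds.

    - t = 0: the router ARPs for the PC and the PC's reply teaches the switch the PC's MAC.
    - Every `period` seconds the router has one data frame for the PC.
    - The PC is silent except for ARP replies, so the switch's entry for the PC
      is refreshed only when the PC answers an ARP request.
    - An entry is valid while (now - last_refresh) < timer.
    """
    stats = FloodStats(arp_broadcasts=1)   # the initial ARP exchange at t = 0
    arp_learned = 0   # when the router last (re)learned the PC's MAC
    mac_learned = 0   # when the switch last saw the PC's MAC as a source address

    for t in range(period, duration + 1, period):
        if t - arp_learned >= arp_timeout:
            # ARP cache expired: router broadcasts an ARP request, the PC replies,
            # and that reply refreshes BOTH the ARP cache and the switch's CAM entry.
            stats.arp_broadcasts += 1
            arp_learned = t
            mac_learned = t
        # The router now sends the data frame unicast to the PC's MAC.
        if t - mac_learned >= mac_aging:
            # CAM miss: the switch floods the data frame out every port in the VLAN.
            stats.unicast_floods += 1
        else:
            stats.forwarded += 1
    return stats


if __name__ == "__main__":
    one_hour = 3600
    # Scenario 1 from the post: ARP timeout 900 s < MAC aging 1200 s
    print("ARP 900 < MAC 1200:", simulate(900, 1200, one_hour))
    # Scenario 2 from the post: ARP timeout 1200 s > MAC aging 900 s
    print("ARP 1200 > MAC 900:", simulate(1200, 900, one_hour))
```

With the post's own values the model shows the asymmetry: when the ARP timeout is the shorter timer, every ARP refresh also re-teaches the switch before the CAM entry can age out, so no data frame is ever flooded; when the MAC-aging timer is the shorter one, every frame sent between the CAM expiry and the next ARP refresh (five per cycle here) is flooded to all ports, and only the ARP refresh stops it. That leaked traffic, rather than the extra lookup the switch does, is the reason the shorter ARP timeout is the usual recommendation.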
If I've understood this correctly, the ARP timeout should be less than the MAC-aging timer in cases where the to-and-fro traffic is via separate first-hop routers. So in this situation, when a packet from User1 to User2 arrives at S1 and S1 has an entry in the ARP cache for User1, it sends the frame to User2's destination MAC, but since S1 does not have any entry in the CAM it needs to broadcast it out all interfaces in that VLAN.
Also, if I am not wrong, in this situation since User2's default gateway is S2, all traffic from User2 will be sent to S2 via S1's uplink to S2. S1 never learns the MAC address of User2 (since it never does an ARP request and hence User2 never replies explicitly to S2), and hence all packets from S1 will be sent to User2's MAC address but will be broadcast as earlier.
By loop-free U design you mean the 3-tier architecture with HSRP on the L3 interface on the core rather than SVIs in your example.