New Member

Router : Arp request unicast

Hello

I don't understand why the ARP request is a unicast instead of broadcast.

Normally, when I clear the ARP cache on my Cisco 7206 router, an ARP request is sent from the router to Web HTTP, identifiable by the destination Ethernet address with all bits set (ff:ff:ff:ff:ff:ff).

Host Web ----->  INTERNET ----------> Router (91.213.T.V) ---------> Switch ------------> (91.213.X.Y) hw: 0026.643a.f463  WEB HTTP


r01#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  91.213.X.Y              0   0026.643a.f463  ARPA   FastEthernet4/0.11

I clear the ARP table entry on my router:

r01#clear arp-cache 91.213.X.Y

and

r01#clear ip arp 91.213.X.Y

r01#debug arp

5w4d: IP ARP: arp_process_request: 91.213.X.Y, hw: 0026.643a.f463; rc: 3
5w4d: IP ARP: rcvd rep src 91.213.X.Y 0026.643a.f463, dst 91.213.T.V FastEthernet4/0.11

Wireshark trace on my http server :

tshark :

27112.184599 Cisco_41:98:70 -> 00:26:64:3a:f4:63 ARP Who has 91.213.X.Y?  Tell 91.213.T.V
27112.184608 00:26:64:3a:f4:63 -> Cisco_41:98:70 ARP 91.213.X.Y is at 00:26:64:3a:f4:63

Why have we got this MAC hw: 0026.643a.f463 in the ARP request? It is unicast.

Normally, we must have hw: ffff.ffff.ffff.ffff in the ARP request.

Thanks

3 REPLIES
Cisco Employee

Re: Router : Arp request unicast

Hi,

Actually, this is expected behavior. The ARP process will first try to refresh the current entry, which avoids an update of the adjacency table that is part of CEF. The gain is significant in terms of processing when the ARP table is huge.

HTH

Laurent.
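Added example, not part of the original thread or any poster's code: a small Python classifier that tells a broadcast ARP request from the unicast refresh request discussed above by looking at the Ethernet destination address, which is useful when triaging ARP captures so that a normal refresh is not mistaken for an anomaly. The router MAC, the 192.0.2.x addresses and the zeroed target hardware field are constructed sample values, and untagged Ethernet II frames are assumed.

```python
import socket
import struct

BROADCAST = b"\xff" * 6

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(eth_dst, eth_src, oper, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP frame (IPv4 over Ethernet)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(eth_src) + socket.inet_aton(spa)
    arp += mac_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp

def classify_arp(frame):
    """Return a label for an ARP frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42:          # 14-byte Ethernet header + 28-byte ARP body
        return None
    eth_dst = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    if oper == 2:
        return "reply"
    if oper != 1:
        return None
    # The Ethernet destination, not the ARP payload, decides broadcast vs unicast.
    return "broadcast-request" if eth_dst == BROADCAST else "unicast-request"

# Constructed sample frames (router MAC and IP addresses are placeholders).
ROUTER = "02:00:00:41:98:70"
SERVER = "00:26:64:3a:f4:63"
ZERO = "00:00:00:00:00:00"   # assumption: target hardware field left empty
SAMPLES = [
    build_arp("ff:ff:ff:ff:ff:ff", ROUTER, 1, "192.0.2.1", ZERO, "192.0.2.10"),
    build_arp(SERVER, ROUTER, 1, "192.0.2.1", ZERO, "192.0.2.10"),
    build_arp(ROUTER, SERVER, 2, "192.0.2.10", ROUTER, "192.0.2.1"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_arp(sample))
```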

New Member

Router : Arp request unicast

Hi Laurent,

thank you for this information.

On 6500,

they will generate every 90 sec thousands of (unicast) arp-request and a cpu-load of nearly 100%.

The "sh ip arp (..vrf..)" are never older than 1 sec.

For my understanding, the timer of 90 sec is not normal?

Do you mean, this is a cef-triggered timer?

Can I influence this behavior?

Thanks.

Hall of Fame Super Silver

Router : Arp request unicast

There is a default timer for arp entries. It sounds like someone has specified a 90 second time. If you do not like the effects of this timer you should be able to set it to a value that you do like.

In working with switches like the 6500 the default timer for arp is pretty long while the timer for entries in the mac address table is much shorter. The mismatch in timers can cause various symptoms including unexpected unicast flooding. People frequently configure a shorter arp timer to avoid symptoms like that.

HTH

Rick
