Large ARP table on 3500XL?

kevin.hu
Level 3

This site has only about 20 hosts yet its ARP table has thousands of entries. We normally don't generate traffic from the switch. Can anyone think of a reason why I have such large ARP table? Thanks,

9 Replies

Harold Ritter
Cisco Employee

Do a "sh cam dynamic" and look at which port all these MAC addresses are known from.

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

hritter,

That command is from 5500. I have 3500XL. Is there another similar command from 3500XL? Thanks,

The command on 3500 XL is

show mac-address-table

or the full format is

show mac-address-table [static | dynamic | secure | self | aging-time | count]

[address hw-addr] [interface interface] [atm slot/port] [vlan vlan-id]

Ok, I see it now. All these ARP entries are learned from the router. But why is the switch getting all these ARP entries from the router?

robho
Level 3

Possible that the management VLAN interface is on the same VLAN as the hosts. The switch will not purge the ARP entries as long as the hosts in the ARP table respond (gratuitous ARP sent 60 seconds prior to aging). Long term solution would be to move that mgmt intf to a non-user VLAN.

Robho,

Yeah, the ARP table says it learns all that from the router, and yes it is on the same VLAN as the management VLAN. However, comparing with several other sites, I don't see any large ARP tables. So the issue is probably lying somewhere else.

Proxy-ARP? How are your subnets set up? Have you 'chunked' up your address space (possibly network 10.0.0.0/8?) but put the incorrect mask on the VLAN management interface, hence proxy-ARP responses by the router? (Still not sure why you would have thousands of hosts wanting to talk to the switch though? Maybe a virus and a ping-sweep from lots of infected hosts???)

Andy

The switch should only install the local ARP entry if it had some type of conversation with all the hosts. Most likely, the router is sourcing these ARPs to the switch with the host's IP address OR each of those hosts "spoke" to the switch. I'd suggest sniffing the mgmt intf, clearing the ARP table, and seeing what happens.

If the switch has its mask and gateway correctly defined it should not have arp entries for any hosts outside of its network. It uses the gateway to reach hosts outside.
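To check the two explanations raised in this thread (a wrong mask on the management interface, and a router answering via proxy-ARP for many addresses), here is an added example script that is not part of the thread or any Cisco tool. It assumes IOS-style "show ip arp" output, a constructed sample table, and an assumed management address of 10.1.20.5/24; it flags ARP entries outside that subnet and MACs that appear against more than one IP.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in "show ip arp" style (not captured from the thread's switch).
# Assumed management interface: 10.1.20.5/24, router at 10.1.20.1.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.20.1               0   0000.0c07.ac01  ARPA   VLAN1
Internet  10.1.20.17              3   00d0.b7a1.0001  ARPA   VLAN1
Internet  10.1.20.18              3   00d0.b7a1.0002  ARPA   VLAN1
Internet  10.1.30.44              0   0000.0c07.ac01  ARPA   VLAN1
Internet  10.1.30.45              0   0000.0c07.ac01  ARPA   VLAN1
Internet  10.2.0.9                0   0000.0c07.ac01  ARPA   VLAN1
"""

# Matches: protocol, IP address, age, dotted-hex MAC (hypothetical parser, not Cisco's).
ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I
)


def parse_arp(text):
    """Return a list of (ip, mac) tuples from show-ip-arp style text."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((ipaddress.ip_address(m.group(1)), m.group(3).lower()))
    return entries


def audit_arp(text, mgmt_cidr):
    """Flag entries outside the management subnet and MACs bound to many IPs.

    With a correct mask and gateway the switch only ARPs for on-subnet hosts
    and the gateway, so off-subnet entries point at a mask problem. One MAC
    answering for many IPs is what proxy-ARP replies from a router look like.
    """
    net = ipaddress.ip_network(mgmt_cidr, strict=False)
    entries = parse_arp(text)
    outside = [str(ip) for ip, _ in entries if ip not in net]
    per_mac = Counter(mac for _, mac in entries)
    multi_ip = {mac: n for mac, n in per_mac.items() if n > 1}
    return {"total": len(entries), "outside_subnet": outside, "multi_ip_macs": multi_ip}


if __name__ == "__main__":
    print(audit_arp(SAMPLE_ARP, "10.1.20.5/24"))
```

In the sample, every off-subnet address resolves to the router's MAC, which is the pattern the thread attributes to proxy-ARP plus a too-wide or wrong mask.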
