Possible that the management VLAN interface is on the same VLAN as the hosts. The switch will not purge the ARP entries as long as the hosts in the ARP table respond (gratuitous ARP is sent 60 seconds prior to aging). The long-term solution would be to move that mgmt intf to a non-user VLAN.
Yeah, the ARP table says it learns all that from the router, and yes, it is on the same VLAN as the management VLAN. However, when I compare with several other sites, I don't see any large ARP entries. So the issue is probably lying somewhere else.
Proxy-ARP? How are your subnets set up? Have you 'chunked' up your address space (possibly network 10.0.0.0/8?) but put the incorrect mask on the VLAN management interface, hence the proxy-ARP responses by the router? (Still not sure why you would have thousands of hosts wanting to talk to the switch, though. Maybe a virus and a ping sweep from lots of infected hosts???)
The switch should only install a local ARP entry if it had some type of conversation with the host. Most likely, the router is sourcing these ARPs to the switch with the host's IP address, OR each of those hosts "spoke" to the switch. I'd suggest sniffing the mgmt intf, clearing the ARP table, and seeing what happens.
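To make the proxy-ARP and mask-mismatch hypotheses from the replies above testable, here is an added example (not posted by anyone in this thread) that parses Cisco IOS `show ip arp` output and reports two things: any single MAC address that answers for many IP addresses (the signature of a router proxy-ARPing, since proxy-ARP replies carry the router's own MAC), and any entries whose IP lies outside the subnet the management SVI is meant to serve (which can only be learned if the SVI's configured mask is wider than intended). The sample output, the interface name Vlan10, the MAC addresses and the subnets are all constructed for illustration.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of Cisco IOS `show ip arp` output (not from the thread).
# Assumed scenario: the management SVI is Vlan10, the real management subnet
# is 10.10.10.0/24, and the SVI was mistakenly configured with a /8 mask, so
# the switch ARPs directly for 10.x.x.x hosts and the router (aabb.cc00.0100)
# proxy-ARPs on their behalf.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.10.1              -   0011.2233.4455  ARPA   Vlan10
Internet  10.10.10.254            0   aabb.cc00.0100  ARPA   Vlan10
Internet  10.10.10.20             3   aabb.cc00.0200  ARPA   Vlan10
Internet  10.20.1.5               1   aabb.cc00.0100  ARPA   Vlan10
Internet  10.20.1.6               1   aabb.cc00.0100  ARPA   Vlan10
Internet  10.30.7.9               2   aabb.cc00.0100  ARPA   Vlan10
Internet  10.30.7.10              2   aabb.cc00.0100  ARPA   Vlan10
Internet  10.40.0.2               0   aabb.cc00.0100  ARPA   Vlan10
"""

# One IOS ARP line: protocol, IP, age ("-" for the switch's own address),
# dotted-hex MAC, encapsulation type, interface.
ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(?P<intf>\S+)"
)


def parse_show_ip_arp(text):
    """Return a list of {ip, mac, intf} dicts, skipping the header line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append({"ip": ipaddress.ip_address(m["ip"]),
                            "mac": m["mac"], "intf": m["intf"]})
    return entries


def ips_per_mac(entries):
    """Group the learned IP addresses by the MAC that answered for them."""
    by_mac = defaultdict(list)
    for e in entries:
        by_mac[e["mac"]].append(e["ip"])
    return dict(by_mac)


def proxy_arp_suspects(entries, min_ips=3):
    """MACs that answer for min_ips or more addresses. On a user VLAN one MAC
    normally owns one IP; a proxy-ARPing router shows up as one MAC, many IPs."""
    return {mac: ips for mac, ips in ips_per_mac(entries).items()
            if len(ips) >= min_ips}


def off_subnet_entries(entries, intended_subnet):
    """Entries whose IP is outside the subnet the SVI should really carry.
    The switch only ARPs for such addresses if its configured mask is wider
    than the intended one, so any hits point at the mask on the SVI."""
    net = ipaddress.ip_network(intended_subnet)
    return [e for e in entries if e["ip"] not in net]


def analyze(text, intended_subnet, min_ips=3):
    entries = parse_show_ip_arp(text)
    return {
        "total": len(entries),
        "proxy_arp_suspects": proxy_arp_suspects(entries, min_ips),
        "off_subnet": off_subnet_entries(entries, intended_subnet),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_SHOW_IP_ARP, "10.10.10.0/24")
    print(f"{report['total']} ARP entries parsed")
    for mac, ips in report["proxy_arp_suspects"].items():
        print(f"MAC {mac} answers for {len(ips)} IPs (proxy-ARP suspect): "
              + ", ".join(map(str, ips)))
    for e in report["off_subnet"]:
        print(f"off-subnet entry {e['ip']} via {e['mac']} on {e['intf']}"
              " (check the SVI mask)")
```

On a real switch, paste the output of `show ip arp` (or `show ip arp Vlan10`) into `SAMPLE_SHOW_IP_ARP` and set the intended subnet to what the management VLAN is supposed to be. If one MAC dominates the suspect list and it is the router's, the entries are proxy-ARP replies rather than thousands of hosts really talking to the switch; if the off-subnet list is non-empty, check the mask on the SVI before sniffing, as suggested above.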