13 Replies. Latest reply: Sep 5, 2019 4:26 AM by Dmytro

    ARP and CAM tables

    farroar

      Hello folks!

       

      Been a while but I'm back at it! ... again!

       

      Found this paragraph in the ARCH FLG that confuses me a bit:

       

      "If you must implement a topology in which VLANs must span more than one access layer switch, the recommended workaround is to tune the ARP timer to be equal to the CAM aging timer. A shorter ARP cache timer causes the standby HSRP peer to ARP for the target IP address before the CAM entry timer expires and the MAC entry is removed"

       

      This is a section about VLAN best practices. In the diagram, it represents a frame needing to traverse the distribution switches in order to get to another switchport on another switch but within the same VLAN. Why would the distribution switch (in this case it is the standby peer in an HSRP pair) perform an ARP, since it is just forwarding the frame? There should be no need for it to strip out the L2 info in order to glean the destination IP address UNLESS it is routing the packet.

       

      The diagram shows the frame leaving the source, going up to the active HSRP member, but then returning to the standby HSRP member which, in this scenario, no longer has the CAM entry for the destination. In my mind, if it doesn't have it and it isn't routing it, the switch isn't going to ARP for it. It'll just flood the frame.

       

      What say you?

        • 1. Re: ARP and CAM tables
          Jeffrey

          Yes, switches flood unknown unicast. Unicast becomes known on a switch when a frame enters a given port; at this point the switch uses the source address and adds it to the CAM. When the packet comes in from the core and the distribution switch can route it (because it has an SVI in the VLAN and it has an ARP mapping, so it knows the layer 2 to 3 mapping), it will flood this traffic if the CAM has timed out; but if you use the ARP timeout, the switch loses this mapping and must send a broadcast ARP on the VLAN. The return traffic causes the distribution switch to once again learn its destination port on the VLAN.

          • 3. Re: ARP and CAM tables
            farroar

            But, "Standby HSRP peer to ARP for the target IP..." shouldn't happen. The example in the book is describing an issue with spanning L2 across multiple access layer switches. Saying that if the CAM times out and the MAC isn't there, that the switch, which is also doing routing, will ARP for the address. I don't believe that to be true.

             

            I understand UU flooding and when/why it would happen. My argument is that UU flooding will happen in this case, not ARP. ARP would only come into play from the switch perspective if it was routing betwixt VLANs via its SVI.

             

            Here's the diagram it's using:

             

            [Image: Screen Shot 2018-08-01 at 6.16.50 PM.png]

             

            I think it's a typo. No ARP, UU flooding only.

            • 4. Re: ARP and CAM tables
              Jeffrey

              It's true when you change the ARP timeout. That is the solution. But really, just stack your switches. By the way, it is between SVIs in a sense, but typically a routed port instead. So between SVIs it would ARP, right? What about a routed port to the core and then to an SVI? Same thing! You get the logic, just not putting it together correctly. Think of the routed port to the core as an SVI.

              • 5. Re: ARP and CAM tables
                Dmcneil

                It sounds like you properly understand the unknown unicast flooding and where ARP plays a role, I just think you've misinterpreted the diagram.

                 

                The switch block consists of the three L2 access-layer switches and the two L3 distribution-layer switches directly above them. The two L3 switches above that are most likely core switches that connect additional switch blocks.

                 

                [Image: Untitled.png]

                 

                 

                In a properly designed switch block, the Distribution switches serve as the default gateway for all VLANs contained in the switch block and divide the L3 and L2 boundary.

                With this understanding, the solid black line pointing up is traffic leaving the switch block towards the Core through the Primary HSRP router.

                 

                The arrows represent return traffic coming from the Core back into the switch block. Here there are equal-cost paths from the Core to the switch block. Some packets go to the active HSRP Distribution switch, some packets go to the standby HSRP Distribution switch. Both switches will have to make a routing decision to forward the return traffic to the originator.

                 

                The problem here is that the HSRP standby Distribution switch does not have a CAM table entry for the host. Since it is routing the packet, it has to ARP for the MAC address of the host. This causes unknown unicast flooding across all three access-layer switches.

                 

                HTH

                • 6. Re: ARP and CAM tables
                  Steven Davidson

                  farroar wrote:

                   

                  Saying that if the CAM times out and the MAC isn't there, that the switch, which is also doing routing, will ARP for the address. I don't believe that to be true.

                   

                  I understand UU flooding and when/why it would happen. My argument is that UU flooding will happen in this case, not ARP. ARP would only come into play from the switch perspective if it was routing betwixt VLANs via its SVI.

                   

                  Here's the diagram it's using:

                   

                  [Image: Screen Shot 2018-08-01 at 6.16.50 PM.png]

                   

                  I think it's a typo. No ARP, UU flooding only.

                  I think you are correct. The reason unknown unicast flooding occurs when the traffic returns via the standby HSRP node is because the ARP cache entry on the standby HSRP node outlived the MAC table entry. Thus, the standby HSRP node still knows how to craft the frame WITHOUT needing to enlist ARP, but doesn't have the ability to constrain the unicast frame to just a single outbound port because it lacks the L2 info in its table.

                  • 7. Re: ARP and CAM tables
                    Dmcneil

                    I need to apologize. The last paragraph in my first response wasn't exact.

                     

                    The book begins by stating exactly what you have noted, Farroar: the ARP cache entry will not time out before the CAM table entry times out, causing unknown unicast flooding throughout the access switches in the same VLAN. This happens until the ARP entry does time out and the switch must ARP again for the host's IP-to-MAC mapping.

                     

                    However, the part you have quoted is not saying what is depicted in the diagram above, it is explaining how setting the ARP timer lower than the CAM timer helps mitigate this, or at least is the recommended way of implementing the design.

                     

                    The whole paragraph in context reads like this:

                    "If you must implement a topology in which VLANs span more than one access layer switch, the recommended workaround is to tune the ARP timer to be equal to or less than the CAM aging timer. A shorter ARP cache timer causes the standby HSRP peer to ARP for the target IP address before the CAM entry timer expires and the MAC entry is removed. The subsequent ARP response repopulates the CAM table before the CAM entry is aged out and removed. This removes the possibility of flooding asymmetrically routed return path traffic to all ports."

                     

                    This paragraph is the remedy to the above three paragraphs where unknown unicast flooding occurs across the access-layer switches. With the ARP cache equal to or lower than the CAM aging period, the ARP cache will expire at the same time as the CAM table. This is why the standby HSRP switch will ARP for the host and repopulate MAC tables instead of flooding the traffic.


                    This extra ARP prevents excess flooding of traffic each time the standby HSRP switch needs to route return traffic to the host.

                     

                    Sorry for the lack of clarity in my first post.

                     

                    HTH

                    • 8. Re: ARP and CAM tables
                      farroar

                      I understand it now. I was thinking of a situation where the host was attempting to communicate with another host on the same VLAN that resided on a different access layer switch. In that case, it would be L2 the entire way and no need for ARP.

                       

                      But now reading it again with fresh eyes and some helpful folks, I can see that is an assumption I made. What is really happening is traffic returning to a host on the VLAN which is spanned across multiple access switches. Now it's obvious since the arrows are coming from the core, which would indicate that the traffic is returning from outside of the local block.

                       

                      Thanks dmcneil330

                      • 9. Re: ARP and CAM tables
                        waninae39

                        For access switches, ensure you stack them so that they seem as one.


                        It's also a best practice to not let your VLAN leave the DC or exist at offsite locations.

                        ARP timers may time out before a valid response comes back.

                         

                        Best to take a holistic design approach for new deployments, or regularly on existing deployments.

                        • 10. Re: ARP and CAM tables
                          waninae39

                          Two of my most used CLI commands for access layer debugging are:

                           

                          SH ARP

                          SH MAC ADDR

                           

                          I make aliases for these and other commands too.

                          If you learn Tcl, you can automate many commands.

                          • 11. Re: ARP and CAM tables
                            Steven Williams

                            Don't you limit the issue by putting a layer 2 port channel or layer 2 link between the HSRP peers? Then the MACs would be learned through that link to the standby?

                            • 12. Re: ARP and CAM tables
                              Jonathan

                              Just for clarity for those that don't know:

                              - By default, the ARP cache table timeout is 4 hours.
                              - By default, the CAM table timeout is 300 seconds, or 5 minutes.

                              - The CAM table resolves which physical port on that switch it is exiting to reach the MAC address on the other side and what VLAN it is using. The CAM table will essentially resolve local port to other-side MAC address.
                              - The ARP table resolves what physical port/VLAN on your local device traffic is exiting to reach the attached MAC address and IP address of the desired device.

                              Typical commands:

                              show arp
                              show mac address-table
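
A toy model of the timer interaction discussed in replies 7 and 12, added here as an example (not code from the thread or from any Cisco document): it tracks one host's ARP and CAM entries on the standby HSRP peer and counts how many asymmetric return packets get flooded versus how many ARP refreshes the peer sends, with the default timers and with the ARP timer tuned at or below the CAM aging time. It assumes, as the diagram does, that the host's own frames only ever transit the active peer, so the standby's CAM entry is refreshed solely by the reply to an ARP request the standby sends itself.

```python
# Constructed model of the standby HSRP distribution switch. Timer values are
# seconds; the defaults are the ones quoted in the thread (ARP 4 h, CAM 300 s).

ARP_DEFAULT = 4 * 3600   # default ARP cache timeout, seconds
CAM_DEFAULT = 300        # default MAC (CAM) aging time, seconds


class StandbySwitch:
    """Tracks one host's ARP and CAM entries on the standby HSRP peer.

    Assumption (constructed for the model): the host's outbound frames go via
    the active peer, so the standby only re-learns the host's MAC when the
    host answers an ARP request the standby itself sends.
    """

    def __init__(self, arp_timeout, cam_aging):
        self.arp_timeout = arp_timeout
        self.cam_aging = cam_aging
        self.arp_expires = -1     # time at which the host's ARP entry ages out
        self.cam_expires = -1     # time at which the host's MAC entry ages out
        self.floods = 0           # return packets sent as unknown-unicast floods
        self.arps = 0             # ARP requests the standby had to send

    def learn_host(self, now):
        # The host's ARP reply is a unicast frame to the standby: it refreshes
        # both the ARP cache and the CAM entry along the path.
        self.arp_expires = now + self.arp_timeout
        self.cam_expires = now + self.cam_aging

    def route_return(self, now):
        """Route one return packet from the core; report how it was forwarded."""
        if self.arp_expires <= now:
            # ARP entry aged out: standby ARPs and the reply repopulates the CAM.
            self.arps += 1
            self.learn_host(now)
        if self.cam_expires <= now:
            # ARP entry still valid but no MAC entry: the frame is flooded.
            self.floods += 1
            return "flood"
        return "unicast"


def simulate(arp_timeout, cam_aging, duration, interval):
    """Return (floods, arps) for return traffic arriving every `interval` s."""
    sw = StandbySwitch(arp_timeout, cam_aging)
    sw.learn_host(0)   # host first resolved at t=0 (initial ARP exchange)
    for t in range(interval, duration + 1, interval):
        sw.route_return(t)
    return sw.floods, sw.arps
```

With the defaults, every return packet after the first 300 s is flooded until the ARP entry finally ages out hours later; with the ARP timer at or below the CAM aging time the standby re-ARPs first and nothing is flooded. On IOS the corresponding knobs are `arp timeout` under the SVI and the global `mac address-table aging-time`.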

                              • 13. Re: ARP and CAM tables
                                Dmytro

                                Helpful