ARP Table – Troubleshooting Force10 ARP Table Filling Issue

Tags: arp, ethernet, router, routing, switch

I have 2 Force10 S25 switches that are used for a dark fiber link between two school buildings. One of my switches is filling its ARP table to the brim and then failing. This can happen as often as every 1.5 hours. I noticed that one of the addresses in the cache is an address from our previous web filter that has not been online in 6 months. We can't think of anything that would be holding an ARP cache, but something seems to be feeding our Force10 with addresses: by running show arp summary, sometimes up to 50 new addresses per second are being added. What should I be looking for to figure out where this is coming from?

Here is my show ip route connected

MiddleSchool#show ip route connected
   Destination        Gateway                      Dist/Metric Last Change
   -----------        -------                      ----------- -----------
  C    10.4.0.0/16        Direct, Vl 400                       0/0    03:39:18
  C    192.168.1.0/30     Direct, Te 0/28                      0/0    03:39:20

The only static route is the default route (0.0.0.0 /0 over the tengig 0/28 port) over the fiber link since all traffic must leave this switch and go to the other building to reach the internet.

Best Answer

I looked at the configs in your stack overflow question.

By way of review, this is your topology...

      Ten0/28  Ten0/28
Bldg_L----------------Bldg_S
F10 S25               F10 S25
  |                     |
  Vlan200               Vlan400
  10.2.0.101            10.4.0.101/16

The problem is that building L's switch proxy-ARPs to resolve 10.4.0.0/16 and building S's switch proxy-ARPs for 10.2.0.0/16... interface TenGig0/28 (your transit link between the buildings) is answering proxy-ARP requests. Remove those 10-net statics and use...

  • Building L: ip route 10.4.0.0 255.255.0.0 192.168.1.2
  • Building S: ip route 10.2.0.0 255.255.0.0 192.168.1.1

The reason that a route like ip route 10.4.0.0 255.255.0.0 TenGigabit0/28 proxy-ARPs is that you are essentially telling the switch that the entire /16 subnet is directly connected to TenGigabit0/28 when you static route out an interface like this. Using an IP next-hop only requires an ARP entry for that specific next-hop.

You probably need to move the default gateway to a new interface on the Building L switch, so the whole subnet can default through 10.2.0.101 and either reach 10.4.0.0/16 or the internet.

Sorry to say it, but you are leaving yourself wide open to ARP resource exhaustion problems when you assign a /16 as a connected subnet... ARP is an unauthenticated protocol, and anyone on the LAN can flood the switch with ARPs and it has no choice but to cache / answer them... even for phantom addresses.

Proactively, you might consider DHCP snooping and dynamic ARP inspection, if your version of FTOS supports it. These features normally require some thought and testing before deployment; however, they are well worth using if you have 100s of kids with nothing more exciting than showing off their "hacking" skills. I did a quick search to see if Force10 supports what Cisco calls port security, but I couldn't find it; port security can be used to limit the number of MACs learned on a switch port.
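To make the answer's point concrete, here is a small Python model of route lookup that shows why a static route out an interface makes the router ARP for every destination inside the prefix, while a route via an IP next-hop needs one ARP entry regardless of how many destinations are in play. This is an added example, not code or configuration from the switches or from FTOS; the route table mirrors the Building L side of the topology above, and the 2000-host sweep of 10.4.0.0/16 is constructed traffic for the demonstration.

```python
"""Model of how a router decides which IP address it must ARP for.

A route with no next-hop (a connected subnet, or a static route pointed at an
interface) is treated as "directly connected": the router ARPs for the
destination address itself.  A route with an IP next-hop only ever needs the
next-hop resolved.  Added example; the routes and traffic are constructed.
"""
from itertools import islice
import ipaddress


class Route:
    def __init__(self, prefix, interface, next_hop=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.interface = interface
        # next_hop is None for connected subnets and interface-only statics
        self.next_hop = ipaddress.ip_address(next_hop) if next_hop else None


class Router:
    def __init__(self, routes):
        # longest prefix first, the order a real lookup effectively uses
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen,
                             reverse=True)
        self.arp_table = {}  # resolved/pending IP -> egress interface

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        for r in self.routes:
            if dst in r.prefix:
                return r
        return None  # no route (the default route is omitted on purpose)

    def arp_target(self, dst):
        """Return (ip_to_resolve, interface) for a packet to dst."""
        route = self.lookup(dst)
        if route is None:
            return None, None
        if route.next_hop is None:
            # connected or interface route: ARP for the destination itself
            return ipaddress.ip_address(dst), route.interface
        # next-hop route: only the next hop needs an ARP entry
        return route.next_hop, route.interface

    def forward(self, dst):
        target, iface = self.arp_target(dst)
        if target is not None:
            # whether the reply comes from the real host, a proxy-ARP on the
            # far switch, or never arrives, the entry occupies a table slot
            self.arp_table.setdefault(target, iface)


def arp_entries_after_sweep(interface_route, hosts=2000):
    """ARP entries on Building L after traffic to `hosts` addresses in 10.4/16.

    interface_route=True  -> ip route 10.4.0.0 255.255.0.0 TenGigabit0/28
    interface_route=False -> ip route 10.4.0.0 255.255.0.0 192.168.1.2
    """
    routes = [Route("10.2.0.0/16", "Vlan200"),      # connected
              Route("192.168.1.0/30", "Te0/28")]    # connected transit link
    if interface_route:
        routes.append(Route("10.4.0.0/16", "Te0/28"))
    else:
        routes.append(Route("10.4.0.0/16", "Te0/28", next_hop="192.168.1.2"))
    router = Router(routes)
    # constructed traffic: a sweep across the first `hosts` addresses of 10.4/16
    for dst in islice(ipaddress.ip_network("10.4.0.0/16").hosts(), hosts):
        router.forward(dst)
    return len(router.arp_table)


if __name__ == "__main__":
    print("interface route:", arp_entries_after_sweep(True), "ARP entries")
    print("next-hop route: ", arp_entries_after_sweep(False), "ARP entry")
```

The same mechanism applies to the connected /16 on Vlan200: any traffic the switch originates or routes toward an unused 10.2.x.x address creates an entry there too, which is the exposure the answer describes for large connected subnets.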
