I have two Force10 S25 switches that are used for a dark fiber link between two school buildings. One of my switches is filling its ARP table to the brim and then failing. This can happen as often as every 1.5 hours. I noticed that one of the addresses in the cache is an address from our previous web filter, which has not been online in 6 months. We can't think of anything that would be holding an ARP cache, but something seems to be feeding our Force10 with addresses: running show arp summary shows that sometimes up to 50 new addresses per second are being added. What should I be looking for to figure out where this is coming from?
Here is my show ip route connected:
MiddleSchool#show ip route connected
Destination Gateway Dist/Metric Last Change
----------- ------- ----------- -----------
C 10.4.0.0/16 Direct, Vl 400 0/0 03:39:18
C 192.168.1.0/30 Direct, Te 0/28 0/0 03:39:20
The only static route is the default route (0.0.0.0/0 over the TenGig 0/28 port) over the fiber link, since all traffic must leave this switch and go to the other building to reach the internet.
Best Answer
I looked at the configs in your stack overflow question.
By way of review, this is your topology...
The problem is that building L's switch proxy-ARPs to resolve 10.4.0.0/16 and building S's switch proxy-ARPs for 10.2.0.0/16... interface TenGig0/28 (your transit link between the buildings) is answering proxy-ARP requests. Remove those 10-net statics and use...

ip route 10.4.0.0 255.255.0.0 192.168.1.2
ip route 10.2.0.0 255.255.0.0 192.168.1.1
The reason that a route like

ip route 10.4.0.0 255.255.0.0 TenGigabit0/28

proxy-ARPs is that you are essentially telling the switch that the entire /16 subnet is directly connected to TenGigabit0/28 when you static route out an interface like this. Using an IP next-hop only requires an ARP entry for that specific next-hop.

You probably need to move the default gateway to a new interface on the Building L switch, so the whole subnet can default through 10.2.0.101 and either reach 10.4.0.0/16 or the internet.
Sorry to say it, but you are leaving yourself wide open to ARP resource exhaustion problems when you assign a /16 as a connected subnet... ARP is an unauthenticated protocol, and anyone on the LAN can flood the switch with ARPs, and it has no choice but to cache / answer them... even for phantom addresses.
Proactively, you might consider DHCP snooping and dynamic ARP inspection, if your version of FTOS supports it. These features normally require some thought and testing before deployment; however, they are well worth using if you have hundreds of kids with nothing more exciting than showing off their "hacking" skills. I did a quick search to see if Force10 supports what Cisco calls port security, but I couldn't find it; port security can be used to limit the number of MACs learned on a switch port.
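To make the answer's mechanism concrete, here is an added example (not code from the question or the answer, and not Force10 software) that models a simplified longest-prefix-match forwarder and counts how many ARP cache entries a burst of traffic forces the switch to hold. The prefixes, the transit /30 and the interface name TenGigabitEthernet 0/28 come from the thread; the VLAN interface name on the building L switch, the sweep traffic and the `lint_interface_routes` helper are assumptions constructed for the illustration. It also generalizes slightly beyond the thread: a sweep of the locally connected /16 is shown to cost one ARP entry per target in either configuration, which is the exhaustion risk the second paragraph of the answer describes.

```python
"""Added example: why a static route out an interface costs one ARP entry per
destination, while a next-hop route costs one ARP entry in total.

Constructed model; not the FTOS forwarding code. Prefixes and the transit
interface mirror the thread, the rest is assumed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    next_hop: Optional[IPv4Address] = None  # None means "route out the interface"
    connected: bool = False                 # True for a directly connected prefix

def lookup(routes: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the route list; None if nothing matches."""
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def arp_target(route: Route, dst: IPv4Address) -> IPv4Address:
    """The address the switch must resolve with ARP to forward toward dst.

    A next-hop route is resolved once (the next hop). A connected prefix or an
    interface-only static treats the whole prefix as on-link, so the switch
    ARPs for the destination itself, answered or not.
    """
    return route.next_hop if route.next_hop is not None else dst

def arp_entries_needed(routes: List[Route], destinations) -> Set[Tuple[str, IPv4Address]]:
    """(interface, ip) pairs the ARP cache ends up holding after the traffic."""
    needed = set()
    for dst in destinations:
        r = lookup(routes, dst)
        if r is not None:
            needed.add((r.interface, arp_target(r, dst)))
    return needed

def lint_interface_routes(routes: List[Route], min_prefixlen: int = 30) -> List[Route]:
    """Assumed helper: flag static routes that point at an interface for a
    prefix wider than a point-to-point link, the pattern the answer warns about."""
    return [r for r in routes
            if not r.connected and r.next_hop is None and r.prefix.prefixlen < min_prefixlen]

TRANSIT = "TenGigabitEthernet 0/28"
LAN = "Vlan 200"  # assumed name for building L's user VLAN

# Building L switch as described in the answer: 10.4.0.0/16 static out the interface.
BEFORE = [
    Route(IPv4Network("10.2.0.0/16"), LAN, connected=True),
    Route(IPv4Network("192.168.1.0/30"), TRANSIT, connected=True),
    Route(IPv4Network("10.4.0.0/16"), TRANSIT),  # "ip route 10.4.0.0 255.255.0.0 TenGigabit0/28"
]
# Same switch with the answer's fix: same prefix, via the far end's transit address.
AFTER = [
    Route(IPv4Network("10.2.0.0/16"), LAN, connected=True),
    Route(IPv4Network("192.168.1.0/30"), TRANSIT, connected=True),
    Route(IPv4Network("10.4.0.0/16"), TRANSIT, IPv4Address("192.168.1.2")),
]

def demo(hosts: int = 500) -> dict:
    """Constructed traffic: a sweep of `hosts` consecutive addresses, most of
    them phantom hosts that will never answer an ARP request."""
    remote_sweep = [IPv4Address("10.4.0.1") + i for i in range(hosts)]
    local_sweep = [IPv4Address("10.2.0.1") + i for i in range(hosts)]
    return {
        "transit_sweep_before": len(arp_entries_needed(BEFORE, remote_sweep)),
        "transit_sweep_after": len(arp_entries_needed(AFTER, remote_sweep)),
        "local_sweep": len(arp_entries_needed(AFTER, local_sweep)),
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} ARP entries")
    for r in lint_interface_routes(BEFORE):
        print(f"warning: interface-only static for {r.prefix} via {r.interface}")
```

The sweep toward the remote /16 needs one ARP entry per address before the fix and a single entry (192.168.1.2 on the transit interface) after it; the sweep of the locally connected /16 still needs one entry per address either way, which is why the answer also points at DHCP snooping, dynamic ARP inspection or a MAC-learning limit as the next layer of defence.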