
question on arp 1


Mitelpassion

IS-IT--Management
May 2, 2005
1,153
ZA
Hi all,

I've posted this question on a couple of forums but have not yet had the answer I was looking for. Hope you can help.

I have a network device that has around 2000 other network devices that connect to it continually. The device obviously needs to have ARP tables for all the hosts connecting to it. The problem is that the ARP tables are getting full and I can't change this.

What's the easiest way to still have this device be able to communicate with the other 2000 devices but have a smaller ARP table?

Right now the device has a class B subnet IP. Would changing its IP subnet help? If so, would the ARP tables then reside on the routing device (router or L3 switch) for the 2000-odd devices that connect to it?

thanks in advance
 
First off, the ARP tables would reside on the next L3 device. Second off, what is this network device? Third, why are you concerned?
I was just looking at my own ARP tables, and now I'm a bit confused... I have a printer and a Windows computer, and they are both connected to a Cisco Catalyst 2924XL, and the switch is connected to a Cisco 2620XM (router). I did arp -a on the PC, and none were found until I pinged the router and printer (the switch does not have an IP address on VLAN 1). I did a sh arp and sh mac-add-table on the router, and they did not show up (the printer, anyway) until I pinged. But then I did it on the switch, and they all showed up (which is what I expected), but I could only ping my printer! Weird...
What kind of switch is attached to the device? If there were a L3 device between it and the clients, then I would assume the arp table would reside on that L3 device, and you could clear the entries in the device when they built up.

Burt
 
the problem is that the arp tables are getting full and I can't change this.
What an ARP table does is reduce the number of ARP requests broadcast on that network segment. If a device A needs the MAC of device B, and it's not in device A's ARP table, device A has to request the MAC of device B with a broadcast packet. So if a device's ARP table fills up, it generates more broadcast traffic. Which is usually not a problem, unless the ARP table is overwhelmed and is constantly broadcasting to repopulate itself.

The point of my rambling is that you don't HAVE to have an ARP table at all. Your devices will all work without them, but less efficiently.

would changing it's IP subnet help?
Yes, reducing the number of devices you're able to connect to will reduce the active size of an ARP table. But now you can't talk to those devices... This is not a solution to your problem.

I echo Burt's 3rd question, why are you concerned?


--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
1 device, whatever it is, with 2000 other devices connected to it seems a bit excessive to me!

ARP table entries have a limited life. So if you reduce network traffic, number of devices and primarily reduce the number of arp requests then the arp table will not be so full.

The limited life is why if on an XP PC, say, you do arp -a and then ping another network device, it is normally at that point that you see the ARP entry. Wait from a few to 30 minutes and the entry will have been deleted!

You can delete the arp table! The command is normally arp -d *
It will then re-build. So if you have a rogue device on the network flooding arp requests you may be able to spot it.

Personally I would start by using a network probe to see what is going on and work from there.


When I married "Miss Right" I didn't realise her first name was 'always'. LOL
 
OK guys, thanks for the responses. I should have said this in the beginning, but let me put things into context.

One device needs to talk to roughly 2000 other devices constantly. This is a PBX system (not Asterisk). There are about 2000 phones that send call control messages and probe the PBX to see if it's alive. Hence the ARP tables being big.

Why am I concerned about the ARP tables? Well, for some reason, if a specific device, maybe a PC or a phone, can't connect to the PBX, it never appears to have an ARP entry for that specific device. What bothers me is the fact that the absence of an ARP entry does not necessarily mean inability to communicate. Or does it? A portion of the OS that's running on the system is Red Hat Linux. Even trying to ping from the OS is impossible if the ARP tables are full.

All in all, I'm trying to confirm if putting the PBX in a smaller subnet will fix the issue.

once again thanks for the input.
 
All in all, I'm trying to confirm if putting the PBX in a smaller subnet will fix the issue.

That is definitely one potential fix.

Another one would be to see if there is a simple way to reduce the rate at which the devices (phones) "chatter".

I think I would reduce the subnet size. Possibly considerably, to 255? Giving a maximum of 254 hosts and 253 phones.

When I married "Miss Right" I didn't realise her first name was 'always'. LOL
 
In my experience, ARP tables are not persistent. Each entry in a table only lasts some seconds, and then is flushed. Otherwise you could never move an IP address to a different device.

Your devices will still communicate even if their ARP tables are full, it just causes more broadcast traffic.

I think you've got the cart before the horse. Your lack of comms is not caused by the absence of an ARP table entry; rather, your absence of an ARP table entry is caused by a lack of comms.

Changing your subnet in such a way as to reduce the size of your ARP table will cause you to lose comms to some of your devices.

What has caused you to focus on the ARP tables as the source of your problem?


--
The stagehand's axiom: "Never lift what you can drag, never drag what you can roll, never roll what you can leave."
 
First, I would put all phones in a separate subnet (for a number of reasons – QoS is a big one) Some IP Phones update an Ethernet-to-IP address mapping when they accept an ARP response. By default, each of these phones uses the Gratuitous ARP feature, which means that the phone accepts an ARP response only after the phone sends an ARP request. The phone ignores ARP responses that are not the result of prior requests.

However, in some/many cases you can disable the Gratuitous ARP feature, which would allow the IP Phone to accept all ARP responses. Next, shut down your Phone hello timer. This will allow only live calls to populate your table.
 
This may also be useful...
ArpWatch

Here is a How To Setup (Debian, but it can run on most *nix distros).
Same for Mac OS X.

Windows port download (winarp-sk)

This can help you pinpoint any ARP-based attacks like the ARP flooding that is mentioned in the Duke article... Even if it is a rogue device, this can help pinpoint the issue.

B Haines
CCNA R&S, ETA FOI
 
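The thread makes three points worth checking on the PBX itself rather than guessing: the Linux neighbour cache has a hard entry limit (the `net.ipv4.neigh.default.gc_thresh3` sysctl, 1024 by default, beyond which the kernel logs a neighbour table overflow and new resolutions fail, which matches the "cannot even ping when the table is full" symptom), an entry that is present but incomplete means the host simply never answered the ARP request (the "lack of comms causes the missing entry" argument), and an arpwatch-style comparison of two snapshots shows IP-to-MAC flips or one MAC claiming several IPs. The following is an added example, not code from the thread or from arpwatch; it parses the `/proc/net/arp` layout and runs on two constructed snapshots (the addresses, MACs and the table limit are made up for the example). On a live box you would replace the constructed text with `open("/proc/net/arp").read()` and the limit with the sysctl value.

```python
from collections import defaultdict

# Constructed sample snapshots in /proc/net/arp layout:
#   IP address, HW type, Flags, HW address, Mask, Device
# Flags 0x2 = complete (ATF_COM); 0x0 = incomplete, i.e. the host never replied.
SNAPSHOT_T0 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.20.0.11       0x1         0x2         00:11:22:33:44:01     *        eth0
10.20.0.12       0x1         0x2         00:11:22:33:44:02     *        eth0
10.20.0.13       0x1         0x0         00:00:00:00:00:00     *        eth0
10.20.0.14       0x1         0x2         00:11:22:33:44:04     *        eth0
"""
SNAPSHOT_T1 = """\
IP address       HW type     Flags       HW address            Mask     Device
10.20.0.11       0x1         0x2         00:11:22:33:44:01     *        eth0
10.20.0.12       0x1         0x2         00:11:22:33:44:99     *        eth0
10.20.0.14       0x1         0x2         00:11:22:33:44:04     *        eth0
10.20.0.15       0x1         0x2         00:11:22:33:44:04     *        eth0
"""

# Assumed limit for the example; on a real host read
# /proc/sys/net/ipv4/neigh/default/gc_thresh3 (kernel default is 1024).
ASSUMED_GC_THRESH3 = 1024


def parse_arp(text):
    """Parse /proc/net/arp text into {ip: {"mac", "complete", "dev"}}."""
    entries = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = fields[:6]
        entries[ip] = {
            "mac": mac.lower(),
            "complete": (int(flags, 16) & 0x2) != 0,
            "dev": dev,
        }
    return entries


def table_health(entries, limit=ASSUMED_GC_THRESH3):
    """Size of the cache against the kernel limit, plus unanswered (incomplete) entries."""
    incomplete = sorted(ip for ip, e in entries.items() if not e["complete"])
    return {
        "total": len(entries),
        "complete": len(entries) - len(incomplete),
        "incomplete": incomplete,             # hosts that never answered ARP
        "near_limit": len(entries) >= int(0.9 * limit),
    }


def mac_conflicts(entries):
    """One MAC answering for several IPs (misconfiguration or a spoofing device)."""
    by_mac = defaultdict(list)
    for ip, e in entries.items():
        if e["complete"]:
            by_mac[e["mac"]].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def flip_flops(before, after):
    """arpwatch-style 'changed ethernet address' check between two snapshots."""
    changes = []
    for ip, e in after.items():
        old = before.get(ip)
        if old and old["complete"] and e["complete"] and old["mac"] != e["mac"]:
            changes.append((ip, old["mac"], e["mac"]))
    return changes


if __name__ == "__main__":
    t0, t1 = parse_arp(SNAPSHOT_T0), parse_arp(SNAPSHOT_T1)
    print("health at t0:", table_health(t0))
    print("MAC conflicts at t1:", mac_conflicts(t1))
    print("IP->MAC changes t0->t1:", flip_flops(t0, t1))
```

Read together with the thread: a large `total` close to `gc_thresh3` explains the ping failures and is fixed by raising the sysctl or by putting the phones behind an L3 hop, entries in `incomplete` are the hosts the PBX asked for and got no answer from (so the missing entry is the symptom, not the cause), and anything from `mac_conflicts` or `flip_flops` is exactly what arpwatch would have emailed about.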