Manual Chapter: BIG-IP® Network and System Management Guide: 9 - Configuring Address Resolution Protocol
9

Configuring Address Resolution Protocol


Introducing Address Resolution Protocol

The BIG-IP system is a multilayer network device, and as such, needs to perform routing functions. To do this, the BIG-IP system must be able to find destination MAC addresses on the network, based on known IP addresses. The way that the BIG-IP system does this is by supporting Address Resolution Protocol (ARP), an industry-standard layer 3 protocol.

What is ARP?

ARP is a protocol that sends a broadcast request to other devices on the network, asking for a destination layer 2 address. Such a request consists of special packets commonly known as who-has packets. Who-has packets are packets that the BIG-IP system broadcasts to all devices on a network (or VLAN), to determine the owner of a specific IP address. The device owning that IP address typically responds with an ARP packet that contains both its IP address and its MAC address. After receiving an ARP response, the BIG-IP system then stores that device's MAC address in its ARP cache for later use. The ARP cache is a repository of IP address/MAC address pairs for hosts on a network.

Note

Except when referring to the BIG-IP system, the terms device, host, destination, or destination address refer to either a destination server or a next-hop router.

The ARP cache can consist of two types of entries:

  • Static
    A static entry is an IP address/MAC address pair that you explicitly add to the ARP cache because you already know the MAC address of a given IP address.
  • Dynamic
    A dynamic entry is an IP address/MAC address pair that the BIG-IP system adds to the ARP cache automatically after receiving a response from an ARP broadcast request.

You can use the Configuration utility to manage static and dynamic entries in the ARP cache of the BIG-IP system. When you manage the entries in the ARP cache, you maximize the chance that the BIG-IP system can forward packets to destination hosts successfully and efficiently.

Managing static entries refers to adding IP address/MAC address pairs to the ARP cache, as well as viewing, modifying, or deleting them.

Managing dynamic entries primarily refers to configuring a set of global options that affect the way that the BIG-IP system treats dynamic entries. For example, with the Dynamic Timeout option, you can specify the length of time that dynamic entries remain in the ARP cache. With the Request Retries option, you can specify the maximum number of times that the BIG-IP system can send the same ARP request before declaring a destination host to be unreachable. You can view or delete dynamic entries, but you cannot add or modify them.

How does the BIG-IP system use ARP?

When the BIG-IP system needs to forward packets to a destination host or next-hop router, the system starts by searching its ARP cache for the destination IP address and its corresponding MAC address.

If an entry for the IP address/MAC address pair exists in the ARP cache, the system determines the correct BIG-IP system interface to use, and then forwards the packets to that MAC address. If no entry for the IP address/MAC address pair exists in its ARP cache, the system broadcasts an ARP request to hosts on the network and then behaves in the following way:

  • If a host sends an ARP response (its MAC address) within two seconds of the ARP request, the BIG-IP system stores that IP address/MAC address pair in its ARP cache for subsequent use, and sets the state of the entry to RESOLVED. The system then determines the correct interface and sends the data packets to that MAC address. For more information on the RESOLVED state, see Understanding ARP entry states on this page.
  • If no host sends an ARP response after two seconds have passed, the BIG-IP system repeatedly broadcasts the ARP request until a host sends a response, or until the maximum number of allowed requests is reached. (The maximum number of requests to the same host that the BIG-IP system can make is a setting that you configure.) If the system sends the maximum number of ARP requests and does not receive a response, the host is declared to be unreachable, and the system sets the state of the entry to DOWN. For more information on the DOWN state, see Understanding ARP entry states on this page.
  • If the BIG-IP system receives a second packet targeted for the same destination within two seconds of making an ARP request, the system discards the original packet and replaces it with the second packet, and then sends another ARP request.

    If the BIG-IP system needs to send more packets to that same host later, and the ARP cache entry pertaining to that host has not timed out yet, the BIG-IP system can send the packets to the host without sending another ARP request first.

Understanding ARP entry states

Each entry in the ARP cache has a state associated with it. When you use the Configuration utility to view the entries in the ARP cache, you can view the state of each entry. The possible states for an entry are RESOLVED, INCOMPLETE, and DOWN.

The BIG-IP system marks an ARP cache entry as RESOLVED when the system has successfully received an ARP response (a MAC address) for the requested IP address within two seconds of initiating the request. An entry in a RESOLVED state remains in the ARP cache until the timeout period has expired.

The BIG-IP system marks an ARP cache entry as INCOMPLETE when the system has made one or more ARP requests within the maximum number of requests allowed, but has not yet received a response.

The BIG-IP system marks an ARP cache entry as DOWN when the system has made the maximum number of requests allowed, and still receives no response. In this case, the system discards the packet, and sends an ICMP host unreachable message to the sender. An entry with a DOWN state remains in the ARP cache until the first of these events occurs:

  • Twenty seconds elapse.
  • The BIG-IP system receives either a resolution response or a gratuitous ARP from the destination host. (A gratuitous ARP is an ARP message that a host sends without having been prompted by an ARP request.)
  • You explicitly delete the entry from the ARP cache.

Responding to ARP requests

By default, the BIG-IP system does not respond to certain types of ARP requests. More specifically, the system does not respond to ARP requests sent from any firewall that uses a multicast IP address as its source address.

You can change this behavior to allow the BIG-IP system to respond to this type of ARP request, by configuring the bigdb key TM.AllowEthernetSourceType as follows:

bigpipe db TM.AllowEthernetSourceType unicast-multicast
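The who-has and is-at packets described under What is ARP?, the gratuitous ARP mentioned in the list of events that clear a DOWN entry, and the multicast-source requests discussed just above can all be recognised by decoding the ARP frame itself. The following Python decoder is an added example written for this page; it is not F5 code and does not show how the BIG-IP system implements ARP. It builds a few constructed frames (all addresses are made up), parses the Ethernet and ARP headers, and labels each frame. The multicast check uses the IEEE 802 I/G bit of the Ethernet source address, and the comparison of the ARP sender MAC with the Ethernet source MAC is an added indicator that operators commonly use when reviewing suspect ARP traffic, not something this chapter describes.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2        # opcodes for "who-has" and "is-at"
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class ArpFrame:
    eth_src: str
    eth_dst: str
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    @property
    def kind(self) -> str:
        # A gratuitous ARP names the sender's own IP address as the target.
        if self.sender_ip == self.target_ip:
            return "gratuitous"
        return {ARP_REQUEST: "who-has", ARP_REPLY: "is-at"}.get(self.opcode, "unknown")

    @property
    def source_is_multicast(self) -> bool:
        # IEEE 802 I/G bit: bit 0 of the first octet set means a group (multicast) address.
        return int(self.eth_src[:2], 16) & 1 == 1

    @property
    def sender_mac_mismatch(self) -> bool:
        # Added heuristic, not from the manual: the ARP sender MAC normally equals the Ethernet source.
        return self.sender_mac != self.eth_src

def _mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def _bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp_frame(eth_src, eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet/IPv4 ARP frame (htype 1, ptype 0x0800, hlen 6, plen 4): 14 + 28 bytes."""
    eth = struct.pack("!6s6sH", _mac_to_bytes(eth_dst), _mac_to_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      _mac_to_bytes(sender_mac), _ip_to_bytes(sender_ip),
                      _mac_to_bytes(target_mac), _ip_to_bytes(target_ip))
    return eth + arp

def parse_arp_frame(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_bytes_to_mac(src), _bytes_to_mac(dst), oper, _bytes_to_mac(sha),
                    _bytes_to_ip(spa), _bytes_to_mac(tha), _bytes_to_ip(tpa))

def classify(frames: List[bytes]) -> List[str]:
    """Label each frame the way the ARP cache would see it, with flags for the odd cases."""
    labels = []
    for raw in frames:
        f = parse_arp_frame(raw)
        if f is None:
            labels.append("not-arp")
            continue
        flags = [name for name, hit in (("multicast-src", f.source_is_multicast),
                                        ("sha!=eth-src", f.sender_mac_mismatch)) if hit]
        labels.append(f.kind + (f"[{','.join(flags)}]" if flags else ""))
    return labels

# Constructed sample traffic; all addresses are made up for this example.
SAMPLE_FRAMES = [
    build_arp_frame("00:11:22:33:44:01", BROADCAST, ARP_REQUEST,
                    "00:11:22:33:44:01", "10.1.1.1", "00:00:00:00:00:00", "10.1.1.20"),   # who-has
    build_arp_frame("00:11:22:33:44:20", "00:11:22:33:44:01", ARP_REPLY,
                    "00:11:22:33:44:20", "10.1.1.20", "00:11:22:33:44:01", "10.1.1.1"),   # is-at
    build_arp_frame("00:11:22:33:44:20", BROADCAST, ARP_REQUEST,
                    "00:11:22:33:44:20", "10.1.1.20", "00:00:00:00:00:00", "10.1.1.20"),  # gratuitous
    build_arp_frame("01:00:5e:00:00:01", BROADCAST, ARP_REQUEST,
                    "00:11:22:33:44:99", "10.1.1.99", "00:00:00:00:00:00", "10.1.1.1"),   # multicast source
    b"\x00" * 60,                                                                          # not ARP at all
]

if __name__ == "__main__":
    for raw, label in zip(SAMPLE_FRAMES, classify(SAMPLE_FRAMES)):
        print(f"{len(raw):3d} bytes  {label}")
```

Running the block prints one label per constructed frame; the fourth frame is reported as a who-has with both flags set, which is the shape of request the default TM.AllowEthernetSourceType setting leaves unanswered.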

Configuring static entries in the ARP cache

Static entries in the ARP cache do not have a timeout value, and therefore remain in the ARP cache until you explicitly delete them. By adding static entries to the ARP cache, you reduce the number of ARP requests that the BIG-IP system must make to determine destination MAC addresses.

Using the Configuration utility, you can add entries to the ARP cache of the BIG-IP system. You can also view, modify, and delete any existing static entries.

Adding static entries

Adding a static entry for a destination server to the ARP cache saves the BIG-IP system from having to send an ARP broadcast request for that destination server. This can be useful, for example, for specifying a multicast or other special MAC address for servers or gateways.

You can explicitly add entries to the ARP cache on the BIG-IP system. Because static entries do not have a timeout value, they remain in the ARP cache until you explicitly delete them. When you add static entries to the ARP cache, the BIG-IP system can determine the MAC address for an IP address without having to broadcast an ARP request. This can be useful when you want the system to forward packets to a special MAC address, such as a shared MAC address, or you want to ensure that the MAC address never changes for a given IP address.

Adding static entries to the ARP cache is simple. You merely specify an IP address and its corresponding MAC address. Then, when the BIG-IP system must forward packets to that IP address, the system checks the ARP cache to find the MAC address. The system can then check the VLAN's layer 2 forwarding table to determine the appropriate outgoing interface. (For more information on the layer 2 forwarding table, see Chapter 5, Configuring VLANs and VLAN Groups.)

To add a static entry to the ARP cache

  1. On the Main tab of the navigation pane, expand Network and click ARP.
    This displays a list of any existing static entries in the ARP cache.
  2. In the upper-right corner, click Create.
    The ARP screen opens.
  3. In the IP Address box, type the IP address for a destination host.
  4. In the MAC Address box, type the MAC address for the destination host specified in the IP Address box.
  5. Click Finished.

Viewing static entries

Using the Configuration utility, you can view a list of the static entries that you have added to the ARP cache. When you display the list of static entries in the ARP cache, each entry includes an IP address and its corresponding MAC address.

To view static entries

On the Main tab of the navigation pane, expand Network, and click ARP.

By default, this displays a list of existing static entries in the ARP cache. If you have not yet added any static entries to the ARP cache, the list displays the message No records to display.

Modifying static entries

Sometimes, the MAC address of a destination host changes, while the IP address stays the same. This requires you to modify any static entry that you might have previously added to the ARP cache for that host. When you modify a static ARP cache entry, you change the MAC address associated with the IP address.

To modify a static entry

  1. On the Main tab of the navigation pane, expand Network and click ARP.
    This displays a list of existing static entries in the ARP cache.
    Note: If no entries exist, the screen displays the message No records to display.
  2. In the IP Address column, click an IP address.
    This displays the MAC address that you associated with this IP address when you added the static entry.
  3. In the MAC Address box, delete the current MAC address and type a new MAC address.
  4. Click Update.

Deleting static entries

At any time, you can remove a static entry from the ARP cache. A common reason for deleting an ARP cache entry is when you remove the corresponding destination host from the network. In this case, the BIG-IP system no longer needs to store MAC address information for that host.

To delete a static entry

  1. On the Main tab of the navigation pane, expand Network and click ARP.
    This displays a list of existing static entries in the ARP cache.
  2. In the IP Address column, locate the entry you want to delete.
  3. Check the Select box to the left of the IP address.
  4. Click Delete.
    A confirmation message appears.
  5. Click Delete again.
    This removes the entry from the ARP cache.

Configuring dynamic entries in the ARP cache

If you do not want to add a static entry into the ARP cache for every destination host on the network, you can use ARP to add these entries dynamically. The primary functions of ARP are to automatically broadcast requests for MAC addresses, and to dynamically store those responses in the ARP cache.

Configuring dynamic entries is slightly different from configuring static entries:

  • You specify a set of values that applies globally to all dynamic entries. Configuring these global options affects the way that ARP treats dynamic entries in the ARP cache. For more information, see Configuring global options on this page.
  • You do not explicitly add dynamic entries to the ARP cache, because ARP adds those entries for you. Also, you do not modify dynamic entries. You can, however, view and delete dynamic entries from the ARP cache. For more information, see Viewing dynamic entries and Deleting dynamic entries on this page.

Configuring global options

You can configure a number of options that affect the way that ARP behaves. While all of these options have default values, you can change these values to suit your needs. Table 9.1 lists and describes these options. Following the table are more detailed descriptions of each option.

Table 9.1 Global configuration options for ARP (option, default value, and description)

  • Dynamic Timeout (default value: 300)
    Specifies the maximum number of seconds that a dynamic entry can remain in the ARP cache before the BIG-IP system automatically removes it.
  • Maximum Dynamic Entries (default value: 2048)
    Specifies the maximum number of dynamic entries that the ARP cache can hold at any given time.
  • Request Retries (default value: 6)
    Specifies the number of times that the BIG-IP system sends ARP requests for an unresolved address, before determining that the remote address is in a down state or not on the network.
  • Reciprocal Update (default value: Enabled (checked))
    Specifies whether the BIG-IP system should add an entry to the ARP cache as a result of receiving an ARP broadcast request from another host on the network.

Specifying a dynamic timeout value

With the Dynamic Timeout option, you can specify the maximum number of seconds that a dynamic entry can remain in the ARP cache before the BIG-IP system automatically removes it. The default value is 300.

Once you have configured this value and the system dynamically adds an entry to the ARP cache, the seconds begin to count down toward 0 for that entry. When the value reaches 0, the BIG-IP system automatically deletes the entry from the cache. If the entry is actively being used as the time approaches 0, ARP attempts to refresh the entry by sending an ARP request.

At any given time, you can view the seconds that remain for a dynamic entry. You do this by viewing the entry in the ARP cache. For more information, see Viewing dynamic entries on this page.

Specifying a dynamic entry limit

You can configure the Maximum Dynamic Entries option to limit the number of dynamic entries that the BIG-IP system can hold in the ARP cache at any given time. The default value is 2048.

This setting relates to dynamic entries only and has no effect on the number of static entries that the ARP cache can hold. Therefore, if the number of dynamic entries in the cache reaches the limit that you specified, you can still add static entries to the cache. This is possible because the system can remove an older dynamic entry prematurely to make space for a new static entry that you add.

Note

The value of the Maximum Dynamic Entries option should be large enough to maintain entries for all directly-connected hosts with which the BIG-IP system must communicate. If you have more than 2000 hosts that are directly connected to the BIG-IP system, you should specify a value that exceeds the default value of 2048.

Specifying an ARP request limit

When the BIG-IP system needs a MAC address for a given IP address and does not have the information in its ARP cache, the system must broadcast an ARP request to the hosts on the network (or VLAN). Sometimes, the BIG-IP system receives no response to this request and so resends the request. The Request Retries option specifies the number of times that the BIG-IP system can resend an ARP request before finally marking the host as unreachable. The default value is 6.

Specifying reciprocal update

The information stored in the ARP cache is typically the IP addresses and MAC addresses that the BIG-IP system receives in response to its own ARP requests. However, when you enable the Reciprocal Update option, the BIG-IP system can also store information that it learns as a result of other hosts on the network sending ARP broadcast requests (that is, who-has packets) to the BIG-IP system. By default, the Reciprocal Update option is enabled.

Depending on how you set this option, ARP behaves in these ways:

  • Enabled
    When you enable the Reciprocal Update option, the BIG-IP system creates an entry in the ARP cache whenever the system receives who-has packets from another host on the network. Enabling this option slightly enhances performance by eliminating the need for the BIG-IP system to perform an additional ARP exchange later.
  • Disabled
    When you disable the Reciprocal Update option, the BIG-IP system does not add an entry to the ARP cache in response to receiving who-has packets from a host. Instead, the system creates an ARP cache entry for a host only when the system needs to send non-ARP traffic to that host. If the BIG-IP system never needs to send non-ARP traffic to the host, then the system never dynamically adds an entry for that host.

    Disabling this option provides a security benefit, by preventing a malicious action known as ARP poisoning. ARP poisoning occurs when a host is intentionally altered to send an ARP response containing a false MAC address. By disabling the Reciprocal Update option, the BIG-IP system cannot add that false information to its ARP cache.
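The cache behaviour described under How does the BIG-IP system use ARP?, the RESOLVED, INCOMPLETE and DOWN states, and the four global options in Table 9.1 can be exercised together in a small model. The Python class below is an added example written for this page; it is not F5 code and is not the system's implementation. The two-second reply wait, the twenty-second hold on DOWN entries, the option defaults and the static/dynamic distinction come from this chapter. Four details the chapter leaves open are assumptions, marked as such in the code: the width of the "approaching 0" refresh window, which dynamic entry is evicted when the limit is reached, that Request Retries counts the total requests sent including the first, and that a later who-has from an already-known IP overwrites its dynamic entry (which is the poisoning path that disabling Reciprocal Update closes).

```python
from dataclasses import dataclass
from typing import Dict, Optional

RESOLVED, INCOMPLETE, DOWN = "RESOLVED", "INCOMPLETE", "DOWN"
REPLY_WAIT = 2.0      # seconds to wait for a reply before re-sending (from the chapter)
DOWN_HOLD = 20.0      # seconds a DOWN entry stays in the cache (from the chapter)
REFRESH_WINDOW = 2.0  # assumption: "as the time approaches 0" is read as within this many seconds

@dataclass
class Entry:
    ip: str
    mac: Optional[str] = None
    static: bool = False
    state: str = INCOMPLETE
    requests_sent: int = 0
    last_request: float = 0.0
    expires_at: Optional[float] = None   # static entries have no timeout
    down_since: Optional[float] = None
    refresh_sent: bool = False

class ArpCache:
    """Model (not F5 code) of the cache states and global options described in this chapter."""

    def __init__(self, dynamic_timeout=300, max_dynamic_entries=2048,
                 request_retries=6, reciprocal_update=True):
        self.dynamic_timeout = dynamic_timeout
        self.max_dynamic_entries = max_dynamic_entries
        self.request_retries = request_retries      # assumption: total requests, first one included
        self.reciprocal_update = reciprocal_update
        self.entries: Dict[str, Entry] = {}

    def _dynamic(self):
        return [e for e in self.entries.values() if not e.static]

    def _make_room(self, now):
        # The limit counts dynamic entries only. Assumption: the dynamic entry with the least
        # time remaining is the "older" one that gets evicted to make space.
        dyn = self._dynamic()
        if len(dyn) >= self.max_dynamic_entries:
            victim = min(dyn, key=lambda e: -1.0 if e.expires_at is None else e.expires_at)
            del self.entries[victim.ip]

    def _send_request(self, e, now):
        e.state, e.requests_sent, e.last_request = INCOMPLETE, e.requests_sent + 1, now

    def add_static(self, ip, mac, now=0.0):
        self._make_room(now)   # a static entry may push out an older dynamic one
        self.entries[ip] = Entry(ip, mac, static=True, state=RESOLVED)

    def lookup(self, ip, now):
        """Return the MAC to forward to, or None while resolution is pending or the host is DOWN."""
        e = self.entries.get(ip)
        if e is not None and e.state == RESOLVED:
            if not e.static and not e.refresh_sent and e.expires_at - now <= REFRESH_WINDOW:
                e.refresh_sent, e.last_request = True, now   # in use near timeout: send a refresh
            return e.mac
        if e is None:
            self._make_room(now)
            e = self.entries[ip] = Entry(ip)
            self._send_request(e, now)
        elif e.state == INCOMPLETE and now - e.last_request < REPLY_WAIT:
            self._send_request(e, now)   # second packet within 2 s: first dropped, ask again
        return None

    def tick(self, now):
        """Advance timers: retries, DOWN declaration, DOWN hold, dynamic expiry."""
        for ip, e in list(self.entries.items()):
            if e.static:
                continue
            if e.state == INCOMPLETE and now - e.last_request >= REPLY_WAIT:
                if e.requests_sent >= self.request_retries:
                    e.state, e.down_since = DOWN, now   # unreachable: packet dropped, ICMP unreachable sent
                else:
                    self._send_request(e, now)
            elif e.state == DOWN and now - e.down_since >= DOWN_HOLD:
                del self.entries[ip]
            elif e.state == RESOLVED and now >= e.expires_at:
                del self.entries[ip]

    def on_reply(self, ip, mac, now):
        """An is-at reply or gratuitous ARP from the host resolves an INCOMPLETE or DOWN entry."""
        e = self.entries.get(ip)
        if e is None or e.static:
            return False   # nothing was asked for this IP, or the entry is static and never changes
        e.mac, e.state, e.requests_sent = mac, RESOLVED, 0
        e.down_since, e.refresh_sent, e.expires_at = None, False, now + self.dynamic_timeout
        return True

    def on_who_has(self, sender_ip, sender_mac, now):
        """Reciprocal Update: learn the sender of a who-has request only when the option is on."""
        e = self.entries.get(sender_ip)
        if not self.reciprocal_update or (e is not None and e.static):
            return False
        if e is None:
            self._make_room(now)
        # Assumption: a later who-has from the same IP overwrites the dynamic entry. This is the
        # path a forged who-has would use to plant a false MAC; disabling the option closes it.
        self.entries[sender_ip] = Entry(sender_ip, sender_mac, state=RESOLVED,
                                        expires_at=now + self.dynamic_timeout)
        return True

    def state(self, ip):
        e = self.entries.get(ip)
        return e.state if e is not None else None

    def seconds_remaining(self, ip, now):
        e = self.entries.get(ip)
        return None if e is None or e.expires_at is None else max(0.0, e.expires_at - now)
```

Driving the model with explicit timestamps (lookup, then tick every two seconds) reproduces the INCOMPLETE to DOWN progression for an unreachable host, the twenty-second hold, and the countdown that the Dynamic List screen shows as seconds remaining; building one cache with reciprocal_update=False and one with the default shows why a who-has alone cannot seed the cache when the option is disabled, while static entries are untouched in both cases.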

Viewing dynamic entries

Using the Configuration utility, you can view a list of the dynamic entries that ARP has added to the ARP cache. When you display the list of dynamic entries in the ARP cache, each entry shows this information:

  • IP address of the destination host
  • MAC address of the destination host
  • The VLAN of the destination host
  • The number of seconds remaining before the entry times out
  • The state of the entry. Valid states are: RESOLVED, INCOMPLETE, and DOWN. For detailed information on these states, see Understanding ARP entry states on this page.

To view dynamic entries

  1. On the Main tab of the navigation pane, expand Network, and click ARP.
  2. On the menu bar, click Dynamic List.
    This displays a list of dynamic entries in the ARP cache. If no dynamic entries exist, the screen displays the message No records to display.

Deleting dynamic entries

At any time, you can remove a dynamic entry from the ARP cache. A common reason for deleting an ARP cache entry is when you move a host from one VLAN to another, or you change the MAC address associated with that host. By removing a dynamic entry, you ensure that ARP learns the new information before the timeout value for the entry expires.

To delete a dynamic entry

  1. On the Main tab of the navigation pane, expand Network and click ARP.
    This displays a list of existing static entries in the ARP cache.
  2. On the menu bar, click Dynamic List.
    This displays a list of dynamic entries in the ARP cache.
    Note: If no entries exist, the screen displays the message No records to display.
  3. In the IP Address column, locate the entry you want to delete.
  4. Check the Select box to the left of the IP address.
  5. Click Delete.
    A confirmation message appears.
  6. Click Delete again.
    This removes the entry from the ARP cache.


