3Com 7757 Configuration Manual, page 574 (3Com Switch 7750 family)

Chapter 54: ARP Configuration
With gratuitous ARP learning enabled on a device, each time the device receives a
gratuitous ARP packet it updates the matching ARP entry in its cache (if one
exists) with the sender hardware address carried in the gratuitous ARP packet.
Overview of gratuitous ARP update interval
When the ARP aging timer expires, some hosts in the network simply delete the
dynamically learned ARP entries and are unable to refresh them on their own.
Such a host has to send a new ARP request for the gateway address when the next
IP packet to be sent arrives. Because the host can buffer only one packet while
it waits for the reply, a ping sent with a long packet loses multiple fragments,
which interrupts the ping.
When the network load or the CPU usage of the receiving host is high, ARP
packets may be lost, or the host may be unable to process the received ARP
packets in time. In that case, after the dynamic ARP entries on the host age
out, traffic between the host and the sending device remains interrupted until
the host learns the ARP entries of the sending device again.
To address this issue, you can configure the gratuitous ARP update interval on the
Switch 7750 Ethernet switches. With gratuitous ARP packets sent periodically, the
receiving host refreshes the ARP entry for the gateway in its ARP table in time:
the entry is updated before its aging timer expires, so it is never deleted, and
the traffic interruption described above does not occur.
How gratuitous ARP update interval works
A switch periodically sends gratuitous ARP packets carrying the master and
secondary IP addresses of its VLAN interfaces and the IP addresses of all its
VRRP virtual routers, so that a connected device that cannot refresh ARP entries
on its own has them updated.
If only a small number of VLAN interfaces and VRRP backup groups are configured,
the device traverses all the VLAN interfaces and their IP addresses in a very
short time. If this traversal loops without being limited, gratuitous ARP
packets for the same IP address are sent at too short an interval, which
increases the switch workload and network traffic. To solve this problem, the
device allows you to configure the gratuitous ARP update interval.
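The two mechanisms above, gratuitous ARP learning on a host that can only age entries out, and a gateway that walks its addresses sending gratuitous ARP with or without a minimum interval, as an added simulation. This is example code written for this page, not 3Com firmware or the switch's CLI; the MAC and IP addresses, the `PassiveHostCache` model and the `refresh_times` traversal model are constructed assumptions.

```python
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST = 1


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_gratuitous_arp(sender_mac: str, sender_ip: str) -> bytes:
    """Ethernet frame with a gratuitous ARP request: broadcast destination,
    sender protocol address == target protocol address, target MAC all-zero."""
    eth = b"\xff" * 6 + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype 1 (Ethernet), ptype 0x0800 (IPv4), hlen 6, plen 4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += _mac(sender_mac) + _ip(sender_ip) + bytes(6) + _ip(sender_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/IPv4 ARP frame; None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    return {"op": op, "gratuitous": spa == tpa,
            "sender_mac": ":".join(f"{b:02x}" for b in sha),
            "sender_ip": ".".join(str(b) for b in spa)}


class PassiveHostCache:
    """Host of the kind the page describes: an entry that reaches the aging
    timer is deleted and the host cannot refresh it on its own. Gratuitous
    ARP learning updates an entry that already exists; it never creates one."""

    def __init__(self, aging_timer: float):
        self.aging_timer = aging_timer
        self.entries: Dict[str, Tuple[str, float]] = {}  # ip -> (mac, refreshed_at)

    def _expire(self, now: float) -> None:
        for ip in [ip for ip, (_, t) in self.entries.items()
                   if now - t >= self.aging_timer]:
            del self.entries[ip]

    def learn_from_reply(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now)  # created by the host's own ARP request

    def receive(self, frame: bytes, now: float) -> bool:
        """Gratuitous ARP learning; True if an existing entry was updated."""
        self._expire(now)
        arp = parse_arp(frame)
        if arp is None or not arp["gratuitous"]:
            return False
        if arp["sender_ip"] not in self.entries:
            return False
        self.entries[arp["sender_ip"]] = (arp["sender_mac"], now)
        return True

    def resolve(self, ip: str, now: float) -> Optional[str]:
        self._expire(now)
        return self.entries[ip][0] if ip in self.entries else None


def refresh_times(n_addresses: int, per_packet: float, interval: float,
                  until: float) -> List[float]:
    """Times at which the first address of the switch's traversal is sent.
    A cycle walks n_addresses at per_packet seconds each and the next cycle
    starts no sooner than `interval` after the previous one; with interval 0
    the traversal loops back-to-back and a small address set is refreshed far
    more often than any aging timer requires."""
    step = max(n_addresses * per_packet, interval)
    if step <= 0:
        raise ValueError("traversal would loop with no time between cycles")
    times, start = [], 0.0
    while start <= until:
        times.append(start)
        start += step
    return times


def gateway_entry_survives(aging_timer: float, interval: float,
                           horizon: float) -> bool:
    """Is the host's gateway entry still present at `horizon` when the gateway
    refreshes it every `interval` seconds? (constructed addresses)"""
    gw_mac, gw_ip = "00:e0:fc:00:00:01", "192.168.1.1"
    host = PassiveHostCache(aging_timer)
    host.learn_from_reply(gw_ip, gw_mac, 0.0)
    frame = build_gratuitous_arp(gw_mac, gw_ip)
    for t in refresh_times(1, 0.0, interval, horizon)[1:]:
        host.receive(frame, t)
    return host.resolve(gw_ip, horizon) is not None
```

`gateway_entry_survives(20.0, 15.0, 60.0)` is true and `gateway_entry_survives(20.0, 25.0, 60.0)` is false: the update interval has to be shorter than the host's aging timer or the entry is gone before the refresh arrives. The same `receive` path also shows the cost of gratuitous ARP learning: a gratuitous ARP for the gateway IP from any other MAC is accepted as an update too, which is why the attack detection feature described later in this chapter exists.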
Introduction to ARP Attack Detection
If an attacker sends an ARP message with a fake source IP address to a gateway,
the gateway adds the IP-to-MAC mapping to its ARP mapping table. The attacker
may send ARP messages to the gateway using every IP address of the network
segment as the source IP address, leaving the other devices unable to access
the network.
To guard against such attacks, Switch 7750 Ethernet switches support the ARP
attack detection feature. With this feature, you can limit the number of IP
addresses that may be bound to one MAC address in a VLAN. If a MAC address is
bound to more than the specified number of IP addresses, it is considered an
attacking MAC address. Consequently, all ARP messages with the attacking MAC
address as their source MAC address are discarded, unless the ARP request is
sent from the local device.
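The check described above, as an added example that is not 3Com code: a per-VLAN, per-source-MAC count of bound IP addresses, a MAC marked as attacking once it exceeds the limit, and a gateway table that learns only from the messages the check forwards. The limit of 3, the MAC and IP addresses and the sample traffic are constructed for the example; the real switch's limit value and exact matching rules are whatever its configuration sets.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpMessage:
    vlan: int
    src_mac: str     # source MAC of the ARP message
    sender_ip: str   # sender protocol address it claims
    op: int = ARP_REQUEST


class ArpAttackDetector:
    """Per VLAN, a source MAC may bind at most max_ips_per_mac IP addresses.
    Beyond that it is recorded as an attacking MAC and every later ARP
    message with that source MAC is discarded, except requests sent by the
    local device itself."""

    def __init__(self, max_ips_per_mac: int, local_macs: Iterable[str]):
        self.max_ips_per_mac = max_ips_per_mac
        self.local_macs = {m.lower() for m in local_macs}
        self.bindings: Dict[Tuple[int, str], Set[str]] = defaultdict(set)
        self.attacking: Set[Tuple[int, str]] = set()

    def check(self, msg: ArpMessage) -> str:
        """Return "forward" or "drop" for one ARP message."""
        mac = msg.src_mac.lower()
        if msg.op == ARP_REQUEST and mac in self.local_macs:
            return "forward"            # the local device's own requests pass
        key = (msg.vlan, mac)
        if key in self.attacking:
            return "drop"
        self.bindings[key].add(msg.sender_ip)
        if len(self.bindings[key]) > self.max_ips_per_mac:
            self.attacking.add(key)     # this message already exceeds the limit
            return "drop"
        return "forward"


class GatewayArpTable:
    """Gateway that learns an IP-to-MAC mapping from every ARP message it
    accepts, which is exactly what the sweep described above abuses."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[int, str], str] = {}   # (vlan, ip) -> mac

    def learn(self, msg: ArpMessage) -> None:
        self.table[(msg.vlan, msg.sender_ip)] = msg.src_mac.lower()


def run(messages: List[ArpMessage], max_ips_per_mac: int = 3,
        local_macs: Iterable[str] = ("00:e0:fc:00:00:01",)):
    """Pass messages through the detector and let the gateway learn from the
    ones that are forwarded; returns (verdicts, gateway table)."""
    detector = ArpAttackDetector(max_ips_per_mac, local_macs)
    gateway = GatewayArpTable()
    verdicts = []
    for msg in messages:
        verdict = detector.check(msg)
        verdicts.append(verdict)
        if verdict == "forward":
            gateway.learn(msg)
    return verdicts, gateway.table


# Constructed traffic: one legitimate host, one attacker sweeping the VLAN 10
# segment with spoofed sender IPs, the gateway's own request, and the same
# attacker MAC seen once in VLAN 20 (bindings are tracked per VLAN).
LEGIT, ATTACKER, GATEWAY = "00:11:22:33:44:55", "00:de:ad:be:ef:01", "00:e0:fc:00:00:01"
SAMPLE = (
    [ArpMessage(10, LEGIT, "10.0.10.20")]
    + [ArpMessage(10, ATTACKER, f"10.0.10.{i}", ARP_REPLY) for i in range(2, 8)]
    + [ArpMessage(10, LEGIT, "10.0.10.20"),
       ArpMessage(10, GATEWAY, "10.0.10.1"),
       ArpMessage(20, ATTACKER, "10.0.20.5", ARP_REPLY)]
)
```

With the limit at 3, `run(SAMPLE)` forwards the attacker's first three spoofed mappings and drops the rest, so the gateway table ends with six entries instead of nine. Two things to keep in mind when sizing the limit: the count is keyed on the source MAC, so an attacker who changes the source MAC for every message stays under any limit, and a legitimate host that really owns several addresses (a router, a virtualization host) will trip a limit set too low.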