4.2. The ARP Cache

The ARP Cache in network equipment, such as switches and firewalls, is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IPv4 addresses and Ethernet MAC addresses.

cOS Stream uses an ARP cache in exactly the same way as other network equipment. Initially, the cache is empty at startup and becomes populated with entries as traffic flows.

The typical contents of a minimal ARP Cache table might look similar to the following:

Type     IPv4 Address   MAC Address        Expires
Dynamic  192.168.0.10   08:00:10:0f:bc:a5  45
Dynamic  193.13.66.77   0a:46:42:4f:ac:65  136
Static   10.5.16.3      4a:32:12:6c:89:a4  -

The explanation for the table contents is as follows:

The arp Command

The CLI provides the arp command to view entries in the ARP cache. The simplest form is used to view all entries:
System:/> arp -show
Using the arp command with no parameters is equivalent to this. A specific interface name can be included to show just entries for that interface. For example, the following command would show cache entries just for the if1 interface:
System:/> arp -show if1
All options for this command are described in the separate Clavister NetShield Firewall CLI Reference Guide.

Example 4.1. Displaying the ARP Cache

This example displays all current ARP cache entries for all interfaces.

Command-Line Interface

System:/> arp -show

                            ARP Cache

Iface  Type     Address           HWaddress          Expiration
-----  -------  ----------------  -----------------  ----------
if1    Dynamic  192.168.10.200    00:50:56:2c:5f:5b         389
if2    Dynamic  192.168.20.1      00:50:56:d0:0f:01         580
if3    Dynamic  192.168.30.1      00:50:56:d0:00:03         487

The Expiration Value

The last column in the example table and CLI output, Expiration, indicates for how many more seconds the ARP entry will remain valid.

For example, the first entry in the above CLI output has an expiry value of 389 which means that this entry will be rendered invalid and removed from the ARP Cache in 389 seconds from the current time. If traffic needs to be sent to the IPv4 address 192.168.10.200 after expiration, cOS Stream will issue a new ARP request and update the cache with a new entry.

The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting ARPExpire.

Example 4.2. Changing the ARPExpire Setting

This example shows how to change the number of seconds for the ARPExpire setting.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPExpire=1800
Modified ARPTableSettings.

The advanced setting ARPExpireUnknown specifies how long cOS Stream will remember addresses that cannot be reached. This limit is needed to ensure that cOS Stream does not continuously send requests for such addresses. The default value for this setting is 3 seconds.

Example 4.3. Changing the ARPExpireUnknown Setting

This example shows how to change the number of seconds for the ARPExpireUnknown setting.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPExpireUnknown=6
Modified ARPTableSettings.

Flushing the ARP Cache

If a host in a network is replaced with new hardware and retains the same IP address then it will probably have a new MAC address. If cOS Stream still has the old ARP entry for the host in its ARP cache then that entry is now invalid, and Ethernet frames for the host will be sent to the old MAC address and never reach their destination.

After the ARP entry expiration time, cOS Stream will learn the new MAC address of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve this is by flushing the ARP cache. This deletes all dynamic ARP entries from the cache and forces cOS Stream to issue new ARP queries to discover the MAC/IP address mappings for connected hosts.

Flushing can be done with the CLI command arp -flush.

Example 4.4. Flushing the ARP Cache

This example shows how to flush the ARP Cache from within the CLI.

Command-Line Interface

System:/> arp -flush
ARP cache of all interfaces flushed.
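Reading the `arp -show` output from Example 4.1 and comparing two snapshots of it is one way to see the two situations this section describes: entries about to expire, and an address whose MAC changed after a hardware swap. The code below is an added example, not part of the Clavister documentation or product; the second snapshot is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample snapshots; they mimic the column layout of the arp -show output in Example 4.1.
SNAPSHOT_T0 = """\
Iface  Type     Address           HWaddress          Expiration
-----  -------  ----------------  -----------------   ----------
if1    Dynamic  192.168.10.200    00:50:56:2c:5f:5b         389
if2    Dynamic  192.168.20.1      00:50:56:d0:0f:01         580
if3    Dynamic  192.168.30.1      00:50:56:d0:00:03         487
"""
SNAPSHOT_T1 = """\
Iface  Type     Address           HWaddress          Expiration
-----  -------  ----------------  -----------------   ----------
if1    Dynamic  192.168.10.200    00:50:56:aa:bb:cc         900
if2    Dynamic  192.168.20.1      00:50:56:d0:0f:01         520
if4    Static   10.5.16.3         4a:32:12:6c:89:a4           -
"""

# One data row: interface, type, IPv4 address, MAC address, expiration (seconds or "-").
ROW = re.compile(r"^(\S+)\s+(Dynamic|Static)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+|-)$", re.I)

@dataclass(frozen=True)
class ArpEntry:
    iface: str
    kind: str
    address: str
    hwaddr: str
    expiration: Optional[int]   # None for static entries (shown as "-")

def parse_arp_show(text):
    """Return the data rows of an arp -show dump; title, header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, kind, addr, hw, exp = m.groups()
            entries.append(ArpEntry(iface, kind, addr, hw.lower(), None if exp == "-" else int(exp)))
    return entries

def expiring_within(entries, seconds):
    """Dynamic entries that will be dropped (and re-requested on next use) within `seconds`."""
    return [e.address for e in entries if e.expiration is not None and e.expiration <= seconds]

def changed_mappings(before, after):
    """Addresses whose MAC differs between two snapshots, e.g. after a host hardware swap."""
    old = {e.address: e.hwaddr for e in before}
    return {e.address: (old[e.address], e.hwaddr) for e in after
            if e.address in old and old[e.address] != e.hwaddr}
```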

The Size of the ARP Cache

By default, the ARP Cache is able to hold 4096 ARP entries at the same time. This is adequate for most situations but on rare occasions, such as when there are several very large LANs directly connected to the firewall, it may be necessary to adjust this value upwards. This can be done by modifying the ARPCacheSize property of the ARPTableSettings object.

Example 4.5. Changing the ARP Cache Size

This example shows how to change the size of the ARP cache to hold 8192 entries.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPCacheSize=8192
Modified ARPTableSettings.
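To make the interplay of ARPExpire, ARPExpireUnknown, arp -flush and ARPCacheSize concrete, here is a small model of a dynamic ARP cache written for this section. It is an added illustration, not cOS Stream code: the `resolver` hook stands in for sending an ARP request, and the behaviour of a full cache (the answer is simply not stored) is this model's assumption, not documented product behaviour.

```python
from typing import Dict, Optional, Tuple

# Defaults named in this section. The class is an illustrative model, not cOS Stream code.
ARP_EXPIRE = 900          # seconds a resolved dynamic entry stays valid
ARP_EXPIRE_UNKNOWN = 3    # seconds an unanswered lookup is remembered
ARP_CACHE_SIZE = 4096     # maximum number of entries held at once

class ArpCache:
    def __init__(self, expire=ARP_EXPIRE, expire_unknown=ARP_EXPIRE_UNKNOWN, size=ARP_CACHE_SIZE):
        self.expire, self.expire_unknown, self.size = expire, expire_unknown, size
        # address -> (MAC, or None for an unreachable host; expiry time, or None for static)
        self._entries: Dict[str, Tuple[Optional[str], Optional[float]]] = {}
        self.requests_sent = 0   # ARP requests actually put on the wire

    def add_static(self, address, mac):
        self._entries[address] = (mac, None)   # static entries never expire

    def _purge(self, now):
        for addr, (_, until) in list(self._entries.items()):
            if until is not None and until <= now:
                del self._entries[addr]

    def lookup(self, address, now, resolver):
        """MAC for address at time `now`; resolver(address) stands in for sending an ARP
        request and returns a MAC or None when nobody answers (assumed hook, not an API)."""
        self._purge(now)
        if address in self._entries:
            return self._entries[address][0]   # None here means "known unreachable", no new request
        self.requests_sent += 1
        mac = resolver(address)
        ttl = self.expire if mac is not None else self.expire_unknown
        # Model assumption: a full cache simply does not store the answer, so every
        # later lookup of that address costs another request until space frees up.
        if len(self._entries) < self.size:
            self._entries[address] = (mac, now + ttl)
        return mac

    def flush(self):
        """arp -flush equivalent: drop all dynamic entries, keep static ones."""
        self._entries = {a: e for a, e in self._entries.items() if e[1] is None}

    def expires_in(self, address, now):
        """Seconds left for a cached address (the Expiration column); None for static."""
        mac, until = self._entries[address]
        return None if until is None else until - now
```

Running the model with a cache size of 1 shows why an undersized ARPCacheSize matters: every lookup of the address that did not fit triggers another request.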

Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected network contains 500 IP addresses, the size of the ARP entry hash table should be at least 1000. The administrator can modify the setting ARPHashSize to reflect specific network requirements. The default value of this setting is 512.

Example 4.6. Changing the ARP Hash Size

This example shows how to change the ARP hash size.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPHashSize=1024
Modified ARPTableSettings.