Manual Chapter : Address Resolution Protocol

Applies To:

Show Versions Show Versions

BIG-IP DNS

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP PEM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP Analytics

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AFM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP ASM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP AAM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0

BIG-IP LTM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0
Manual Chapter

Address Resolution Protocol

Address Resolution Protocol on the BIG-IP system

The BIG-IP® system is a multi-layer network device, and as such, needs to perform routing functions. To do this, the BIG-IP system must be able to find destination MAC addresses on the network, based on known IP addresses. The way that the BIG-IP system does this is by supporting
Address Resolution Protocol (ARP)
, an industry-standard Layer 3 protocol.

What are the states of ARP entries?

When you use the BIG-IP Configuration utility to view the entries in the ARP cache, you can view the state of each entry:
RESOLVED
Indicates that the system has successfully received an ARP response (a MAC address) for the requested IP address within two seconds of initiating the request. An entry in a RESOLVED state remains in the ARP cache until the timeout period has expired.
INCOMPLETE
Indicates that the system has made one or more ARP requests within the maximum number of requests allowed, but has not yet received a response.
DOWN
Indicates that the system has made the maximum number of requests allowed, and still receives no response. In this case, the system discards the packet, and sends an ICMP host unreachable message to the sender. An entry with a DOWN state remains in the ARP cache until the first of these events occurs:
  • Twenty seconds elapse.
  • The BIG-IP system receives either a resolution response or a gratuitous ARP from the destination host. (A
    gratuitous ARP
    is an ARP message that a host sends without having been prompted by an ARP request.)
  • You explicitly delete the entry from the ARP cache.

About BIG-IP responses to ARP requests from firewall devices

The system does not respond to ARP requests sent from any firewall that uses a multicast IP address as its source address.

About gratuitous ARP messages

When dynamically updating the ARP cache, the BIG-IP system includes not only entries resulting from responses to ARP requests, but also entries resulting from gratuitous ARP messages.
For security reasons, the system does not fully trust gratuitous ARP entries. Consequently, if there is no existing entry in the cache for the IP address/MAC pair, and the BIG-IP system cannot verify the validity of the gratuitous ARP entry within a short period of time, the BIG-IP system deletes the entry.

Management of static ARP entries

You can manage static entries in the ARP cache in various ways.

Task summary

Adding a static ARP entry

Perform this task to add entries to the ARP cache on the BIG-IP system. Adding a static entry for a destination server to the ARP cache saves the BIG-IP system from having to send an ARP broadcast request for that destination server. This can be useful when you want the system to forward packets to a special MAC address, such as a shared MAC address, or you want to ensure that the MAC address never changes for a given IP address.
  1. On the Main tab, click
    Network
    ARP
    Static List
    .
  2. Click
    Create
    .
  3. In the
    Name
    field, type a name for the ARP entry.
  4. In the
    IP Address
    field, type the IP address with which you want to associate a MAC address.
  5. In the
    MAC Address
    field, type the MAC address that you want to associate with the specified IP address.
  6. Click
    Finished
    .
When the BIG-IP system must forward packets to the specified IP address, the system checks the ARP cache to find the MAC address. The system then checks the VLAN’s Layer 2 forwarding table to determine the appropriate outgoing interface.

Viewing static ARP entries

Perform this task to view static entries in the ARP cache.
  1. On the Main tab, click
    Network
    ARP
    Static List
    .
  2. View the list of static ARP entries.
You can now see all static entries in the ARP cache.

Deleting static ARP entries

Perform this task to delete a static entry from the ARP cache.
  1. On the Main tab, click
    Network
    ARP
    Static List
    .
  2. Locate the entry you want to delete, and to the left of the entry, select the check box.
  3. Click
    Delete
    .
    A confirmation message appears.
  4. Click
    Delete
    .
The deleted entry is no longer in the BIG-IP system ARP cache.

Management of dynamic ARP entries

You can manage dynamic entries in the ARP cache in various ways.

Task summary

Viewing dynamic ARP entries

Perform this task to view dynamic entries in the ARP cache.
  1. On the Main tab, click
    Network
    ARP
    Dynamic List
    .
  2. View the list of dynamic ARP entries.
You can now see the list of dynamic ARP entries.

Deleting dynamic ARP entries

Perform this task to delete a dynamic entry from the ARP cache.
  1. On the Main tab, click
    Network
    ARP
    Dynamic List
    .
  2. Locate the entry you want to delete and, to the left of the entry, select the check box.
  3. Click
    Delete
    .
    A confirmation message appears.
  4. Click
    Delete
    .
The deleted entry is no longer in the BIG-IP system ARP cache.

Configuring global options for dynamic ARP entries

Perform this task to apply global options to all dynamic ARP entries.
  1. On the Main tab, click
    Network
    ARP
    Options
    .
  2. In the
    Dynamic Timeout
    field, specify a value, in seconds.
    The seconds begin to count down toward
    0
    for any dynamically-added entry. When the value reaches
    0
    , the BIG-IP system automatically deletes the entry from the cache. If the entry is actively being used as the time approaches
    0
    , ARP attempts to refresh the entry by sending an ARP request.
  3. In the
    Maximum Dynamic Entries
    field, specify a maximum number of entries.
    Configure a value large enough to maintain entries for all directly-connected hosts with which the BIG-IP system must communicate. If you have more than 2000 hosts that are directly connected to the BIG-IP system, you should specify a value that exceeds the default value of
    2048
    .
    If the number of dynamic entries in the cache reaches the limit that you specified, you can still add static entries to the cache. This is possible because the system can remove an older dynamic entry prematurely to make space for a new static entry that you add.
  4. In the
    Request Retries
    field, specify the number of times that the system can resend an ARP request before marking the host as unreachable.
  5. For the
    Reciprocal Update
    setting, select or clear the check box to enable or disable the setting.
    Enabled
    Creates an entry in the ARP cache whenever the system receives who-has packets from another host on the network. When you enable this option, you slightly enhance system performance by eliminating the need for the BIG-IP system to perform an additional ARP exchange later.
    Disabled
    Prevents a malicious action known as ARP poisoning.
    ARP poisoning
    occurs when a host is intentionally altered to send an ARP response containing a false MAC address.
  6. Click
    Update
    .
The BIG-IP system now applies these values to all dynamic ARP entries.

Global options for dynamic ARP cache entries

You can configure a set of global options for controlling dynamic ARP cache entries.
Global options for dynamic ARP entries
Option
Description
Dynamic Timeout
Specifies the maximum number of seconds that a dynamic entry can remain in the ARP cache before the BIG-IP system automatically removes it.
Maximum Dynamic Entries
Limits the number of dynamic entries that the BIG-IP system can hold in the ARP cache at any given time. This setting has no effect on the number of static entries that the ARP cache can hold.
Request Retries
Specifies the number of times that the BIG-IP system resends an ARP request before finally marking the host as unreachable.
Reciprocal Update
Enables the BIG-IP system to store additional information, which is information that the system learns as a result of other hosts on the network sending ARP broadcast requests to the BIG-IP system.