Manual Chapter : Address Resolution Protocol

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 12.1.0

BIG-IP APM

  • 12.1.0

BIG-IP Link Controller

  • 12.1.0

BIG-IP Analytics

  • 12.1.0

BIG-IP LTM

  • 12.1.0

BIG-IP PEM

  • 12.1.0

BIG-IP AFM

  • 12.1.0

BIG-IP DNS

  • 12.1.0

BIG-IP ASM

  • 12.1.0
Manual Chapter

Address Resolution Protocol

Address Resolution Protocol on the BIG-IP system

The BIG-IP® system is a multi-layer network device, and as such, needs to perform routing functions. To do this, the BIG-IP system must be able to find destination MAC addresses on the network, based on known IP addresses. The way that the BIG-IP system does this is by supporting Address Resolution Protocol (ARP), an industry-standard Layer 3 protocol.

What are the states of ARP entries?

When you use the BIG-IP Configuration utility to view the entries in the ARP cache, you can view the state of each entry:

RESOLVED
Indicates that the system has successfully received an ARP response (a MAC address) for the requested IP address within two seconds of initiating the request. An entry in a RESOLVED state remains in the ARP cache until the timeout period has expired.
INCOMPLETE
Indicates that the system has made one or more ARP requests within the maximum number of requests allowed, but has not yet received a response.
DOWN
Indicates that the system has made the maximum number of requests allowed, and still receives no response. In this case, the system discards the packet, and sends an ICMP host unreachable message to the sender. An entry with a DOWN state remains in the ARP cache until the first of these events occurs:
  • Twenty seconds elapse.
  • The BIG-IP system receives either a resolution response or a gratuitous ARP from the destination host. (A gratuitous ARP is an ARP message that a host sends without having been prompted by an ARP request.)
  • You explicitly delete the entry from the ARP cache.

About BIG-IP responses to ARP requests from firewall devices

The system does not respond to ARP requests sent from any firewall that uses a multicast IP address as its source address.

About gratuitous ARP messages

When dynamically updating the ARP cache, the BIG-IP system includes not only entries resulting from responses to ARP requests, but also entries resulting from gratuitous ARP messages.

For security reasons, the system does not fully trust gratuitous ARP entries. Consequently, if there is no existing entry in the cache for the IP address/MAC pair, and the BIG-IP system cannot verify the validity of the gratuitous ARP entry within a short period of time, the BIG-IP system deletes the entry.

Management of static ARP entries

You can manage static entries in the ARP cache in various ways.

Task summary

Adding a static ARP entry

Perform this task to add entries to the ARP cache on the BIG-IP system. Adding a static entry for a destination server to the ARP cache saves the BIG-IP system from having to send an ARP broadcast request for that destination server. This can be useful when you want the system to forward packets to a special MAC address, such as a shared MAC address, or you want to ensure that the MAC address never changes for a given IP address.
  1. On the Main tab, click Network > ARP > Static List .
  2. Click Create.
  3. In the Name field, type a name for the ARP entry.
  4. In the IP Address field, type the IP address with which you want to associate a MAC address.
  5. In the MAC Address field, type the MAC address that you want to associate with the specified IP address.
  6. Click Finished.
When the BIG-IP system must forward packets to the specified IP address, the system checks the ARP cache to find the MAC address. The system then checks the VLAN’s Layer 2 forwarding table to determine the appropriate outgoing interface.

Viewing static ARP entries

Perform this task to view static entries in the ARP cache.
  1. On the Main tab, click Network > ARP > Static List .
  2. View the list of static ARP entries.
You can now see all static entries in the ARP cache.

Deleting static ARP entries

Perform this task to delete a static entry from the ARP cache.
  1. On the Main tab, click Network > ARP > Static List .
  2. Locate the entry you want to delete, and to the left of the entry, select the check box.
  3. Click Delete.
    A confirmation message appears.
  4. Click Delete.
The deleted entry is no longer in the BIG-IP system ARP cache.

Management of dynamic ARP entries

You can manage dynamic entries in the ARP cache in various ways.

Task summary

Viewing dynamic ARP entries

Perform this task to view dynamic entries in the ARP cache.
  1. On the Main tab, click Network > ARP > Dynamic List .
  2. View the list of dynamic ARP entries.
You can now see the list of dynamic ARP entries.

Deleting dynamic ARP entries

Perform this task to delete a dynamic entry from the ARP cache.
  1. On the Main tab, click Network > ARP > Dynamic List .
  2. Locate the entry you want to delete and, to the left of the entry, select the check box.
  3. Click Delete.
    A confirmation message appears.
  4. Click Delete.
The deleted entry is no longer in the BIG-IP system ARP cache.

Configuring global options for dynamic ARP entries

Perform this task to apply global options to all dynamic ARP entries.

  1. On the Main tab, click Network > ARP > Options .
  2. In the Dynamic Timeout field, specify a value, in seconds.
    The seconds begin to count down toward 0 for any dynamically-added entry. When the value reaches 0, the BIG-IP system automatically deletes the entry from the cache. If the entry is actively being used as the time approaches 0, ARP attempts to refresh the entry by sending an ARP request.
  3. In the Maximum Dynamic Entries field, specify a maximum number of entries.
    Configure a value large enough to maintain entries for all directly-connected hosts with which the BIG-IP system must communicate. If you have more than 2000 hosts that are directly connected to the BIG-IP system, you should specify a value that exceeds the default value of 2048.
    If the number of dynamic entries in the cache reaches the limit that you specified, you can still add static entries to the cache. This is possible because the system can remove an older dynamic entry prematurely to make space for a new static entry that you add.
  4. In the Request Retries field, specify the number of times that the system can resend an ARP request before marking the host as unreachable.
  5. For the Reciprocal Update setting, select or clear the check box to enable or disable the setting.
    Option Description
    Enabled Creates an entry in the ARP cache whenever the system receives who-has packets from another host on the network. When you enable this option, you slightly enhance system performance by eliminating the need for the BIG-IP system to perform an additional ARP exchange later.
    Disabled Prevents a malicious action known as ARP poisoning. ARP poisoning occurs when a host is intentionally altered to send an ARP response containing a false MAC address.
  6. Click Update.
The BIG-IP system now applies these values to all dynamic ARP entries.

Global options for dynamic ARP cache entries

You can configure a set of global options for controlling dynamic ARP cache entries.

Table 1. Global options for dynamic ARP entries
Option Description
Dynamic Timeout Specifies the maximum number of seconds that a dynamic entry can remain in the ARP cache before the BIG-IP system automatically removes it.
Maximum Dynamic Entries Limits the number of dynamic entries that the BIG-IP system can hold in the ARP cache at any given time. This setting has no effect on the number of static entries that the ARP cache can hold.
Request Retries Specifies the number of times that the BIG-IP system resends an ARP request before finally marking the host as unreachable.
Reciprocal Update Enables the BIG-IP system to store additional information, which is information that the system learns as a result of other hosts on the network sending ARP broadcast requests to the BIG-IP system.