
Today we received an email from our ISP saying they are performing maintenance on their network, so if you have HSRP connectivity with them, you need to clear the ARP table or reduce the ARP timeout.

We do have HSRP connectivity with our ISP, and the following is where I got confused.

```
#show mac address-table aging-time
Vlan    Aging Time  Configured Aging Time
----    ----------  ---------------------
Global Vlan Admin Age: 300
   1    300         300
   2    300         300
```

On the interface: ARP timeout 4 hours

```
#sh int te1/50
TenGigabitEthernet1/50 is up, line protocol is up (connected)
  Hardware is Ten Gigabit Ethernet Port, address is 68ef.bd75.7370 (bia 68ef.bd75.7370)
  Description: ISP_A
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 33/255, rxload 36/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Gb/s, link type is auto, media type is 10GBase-LR
  input flow-control is on, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
```

  • What are those two timeouts?
  • The documentation says you should keep the CAM timeout and ARP timeout equal, but how?
  • When the ISP says you should reduce the ARP timeout, does that mean only for the specific interface which is connected to their router, or the whole switch?
Ron Maupin
Satish

1 Answer


What the ISP means is that as they make changes, you may lose connectivity for a time because the ARP table entries your router has with them will not match the changes it is making. If you reduce the ARP timeout, you reduce the time you may have lost connectivity.

You really only need to change arp timeout on the interface used to connect to the ISP.

```
Router(config)# interface Ethernet0/0
 arp timeout <seconds>
```

The ARP timeout deals with the amount of time an ARP (layer-3 to layer-2 address resolution) entry remains in the ARP table before it is aged away.

The CAM table used by a switch deals with the MAC address to interface resolution. Layer-2 switches don't care about layer-3 or layer-3 addresses, so they don't use ARP, but they do care about which interface should be used for a MAC address, so they have a table to resolve that.

These two tables deal with very different things. It may be desirable, on a layer-3 switch, to keep the two tables coordinated. The switch CAM timeout is set by:

```
mac address-table aging-time <seconds>
```
Ron Maupin
  • I heard they are replacing hardware, so I am assuming they will shift traffic from the A to the B (HSRP) router. Is there any downtime if I set `arp timeout` right now? What value should I use? `300`? – Satish Feb 24 '17 at 17:40
  • Changing the timeout doesn't cause any disconnection. I really don't know the correct value, maybe the ISP has a recommendation. 300 seconds is five minutes. – Ron Maupin Feb 24 '17 at 17:44
  • I suspect that the ISP is changing their configuration such that the actual hardware address of the gateway is changing. The issue is that until the table times out, your router won't re-ARP. The duration between when this change occurs and when the timer hits will manifest as an outage. If this is the case you could honestly leave the timer alone and just clear the ARP table manually. The other point is that, under normal circumstances, lowering this timer will just drive up background traffic CPU utilization without providing much in the way of ongoing benefit. – rnxrx Feb 25 '17 at 04:04
  • @rnxrx But what happens in the middle of the night if the ISP router blows up? In that case, will my HSRP `arp` take 4 hours to fail over? – Satish Feb 26 '17 at 21:20
  • No. The issue is that the virtual address that HSRP puts up will be changing. Once the new HSRP address has been installed then the fail-over times will be the same as before. What they are trying to avoid is a one-time outage caused by the changing address, not an ongoing issue. – rnxrx Feb 26 '17 at 21:34
  • @rnxrx I am confused. You are saying that if someone cuts one leg, `A`, then my `VIP IP` will immediately go to `B`, right? It won't wait for the `4 hour` ARP timeout, right? That's all I want to know. – Satish Feb 27 '17 at 16:21
  • That is really going to depend on what, exactly, the implementation plan is. If only one router is replaced, then that would be correct, but if both routers are replaced within the time period, then you could have a problem. It could be that both are replaced within four hours, but it is unlikely that both would be replaced in a much shorter time period. That is probably why the ISP is telling you to set the ARP timeout to something lower. – Ron Maupin Feb 27 '17 at 16:24
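
An added example, not part of the original question or answer: a small Python check that reads the two command outputs quoted in the question and reports where the interface ARP timeout is longer than the CAM aging time, which is the coordination the answer mentions. The sample text is constructed from the output shown above, the function names are hypothetical, and because the outputs do not say which VLAN an interface belongs to, every interface is compared against every VLAN.

```python
import re

# Constructed sample input, modelled on the two outputs quoted in the question.
SHOW_INTERFACE = """\
TenGigabitEthernet1/50 is up, line protocol is up (connected)
  Description: ISP_A
  ARP type: ARPA, ARP Timeout 04:00:00
"""
SHOW_MAC_AGING = """\
Vlan    Aging Time  Configured Aging Time
----    ----------  ---------------------
Global Vlan Admin Age: 300
   1    300         300
   2    300         300
"""

def arp_timeouts(text):
    """Map interface name -> ARP timeout in seconds ('show interfaces' output)."""
    result, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\S+) is .*line protocol is", line)
        if header:
            current = header.group(1)  # unindented line starts a new interface
        found = re.search(r"ARP Timeout (\d+):(\d+):(\d+)", line)
        if found and current:
            hours, minutes, seconds = map(int, found.groups())
            result[current] = hours * 3600 + minutes * 60 + seconds
    return result

def cam_aging(text):
    """Map VLAN id -> aging time in seconds ('show mac address-table aging-time')."""
    rows = re.findall(r"^\s*(\d+)\s+(\d+)\s+\d+\s*$", text, re.MULTILINE)
    return {int(vlan): int(age) for vlan, age in rows}

def compare(arp, cam):
    """List (interface, vlan, arp_s, cam_s) where the ARP entry outlives the CAM entry.
    Assumption: interface-to-VLAN membership is unknown, so all pairs are checked."""
    return [(intf, vlan, arp_s, cam_s)
            for intf, arp_s in sorted(arp.items())
            for vlan, cam_s in sorted(cam.items()) if arp_s > cam_s]

if __name__ == "__main__":
    for intf, vlan, arp_s, cam_s in compare(arp_timeouts(SHOW_INTERFACE),
                                            cam_aging(SHOW_MAC_AGING)):
        print(f"{intf}: ARP timeout {arp_s}s > CAM aging {cam_s}s on VLAN {vlan}")
```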