Configuring Static ARP for Unicast Traffic
A static Address Resolution Protocol (ARP) entry is a permanent entry in your ARP cache. You can create mappings between IP addresses and MAC addresses (called static ARP entries), which can remain active without aging out for the specified time. Netvisor ONE enables you to create static ARP entries for security and troubleshooting purposes.
One use case for static ARP table entries is to keep the Layer 2 and Layer 3 entries active for select hosts (IP addresses) even if those hosts do not send traffic very often. Another reason to add a static ARP entry is when two hosts communicate regularly and you want a binding between the MAC address and the IP address of the hosts.
Note: You must create a vRouter interface on the switch to send ARP requests and enable ARP binding.
The static ARP binding is established only after the first ARP packet is communicated (received and replied) between the vRouter and the host. Thereafter, the binding is kept permanent by the exchange of ARP requests and replies, as in the case of host refresh requests.
Note: You can enable a static ARP on a Layer 3 entry only if the Layer 3 entry is active (see l3-table-show output below).
To create a static ARP entry using a MAC address, use the command:
CLI (network-admin@switch) > static-arp-create scope [local|cluster|fabric] mac mac-address ip ip-address
- static-arp-create: Creates a unique static ARP entry.
- scope [local|cluster|fabric]: Specify the scope. A static entry with scope cluster or fabric creates a static ARP entry configuration on one switch and enables the static flag for the Layer 3 entry in the L3 table for all the other switches in the fabric or cluster.
- mac mac-address: Unicast MAC address to bind with the IP address of the host.
- ip ip-address: IP address of the host to bind with the MAC address.
- vlan/vxlan (optional keywords): Specify the VLAN ID or VXLAN name for the static ARP entry configuration. You can specify either VLAN or VXLAN, but not both in the same configuration (both are optional parameters in establishing a static ARP entry).
For the static ARP entries to be functional, you must have an active Layer 2 entry and a corresponding Layer 3 entry in the system.
After configuring the static ARP entry using the above CLI command, follow these tasks to ensure a working configuration:
- Check the matching Layer 3 entry (i.e., the host interface IP address and MAC address) on the switch.
  - If there is no information available, no action is required. You can view the details using the static-arp-show command.
  - If a matching Layer 3 entry is found, that entry is marked with a static flag and you can verify this using the l3-table-show ip <ip-address> mac <mac-address> command.
- When the Layer 3 entry age-out timer expires, the static Layer 3 entries are kept alive by a forced ARP refresh. That is, the vRouter sends an ARP request to the host, and when an ARP reply is received, the L3 entry is refreshed and remains active. This ARP reply ensures that the Layer 2 entry is refreshed, thereby keeping the Layer 3 entry active and the static ARP binding intact.
- If no ARP reply is received (when the port is down), the Layer 2 entry ages out and the corresponding Layer 3 entry also ages out, but the static flag stays on the Layer 3 entry.
- If the ARP replies are received on a different port for the same IP address or MAC address (a MAC move), the previous Layer 2 entry is modified with the new port details, which reactivates the previous Layer 3 entry and sends out the ARP refresh messages.
- When the Layer 2 entry age-out timer expires, it deactivates the Layer 2 entry and the corresponding Layer 3 entry.
Note: While configuring static ARP, ensure that:
- the IP address is not 0.0.0.0 or :: for IPv6 addresses.
- the IP address is not multicast or broadcast.
- the MAC is unicast only.
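The three constraints in the note can be checked before a binding reaches the switch. The following is an added example, not Netvisor ONE code: the function names and the optional subnet argument are assumptions, and the generated line follows the static-arp-create syntax shown earlier.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")
SCOPES = ("local", "cluster", "fabric")


def check_binding(ip, mac, subnet=None):
    """Return the reasons a binding breaks the note's rules (empty list = OK).

    subnet (e.g. "10.1.1.0/24") is optional; without it only the limited
    broadcast 255.255.255.255 can be recognised as a broadcast address.
    """
    problems = []
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        addr = None
        problems.append("invalid IP address")
    if addr is not None:
        if addr.is_unspecified:
            problems.append("IP is unspecified (0.0.0.0 or ::)")
        if addr.is_multicast:
            problems.append("IP is multicast")
        if addr.version == 4:
            bcasts = {ipaddress.IPv4Address("255.255.255.255")}
            if subnet:
                bcasts.add(ipaddress.ip_network(subnet).broadcast_address)
            if addr in bcasts:
                problems.append("IP is broadcast")
    if not MAC_RE.match(mac):
        problems.append("invalid MAC address")
    elif int(mac[:2], 16) & 1:
        # I/G bit set in the first octet: multicast or broadcast MAC
        problems.append("MAC is not unicast")
    return problems


def create_command(ip, mac, scope="local", subnet=None):
    """Build the static-arp-create line, or raise if the binding is invalid."""
    if scope not in SCOPES:
        raise ValueError("scope must be local, cluster or fabric")
    problems = check_binding(ip, mac, subnet)
    if problems:
        raise ValueError("; ".join(problems))
    return f"static-arp-create scope {scope} mac {mac} ip {ip}"
```

Passing the host's subnet lets the check catch a directed broadcast address such as 10.1.1.255 in 10.1.1.0/24, which cannot be recognised from the address alone.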
To delete a static ARP entry, use the command:
CLI (network-admin@switch) > static-arp-delete ip ip-address
When you delete the static ARP configuration, the static flag is cleared from the corresponding Layer 3 entry. In cases where there are multiple static ARP entries within the same VLAN, you must use specific parameters to delete the static ARP entry. For example, in such cases, include the required parameters in the command:
CLI (network-admin@switch) > static-arp-delete ip ip-address mac mac-address vlan/vxlan
To view the details, use the command:
CLI (network-admin@switch) > static-arp-show scope [local|cluster|fabric] mac mac-address ip ip-address
Below is a sample configuration for creating static ARP using the commands described earlier in this section. To create a static ARP binding between the host IP address 172.179.1.120 and the host MAC address 00:12:c0:88:0c:1d, use the command:
CLI (network-admin@switch) > static-arp-create ip 172.148.0.0 mac 00:12:00:88:0c:00
CLI (network-admin@switch) > static-arp-show scope local ip 172.148.0.0
switch  scope  ip           mac
------- ------ ------------ --------------------
switch  local  172.148.0.0  00:12:00:88:0c:00
When the host is actively sending ARP replies, the show command displays:
CLI (network-admin@switch) > l3-table-show ip 172.148.0.0 format all show-interval 1 layout vertical
mac: 00:12:00:88:0c:00
ip: 172.148.0.0
vlan: 4092
intf: 29
hw-intf: 29
rt-if: eth1.4092
state: active,static
egress-id: 100008
hit: 1
When the static ARP entry is removed, the show output displays:
CLI (network-admin@switch) > l3-table-show ip 172.148.0.0 format all show-interval 1 layout vertical
mac: 00:12:00:88:0c:00
ip: 172.148.0.0
vlan: 4092
intf: 29
hw-intf: 29
rt-if: eth1.4092
state: active
egress-id: 100008
hit: 23
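To confirm that every intended binding actually carries the static flag, the vertical l3-table-show output can be compared against the list of expected IP-to-MAC pairs. The following is an added example, not Netvisor ONE code: the function names, the rule that a repeated key starts the next entry, and the second sample entry are assumptions.

```python
def parse_vertical(text):
    """Split vertical 'key: value' output into one dict per entry (a repeated key starts a new entry)."""
    records, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if not sep:
            continue  # prompt lines, blanks, anything that is not 'key: value'
        if key in current:
            records.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        records.append(current)
    return records


def audit(expected, l3_text):
    """Compare intended bindings {ip: mac} with L3 entries; return (ip, finding) tuples."""
    by_ip = {r.get("ip"): r for r in parse_vertical(l3_text)}
    findings = []
    for ip, mac in expected.items():
        entry = by_ip.get(ip)
        if entry is None:
            findings.append((ip, "no L3 entry"))
            continue
        flags = set(entry.get("state", "").split(","))
        if entry.get("mac", "").lower() != mac.lower():
            findings.append((ip, "MAC differs: " + entry.get("mac", "")))
        if "static" not in flags:
            findings.append((ip, "static flag missing"))
        if "active" not in flags:
            findings.append((ip, "entry not active"))
    return findings


# First entry trimmed from the sample output above; the second is constructed.
SAMPLE = """\
mac: 00:12:00:88:0c:00
ip: 172.148.0.0
state: active,static
mac: 00:12:00:88:0c:99
ip: 172.148.0.1
state: active
"""
# Constructed list of intended bindings.
EXPECTED = {"172.148.0.0": "00:12:00:88:0c:00",
            "172.148.0.1": "00:12:00:88:0c:01",
            "172.148.0.2": "00:12:00:88:0c:02"}
```

An empty result from audit() means each binding is present, points at the expected MAC, and is flagged both active and static.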