Solved

switch and ARP question

Posted on 2006-11-15
13
624 Views
Last Modified: 2008-02-20
Here's a situation, our network has an Extreme BlackDiamond box. And all the switches on the network are Extreme switches. We also run vlans through the network.

Recently we purchased a device which seems to die after a while on the network (yes, on a vlan). You can't ping it after an hour and all network connectivity ends. Computers, printers and so on do not have this problem, except this device. And after much testing we determined that it's not the vlan but the device that was causing this.

We talked to the manufacturer and they issued an XML configuration file to us to load on the device. I took a look at the XML file and all it does is tell the device to do a gratuitous arp every 2 mins. The manufacturer tells me that this arp will keep the arp cache updated in the switch with the device Mac.

Now that the file has been loaded the device functions perfectly fine with no issues on the network.


I had a chance to talk to one of our network consultants about this and he tells me that none of the switches keep an arp table and that the manufacturer is lying and that it's something else. But ever since we did the upload the unit has been working fine with no issues.

So part of what he says makes sense because when we were testing the unit, we had a continuous ping going from a pc to the device and it still timed out eventually. But if what our consultants say is true then how do you explain the arp keeping the clock alive on the network?



Question by:iamuser
13 Comments
 
LVL 8

Accepted Solution

by:
saw830 earned 250 total points
ID: 17950609
Hi iamuser,

I'm not familiar with the brands you are talking about, but I tend to agree with your consultant regarding ARP tables on switches.  Switches do have MAC to Port tables, but not MAC to IP Address tables (at least usually, but someone will probably come along and prove me wrong here).

But that's about as far as I'll go with agreeing with the consultant, and saying that a manufacturer is lying without being able to explain why it fixes something is a bold thing.

My thoughts based on what I've understood?  I expect that the ARP Cache isn't the issue, but I expect that the manufacturer is having a problem keeping something from timing out (going to sleep) and is using the ARP Cache timer to keep it awake by keeping it busy or perhaps by quietly causing a port or protocol reset.

Hope this helps,
Alan
0
 

Author Comment

by:iamuser
ID: 17950645
so while a ping from a machine to the device won't keep it alive, an arp coming from the device to the network will keep the device alive?

in general what protocol or network issues would cause this to happen on a device?

0
 
LVL 25

Assisted Solution

by:Cyclops3590
Cyclops3590 earned 250 total points
ID: 17950747
icmp packets are generally processed by the nic itself and thus the machine's os/firmware/whatever never really has to worry about it.  Could be the arp from the device makes it process stuff like saw830 is talking about and thus it can't timeout

BTW, the manufacturer wasn't exactly lying about the arp table on the switch.  It's mostly a semantics thing.  Many people use mac table (found on L2 devices) and arp tables (found on L3 devices) interchangeably even though they are actually different things, just both happen to map MAC addresses to something.
0
 

Author Comment

by:iamuser
ID: 17950845
but a layer 3 switch would have both I assume right?
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17950928
not really.  again this is mostly semantics.

MAC Table

MAC           Port
-----------      -----------
XXXX          Fa0/1
YYYY          Fa0/10

ARP Table

MAC          IP
---------       -------------
XXXX       192.168.1.1
YYYY       192.168.1.2

L3 device's version of MAC Table, or a routing table

Subnet                  Interface
----------------            -------------------------
192.168.1.0/24      eth0
0/0                         eth1

So a mac table tells an L2 device which port to forward the packet out of, an arp table tells an L3 device which mac address to communicate to for a given IP, and the routing table tells the L3 device which of its interfaces to go out to communicate to that mac address.
0
 

Author Comment

by:iamuser
ID: 17950960
I assume that all devices including pc's do an arp/broadcast out to the network from time to time to let the layer 2, layer 3 switches, other devices know that they exist on the network. If they didn't, the arp table would be cleared out, right? I mean the arp table isn't there for weeks or even hours on a switch or router.
0
 
LVL 8

Expert Comment

by:saw830
ID: 17951044
Hi all,

Cyclops3590 -  wouldn't the router need to know the arp translation for 192.168.1.5 (another router in the same subnet) so that the packet could be forwarded?  Or is this the difference between a L3 switch and a Router?

Switches learn about MAC addresses on their ports by hearing responses from those devices.  When a switch is powered up (or has otherwise freshly cleared its arp cache) it broadcasts all messages on all ports.  As devices begin answering those messages the switch learns about them and stops broadcasting messages to those devices.

Want to see how this can fall over?  Connect two hubs to two ports on a switch.  Connect a pc to the switch, and connect another pc or whatever into one of the hubs.  Using the PC (on the switch), talk to the device (a ping is enough) and note that the first packet is sent out all ports until the device answers.  The switch has not found the device connected through a hub.  Now unplug the device from the hub and connect it to the other hub (the hubs keep the switch from seeing the port change).  Talk to the device again.  The device will not hear the message because the switch will be sending the message to the old port.

I don't know how long this will remain, but I believe that items do expire from ARP caches but I don't know how fast.
0
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17951047
arp timeouts can vary.  However, if I remember right, the devices don't technically broadcast out the way I believe you're thinking.  For example, you have device A, B, and C.  A pings C.  A sends an arp broadcast out asking who is <ip address of C>.  C sees that packet and tells A its mac info so that A can now talk to C.  A and C now have each other's information in their arp table cached for so long (since you don't know how long a MAC to IP mapping is good for it needs to expire to keep things accurate).  However B knows nothing of A or C.  Also, the switch should now know of A and C. If A pings B, then A knows of B and C, B knows of A, and C knows of A, but B and C don't know of each other yet.  And the switch should now know of all three.  Keep in mind that switches learn mac addresses via source addresses in L2 packets.  This is the only trustworthy way of knowing where devices are at (yes, macs can be spoofed, but it's still a far more accurate method learning by source than destination address).

This is typically why switches' mac table entries generally expire after a fairly short while, because they see so many host addresses.  Some devices are on the order of minutes, some hours.  But generally I would think you're looking at under 30 minutes for most all devices.  However that's just from my experience.  I could be full of it as well.
0
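An added example, not part of any post in this thread: a small simulation of the source-address learning and aging that Cyclops3590 and saw830 describe. The 300-second aging time, the port numbers, the MAC addresses and the device that never answers pings are all constructed assumptions, not values from the thread or from any vendor.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
PC, DEV = "00:00:00:00:00:01", "00:00:00:00:00:02"   # constructed MAC addresses

@dataclass
class LearningSwitch:
    ports: tuple
    aging: int = 300                            # assumed aging time, seconds
    table: dict = field(default_factory=dict)   # MAC -> (port, last seen)

    def expire(self, now):
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.aging}

    def receive(self, now, in_port, src, dst):
        """Handle one frame and return the ports it is sent out of."""
        self.expire(now)
        self.table[src] = (in_port, now)        # learned from the SOURCE address only
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]   # unknown or broadcast: flood

def silent_device(garp_every=None, duration=900):
    """PC (port 1) pings a device (port 2) that never answers, once a minute.
    Returns (times the ping had to be flooded, device still in the table?)."""
    sw = LearningSwitch(ports=(1, 2, 3))
    sw.receive(0, 2, DEV, BROADCAST)            # device speaks once at boot
    flooded = []
    for now in range(1, duration + 1):
        if garp_every and now % garp_every == 0:
            sw.receive(now, 2, DEV, BROADCAST)  # gratuitous ARP: broadcast sourced by DEV
        if now % 60 == 0 and sw.receive(now, 1, PC, DEV) != [2]:
            flooded.append(now)
    sw.expire(duration)
    return flooded, DEV in sw.table

def moved_behind_hubs():
    """saw830's test: the device moves from the hub on port 2 to the hub on port 3."""
    sw = LearningSwitch(ports=(1, 2, 3))
    sw.receive(0, 2, DEV, BROADCAST)
    stale = sw.receive(10, 1, PC, DEV)          # still sent to the old port
    sw.receive(11, 3, DEV, BROADCAST)           # first frame from the device relearns it
    return stale, sw.receive(12, 1, PC, DEV)

if __name__ == "__main__":
    print(silent_device(), silent_device(garp_every=120), moved_behind_hubs())
```

Frames addressed to the device never refresh its entry; only frames it sends do, which is why a 120-second broadcast from the device keeps the entry present in this model.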
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 17951075
>>Cyclops3590 -  wouldn't the router need to know that the arp translation for 192.168.1.5 (another router in the same subnet) so that the
>>packet could be forwarded?  Or is this the difference between a L3 switch and a Router?
same method.  router A thru its routing table knows the next hop is 192.168.1.5.  sends arp request to see who has 192.168.1.5.  gets that answer and forwards the packet via that mac address.  That is why I say the mac table for a switch (L2 device) is like the routing table of a router (L3 device).  It is used for routing/switching(that's a whole new semantics issue of which I'm not getting into) purposes only.
0
 
LVL 8

Expert Comment

by:saw830
ID: 17951150
okay... firstly, my last post is a classic example of why not to try doing two things at once.....

to wit:

Firstly, the paragraph that starts with "Cyclops3590" was intended for Cyclops3590, but the following paragraphs were actually intended for iamuser.  I forgot to show that when I typed it.

Secondly, I kept referring to the ARP cache on the switch, which L2 switches don't actually have, since they don't give a hoot about IP addresses (management consoles aside).  They do have a MAC address to "last known port" lookup table.  And Cyclops3590 is correct that they learn from looking at the packets coming through.

sorry for the confusion....
0
 
LVL 27

Expert Comment

by:pseudocyber
ID: 17955571
If you're capable, here's a test you could do.

Change the device back the way it was - without the gratuitous ARP.
Put in a static arp entry on a PC on the SAME layer 2 net/vlan like this:
   arp -s 157.55.85.212   00-aa-00-62-c6-09  .... Adds a static entry.
Then, wait for the device to "die" - disappear from the net.
Now, from the machine with the static arp, can it see it - ping it?

If yes, then the issue may very well be the ARP table - resolving the IP address to a MAC address.

If no, then the issue is NOT the ARP table, but possibly the MAC forwarding table on the local switch.  However, the behavior for an incoming ping to a layer 2 unknown address is to forward the frame to ALL ports on the switch (except where it came from) and presumably, the "dead" device would see the ping and respond.

For the whole ARP table discussion - on a pure layer 2 switch, it has a MAC forwarding table - called different things by different vendors (CAM table for instance).  Basically, a table matching MAC addresses to ports.  Learned by observing source addresses from traffic passing through.

A router - a layer 3 device - has an ARP table, an Address Resolution Protocol table which resolves IP addresses to MAC addresses.

If you combine routing functionality on a switch, then you have a layer 3 switch which has both an ARP table and a MAC forwarding table.  Sometimes these are combined on ONE table.
0
 

Author Comment

by:iamuser
ID: 17955893
We did that earlier, after the device died on the vlan we checked the computer that was attempting to ping it. The computer still had the mac address in its arp table. But when we took a look at the switch side, we couldn't see the Mac address in its Mac forwarding table.

What's weird is that even if I do a continuous ping on the device from a pc, it will eventually die. And when I check the switch it shows the Mac missing again.

Now what's weirder is if I plug the device into a hub with a computer and do a continuous ping, the device never dies, it's constantly alive.





0
 
LVL 8

Expert Comment

by:saw830
ID: 17958846
Perhaps the problem is not as it appears.  Are you able to confirm that the PINGs actually make it to the device or not?  Suppose that the PING reaches the device, but that the device is not able to respond.  If that is the case, then no amount of adjustment on the PC is going to fix this, hence the fix on the device.

Another thought....
You say that it stops working when connected to your black diamond switch, but continues to work when connected through a hub.  Have you tried a different switch?  I'm not sure what this test will tell you, but it might suggest that the device doesn't play well with black diamond, or that the device does play well with switches in general.  Although it is my understanding that network devices (PCs, printers, routers, etc.) are not supposed to be able to tell the difference, there's compatible and then there's compatible.
0
