[c-nsp] Dynamic ARP timeout on ASR 1001

Mourad Berkane berkane at unhcr.org
Wed Oct 16 08:21:40 EDT 2013

Default EVC MAC aging-time is 300s (5 minutes) while ARP timeout is 14400s (4 hours).

You may have to lower ARP timeout to 5 minutes also.

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Gibbs
Sent: Wednesday, October 16, 2013 3:30 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Dynamic ARP timeout on ASR 1001

Hey all,

Having a bit of an issue with bridge-domains on ASR 1001 and dynamic ARP entries.

Looking through the packet captures, I see the following events

1. DHCP request from CPE

2. DHCP ACK and assignment from DHCP server to CPE

3. Gratuitous ARP sent from CPE.

4. Packets flow as normal.

5. Something triggers dynamic ARP entry to timeout on the BNG (Cisco ASR 1001).

   a. Suspect this may be triggered by the DHCP Request renew or the following gratuitous ARP received.

   b. See the debug message on the ASR:

      *Oct 15 18:18:29.376: IP ARP: rcvd rep src 5475.d0df.7f48, dst BDI100
      *Oct 15 18:18:29.376: ARP DB: ARP entry of key found
      *Oct 15 18:18:29.376: ARP TABLE: modifying entry on BD100 for Dynamic
      *Oct 15 18:18:29.376: ARP DYNAMIC[N]: Dynamic timeout occurredtimeout = 14400000, refresh_token = 2,refresh_timeout = 60000
      *Oct 15 18:18:29.376: ARP DB: ARP entry of key found

6. DHCP client on the CPE eventually sends through a DHCP request for the IP

7. DHCP server replies with ACK.

8. Gratuitous ARP sent from CPE.

9. Dynamic ARP entry is populated.

10. Packets flow as normal.

If I attempt to ping manually from the CPE, the dynamic arp entry is restored on the ASR.

Further details:

Platform: ASR 1001
Software: 3.10a (asr1001-universalk9.03.10.00a.S.153-3.S0a-ext.bin)

interface Port-channel2
 description Uplink - <redacted>
 mtu 2000
 ip dhcp relay information option-insert
 ip dhcp relay information check-reply none
 no ip address
 no ip unreachables
 no negotiation auto
 lacp fast-switchover
 lacp max-bundle 1
 service instance 1101 ethernet
  encapsulation dot1q 80 second-dot1q 1101
  rewrite ingress tag pop 2 symmetric
  ip dhcp relay information option subscriber-id GCC-CPE-1-1
  service-policy output pm_BNG-WAN-wVoice-Out-12Mbps
  bridge-domain 100
 service instance 1102 ethernet
  encapsulation dot1q 80 second-dot1q 1102
  rewrite ingress tag pop 2 symmetric
  ip dhcp relay information option subscriber-id GCC-CPE-2-1
  service-policy output pm_BNG-WAN-wVoice-Out-25Mbps
  bridge-domain 100
interface BDI100
 ip address
 ip helper-address

GCC-BNG-1#sh run | i bridge
bridge-domain 100
bridge-domain 912
bridge irb
  bridge-domain 100
  bridge-domain 100
bridge 100 protocol vlan-bridge
bridge 100 route ip

Any ideas?



Chris Gibbs
Network and Security Engineer | Information Management & Technology
Gosford City Council
www.gosford.nsw.gov.au

PO Box 21 Gosford NSW 2250
Phone: (02) 4325 8888
Mobile: 0408 222 496
Fax:    (02) 4323 2477
chris.gibbs at gosford.nsw.gov.au
