ARP table
The ARP table is used to determine the destination MAC addresses of the network nodes, as well as the VLANs and ports that the nodes are reached from.
To view the ARP table:
# get system arp
Address           Age(min)   Hardware Addr        Interface
10.10.1.3         1          50:b7:c3:75:ea:dd    internal7
192.168.0.190     0          28:f1:0e:03:2a:97    wan1
192.168.0.97      0          f4:f2:6d:37:b0:99    wan1
To view the ARP cache in the system:
# diagnose ip arp list
index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=3
index=5 ifname=wan1 192.168.0.190 28:f1:0e:03:2a:97 state=00000002 use=88 confirm=86 update=977639 ref=2
index=22 ifname=internal 192.168.1.111 00:0c:29:c6:79:3d state=00000004 use=3724 confirm=9724 update=3724 ref=0
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
index=5 ifname=wan1 192.168.0.97 f4:f2:6d:37:b0:99 state=00000002 use=78 confirm=486 update=614 ref=26
index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=2
To view a summary of the ARP table:
# diagnose sys device list root
list virtual firewall root info:
ip4 route_cache: table_size=65536 max_depth=2 used=31 total=34
arp: table_size=16 max_depth=2 used=5 total=6
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=32 max_depth=1 used=3 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=00000000
main table version=0000002b
vf=root dev=root vrf=0
vf=root dev=ssl.root vrf=0
...
vf=root dev=internal5 vrf=0 ses=0/0 ses6=0/0 rt=0/0 rt6=0/0
ARP request, cache, and reachable time
When FortiGate tries to communicate with a new destination, it must resolve the destination's MAC address. The resolution depends on the IP address of the destination:
- Directly connected destination: an ARP request is sent for the destination IP address.
- Non-directly connected destination: an ARP request is sent for the gateway IP address of the exit interface.
After the ARP request is sent and an ARP reply is received, the corresponding ARP entry is added to the ARP cache. FortiOS uses the cached entries for subsequent traffic, reducing the need for frequent ARP requests.
Entries in the ARP cache are valid for a duration equal to the actual ARP reachable time. The actual ARP reachable time is a random number between 50% and 150% of the base reachable time. The default base reachable time is 30 seconds, so the actual ARP reachable time is from 15 to 45 seconds. The actual ARP reachable time is recalculated and updated every five minutes. The frequency of ARP requests to populate the ARP cache and of unicast ARP probes to refresh the ARP cache entries depends on the base ARP reachable time.
Each ARP entry in the ARP cache includes its state and the number of objects that are currently using it. For example:
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
Based on the state assigned to the ARP entry, the ARP cache determines the validity of the entry. There are multiple possible states for an ARP entry, and the state-transition mechanism can be complex. Common states include the following:
| State | Meaning | Description |
|---|---|---|
| 000000002 or 0x02 | REACHABLE | An ARP response was received |
| 000000004 or 0x04 | STALE | No ARP response within the expected time |
| 000000008 or 0x08 | DELAY | A transition state between STALE and REACHABLE before probes are sent out |
| 000000020 or 0x20 | FAILED | Did not manage to resolve within the maximum configured number of probes |
| 000000040 or 0x40 | NOARP | Device does not support ARP, e.g. IPsec interface |
| 000000080 or 0x80 | PERMANENT | A statically defined ARP entry |
Multiple factors affect the state-transition mechanism and whether an entry is used by other subsystems. ARP creation, ARP request/reply, neighbor lookup, routing, and others can cause an ARP entry to be in use or referenced. Regular and successful unicast ARP probes initiated by FortiGate help maintain an ARP entry in Reachable state. By default, FortiGate disables regular unicast ARP probes for the sessions that are offloaded to the network processor (NP).
To set the ARP reachable time on an interface:
config system interface
edit port1
set reachable-time <integer>
next
end
| Option | Description |
|---|---|
| reachable-time <integer> | The reachable time in milliseconds (30000 to 3600000, default = 30000). |
ARP cache purging
An ARP cache entry that is in the STALE (0x04) or FAILED (0x20) states with no references to it (ref=0) is eligible to be removed from the ARP cache using the garbage collection mechanism. The garbage collection mechanism runs every 30 seconds, and checks and removes ARP entries that have been stale, failed, or unreferenced longer than 60 seconds. Garbage collection is also triggered when the number of ARP entries exceeds the configured threshold. If the threshold is exceeded, no entries can be added to the ARP table.
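The ARP cache listing, the state table, and the purging rules above can be checked against a live listing by parsing the output of `diagnose ip arp list`. The following Python script is an added example for this page, not FortiOS code: it decodes the `state=` field into the names from the table, computes the actual reachable-time window from a base reachable time, and flags the entries that the garbage collector may remove (STALE or FAILED with `ref=0`). The sample listing embedded in the script is copied from the page's own `diagnose ip arp list` output; the function and class names are this example's own.

```python
"""Decode FortiOS 'diagnose ip arp list' output: entry state names, the
ARP reachable-time window, and garbage-collection eligibility.

Added example for this page (not FortiOS code). SAMPLE_ARP_LIST is the
page's own listing; function and class names are this example's own.
"""
import random
import re
from dataclasses import dataclass
from typing import Optional

# State flag values as given in the page's table.
ARP_STATES = {
    0x02: "REACHABLE",
    0x04: "STALE",
    0x08: "DELAY",
    0x20: "FAILED",
    0x40: "NOARP",
    0x80: "PERMANENT",
}

# Copied from the page's 'diagnose ip arp list' output.
SAMPLE_ARP_LIST = """\
index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=3
index=5 ifname=wan1 192.168.0.190 28:f1:0e:03:2a:97 state=00000002 use=88 confirm=86 update=977639 ref=2
index=22 ifname=internal 192.168.1.111 00:0c:29:c6:79:3d state=00000004 use=3724 confirm=9724 update=3724 ref=0
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
index=5 ifname=wan1 192.168.0.97 f4:f2:6d:37:b0:99 state=00000002 use=78 confirm=486 update=614 ref=26
index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=2
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class ArpEntry:
    ifname: str
    ip: str
    mac: Optional[str]  # absent for unresolved entries (e.g. FAILED)
    state: int
    ref: int

    @property
    def state_name(self) -> str:
        # Decode the bits listed in the page's table; report others raw.
        names = [n for bit, n in ARP_STATES.items() if self.state & bit]
        return "|".join(names) if names else f"UNKNOWN(0x{self.state:02x})"

    @property
    def gc_eligible(self) -> bool:
        # Per the page: STALE (0x04) or FAILED (0x20) with no references.
        return bool(self.state & (0x04 | 0x20)) and self.ref == 0


def parse_arp_list(text: str) -> list[ArpEntry]:
    """Parse 'diagnose ip arp list' lines; the MAC column is optional."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv, bare = {}, []
        for tok in line.split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                kv[k] = v
            else:
                bare.append(tok)  # positional fields: IP, then MAC if resolved
        ip = bare[0]
        mac = bare[1] if len(bare) > 1 and MAC_RE.match(bare[1]) else None
        entries.append(ArpEntry(kv["ifname"], ip, mac, int(kv["state"], 16), int(kv["ref"])))
    return entries


def reachable_window_ms(base_ms: int = 30000) -> tuple[int, int]:
    """Actual reachable time lies between 50% and 150% of the base value."""
    if not 30000 <= base_ms <= 3600000:  # CLI range for reachable-time
        raise ValueError("reachable-time must be 30000..3600000 ms")
    return base_ms // 2, base_ms * 3 // 2


def draw_reachable_ms(base_ms: int = 30000, rng=random) -> int:
    """One random actual reachable time, as FortiOS recalculates it."""
    lo, hi = reachable_window_ms(base_ms)
    return rng.randint(lo, hi)


def purge_candidates(entries: list[ArpEntry]) -> list[tuple[str, str]]:
    """(interface, ip) pairs the garbage collector may remove."""
    return [(e.ifname, e.ip) for e in entries if e.gc_eligible]


if __name__ == "__main__":
    for e in parse_arp_list(SAMPLE_ARP_LIST):
        print(f"{e.ifname:10} {e.ip:16} {e.mac or '-':18} {e.state_name:10} ref={e.ref} gc={e.gc_eligible}")
    print("reachable window (ms):", reachable_window_ms())
```

Run against the page's listing, only `192.168.1.111` on `internal` is a purge candidate (STALE with `ref=0`); `10.10.1.11` is FAILED but still referenced, and the default base of 30000 ms yields a 15000 to 45000 ms window.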
To set the maximum number of ARP entries threshold:
config system global
set arp-max-entry <integer>
end
| Option | Description |
|---|---|
| arp-max-entry <integer> | The maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 to 2147483647, default = 131072). |
ARP/ICMP6 probing for offloaded sessions
By default, FortiOS does not regularly send ARP probes for sessions offloaded to the NP. This can cause issues in environments where a session is established and offloaded to the NP but no traffic flows through the FortiGate for an extended period of time: the ARP entries on the FortiGate expire, and the MAC address tables of upstream or downstream devices, such as switches, age out. When this happens, the next packet that passes through the session triggers an ARP broadcast request, which is flooded across the upstream or downstream switch network. To mitigate this, enable sending regular ARP probes for offloaded sessions.
To enable sending ARP/ICMP6 probing packets to update neighbors for offloaded sessions:
config system global
    set npu-neighbor-update enable
end
The npu-neighbor-update option is disabled by default.
Manually adding and removing ARP cache entries
To add static ARP entries:
config system arp-table
edit 1
set interface "internal"
set ip 192.168.50.8
set mac bc:14:01:e9:77:02
next
end
To delete a single ARP entry from the ARP table:
diagnose ip arp delete <interface name> <IP address>
To clear all of the entries in the ARP table:
execute clear system arp table