ARP table
The ARP table is used to determine the destination MAC addresses of the network nodes, as well as the VLANs and ports through which the nodes are reached.
To view the ARP table:
```
# get system arp
Address          Age(min)   Hardware Addr        Interface
10.10.1.3        1          50:b7:c3:75:ea:dd    internal7
192.168.0.190    0          28:f1:0e:03:2a:97    wan1
192.168.0.97     0          f4:f2:6d:37:b0:99    wan1
```
To view the ARP cache in the system:
```
# diagnose ip arp list
index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=3
index=5 ifname=wan1 192.168.0.190 28:f1:0e:03:2a:97 state=00000002 use=88 confirm=86 update=977639 ref=2
index=22 ifname=internal 192.168.1.111 00:0c:29:c6:79:3d state=00000004 use=3724 confirm=9724 update=3724 ref=0
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
index=5 ifname=wan1 192.168.0.97 f4:f2:6d:37:b0:99 state=00000002 use=78 confirm=486 update=614 ref=26
index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=2
```
ARP request and cache
The FortiGate must make an ARP request when it tries to reach a new destination. The base ARP reachable value determines how often an ARP request is sent; the default is 30 seconds. The actual ARP reachable time is a random number between half and three halves of the base reachable time, that is, 15 to 45 seconds with the default. The random number is updated every five minutes.
ARP entries in the ARP cache are updated based on the state of the ARP entry and the objects that are using it, as highlighted in the following output sample:
```
index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1
```
There are multiple possible states for an ARP entry, and the state-transition mechanism can be complex. Common states include the following:

| State | Meaning | Description |
|---|---|---|
| 00000002 or 0x02 | REACHABLE | An ARP response was received |
| 00000004 or 0x04 | STALE | No ARP response within the expected time |
| 00000008 or 0x08 | DELAY | A transition state between STALE and REACHABLE before probes are sent out |
| 00000020 or 0x20 | FAILED | Did not manage to resolve within the maximum configured number of probes |
| 00000040 or 0x40 | NOARP | Device does not support ARP, e.g. IPsec interface |
| 00000080 or 0x80 | PERMANENT | A statically defined ARP entry |
An entry that is in the STALE (0x04) or FAILED (0x20) state with no references to it (ref=0) can be deleted. Many factors affect the state-transition mechanism and whether an entry is in use by other subsystems. For example, ARP creation, ARP request/reply, neighbor lookup, routing, and others can cause an ARP entry to be in use or referenced.
The garbage collection mechanism runs every 30 seconds, and checks and removes stale and unreferenced entries if they have been stale for longer than 60 seconds. Garbage collection will also be triggered when the number of ARP entries exceeds the configured threshold. If the threshold is exceeded, no entries can be added to the ARP table.
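To make the state field and the deletion rule above concrete, here is a small parser for the `diagnose ip arp list` output format (an added example, not Fortinet code). It decodes the hexadecimal state bitfield into the names from the table and lists the entries that garbage collection may remove (STALE or FAILED with ref=0); the sample input is constructed in the page's output format, with a missing MAC on the FAILED entry as shown in the page's own listing.

```python
import re

# State bits as listed in the table above.
ARP_STATES = {
    0x02: "REACHABLE", 0x04: "STALE", 0x08: "DELAY",
    0x20: "FAILED", 0x40: "NOARP", 0x80: "PERMANENT",
}

# Constructed sample in the 'diagnose ip arp list' format (ref values chosen
# for illustration; entries run together on one line as a scraper would emit them).
SAMPLE = (
    "index=14 ifname=internal7 10.10.1.3 50:b7:c3:75:ea:dd state=00000004 use=2494 confirm=1995 update=374 ref=0 "
    "index=5 ifname=wan1 192.168.0.190 28:f1:0e:03:2a:97 state=00000002 use=88 confirm=86 update=977639 ref=2 "
    "index=5 ifname=wan1 224.0.1.140 01:00:5e:00:01:8c state=00000040 use=924202 confirm=930202 update=924202 ref=1 "
    "index=14 ifname=internal7 10.10.1.11 state=00000020 use=172 confirm=1037790 update=78 ref=0"
)

ENTRY_RE = re.compile(
    r"index=(?P<index>\d+)\s+ifname=(?P<ifname>\S+)\s+(?P<ip>[\d.]+)\s+"
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+)?"  # MAC is absent on FAILED entries
    r"state=(?P<state>[0-9a-fA-F]+)\s+use=(?P<use>\d+)\s+confirm=(?P<confirm>\d+)\s+"
    r"update=(?P<update>\d+)\s+ref=(?P<ref>\d+)"
)

def state_names(state):
    """Decode the state bitfield into the names from the table above."""
    return [name for bit, name in ARP_STATES.items() if state & bit] or ["UNKNOWN"]

def parse_arp_list(text):
    """Return one dict per entry, with numeric fields converted and states decoded."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["state"] = int(e["state"], 16)
        for k in ("index", "use", "confirm", "update", "ref"):
            e[k] = int(e[k])
        e["states"] = state_names(e["state"])
        entries.append(e)
    return entries

def collectable(entries):
    """IPs of entries garbage collection may remove: STALE or FAILED with ref=0."""
    return [e["ip"] for e in entries if e["state"] & (0x04 | 0x20) and e["ref"] == 0]

if __name__ == "__main__":
    parsed = parse_arp_list(SAMPLE)
    for e in parsed:
        print(f"{e['ifname']:10} {e['ip']:15} {e['mac'] or '-':18} {'|'.join(e['states'])} ref={e['ref']}")
    print("collectable:", collectable(parsed))
```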
To set the maximum number of ARP entries threshold:
```
config system global
    set arp-max-entry <integer>
end
```
| Setting | Description |
|---|---|
| arp-max-entry <integer> | The maximum number of dynamically learned MAC addresses that can be added to the ARP table (131072 to 2147483647, default = 131072). |
To set the ARP reachable time on an interface:
```
config system interface
    edit port1
        set reachable-time <integer>
    next
end
```
| Setting | Description |
|---|---|
| reachable-time <integer> | The reachable time in milliseconds (30000 to 3600000, default = 30000). |
To clear all of the entries in the ARP table:
```
execute clear system arp table
```
To delete a single ARP entry from the ARP table:
```
diagnose ip arp delete <interface name> <IP address>
```
To add static ARP entries:
```
config system arp-table
    edit 1
        set interface "internal"
        set ip 192.168.50.8
        set mac bc:14:01:e9:77:02
    next
end
```
To view a summary of the ARP table:
```
# diagnose sys device list root
list virtual firewall root info:
ip4 route_cache: table_size=65536 max_depth=2 used=31 total=34
arp: table_size=16 max_depth=2 used=5 total=6
proxy_arp: table_size=256 max_depth=0 used=0 total=0
arp6: table_size=32 max_depth=1 used=3 total=3
proxy_arp6: table_size=256 max_depth=0 used=0 total=0
local table version=00000000
main table version=0000002b
vf=root dev=root vrf=0
vf=root dev=ssl.root vrf=0
...
vf=root dev=internal5 vrf=0 ses=0/0 ses6=0/0 rt=0/0 rt6=0/0
```