Managing the Router's ARP Cache
Problem
You want to adjust the ARP table timeout value.
Solution
To modify the ARP timeout value, use the arp timeout configuration command:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#interface Ethernet0
Router1(config-if)#arp timeout 600
Router1(config-if)#end
Router1#
Discussion
Every LAN device has an Address Resolution Protocol (ARP) cache. This is a table that the device uses to map Layer 2 MAC addresses to Layer 3 IP addresses. Without this mapping, the device could build its IP packets, but couldn't build the Layer 2 frames to carry these packets.
Devices discover the information in the ARP cache dynamically. If a device needs to send a packet to an IP destination, and it doesn't have a corresponding MAC address, it sends out a broadcast ARP request packet. This packet reaches every device on the LAN segment, and the one that "owns" the IP address in question sends back an ARP response packet to complete the process.
Many LAN devices also automatically send a gratuitous ARP packet when they first connect to the network. A gratuitous ARP is a broadcast packet that is effectively an unsolicited ARP response. Every device on the LAN segment will receive this packet so it can update its ARP cache in case there is ever a need to talk to this new device.
The ARP request and response process obviously takes time to complete, introducing a delay in packet processing. Furthermore, because the ARP request packets are broadcasts, they go to every device on the LAN segment, where they interrupt whatever that device was doing. If there are too many of these packets on the segment, it can cause traffic congestion and CPU loading on the connected devices.
So to keep the ARP traffic down, all IP devices maintain a cache of these ARP entries. Old entries that are no longer valid need to be periodically removed. The router needs to flush out old ARP cache entries faster in environments where devices frequently change their address, such as when there are very short DHCP lease times. In some cases there are so many devices that the ARP cache table becomes unwieldy, taking up too much memory or too much CPU time to support. But you need to maintain a balance between removing old invalid entries and keeping the amount of ARP traffic down.
By default, Cisco routers use an ARP cache timeout period of four hours. This means that if the router hasn't sent or received any packets with a particular address for the last four hours, it will flush the ARP entry from its cache. This period usually works well on Ethernet networks. However, there are special situations when you can improve network performance by adjusting this period.
The example in this recipe reduces the ARP timeout period to 600 seconds (10 minutes):
Router1(config-if)#arp timeout 600
Of course, you could just as easily use this command to increase the default ARP timeout period. In general we don't recommend using an ARP timeout period of less than about five minutes because it tends to cause too much CPU and network loading.
The show ip arp command prints out the current contents of the router's ARP cache:
Router1#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.25.1.5 8 0001.9670.b780 ARPA Ethernet0
Internet 172.25.1.7 - 0000.0c92.bc6a ARPA Ethernet0
Internet 172.25.1.1 9 0010.4b09.5700 ARPA Ethernet0
Internet 172.25.1.3 2 0010.4b09.5715 ARPA Ethernet0
Router1#
Notice that this output includes the IP address, Age in minutes, MAC address, and the Interface information for each ARP entry. The router resets the ARP age counter to zero whenever it sees valid traffic from the corresponding device. This ensures that the addresses of active devices are never flushed out of the cache, no matter how long they have been known.
You can specify a particular IP address with the show ip arp command. This can be useful when you are only interested in particular entries in a large cache table. On a large LAN core router, there could be hundreds or even thousands of ARP entries in the cache, which is too many to scan by eye:
Router1#show ip arp 172.25.1.5
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.25.1.5 2 0001.9670.b780 ARPA Ethernet0
Router1#
The same command can also display the ARP information for a particular MAC address, as follows:
Router1#show ip arp 0010.4b09.5715
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.25.1.3 3 0010.4b09.5715 ARPA Ethernet0
Router1#
And you can even get a listing of ARP information for a particular router interface:
Router1#show ip arp Ethernet0
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.25.1.5 4 0001.9670.b780 ARPA Ethernet0
Internet 172.25.1.7 - 0000.0c92.bc6a ARPA Ethernet0
Internet 172.25.1.1 2 0010.4b09.5700 ARPA Ethernet0
Internet 172.25.1.3 4 0010.4b09.5715 ARPA Ethernet0
Router1#
When you are having an ARP problem, or when there are stale entries that you need to remove immediately, it can be useful to clear the entire cache. To manually clear the router's entire ARP cache, use the clear arp command:
Router1#clear arp
Router1#
Unfortunately, there is no way to remove a single ARP entry. If you need to manually clear an entry, you must erase the entire table. Doing this will cause a brief spike in ARP traffic as the router attempts to rebuild the ARP cache for the active devices, so we recommend that you use this command very sparingly.
The show interface command includes information about the ARP timeout setting for a particular interface:
Router1#show interface Ethernet0
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0000.0c92.bc6a (bia 0000.0c92.bc6a)
Internet address is 172.25.1.7/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, rely 255/255, load 1/255
Encapsulation ARPA, loopback not set, keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 00:10:00
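As an added example (not from the book and not Cisco's code), the following Python parses the show ip arp listing and the ARP Timeout field of show interface shown above, and reports the dynamic entries that have been idle for most of the configured timeout, skipping the router's own address (age "-"). The sample output is constructed from the recipe's listings, and the 75% threshold is an arbitrary choice.

```python
import re

# Constructed sample, modelled on the show ip arp listing in this recipe.
SHOW_IP_ARP = """\
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.25.1.5 8 0001.9670.b780 ARPA Ethernet0
Internet 172.25.1.7 - 0000.0c92.bc6a ARPA Ethernet0
Internet 172.25.1.1 9 0010.4b09.5700 ARPA Ethernet0
Internet 172.25.1.3 2 0010.4b09.5715 ARPA Ethernet0
"""
# Constructed fragment of show interface output carrying the timeout field.
SHOW_INTERFACE = "ARP type: ARPA, ARP Timeout 00:10:00"

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\d+|-)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)$")

def parse_arp_timeout(show_interface_text):
    """Convert the 'ARP Timeout HH:MM:SS' field to seconds."""
    m = re.search(r"ARP Timeout (\d+):(\d+):(\d+)", show_interface_text)
    if not m:
        raise ValueError("no ARP Timeout field in show interface output")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s

def parse_arp_table(show_ip_arp_text):
    """Parse show ip arp lines; age is None for the router's own address ('-')."""
    entries = []
    for line in show_ip_arp_text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue  # header line, prompt or blank line
        ip, age, mac, arp_type, intf = m.groups()
        entries.append({"ip": ip, "age_min": None if age == "-" else int(age),
                        "mac": mac, "type": arp_type, "interface": intf})
    return entries

def entries_near_expiry(entries, timeout_sec, fraction=0.75):
    """Dynamic entries idle for at least `fraction` of the timeout; local ones never expire."""
    limit_min = timeout_sec / 60 * fraction
    return [e for e in entries if e["age_min"] is not None and e["age_min"] >= limit_min]

if __name__ == "__main__":
    timeout = parse_arp_timeout(SHOW_INTERFACE)
    for e in entries_near_expiry(parse_arp_table(SHOW_IP_ARP), timeout):
        print(f"{e['ip']} on {e['interface']}: idle {e['age_min']} min of {timeout // 60}")
```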