[FROG] Where do those massive ARP tables come from?

Bernd bernd at kroenchenstadt.de
Thu Jul 11 08:15:47 EDT 2019


On 2019-07-11 13:39, Don Slice wrote:
> Any chance you have a default route pointing to a local interface, or
> have an invalid onlink route making it think destinations are local
> when they're not? What does your config and routing table look like?
> Are all the extraneous arps pointing out the same interface?

Thanks a lot, Don! Your first thought was the perfect match.

The machines indeed had (for whatever historical reasons) a static route 
pointed onto themselves. After removing it, the switch CPU load dropped 
massively (from about 85% to less than 40%).

I assume the blackhole never was hit by traffic that was meant to be 
sent there?

Now:

funny_hostname# sh ip route a.b.c.d
Routing entry for 0.0.0.0/0
   Known via "ospf", distance 110, metric 190, best
   Last update 00:26:58 ago
   * n.o.p.q, via bond1.310

Routing entry for 0.0.0.0/0
   Known via "static", distance 240, metric 0
   Last update 1d00h53m ago
     unreachable (blackhole)

Best

Bernd

> On Thu, Jul 11, 2019 at 3:54 AM Bernd <bernd at kroenchenstadt.de> wrote:
> 
>> Hi list,
>> 
>> I have a bunch of three routers running in a project, let's call
>> them A, B and C. They connect to multiple AS upstream and internally
>> via OSPF and RIPng.
>> 
>> While B is based on an (ancient) Ubuntu 12.04.5 and (also ancient)
>> Quagga (0.99.20.1), A and C run very recent CentOS 7 and FRR 6.0.2.
>> 
>> B performs perfectly, while A and C put massive pressure on some
>> Cisco switches they're connected to (OSPF and RIPng): They're
>> sending about 2k ARP requests per second each.
>> 
>> Looking at the ARP table (``ip nei show'') of A and C, I see about
>> 20k entries, almost all of them in nud "FAIL" (unreachable). Most of
>> them are IPs within the customer's AS (this is VLAN310 in the graphs
>> attached), but some are random public IPv4 addresses.
>> 
>> I did compare all sysctl settings to no avail, they're all set in a
>> sane and safe manner. Every daemon not needed or adding not
>> necessary complexity (like NetworkManager) is disabled and not
>> running on A and C.
>> ARP flux can be ruled out, too.
>> 
>> Any idea what is going on here?
>> 
>> Best
>> 
>> Bernd
> 
> --
> 
> Don Slice
> Cumulus Networks
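
One way to check a Linux router for the condition diagnosed in this thread, as an added example that is not part of the original messages: it counts FAILED neighbour entries per interface and lists non-connected routes that have no gateway. The sample `ip neigh show` / `ip route show` text is constructed, the function names are hypothetical, and also flagging a gateway equal to one of the host's own addresses is an assumption about what a route "pointed onto themselves" could look like.

```python
from collections import Counter

# Constructed sample of `ip neigh show` output (documentation address ranges).
NEIGH = """\
192.0.2.1 dev bond1.310 lladdr 00:53:00:aa:bb:01 REACHABLE
198.51.100.7 dev bond1.310  FAILED
198.51.100.8 dev bond1.310  FAILED
203.0.113.44 dev bond1.310  FAILED
192.0.2.9 dev bond0 lladdr 00:53:00:aa:bb:02 STALE
"""

# Constructed sample of `ip route show` output.
ROUTES = """\
default via 192.0.2.1 dev bond1.310 proto ospf metric 20
default dev bond1.310 proto static metric 5
192.0.2.0/24 dev bond1.310 proto kernel scope link src 192.0.2.2
198.51.100.0/24 via 192.0.2.2 dev bond1.310 proto static
blackhole 10.0.0.0/8 proto static metric 240
"""

def failed_by_dev(neigh_text):
    """Count neighbour entries in NUD state FAILED per interface."""
    counts = Counter()
    for line in neigh_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "dev" and fields[-1] == "FAILED":
            counts[fields[2]] += 1
    return counts

def _opt(fields, key):
    """Value following a keyword such as 'via' or 'proto', or None."""
    return fields[fields.index(key) + 1] if key in fields[:-1] else None

def suspicious_routes(route_text, local_addrs):
    """Routes with no gateway (destinations treated as on-link, so the host
    ARPs for each one) or, as an assumption, a gateway that is a local address."""
    hits = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("blackhole", "unreachable", "prohibit"):
            continue  # these never trigger neighbour resolution
        via, proto = _opt(fields, "via"), _opt(fields, "proto")
        if proto == "kernel":
            continue  # genuinely connected prefix installed by the kernel
        if via is None or via in local_addrs:
            hits.append((fields[0], _opt(fields, "dev"), via))
    return hits
```

On a live router, feed the functions the real command output and the host's own addresses; a large FAILED count on the interface named by a flagged route matches the symptom described above.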
