IpArp not learning IP

  • Question
  • Updated 7 months ago
  • Answered
Hi,

I am trying to troubleshoot why IPARP is not showing the IP addresses of edge devices.
Slot-1 SEDUCA050100.3 # sh iparp stats ports 3:23
IP ARP Port Statistics                                 Thu Mar  8 08:55:47 2018
Port         Link State      Active ARP Total          Dynamic           Static
===============================================================================
3:23                  A                     0                0                0
===============================================================================
If I do a "sh fdb port 3:23" I can see the MAC of the connected device, but for some reason IPARP is not storing the MAC and the IP address of the connected device. This is happening on all ports, and since IPARP does not store any IP addresses, IdMgr doesn't show them either.

I have all vlan interfaces configured with an ip address and IPARP is enabled by default on the switch.

I am wondering what commands I can use to troubleshoot this situation.

Br,
Gonçalo Reis

Posted 7 months ago


Nick Yakimenko

iparp works only if you have an ip interface in the corresponding vlan
Hi Yakimenko,

Thank you for the info, but as I said in my original post I have all vlan interfaces configured with an IP address.

Br,
Gonçalo Reis

David Coglianese, Embassador

I missed that in my first read too.

So what switches and code versions are we talking about? If it's not the obvious it might be a bug that needs to be reported.

Are the devices getting IPs?
What is the output of [show ip arp]
Or [show ip arp port 3:23]

You said "IPARP is not showing the IP addresses of edge devices." Does that mean you see the upstream switch IPs?
Hi David,

The EXOS version I am using is 22.4.1.4. All end devices have static IP addresses, and I can see them in the upstream switches; they don't have any connectivity problems.

In my original post you can see that port 3:23 has link, but iparp hasn't learned anything from that port; this can be confirmed with the command you suggested.
Slot-1 SEDUCA050100.1 # sh iparp port 3:23
VR            Destination      Mac                Age  Static  VLAN          VID   Port
Dynamic Entries  :         210             Static Entries            :          0
Pending Entries  :           0
In Request       :    36704719             In Response               :      34498
Out Request      :        5403             Out Response              :       3436
Failed Requests  :           0
Proxy Answered   :           0
Rx Error         :           0             Dup IP Addr               :         0.0.0.0
Rejected Count   :    33098174             Rejected IP               :     147.96.23.2
Rejected Port    :        1:49             Rejected I/F              : Docencia
Max ARP entries  :        8192             Max ARP pending entries   :        256
ARP address check:    Disabled             ARP refresh               :    Enabled
Timeout          :          20 minutes     ARP Sender-Mac Learning   :   Disabled
Locktime         :        1000 milliseconds
Retransmit Time  :        1000 milliseconds
Reachable Time   :      900000 milliseconds (Auto)
Fast Convergence :         Off
If i configure and Vlan assign an ip address to that vlan,  i can see the IP of the connected device, the problem arises when i put the default port configuration that i use on my network, this is when the iparp loses all information off the connected device. This is the default port configuration:
Slot-1 SEDUCA050100.2 # sh conf | in "3:23"
disable snmp traps port-up-down port 3:23
configure port 3:23 rate-limit flood broadcast 120 out-actions log trap
configure port 3:23 rate-limit flood multicast 120 out-actions log trap
configure port 3:23 rate-limit flood unknown-destmac 120 out-actions log trap
configure vlan DAPs add ports 3:23,3:45-47,4:10-13 untagged
configure port 3:23 link-flap-detection on
configure port 3:23 link-flap-detection interval 60 threshold 5
configure port 3:23 link-flap-detection action add log trap
enable mac-locking ports 3:23
configure mac-locking ports 3:23 first-arrival limit-learning 1
configure mac-locking ports 3:23 first-arrival aging enable
configure mac-locking ports 3:23 trap violation on
configure mac-locking ports 3:23 log violation on
configure policy rule admin-profile port 3:23 mask 16 port-string 3:23 admin-pid 8
disable edp ports 3:23
disable lldp ports 3:23
enable nodealias ports 3:23
configure nodealias ports 3:23 maxentries 20
configure stpd s0 ports link-type edge 3:23
configure stpd s0 ports edge-safeguard enable 3:23
configure stpd s0 ports bpdu-restrict enable 3:23
I don't have any problem on the switches that are on EXOS 21.x.x versions, and all of them have the same configuration regardless of the EXOS version.

Let me know if I was clear enough with my explanation.

Br,
Gonçalo Reis

M.Nees, Embassador

Did you try to reproduce this issue on a small lab switch?
On a lab switch it will be easier to troubleshoot.

If yes, enable debugging for ARP or mirror the client traffic to better see what is happening.

David Coglianese, Embassador

You have a fair amount going on there but I don't see what the issue could be. The fact that it varies based on code version makes me think it is a bug that TAC would need to look at.

I do not fully understand what you mean by "If i configure and Vlan assign an ip address to that vlan,  i can see the IP of the connected device, the problem arises when i put the default port configuration that i use on my network, this is when the iparp loses all information off the connected device."

This makes it sound like you see the arp entry until you apply the default port config. So can you narrow it down by adding one command at a time and checking to see when the arp entry disappears? This does not mean it's not a bug, but would help narrow down what causes the bug so TAC could better assist you.
I have already reproduced this in a lab environment and narrowed down the configuration line by line, and found that the policy applied to the port is preventing iparp from learning the IP address of end devices; if I remove the policy rule I can see the IP address of the directly connected device.

However, what is annoying me is that on a production switch with the same EXOS version and configuration the behaviour is not the same, and when I remove the policy rule from the port I am still unable to see the IP address.

To me this sounds like a bug and so far I haven't found which configuration line is triggering it.

Sarah Seidl


We encounter what seems similar to what you are reporting from time to time (though ours is more sporadic - not all ports on all stacks).  Generally it seems more prevalent if we have a power outage and then power is restored but users can't get to their precious internet :-)   Almost like something got messed up in the boot up, even though the stack is a ring, slots all look good, fdb entries show perfectly on the switch but not consistent IPARP entries. A reboot of the entire stack generally resolves for us.  We are on 460g1 models running 16.2.2.4 code (I've seen it on other code versions in our environment previously).  We just had this the past weekend with wind storms after power was restored.  Slot 2 wasn't acting right, so I ran a diagnostics which returned all clear.  For good measure I rebooted the entire stack after diag was done.  Then slot 3 was showing fdb entries but no IPARP for the end devices (the problem hopped slots!).  So I individually rebooted slot 3 which got those devices back talking again.  Maybe it's cliché but rebooting seems to help us in most cases.



EtherMAN, Embassador

Am I missing something here... Show IPARP stats will not show you any ipa address and mac information. It shows you how many ipa it has learned on the port or vlan...

Slot-2 PLW_X670G2_5959_Stack.5 # sh ipa sta por 1:32
IP ARP Port Statistics                                 Thu Mar  8 08:40:57 2018
Port         Link State      Active ARP Total          Dynamic           Static
===============================================================================
p1-32_Nim_Ctrl2_P1    A                     2                2                0


Slot-2 PLW_X670G2_5959_Stack.6 # sh ipa sta vlan "PLW_San_595"
IP ARP VLAN Statistics                                 Thu Mar  8 08:41:26 2018
VLAN                         Active ARP Total          Dynamic           Static
===============================================================================
PLW_San_595                                 7                7                0
 
You need to leave the stats command out to see entries 

Slot-2 PLW_X670G2_5959_Stack.7 # sh ipa port 1:32
VR            Destination      Mac                Age  Static  VLAN          VID   Port
VR-Default    172.16.59.10     00:e0:ed:2f:5a:c2    2      NO  PLW_San_595   595   1:32
VR-Default    172.16.59.11     00:e0:ed:2f:5a:c2    2      NO  PLW_San_595   595   1:32


Of course if there are arps that should be learned on the port and are not then you have a different issue. 
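
An added example, not part of the original posts: Python that parses the two table layouts quoted in this thread (the `stats` counters and the per-entry listing) and lists ports whose link is up but whose ARP count is zero, the symptom reported for 3:23. The sample text is constructed from the rows shown above; the function names and the reading of `A` as link-up are assumptions.

```python
import re

# Constructed capture: the stats rows and ARP entries quoted in this thread.
STATS = """\
Port         Link State      Active ARP Total          Dynamic           Static
===============================================================================
3:23                  A                     0                0                0
p1-32_Nim_Ctrl2_P1    A                     2                2                0
===============================================================================
"""
ENTRIES = """\
VR            Destination      Mac                Age  Static  VLAN          VID   Port
VR-Default    172.16.59.10     00:e0:ed:2f:5a:c2    2      NO  PLW_San_595   595   1:32
VR-Default    172.16.59.11     00:e0:ed:2f:5a:c2    2      NO  PLW_San_595   595   1:32
"""

# port (slot:port or display string), link state, total, dynamic, static
STAT_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
# VR, IPv4, MAC, age, static flag, VLAN, VID, port
ENTRY_ROW = re.compile(
    r"^(\S+)\s+(\d+(?:\.\d+){3})\s+((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")

def parse_stats(text):
    """Return {port: (link_state, total, dynamic, static)}; headers and rules are skipped."""
    rows = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line)
        if m:
            rows[m.group(1)] = (m.group(2),) + tuple(int(x) for x in m.groups()[2:])
    return rows

def parse_entries(text):
    """Return {port: [(ip, mac), ...]} from the per-entry table."""
    by_port = {}
    for line in text.splitlines():
        m = ENTRY_ROW.match(line)
        if m:
            by_port.setdefault(m.group(8), []).append((m.group(2), m.group(3).lower()))
    return by_port

def silent_ports(stats, up_state="A"):
    """Ports with link up but no ARP entries: the symptom reported for 3:23.
    Assumption: 'A' in the Link State column means the link is active."""
    return sorted(p for p, (link, total, _, _) in stats.items()
                  if link == up_state and total == 0)

if __name__ == "__main__":
    print("link up, no ARP learned:", silent_ports(parse_stats(STATS)))
    for port, pairs in parse_entries(ENTRIES).items():
        print(port, pairs)
```
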
I have the same configuration applied on all switches; the ones that are on 22.4.1.4 have this problem, the others don't.

M.Nees, Embassador

Compared to 21.1, in 22.4 and 22.3 the port-related "policy framework" denies some basic protocols like EAP or ARP.

In this newer version you have to allow them if you use a deny all policy.
Hi M.Nees, where can I get that information? Also, the policy I am applying is a permit all.

M.Nees, Embassador

Unfortunately this change is currently NOT documented - this is tested in my lab.

I have some customers with a "deny all" policy - on these ports, after upgrade to 22.3, P-EAP (=802.1x) does not work anymore. GTAC workaround is adding these needed basic protocols into the "deny all" policy (as an exception - allow it) - in older versions I do not care about that.

OscarK, ESE

If the vlan IP is not used as default gateway by the client devices the arp will not be learned by the switch just because it has an IP in the same range.
Hi Oscar, thank you for replying. It is my bad for not explaining everything properly. On my network, access switches have a random IP Address outside the network range of each Vlan for each Vlan.

Example:

Vlan servers is assigned with the network range 10.147.254.0/24, the gateway for this Vlan is one of the core switches.  

On my access switch I assign the IP address 172.16.254.1/32 to the vlan servers.

For the access switch to be able to learn the ip address of the end devices, it has to be configured with "disable iparp checking".

I have all my access switches configured this way and this works for all versions of the Extreme EXOS. What is happening in version 22.4.1.4 is that when I assign a policy rule to an edge port the switch is unable to learn the IP address of the directly connected device, and when I remove the policy, it learns the IP address of the end device.

Regards
Gonçalo Reis

OscarK, ESE

I think policy denies or overrules the packet to CPU to learn the arp entry. Did you look into node alias? That would learn the IP address too and should be a better method. Also XMC will check node alias tables if it's enabled.