Understanding the ARP Hit Rate
08/25/2022
Description
This knowledge article explains the ARP hit rate, describes several reasons a firewall may report a low ARP hit rate, and shows how to monitor ARP traffic generated by and passing through the firewall.
Cause
The ARP hit rate is the ratio of cached ARP entries to newly arriving ARP requests. An ARP request counts as a miss if no previous entry exists for its source. Subsequent packets from the same source count as hits, because the source has been recorded in the cache. If the number of ARP packets from previously unseen sources far exceeds the number of cached entries, the result is a low hit rate. A hit rate of 99% signifies that almost all the ARP requests received by the firewall have been matched to previously cached entries. A hit rate of 17%, for example, means that the firewall is receiving ARP packets from previously unseen sources for which there are no cached entries.
Large subnets, those with a subnet mask of 255.255.0.0 or shorter, can generate a large amount of ARP traffic, especially if network scans are run from within them. SNMP servers, for example, may run discovery scans that touch every address in the /16 subnet. Network scanning and discovery tools also increase the number of ARP requests arriving at the firewall and, as a consequence, can increase the number of ARP requests the firewall itself generates. The hit rate rises and falls with the ratio of new requests to cached entries.
Outages on a large subnet may also cause entries in the ARP cache to expire. As soon as the hosts on the network begin to come back online they will generate a large amount of ARP traffic. This may result in a large number of ARP broadcasts from previously unseen sources. Although cached entries may previously have existed, once the timer has expired, many new requests cannot be served from the cache and will count as a miss.
ARP packets that have been incorrectly VLAN-tagged may arrive at the wrong interfaces. This can increase broadcast traffic and lead to flooding on multiple interfaces.
Resolution
Use the Packet Monitor to run an ARP capture. KB articles 170513143911627 and 170503324845334 provide instructions on how to use the Packet Monitor to capture traffic. The monitor buffer is relatively small and does not offer much storage space, so capture time may be limited. Captures that need to run over a longer period may require the FTP or mirroring options detailed in KB articles 170503699687976 and 170504587646444.
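The hit and miss accounting described under Cause, and the kind of per-sender analysis a practitioner does on an ARP capture, can be worked through in a small simulation. The following is an added example and is not SonicWall code; it assumes a simplified cache model (entries keyed on sender IP, refreshed each time the sender is seen, and treated as expired after a fixed TIMEOUT_S) and feeds it constructed ARP request frames rather than a real Packet Monitor capture. The steady-state and outage scenarios reproduce the "miss burst" that follows a cache expiry, and top_arp_senders shows how a single scanning host stands out in a capture.

```python
# Added example, not SonicWall's code. Assumptions: the cache is keyed on the
# sender IP, refreshed whenever the sender is seen, and an entry older than
# TIMEOUT_S counts as expired. All frames below are constructed test data.
import socket
import struct
from collections import Counter

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
TIMEOUT_S = 300.0  # assumed cache lifetime for the simulation


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Return a raw Ethernet frame carrying an ARP request (constructed data)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)  # Ethernet/IPv4
    arp += sender_mac + socket.inet_aton(sender_ip)
    arp += b"\x00" * 6 + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp_request(frame):
    """Return (sender_mac, sender_ip, target_ip), or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _hw, _proto, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if op != ARP_REQUEST or hlen != 6 or plen != 4:
        return None
    return (frame[22:28], socket.inet_ntoa(frame[28:32]), socket.inet_ntoa(frame[38:42]))


class ArpCache:
    """Counts a request as a hit when its sender is already cached and unexpired."""

    def __init__(self, timeout_s=TIMEOUT_S):
        self.timeout_s = timeout_s
        self.entries = {}  # sender_ip -> (sender_mac, last_seen)
        self.hits = 0
        self.misses = 0

    def observe(self, sender_ip, sender_mac, now):
        entry = self.entries.get(sender_ip)
        if entry is not None and now - entry[1] < self.timeout_s:
            self.hits += 1
        else:
            self.misses += 1  # unseen sender, or entry already expired
        self.entries[sender_ip] = (sender_mac, now)

    def hit_rate(self):
        total = self.hits + self.misses
        return 100.0 * self.hits / total if total else 0.0


def hit_rate_for(stream, timeout_s=TIMEOUT_S):
    """Feed (timestamp, frame) pairs through a fresh cache; return hit rate in %."""
    cache = ArpCache(timeout_s)
    for ts, frame in stream:
        parsed = parse_arp_request(frame)
        if parsed is not None:
            mac, sender_ip, _target = parsed
            cache.observe(sender_ip, mac, ts)
    return cache.hit_rate()


def round_of_requests(ts, n_hosts):
    """Constructed: every host on 10.0.0.0/24 ARPs for the gateway at time ts."""
    return [(ts, build_arp_request(bytes([2, 0, 0, 0, 0, h]), f"10.0.0.{h}", "10.0.0.254"))
            for h in range(1, n_hosts + 1)]


def steady_state_hit_rate():
    """10 hosts, 5 rounds one minute apart: only the first round misses -> 80%."""
    stream = [f for r in range(5) for f in round_of_requests(60.0 * r, 10)]
    return hit_rate_for(stream)


def outage_hit_rate():
    """Same hosts, but a gap longer than TIMEOUT_S between rounds: every host
    misses again when it comes back online -> 50%."""
    stream = round_of_requests(0.0, 10) + round_of_requests(60.0, 10)
    stream += round_of_requests(1000.0, 10) + round_of_requests(1060.0, 10)
    return hit_rate_for(stream)


def top_arp_senders(stream, n=3):
    """Rank sender IPs by request count; a scanning host stands out clearly."""
    counts = Counter()
    for _ts, frame in stream:
        parsed = parse_arp_request(frame)
        if parsed is not None:
            counts[parsed[1]] += 1
    return counts.most_common(n)


def scanner_stream():
    """Constructed: 10 normal hosts plus one host sweeping 10.0.0.0/24."""
    stream = round_of_requests(0.0, 10)
    scanner_mac = bytes([2, 0, 0, 0, 0, 0xAA])
    stream += [(1.0, build_arp_request(scanner_mac, "10.0.0.200", f"10.0.0.{t}"))
               for t in range(1, 255)]
    return stream


if __name__ == "__main__":
    print(f"steady state hit rate: {steady_state_hit_rate():.1f}%")
    print(f"after an outage:       {outage_hit_rate():.1f}%")
    print("top ARP senders:", top_arp_senders(scanner_stream()))
```

On a real capture the same parser can be run over the frames exported from the Packet Monitor, with the capture timestamps in place of the constructed ones; the per-sender ranking is the quickest way to tell a discovery scan from a subnet that is simply large.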
Ideally a broadcast domain running mixed protocols should contain no more than 200 hosts. Large networks should be segmented into separate VLANs. The firewall allows VLANs to be integrated on the firewall through the use of virtual interfaces (KB170503889544086).
It is also advisable to suppress ARP broadcasts at the switch level to reduce the amount of traffic arriving at the firewall. Many switches provide an option to contain the broadcast traffic and limit it to a specified threshold.