This document describes a specific connectivity problem encountered when you use the Firewall Services Module (FWSM) in a Cisco 6500 or 7600 Series switch.
There are no specific requirements for this document.
The information in this document is based on these hardware and software versions:
- Cisco 6500 Series Switch
- Cisco 7600 Series Router Platforms
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
For this specific issue, any of these symptoms might be observed:
- Network connectivity to or through the FWSM might fail intermittently.
- Network connectivity through the switch (not through the FWSM) might fail intermittently.
This specific situation is caused when the configured Address Resoution Protocol (ARP) policer on the Cisco 6500/7600 Series switches drops ARP packets because the aggregate amount of ARP traffic rises above the configured ARP policer threshold.
The switch configuration that causes this problem is:
mls qos protocol ARP police 32000 1000 mls qos
These minimum values cause the device to police ARP traffic through and to the device at approximately 60 ARP packets per second (30 requests and replies). The numeric policer values previously stated represent the absolute minium values that are accepted by the parser. Often, these values are not appropriate for the amount of legitimate ARP traffic that passes through the switch.
This output shows that the ARP policer drops ARP traffic that passes through the switch (AgPoliced-By indicates the number of bytes that are dropped for the protocol):
6500#show mls qos protocol
Modes: P - police, M - marking, * - passthrough
Module: All - all EARL slots; Dir: I&O - In & Out; F - Fail
Proto Mode Mod Dir AgId Prec Cir Burst AgForward-By AgPoliced-By
OSPF * All I&O - - - - - -
ARP P 7 In 7 - 32000 1000 28207242542 7633398736
ARP P 13 In 1 - 32000 1000 7990748006 4555958320
In this case, 27% (7633398736 bytes dropped versus 28207242542 bytes passed) of the ARP traffic is dropped by the switch.
If the switch drops legitimate (not looped) ARP traffic, the configured ARP policer values on the switch might be too low. Determine the correct value for the policer based on the network traffic profile, and reconfigure the policer appropriately for those values.