Guest

Cisco Services Modules

Firewall Services Module Connectivity Issues Due to Switch ARP Policing

Techzone Article content

Document ID: 116330

Updated: Jul 12, 2013

Contributed by Jay Johnston and Magnus Mortensen, Cisco TAC Engineers.

   Print

Introduction

This document describes a specific connectivity problem encountered when you use the Firewall Services Module (FWSM) in a Cisco 6500 or 7600 Series switch.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these hardware and software versions:

  • Cisco 6500 Series Switch
  • Cisco 7600 Series Router Platforms
  • FWSM

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

For this specific issue, any of these symptoms might be observed:

  • Network connectivity to or through the FWSM might fail intermittently.
  • Network connectivity through the switch (not through the FWSM) might fail intermittently. 

This specific situation is caused when the configured Address Resoution Protocol (ARP) policer on the Cisco 6500/7600 Series switches drops ARP packets because the aggregate amount of ARP traffic rises above the configured ARP policer threshold.

The switch configuration that causes this problem is:

mls qos protocol ARP police 32000 1000 mls qos


These minimum values cause the device to police ARP traffic through and to the device at approximately 60 ARP packets per second (30 requests and replies). The numeric policer values previously stated represent the absolute minium values that are accepted by the parser. Often, these values are not appropriate for the amount of legitimate ARP traffic that passes through the switch.

This output shows that the ARP policer drops ARP traffic that passes through the switch (AgPoliced-By indicates the number of bytes that are dropped for the protocol):

6500#show mls qos protocol
Modes: P - police, M - marking, * - passthrough
Module: All - all EARL slots; Dir: I&O - In & Out; F - Fail

Proto Mode Mod Dir AgId Prec Cir Burst AgForward-By AgPoliced-By
--------------------------------------------------------------------------------
OSPF * All I&O - - - - - -
ARP P 7 In 7 - 32000 1000 28207242542 7633398736
ARP P 13 In 1 - 32000 1000 7990748006 4555958320
6500#

In this case, 27% (7633398736 bytes dropped versus 28207242542 bytes passed) of the ARP traffic is dropped by the switch.

Solution

If the switch drops legitimate (not looped) ARP traffic, the configured ARP policer values on the switch might be too low. Determine the correct value for the policer based on the network traffic profile, and reconfigure the policer appropriately for those values.

Related Information

Updated: Jul 12, 2013
Document ID: 116330