IPv4 ARP and IPv6 ND
Address Resolution Protocol (ARP) allows an IPv4 host or router to learn the link-layer (MAC) address that is associated with a neighbor's IPv4 address. IPv4 ARP also provides address conflict detection.
Similarly, the Neighbor Discovery (ND) protocol allows an IPv6 host or router to learn the link-layer address that is associated with a neighbor's IPv6 address. IPv6 ND also supports duplicate address detection (DAD) and neighbor unreachability detection (NUD).
In SR Linux the arp_nd_mgr is the software process that handles the sending and receiving of ARP and ND messages.
Interaction between SR Linux and the underlying Linux OS
The underlying Linux OS uses its own ARP/ND stack to send ARP requests and neighbor solicitations as required by native Linux applications. The SR Linux arp_nd_mgr intercepts each request and, if it has a matching neighbor entry, replies to it immediately. Otherwise arp_nd_mgr sends the request and processes the neighbor responses, which it then forwards back to the underlying Linux OS.
In addition, if network-instance protocols linux export-neighbors is set to true, linux_mgr adds all neighbors that are known to arp_nd_mgr as static neighbors in the underlying Linux OS.
IPv4 ARP
ARP allows a router to determine the next-hop MAC address for a particular destination IPv4 address. SR Linux provides the following ARP support on IPv4 routed subinterfaces:
- static ARP entries
- dynamic ARP entries with configurable timeout per subinterface
- EVPN entries (on platforms where EVPN is enabled)
- address conflict detection (ACD) per RFC 5227
Static ARP entries
A static ARP entry associates an IPv4 address with a MAC address on a subinterface. When the configuration is committed, arp_nd_mgr interacts with the Nokia eXtensible Data Path (XDP) hardware abstraction layer to add the ARP entry into the relevant hardware tables.
Dynamic ARP entries
-
Routing next-hop groups: When you create a static next-hop-group with an IPv4 next-hop (or when fib_mgr creates a dynamic next-hop-group with an IPv4 next-hop) and no ARP entry exists for the next-hop, SR Linux immediately sends an ARP request for the next-hop, even without a traffic trigger.
- Locally connected hosts: When the system receives an IPv4 packet and the destination is a host address on a local subnet for which there is no ARP entry, arp_nd_mgr sends an ARP request for the destination. While the system waits for a reply, additional packets destined for the destination may be buffered.
- Linux applications: When a Linux application sends an ARP request for an address, arp_nd_mgr intercepts the message and if no matching ARP entry exists, arp_nd_mgr creates its own ARP request for the address.
After arp_nd_mgr sends an ARP request, it performs the following steps:
- If no ARP reply is received, the ARP entry is put on the retry list that the system revisits every 30 seconds. The ARP entry does not appear in info from state output yet.
- When the system receives an ARP reply, a dynamic entry is programmed and its expiration timeout is based on the subinterface configuration; the default is 4 hours. The expiration timeout is reset whenever the subinterface receives any ARP packet from the associated source address.
-
30 seconds before the expiration timeout ends, arp_nd_mgr considers the ARP entry to be stale and automatically sends a new ARP request for the address. If it receives a response, the expiration timeout is reset. If no response is received when the expiration timeout ends, the ARP entry is deleted and removed from info from state.
For expired next-hop route addresses, the system periodically resends new ARP requests to attempt to resolve those entries.
Address conflict detection
By default, address conflict detection is enabled on every router subinterface, but it can be disabled per subinterface.
Configuring static ARP entries
To create a static ARP entry on a subinterface, use the ipv4 arp neighbor ipv4-address link-layer-address mac-address command to associate the IPv4 address of a neighbor with its MAC address.
Configure a static ARP entry
--{ + candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 2 ipv4 arp
interface ethernet-1/1 {
subinterface 2 {
ipv4 {
arp {
timeout 28800
neighbor 192.168.10.3 {
link-layer-address 00:00:5E:00:53:EF
}
}
}
}
}
Configuring dynamic ARP timeout
For dynamic ARP entries, you can optionally modify the expiration timeout value on a subinterface using the ipv4 arp timeout command. The time remaining for existing dynamic ARP entries on the subinterface is not affected by this update.
Configure dynamic ARP timeout on a subinterface
--{ + candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 2 ipv4 arp timeout
interface ethernet-1/1 {
subinterface 2 {
ipv4 {
arp {
timeout 28800
}
}
}
}
Disabling ARP address conflict detection
By default, address conflict detection (ACD) is enabled on every router subinterface, but you can disable it for a subinterface by setting ipv4 arp duplicate-address-detection to false.
However, if the subinterface is configured as a DHCPv4 client, ACD is always performed, regardless of this per-subinterface setting.
Disable ARP address conflict detection on a subinterface
--{ + candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 1 ipv4 arp
interface ethernet-1/1 {
subinterface 1 {
ipv4 {
arp {
duplicate-address-detection false
}
}
}
}
IPv6 Neighbor Discovery
Neighbor Discovery (ND) protocol allows a router to determine the next-hop MAC address for a particular destination IPv6 address. SR Linux provides the following ND support on IPv6 routed subinterfaces:
- support for all 5 neighbor states: incomplete, reachable, stale, delay, and probe
- static neighbor cache entries
- dynamic neighbor cache entries with configurable timeout per subinterface
- duplicate address detection
- neighbor unreachability detection
Static IPv6 Neighbor Entries
A static neighbor entry associates an IPv6 address with a MAC address on a subinterface. When the configuration is committed, arp_nd_mgr interacts with XDP to add the neighbor entry into the relevant hardware tables.
IPv6 Neighbor Entries for Routing Next-Hops
When you create a static next-hop-group with an IPv6 next-hop (or when fib_mgr creates a dynamic next-hop-group with an IPv6 next-hop) and no neighbor entry exists for that address, arp_nd_mgr immediately sends a neighbor solicitation request for the address, even without a traffic trigger. The neighbor solicitation process is as follows:
- If no neighbor advertisement is received for the target address, the neighbor solicitation message is retransmitted every 1 second (with some randomization). The retransmit interval is not configurable. The neighbor entry does not appear in info from state yet.
- If a neighbor advertisement is received for the target address, a dynamic entry is programmed with an initial state of reachable. The state changes to stale after the reachable time expires. The reachable time is configurable per subinterface with a default of 30 seconds.
- While the neighbor is stale, the system makes no attempt to confirm reachability using neighbor solicitations, even if there is traffic destined for the target address. The neighbor state changes from stale to delay (and subsequently probe) after the stale time expires. Stale time is configurable per subinterface with a default of 14 400 seconds. The arp_nd_mgr attempts to refresh the neighbor entry by sending a neighbor solicitation (and retransmitting twice if required). If no response is received, the neighbor entry is deleted and removed from info from state.
IPv6 neighbor limit on subinterfaces
You can set a limit on the number of IPv6 neighbors that a subinterface can learn. The following considerations apply:
- The limit only applies to dynamic neighbors. Static and EVPN neighbors do not count towards the limit and can still be added when the dynamic neighbor limit is exceeded.
- If a subinterface already has a number of dynamic neighbor entries and you set the neighbor limit to below the current number of entries, the router does not remove the exceeding entries. Existing neighbors are still refreshed. The limit only applies to new learned neighbors.
- The system provides two log events that warn about the number of entries exceeding the configured threshold.
Configuring static ND entries
To create a static ND entry on a subinterface, use the ipv6 neighbor discovery neighbor ipv6-address link-layer-address mac-address command to associate the IPv6 address of a neighbor with its MAC address.
Configure a static ND entry for a subinterface
--{ +* candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 2 ipv6 neighbor-discovery neighbor 2001:db8::1
interface ethernet-1/1 {
subinterface 2 {
ipv6 {
neighbor-discovery {
neighbor 2001:db8::1 {
link-layer-address 00:00:5E:00:53:AF
}
}
}
}
}
Configuring ND reachable time and stale time
Configure ND reachable time and stale time on a subinterface
--{ + candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 1 ipv6 neighbor-discovery
interface ethernet-1/1 {
subinterface 1 {
ipv6 {
neighbor-discovery {
reachable-time 50
stale-time 28800
}
}
}
}
Configuring IPv6 neighbor limit on subinterfaces
To set a limit for IPv6 neighbors, use the subinterface ipv6 neighbor-discovery limit command, which has the following configurable parameters:
- max-entries: Sets the maximum number of neighbor entries allowed on the subinterface.
- log-only: Defines the action taken when the subinterface exceeds the max-entries limit. When set to true, the system keeps learning entries on the subinterface and only logs an event.
-
warning-threshold-pct: Sets the percentage of max-entries that triggers a log event indicating the limit is approaching. The default value is 90 percent of the configured max-entries limit. The event is logged only the first time a neighbor exceeds the limit, and the condition is cleared if the limit falls back below the threshold.
The threshold value is calculated as follows:
(max-entries * warning-threshold-pct)/100However, the system rounds the result down. Therefore, a max-entries setting of 2 provides the same result whether the warning-threshold-pct is 90 percent or 50 percent:
2*90/100 = 2*50/100 = 1
Configure IPv6 neighbor limit on a subinterface
--{ * candidate shared default }--[ ]--
# info interface ethernet-1/1 subinterface 3 ipv6 neighbor-discovery
interface ethernet-1/1 {
subinterface 3 {
ipv6 {
neighbor-discovery {
limit {
max-entries 10
log-only false
warning-threshold-pct 85
}
}
}
}
}