Firewall Services Module Connectivity Issues Due to Switch ARP Policing

Document ID: 116330

Contributed by Jay Johnston and Magnus Mortensen, Cisco TAC Engineers.

Jul 12, 2013

Contents

Introduction
Prerequisites
    Requirements
    Components Used
Problem
Solution
Related Information

Introduction

This document describes a specific connectivity problem encountered when you use the Firewall Services Module (FWSM) in a Cisco 6500 or 7600 Series switch.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these hardware and software versions:

• Cisco 6500 Series Switch
• Cisco 7600 Series Router Platforms
• FWSM

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Problem

For this specific issue, any of these symptoms might be observed:

• Network connectivity to or through the FWSM might fail intermittently.
• Network connectivity through the switch (not through the FWSM) might fail intermittently.

This specific situation is caused when the configured Address Resolution Protocol (ARP) policer on the Cisco 6500/7600 Series switches drops ARP packets because the aggregate amount of ARP traffic rises above the configured ARP policer threshold.

The switch configuration that causes this problem is:

    mls qos protocol ARP police 32000 1000
    mls qos

These minimum values cause the device to police ARP traffic through and to the device at approximately 60 ARP packets per second (30 requests and replies). The numeric policer values previously stated represent the absolute minimum values that are accepted by the parser. Often, these values are not appropriate for the amount of legitimate ARP traffic that passes through the switch.
This output shows that the ARP policer drops ARP traffic that passes through the switch (AgPoliced-By indicates the number of bytes that are dropped for the protocol):

    6500#show mls qos protocol
    Modes: P - police, M - marking, * - passthrough
    Module: All - all EARL slots; Dir: I&O - In & Out; F - Fail
    Proto  Mode  Mod  Dir  AgId  Prec  Cir    Burst  AgForward-By  AgPoliced-By
    --------------------------------------------------------------------------------
    OSPF   *     All  I&O  -     -     -      -      -             -
    ARP    P     7    In   7     -     32000  1000   28207242542   7633398736
    ARP    P     13   In   1     -     32000  1000   7990748006    4555958320
    6500#

In this case, 27% (7633398736 bytes dropped versus 28207242542 bytes passed) of the ARP traffic is dropped by the switch.

Solution

If the switch drops legitimate (not looped) ARP traffic, the configured ARP policer values on the switch might be too low. Determine the correct value for the policer based on the network traffic profile, and reconfigure the policer appropriately for those values.

Related Information

• Cisco IOS® Quality of Service Solutions Command Reference
• Catalyst 6500 Release 12.2SX Software Configuration Guide - Protocol Packet Policing
• Catalyst 6500 Release 12.2SX Software Configuration Guide - Dynamic ARP Inspection
• Technical Support & Documentation - Cisco Systems
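As an added check for the Problem and Solution sections above (example code written for this page, not Cisco's), the following script parses `show mls qos protocol` output like the one quoted in this document, reports the policed-versus-forwarded ratio per ARP policer, and estimates how many packets per second a given CIR admits. The 64-byte ARP frame size and the 5% alert threshold are this example's assumptions; with 64-byte frames the minimum CIR of 32000 bps works out to 62.5 pps, in line with the "approximately 60" figure above.

```python
import re

# Constructed sample: the 'show mls qos protocol' output quoted in this
# document, retyped so the script runs offline (not live device output).
SAMPLE_OUTPUT = """\
6500#show mls qos protocol
Modes: P - police, M - marking, * - passthrough
Module: All - all EARL slots; Dir: I&O - In & Out; F - Fail
Proto  Mode  Mod  Dir  AgId  Prec  Cir    Burst  AgForward-By  AgPoliced-By
--------------------------------------------------------------------------------
OSPF   *     All  I&O  -     -     -      -      -             -
ARP    P     7    In   7     -     32000  1000   28207242542   7633398736
ARP    P     13   In   1     -     32000  1000   7990748006    4555958320
6500#
"""

# Matches a policed (Mode 'P') row; passthrough ('*') rows never match.
ROW_RE = re.compile(
    r"^(?P<proto>\S+)\s+P\s+(?P<mod>\d+)\s+(?P<dir>\S+)\s+\d+\s+\S+\s+"
    r"(?P<cir>\d+)\s+(?P<burst>\d+)\s+(?P<fwd>\d+)\s+(?P<pol>\d+)\s*$"
)

def parse_policed_rows(text, proto="ARP"):
    """Return one dict per policed row for the given protocol."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("proto") == proto:
            rows.append({"module": int(m.group("mod")),
                         "cir_bps": int(m.group("cir")),
                         "burst": int(m.group("burst")),
                         "forwarded": int(m.group("fwd")),
                         "policed": int(m.group("pol"))})
    return rows

def policed_vs_forwarded_pct(row):
    """Policed bytes as a percentage of forwarded bytes (the 27% figure above)."""
    return round(100.0 * row["policed"] / row["forwarded"], 1)

def approx_pps(cir_bps, frame_bytes=64):
    """Steady-state packets/s a CIR admits; 64-byte frames is this example's
    assumption, not a figure from the document."""
    return cir_bps / (frame_bytes * 8)

def flag_lossy_modules(text, max_pct=5.0):
    """(module, pct) for each ARP policer above max_pct (threshold assumed)."""
    return [(r["module"], policed_vs_forwarded_pct(r))
            for r in parse_policed_rows(text)
            if policed_vs_forwarded_pct(r) > max_pct]
```

Run it against the live command output instead of SAMPLE_OUTPUT to see which module's policer is discarding legitimate ARP traffic before raising the CIR and burst values.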