topic Re: ARP Cache Limit on PA-500 in General Topics

ARP Cache Limit on PA-500

kalyanram.piratla — Tue, 07 Feb 2012 17:32:46 GMT

Hi PAN,

When is that the PA-500 will have an ARP cache limit of 1000? I was promised during the launch of version 4.1 that the ARP cache limit had been increased to 1000 from 500 just to realise that it never happened.

I am desperately waiting for something on this as clients are not at all happy with this and having a work around just to avoid this is not an easy task specially when someone else does the installation.

Can someone from PAN give me some kind of a hope on this please. It would be very great of you.

Thank you

Regards,

Re: ARP Cache Limit on PA-500

mikand — Tue, 07 Feb 2012 23:39:17 GMT

I guess you already contacted your sales rep regarding this?

A workaround should be to use a L3-switch in front of your PAN and setup a linknet between your PAN and the L3-switch.

Like so (just an example):

Clients: 10.0.0.0/16 (shitload of clients :smileysilly:)

L3-switch int gi0/1: 10.0.255.254/16 (interface towards the clients, this ip is the defgw for the clients)

L3-switch int gi0/2: 192.168.0.1/30 (interface towards the PAN)

PAN int0: 192.168.0.2/30 (interface towards the L3-switch).

then routing in the L3-switch:

ip route 0.0.0.0 0.0.0.0 192.168.0.2

This way the PAN will only need to keep track of a single ARP entry (the mac-address for the L3-switch (192.168.0.1)) while your L3 switch will keep track (ARP-wise) of all the clients.

Re: ARP Cache Limit on PA-500

kalyanram.piratla — Wed, 08 Feb 2012 10:18:54 GMT

Hi... Based on the example you've provided, can you please let me know on how to create a static route on the Palo Alto.

Cheers...

Re: ARP Cache Limit on PA-500

gafrol — Wed, 08 Feb 2012 19:22:53 GMT

You'll find your virtual router(s) under Network - Virtual Routers. In the VR config you can define static routes.

Re: ARP Cache Limit on PA-500

kalyanram.piratla — Thu, 09 Feb 2012 09:23:37 GMT

I know about configuring where and how to configure static routes on the Palo Alto. But was just wondering what would be the static route in terms of Destination and Next hop value which would obviously be on the external interface of the PA.

Re: ARP Cache Limit on PA-500

mikand — Thu, 09 Feb 2012 09:51:58 GMT

If your clients have 10.0.0.0/16 and the L3-switch interface towards your PAN have ip 192.168.0.1 (your PAN have 192.168.0.2 at eth1/1 and the subnetmask for this linknet is /30 (255.255.255.252) then your routing in your PAN should be setup as:

              <ip>
                <static-route>
                  <entry name="ROUTE_CLIENTS">
                    <nexthop>
                      <ip-address>192.168.0.1</ip-address>
                    </nexthop>
                    <interface>ethernet1/1</interface>
                    <metric>10</metric>
                    <destination>10.0.0.0/16</destination>
                  </entry>
                </static-route>
              </ip>

Re: ARP Cache Limit on PA-500

kalyanram.piratla — Thu, 09 Feb 2012 11:08:52 GMT

Thank you for the information. Will try it out when i get a chance.

Regards,

Kal

Re: ARP Cache Limit on PA-500

mstevenson — Wed, 19 Sep 2012 11:05:53 GMT

what do you mean a linknet?

Thanks

Matt

Re: ARP Cache Limit on PA-500

mikand — Wed, 19 Sep 2012 20:18:59 GMT

A linknet is what you call the small network (usually /30 or /29 if using redundancy) setup between two layer3 (routing) devices.

This linknet is to be able to setup nexthop addresses in each device routingtable.

For example... lets assume you (for some odd reason) have 10.0.0.0/16 as client network (10.0.0.0 -> 10.0.255.255) which means 65534 mac addresses which the device which will be default gateway for all those must be able to handle.

However your PA can only do 1000 mac address per interface (or how large the limit now is).

So to fix this (except for doing a better segmentation than having 65k clients on the same layer2 network 😃 is to plugin a L3 device which can handle that many mac address on a single interface and then setup a linknet towards the PA device.

So the result will be:

PA <{192.168.0.0/30]> L3 device [10.0.0.0/16]

If the PA have 192.168.0.1 and the L3 device have 192.168.0.2 then the routing table in the L3 device will be:

ip route 0.0.0.0/0 nexthop 192.168.0.1

When looking in the PA you will see all the 10.0.0.0 -> 10.0.255.255 clients when looking at srcip, but when looking at mac address there will be only one - the mac address for 192.168.0.2 (the mac address of the L3 device).

The PA must of course have a returning route like:

ip route 10.0.0.0/16 nexthop 192.168.0.2

Re: ARP Cache Limit on PA-500

kalyanram.piratla — Wed, 17 Oct 2012 16:22:56 GMT

Version 5 will solve this issue... and I am glad..