ARP Cache Limit on PA-500



L4 Transporter

Hi PAN,

When is it that the PA-500 will have an ARP cache limit of 1000? I was promised during the launch of version 4.1 that the ARP cache limit had been increased to 1000 from 500, only to realise that it never happened.

I am desperately waiting for something on this, as clients are not at all happy with it, and having a workaround just to avoid it is not an easy task, especially when someone else does the installation.

Can someone from PAN give me some kind of hope on this, please. It would be very great of you.

Thank you

Regards,

9 REPLIES

L6 Presenter

I guess you already contacted your sales rep regarding this?

A workaround should be to use an L3-switch in front of your PAN and set up a linknet between your PAN and the L3-switch.

Like so (just an example):

Clients: 10.0.0.0/16 (shitload of clients)

L3-switch int gi0/1: 10.0.255.254/16 (interface towards the clients, this ip is the defgw for the clients)

L3-switch int gi0/2: 192.168.0.1/30 (interface towards the PAN)

PAN int0: 192.168.0.2/30 (interface towards the L3-switch).

Then routing in the L3-switch:

ip route 0.0.0.0 0.0.0.0 192.168.0.2

This way the PAN will only need to keep track of a single ARP entry (the MAC address of the L3-switch, 192.168.0.1), while your L3-switch will keep track (ARP-wise) of all the clients.

Hi... Based on the example you've provided, can you please let me know how to create a static route on the Palo Alto?

Cheers...

You'll find your virtual router(s) under Network - Virtual Routers. In the VR config you can define static routes.

I know where and how to configure static routes on the Palo Alto. But I was just wondering what the static route would be in terms of Destination and Next hop value, which would obviously be on the external interface of the PA.

If your clients have 10.0.0.0/16 and the L3-switch interface towards your PAN has IP 192.168.0.1 (your PAN has 192.168.0.2 on eth1/1 and the subnet mask for this linknet is /30 (255.255.255.252)), then the routing in your PAN should be set up as:

              <ip>
                <static-route>
                  <entry name="ROUTE_CLIENTS">
                    <nexthop>
                      <ip-address>192.168.0.1</ip-address>
                    </nexthop>
                    <interface>ethernet1/1</interface>
                    <metric>10</metric>
                    <destination>10.0.0.0/16</destination>
                  </entry>
                </static-route>
              </ip>

Thank you for the information. Will try it out when I get a chance.

Regards,

Kal

What do you mean by a linknet?

Thanks

Matt

A linknet is what you call the small network (usually a /30, or a /29 if using redundancy) set up between two layer-3 (routing) devices.

This linknet is there so that you can set up next-hop addresses in each device's routing table.

For example... let's assume you (for some odd reason) have 10.0.0.0/16 as your client network (10.0.0.0 -> 10.0.255.255), which means 65534 MAC addresses that the device acting as default gateway for all of those must be able to handle.

However, your PA can only do 1000 MAC addresses per interface (or however large the limit now is).

So the fix for this (apart from doing better segmentation than having 65k clients on the same layer-2 network 😃) is to plug in an L3 device which can handle that many MAC addresses on a single interface, and then set up a linknet towards the PA device.

So the result will be:

PA <[192.168.0.0/30]> L3 device [10.0.0.0/16]

If the PA has 192.168.0.1 and the L3 device has 192.168.0.2, then the routing table in the L3 device will be:

ip route 0.0.0.0/0 nexthop 192.168.0.1

When looking in the PA you will see all the 10.0.0.0 -> 10.0.255.255 clients when looking at the source IP, but when looking at MAC addresses there will be only one: the MAC address for 192.168.0.2 (the MAC address of the L3 device).

The PA must of course have a return route like:

ip route 10.0.0.0/16 nexthop 192.168.0.2
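To make the point of the two linknet replies above concrete (the first reply's addressing and this one's explanation of why the PA ends up with a single ARP entry), here is an added example that is not code from the thread's posters or from Palo Alto Networks. It is a small Python model of longest-prefix routing followed by next-hop ARP resolution, run against both topologies: the PA as direct default gateway for 10.0.0.0/16, and the PA behind an L3 switch over a 192.168.0.0/30 linknet (switch 192.168.0.1, PA 192.168.0.2, as in the first reply). The ARP limits of 500 and 1000 are the figures quoted in the thread; the client counts used in the demo are constructed, and the Router/Route classes are a simplification, not a model of PAN-OS internals.

```python
"""Why a linknet collapses the firewall's ARP table: a small routing/ARP model.

Added example for this thread; not code from the thread's posters or from
Palo Alto Networks. It models longest-prefix routing followed by next-hop
ARP resolution and counts the ARP entries a device must hold in the two
topologies discussed. Addresses follow the first reply (switch 192.168.0.1,
PA 192.168.0.2). ARP limits 500/1000 are the thread's figures; the client
counts in the demo are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

CLIENTS = Net("10.0.0.0/16")
LINKNET = Net("192.168.0.0/30")
DEFAULT = Net("0.0.0.0/0")
SWITCH_IP = IPv4("192.168.0.1")   # L3-switch side of the linknet
PA_IP = IPv4("192.168.0.2")       # PA side of the linknet


@dataclass
class Route:
    prefix: Net
    next_hop: Optional[IPv4]      # None means directly connected
    interface: str


@dataclass
class Router:
    name: str
    routes: list
    arp_limit: int
    arp_table: set = field(default_factory=set)
    arp_overflow: int = 0         # packets whose on-link address could not be cached

    def lookup(self, dst: IPv4) -> Route:
        """Longest-prefix match over the routing table."""
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def forward(self, dst: IPv4) -> Optional[IPv4]:
        """Return the on-link address the packet is handed to, caching its ARP entry.

        For a directly connected route the destination itself must be resolved;
        for a routed prefix only the next hop is resolved. Once the table is
        full, new entries are counted as overflow instead of being installed.
        """
        route = self.lookup(dst)
        on_link = dst if route.next_hop is None else route.next_hop
        if on_link not in self.arp_table:
            if len(self.arp_table) >= self.arp_limit:
                self.arp_overflow += 1
                return None
            self.arp_table.add(on_link)
        return on_link


def flat_pa(arp_limit: int) -> Router:
    """PA is the default gateway for the whole /16: every client is on-link."""
    return Router("PA-flat", [Route(CLIENTS, None, "ethernet1/1")], arp_limit)


def linknet_pa(arp_limit: int) -> Router:
    """PA behind the L3 switch, with the return route from the thread."""
    return Router("PA-linknet", [
        Route(LINKNET, None, "ethernet1/1"),
        Route(CLIENTS, SWITCH_IP, "ethernet1/1"),   # 10.0.0.0/16 via 192.168.0.1
    ], arp_limit)


def linknet_switch(arp_limit: int) -> Router:
    """The L3 switch: clients directly connected, default route to the PA."""
    return Router("L3-switch", [
        Route(CLIENTS, None, "gi0/1"),
        Route(LINKNET, None, "gi0/2"),
        Route(DEFAULT, PA_IP, "gi0/2"),             # ip route 0.0.0.0 0.0.0.0 192.168.0.2
    ], arp_limit)


def simulate(router: Router, client_count: int) -> tuple:
    """Send one return packet to each of the first client_count hosts in 10.0.0.0/16.

    Returns (ARP entries held, packets that overflowed the ARP table).
    """
    hosts = CLIENTS.hosts()
    for _ in range(client_count):
        router.forward(next(hosts))
    return len(router.arp_table), router.arp_overflow


if __name__ == "__main__":
    for label, router in [("PA as gateway, limit 500", flat_pa(500)),
                          ("PA as gateway, limit 1000", flat_pa(1000)),
                          ("PA behind linknet, limit 500", linknet_pa(500)),
                          ("L3 switch in front, limit 65536", linknet_switch(65536))]:
        held, lost = simulate(router, 2000)
        print(f"{label}: {held} ARP entries, {lost} clients unreachable")
```

With 2000 clients the flat topology fills a 500-entry table and leaves 1500 clients without an ARP entry (raising the limit to 1000 only halves that), whereas behind the linknet the PA holds exactly one entry, 192.168.0.1, and the per-client ARP load lands on the switch. The overflow counter is the number to watch in capacity planning: if it is non-zero for a given limit and client count, the topology needs the linknet or better segmentation.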

Version 5 will solve this issue... and I am glad.
