Practice: large numbers of ARP packets when multiple wireless routers are connected in a workshop

2025.04.09
The case shared in this issue concerns a wired/wireless network problem.

1. Background introduction
The client is a joint-venture automobile company. Its IT department has just built a new automated workshop. To keep costs down, the workshop's wired and wireless LAN was deployed as a purely unmanaged ("dumb") network: a certain brand of switch plus wireless routers, with each wireless router used only as a wireless access point through its LAN port. As the number of wireless routers grew (to dozens of units), the host computer and the mobile phones on the network began to have communication problems with the equipment.

The simplified on-site topology is as follows:

The planning configuration is as follows:

Unmanaged network, network segment: 10.35.0.0/16
Only the core switch is a managed switch; all the others are unmanaged switches
2. Troubleshooting and analysis
Step 1: Check the warning log of the managed switch

IT staff found that as more wireless routers were added, a certain switch began raising a port-protection alarm and its ARP counter rose sharply. They suspected that too many wireless routers were connected, causing ARP broadcast flooding that was blocking the I/O communication between the host computer and the terminals:

Step 2: Capture packets to view the ARP broadcast details

Since ARP packets are essentially all broadcast (both requests and gratuitous ARP are sent as broadcasts), any PC connected to the switch can capture them with Wireshark:

It is clear that the network really does have ARP flooding. Let's look further at the ARP volume of a single terminal: in Wireshark, open Statistics -> Conversations and view the per-MAC counts:

Two conclusions can be drawn:

From the conversation statistics, these source MACs (that is, the wireless routers) each sent more than 500 ARP packets in total during my capture of just over 100 seconds; in other words, each router sends about 5 ARP broadcast queries per second.
So as the number of wireless routers grows to dozens or hundreds, the ARP broadcast queries will surge to hundreds per second.

Next we have to ask: is it normal for each router to send 5 ARP broadcast queries per second? Is it by design, or a bug?

Step 3: Confirm the ARP query mechanism of the wireless router

It was confirmed that, in order to maintain its own ARP table, the wireless router (which also sits in the 10.35.0.0/24 segment) inevitably learns ARP entries for the terminals, host computers, PCs and other devices. When an entry ages out, the router sends a query message; this is consistent with the device's design and operating mechanism, and is not a fault:

Okay, so these unmanaged switches cannot suppress or isolate the broadcasts. How do we solve it? Think about it first, then read on~

3. Solution
Within this LAN, move the wireless routers to a network segment different from 10.35.0.0/24, for example 192.168.1.1/24; the wireless routers then naturally no longer have many ARP entries to maintain:
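The per-source counting done by hand in Wireshark's Conversations view in Step 2, and the "dozens to hundreds of routers" projection in the conclusions, can be scripted for repeat checks (for instance, to re-run the capture after moving the routers to the new segment and confirm their MACs no longer stand out). This is an added example, not code from the original post; it assumes a tab-separated `tshark` field export, and the capture lines below are constructed sample data with made-up addresses.

```python
# Assumed input: a tshark field export, one ARP request per line, tab-separated:
#   tshark -r cap.pcap -Y "arp.opcode == 1" -T fields -e frame.time_relative \
#          -e eth.src -e arp.src.proto_ipv4 -e arp.dst.proto_ipv4
from collections import defaultdict

def parse_arp_export(text):
    """Parse exported lines into (time_s, src_mac, sender_ip, target_ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, mac, sender_ip, target_ip = line.split("\t")
        records.append((float(t), mac.lower(), sender_ip, target_ip))
    return records

def arp_rate_by_source(records):
    """Return {src_mac: (request_count, requests_per_second)} over the capture window."""
    if not records:
        return {}
    times = [r[0] for r in records]
    window = max(times) - min(times) or 1.0   # single-packet capture: avoid divide by zero
    counts = defaultdict(int)
    for _, mac, _, _ in records:
        counts[mac] += 1
    return {mac: (n, n / window) for mac, n in counts.items()}

def chatty_sources(rates, threshold_pps=2.0):
    """MACs whose ARP request rate exceeds threshold_pps, worst offender first."""
    return sorted((mac for mac, (_, pps) in rates.items() if pps > threshold_pps),
                  key=lambda m: rates[m][1], reverse=True)

def projected_broadcast_load(per_device_pps, n_devices):
    """ARP broadcasts/s the whole LAN carries with n identical devices (conclusion 2)."""
    return per_device_pps * n_devices

# Constructed sample: one AP-mode router re-querying aged entries 5 times per second
# for 100 s (500 requests), plus a PC that asks once. All addresses are made up.
ROUTER_MAC = "aa:bb:cc:00:00:01"
SAMPLE_LINES = [f"{i / 5:.1f}\t{ROUTER_MAC}\t10.35.0.254\t10.35.0.{10 + i % 50}"
                for i in range(500)]
SAMPLE_LINES.append("37.2\tde:ad:be:ef:00:01\t10.35.0.7\t10.35.0.1")
SAMPLE_EXPORT = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    rates = arp_rate_by_source(parse_arp_export(SAMPLE_EXPORT))
    for mac in chatty_sources(rates):
        print(f"{mac}: {rates[mac][0]} requests, {rates[mac][1]:.1f}/s")
    print("50 such routers ->", projected_broadcast_load(rates[ROUTER_MAC][1], 50), "ARP/s")
```

The threshold of 2 requests per second is only a starting point; tune it against a baseline capture taken when the network is quiet.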