MAC / ARP Table Stress — primer
Help Center primer for the L2 forwarding-table and ARP/NDP saturation engine. Pairs with `pkg/macarp-stress-agent/` and ADR 0011. Patent claim #24 anchors the saturation pattern and the cgroup-aware rate limiting.
What it tests
Vendor NGFW lab sheets measure throughput (Gbps). They very rarely measure the capacity of the L2 forwarding tables that sit underneath every encrypted session:
- CAM / MAC table — finite, vendor-specific (often quoted as "128k MACs" or "256k MACs")
- ARP table (IPv4) — finite, eviction policy varies by vendor
- NDP table (IPv6) — finite, sometimes smaller than ARP
- Hash-bucket distribution — a bucketed table can saturate per bucket before the global entry count is reached
When a table fills, the NGFW either evicts existing entries (flooding-equivalent behaviour at L2, because frames for an evicted MAC are flooded until it is re-learned) or drops new entries (connectivity loss for the hosts that could not be learned). Both modes are observable and characterise the deployment ceiling for dense-VM environments.
Three-axis configuration
| Axis | Options |
|---|---|
| `enabled` | yes / no |
| `target_table_size` | 10k / 50k / 100k (default) / 250k / 500k / 1M |
| `rate_pps` | 50 / 100 / 500 (default) / 1k / 5k / line-rate |
Cgroup-aware rate limiting (Patent #24) keeps the agent inside its container CPU envelope, so runaway PPS that would starve neighbour pods is impossible.
The dashboard pre-validates the (SKU, `target_table_size`) pair against the DUT catalog where the vendor has published a capacity figure. When the SKU's published capacity is below the chosen target, the dashboard returns a "capture eviction signature" recommendation.
Static-route precedence — safety guarantee
The stress agent operates on VLAN 2900 (172.19.0.0/16, gateway .1 on the TRUST side) via a Multus macvlan. The generated MAC + IP pairs are isolated to that VLAN; they cannot bleed into persona VLANs (101-120) or cloned-persona VLANs (200-209).
Layered vs standalone
- Standalone: `test_kind = mac-arp-stress`. Pure L2 capacity test, no L7 / TLS load.
- Layered: enable the `mac_arp_layered` modifier on any TLS test to observe whether the DUT's L7 inspection throughput drops when the underlying L2 tables fill.
Reading the report
Each MAC/ARP run adds an "Annex L (MAC/ARP)" block:
- DUT → vendor MAC table capacity claim (if known)
- Run config → 3 axes + IPv6 toggle
- Saturation envelope → time to first eviction, time to drop
- Hash signature → distribution skew if any
- Cohabitation signature (layered mode) → L7 throughput delta under L2 pressure
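The bullet on hash-bucket distribution above and the "saturation envelope" / "hash signature" lines of the Annex L block describe the same effect from two sides. The model below is an added example for this primer, not code from `pkg/macarp-stress-agent/`: it treats a MAC table as fixed-size hash buckets, replays a constructed stream of sequentially allocated VM MACs through two assumed bucket-hash layouts, and derives time to first eviction, time to first drop (at a chosen `rate_pps`) and a bucket-skew figure. The table geometry (64 buckets of 4 ways), both hash functions and the MAC/IP stream are illustrative assumptions.

```python
"""Finite L2 forwarding table model: bucket layout vs nominal capacity.

Added example, not code from pkg/macarp-stress-agent. Geometry, hash
layouts and the MAC stream are assumptions chosen so the outcome is easy
to follow by hand.
"""
from collections import OrderedDict
from typing import Callable, Dict, Iterator, Optional, Tuple

HashFn = Callable[[bytes, int], int]


def hash_xor_fold(mac: bytes, nbuckets: int) -> int:
    """Assumed layout A: folds all six octets, so low-octet variation spreads entries."""
    acc = 0
    for b in mac:
        acc ^= b
    return acc % nbuckets


def hash_upper_octets(mac: bytes, nbuckets: int) -> int:
    """Assumed layout B: folds only the first five octets and ignores the last one."""
    acc = 0
    for b in mac[:-1]:
        acc ^= b
    return acc % nbuckets


class ForwardingTable:
    """nbuckets buckets of `ways` entries; policy 'evict' replaces the oldest entry
    in a full bucket, policy 'drop' refuses the new entry."""

    def __init__(self, nbuckets: int, ways: int, policy: str, bucket_hash: HashFn):
        if policy not in ("evict", "drop"):
            raise ValueError("policy must be 'evict' or 'drop'")
        self.nbuckets, self.ways, self.policy, self.bucket_hash = nbuckets, ways, policy, bucket_hash
        self.buckets = [OrderedDict() for _ in range(nbuckets)]  # mac -> ip, insertion order kept
        self.inserts = self.evictions = self.drops = 0
        self.first_eviction_at: Optional[int] = None  # index of the insert that caused it
        self.first_drop_at: Optional[int] = None

    @property
    def nominal_capacity(self) -> int:
        return self.nbuckets * self.ways

    @property
    def occupancy(self) -> int:
        return sum(len(b) for b in self.buckets)

    def learn(self, mac: bytes, ip: str) -> str:
        idx = self.inserts
        self.inserts += 1
        bucket = self.buckets[self.bucket_hash(mac, self.nbuckets)]
        if mac in bucket:                 # known MAC: refresh, no capacity consumed
            bucket.move_to_end(mac)
            bucket[mac] = ip
            return "refresh"
        if len(bucket) < self.ways:       # room in this bucket
            bucket[mac] = ip
            return "learned"
        if self.policy == "evict":        # bucket full: FIFO eviction inside the bucket
            bucket.popitem(last=False)
            bucket[mac] = ip
            self.evictions += 1
            if self.first_eviction_at is None:
                self.first_eviction_at = idx
            return "evicted"
        self.drops += 1                   # bucket full: new entry refused
        if self.first_drop_at is None:
            self.first_drop_at = idx
        return "dropped"

    def bucket_skew(self) -> float:
        """Fullest bucket divided by mean bucket fill; 1.0 means perfectly even."""
        occ = self.occupancy
        return 0.0 if occ == 0 else max(len(b) for b in self.buckets) / (occ / self.nbuckets)


def vm_mac_stream(count: int) -> Iterator[Tuple[bytes, str]]:
    """Constructed stream: locally administered 02:00:00:00:hh:ll with hh:ll = index,
    the shape a hypervisor produces when it hands out MACs sequentially; IPs are
    constructed inside the page's 172.19.0.0/16 range, skipping the .1 gateway."""
    for i in range(count):
        n = i + 2
        yield bytes([0x02, 0, 0, 0, (i >> 8) & 0xFF, i & 0xFF]), f"172.19.{(n >> 8) & 0xFF}.{n & 0xFF}"


def saturation_envelope(table: ForwardingTable, stream, rate_pps: float) -> Dict[str, object]:
    """Replays the stream at rate_pps and reports Annex L style figures."""
    for mac, ip in stream:
        table.learn(mac, ip)

    def at(idx: Optional[int]) -> Optional[float]:
        return None if idx is None else idx / rate_pps

    return {
        "nominal_capacity": table.nominal_capacity,
        "entries_offered": table.inserts,
        "occupancy": table.occupancy,
        "evictions": table.evictions,
        "drops": table.drops,
        "time_to_first_eviction_s": at(table.first_eviction_at),
        "time_to_first_drop_s": at(table.first_drop_at),
        "time_to_nominal_capacity_s": table.nominal_capacity / rate_pps,
        "bucket_skew": table.bucket_skew(),
    }


def compare_layouts(count: int = 256, rate_pps: float = 500.0) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Same 256-MAC stream, same 64x4 = 256 nominal capacity, both layouts and both policies."""
    results = {}
    for name, fn in (("xor_fold", hash_xor_fold), ("upper_octets", hash_upper_octets)):
        for policy in ("evict", "drop"):
            table = ForwardingTable(nbuckets=64, ways=4, policy=policy, bucket_hash=fn)
            results[(name, policy)] = saturation_envelope(table, vm_mac_stream(count), rate_pps)
    return results


if __name__ == "__main__":
    for key, env in compare_layouts().items():
        print(key, env)
```

Under layout A the 256 sequential MACs land four per bucket and the table reaches its nominal capacity with no eviction. Under layout B every MAC hashes to the same bucket because only the last octet varies, so the first eviction (or drop) arrives at the fifth insert, 8 ms into a 500 pps run instead of the 512 ms the nominal figure suggests, and the skew figure reads 64.0. That gap between nominal capacity and the point where eviction actually starts is what the "hash signature" line in the report records.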
Common patterns
| Symptom | Likely cause |
|---|---|
| Eviction starts before nominal capacity | Hash-bucket skew — DUT undersizes per-bucket capacity |
| New entries silently drop | DUT hit the hard ceiling; capture exact MAC count for sales conversation |
| Persona unreachability appears | (Should not happen) Verify VLAN isolation — stress is on VLAN 2900 |
| L7 throughput drops in layered mode | DUT shares L2 + L7 ASIC resources — primary marketing data point |
Related
- `pkg/macarp-stress-agent/` — module README
- ADR 0011 — topology axes
- STRESS_ENGINES_CATALOG — engine matrix
- Patent #24 — saturation pattern + cgroup-aware rate limiting
Last verified against shipping code: v3.7.0 (2026-05-12).