Axarpsc: Scalable arp snooping using policy-based mirroring of core switches with arp log contraction

In order to handle a computer security incident or network failure, it is important to grasp a list of pairs of IP and MAC addresses of the hosts. A traditional method based upon ARP table polling, however, has two major drawbacks that 1) some pairs of IP and MAC addresses may not be obtained and 2) it incurs a heavy load on a core switch. In order to overcome these drawbacks, this paper proposes AXARPSC that is the novel scalable ARP snooping to build a list of pairs of IP and MAC addresses. AXARPSC can avoid missing pairs of IP and MAC addresses by monitoring all ARP traffic. AXARPSC also can reduce a CPU load on a recent high-end core switch by approximately 20%. AXARPSC is scalable because AXARPSC incurs no additional CPU load even though the number of hosts increases. AXARPSC employs a policy-based mirroring of a switch that mirrors traffic that matches a specified filter. The policy-based mirroring can mirror ARP traffic only, and reduce the load on an ARP parsing server. AXARPSC can also contract multiple contiguous ARP messages that have the same pair of an IP address and MAC address, as if one ARP message is observed.