Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Proxy-ARP implementation for the EX series Switches

0

0

Article ID: KB15534 KB Last Updated: 15 Oct 2009Version: 1.0
Summary:
This article explains the implementation of the "proxy-ARP" (Address Resolution Protocol) feature for the EX series Switch for JUNOS 9.5 releases and above.
Symptoms:
1. When proxy-arp is enable for a VLAN interface (RVI -Routed VLAN interface) on the EX Switch packets destined for the local VLAN also get forwarded by the RVI VLAN interface (RVI)

2. Gratuitous ARP is not working or IP address conflict found in the VLAN

RVI = Routed VLAN Interface
Solution:
You can configure Proxy Address Resolution Protocol (ARP) on your Juniper Networks EX Series Ethernet switch to enable the switch to respond to ARP queries for network addresses by offering its own Ethernet media access control (MAC) address. With proxy ARP enabled, the switch captures and routes traffic to the intended destination.

Proxy ARP is useful in situations where hosts are on different physical networks and you do not want to use subnet masking. Because ARP broadcasts are not propagated between hosts on different physical networks, hosts will not receive a response to their ARP request if the destination is on a different subnet. Enabling the switch to act as an ARP proxy allows the hosts to transparently communicate with each other through the switch. Proxy ARP can help hosts on a subnet reach remote subnets without configuring routing or a default gateway.

Currently (9.6 release) the EX Switch supports only "unrestricted proxy-arp" mode of proxy-arp feature and is applied to all interfaces in the switch. The switch responds to any ARP request as long as the switch has an active route to the destination address. The switch provides its own MAC address in the ARP response, thereby acting as a proxy for the destination host. The switch forwards subsequent messages from the requesting host to the appropriate destination host. Because proxy ARP applies to all the interfaces on the switch, all hosts attached to the switch receive the switch’s MAC address in response to their ARP requests and all hosts transmit subsequent messages to the switch’s MAC address. The switch routes subsequent messages from the hosts to the appropriate destination addresses.

If you do not enable proxy ARP, the switch responds to an ARP request only if the IP address of the destination device is configured on the switch.

One major disadvantage of the "unrestricted proxy-arp" is that, when the proxy-arp is enable for a VLAN interface (RVI), all the traffic from hosts in the same subnet (VLAN) will also get forwarded by the RVI VLAN interface. It means that ARP requests coming from a host connected in a VLAN for another host connected in the same VLAN will be intercepted by the VLAN interface and the ARP response will be sent to the client host on behalf of destination host. In this case the client host will have MAC address of the VLAN interface for the IP address of destination host. All the packets for destination host will be forwarded to VLAN interface.

Care needs to be taken while implementing proxy-arp and applying firewall filters to a VLAN interface (RVI). All firewall filter rules applied to a VLAN interface will be applicable to local traffic too.
If you enable proxy ARP we recommend that you disable the switch’s interfaces from responding to gratuitous ARP requests.

Gratuitous ARP

If you enable proxy ARP and do not disable gratuitous ARP requests the switch responds to all ARP requests, including gratuitous ARP requests. When the EX Switch receives a gratuitous ARP request the EX Switch might interpret it as an indication of an IP conflict.

Restricted proxy-arp

In case of "restricted proxy-arp" (which is currently not supported) ARP requests generated by local hosts will not be intercepted by VLAN interface. 
NOTE: Restricted proxy-arp will be available in a future JUNOS release 10.1 and onward (tentative release date).  Please contact Juniper Support for further details.


.



Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search