
Example - Configuring restricted and unrestricted proxy ARP on an SRX device


Article ID: KB26906    Last Updated: 30 Jun 2020    Version: 2.0
Summary:

This article describes how to configure restricted and unrestricted proxy ARP on an SRX device, and shows with packet captures what changes once the statement is in place.

Symptoms:
SRX devices do not respond to ARP requests from remote peers when the target IP address in the request does not belong to the network segment of the interface that receives the request, unless proxy ARP is configured on that interface.
Solution:

Topology:

Source ------ 10.246.65.243/23 [ge-0/0/12] (SRX) 10.246.69.1/24 ------ Destination
10.246.64.41/21                                                       10.246.69.10/24

To configure restricted or unrestricted proxy ARP, include the proxy-arp statement:

proxy-arp (restricted |unrestricted);

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name unit logical-unit-number]
  • [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Options:
  • none - proxy-arp configured with no option. The router or switch responds to any ARP request for a local or remote address if it has a route to the target IP address (the same behaviour as unrestricted).
  • restricted (optional) - The router or switch responds to an ARP request only when the source and target IP addresses are on different physical networks (subnets); it does not respond when the source and target are in the same subnet. It must also have a route to the target IP address.
  • unrestricted (optional) - The router or switch responds to any ARP request for a local or remote address if it has a route to the target IP address, including requests for addresses on the requester's own subnet.
When proxy-arp is configured without an option, the default is unrestricted. When the proxy-arp statement is absent, which is the factory state, the device does not proxy ARP at all; the first capture in the example below shows this. To disable restricted or unrestricted proxy ARP, delete the proxy-arp statement from the configuration:
[edit]
user@host# delete interfaces interface-name unit logical-unit-number proxy-arp
You can track the number of restricted and unrestricted proxy ARP requests processed by the router or switch with the show system statistics arp operational mode command. In a production deployment, restricted is the option to prefer unless you need the SRX to answer for addresses on the requester's own subnet: unrestricted makes the SRX reply for any routable target, so hosts that share the segment with the requester can end up being reached through the firewall instead of directly.
 

Configuration Example:

With the following configuration on the SRX (no proxy-arp statement on ge-0/0/12.0; note that host-inbound-traffic system-services all and protocols all open every host-bound service and protocol on the zone, which is acceptable for this lab test but should be narrowed to what is actually required in production):
root@SRX240HM-8# show | match ge-0/0/12 | display set
set interfaces ge-0/0/12 unit 0 family inet address 10.246.65.252/23
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic system-services all
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic protocols all
Here is what happens to the ARP request from 10.246.64.41 for 10.246.69.10: the SRX sees eleven requests and never answers.
[edit]
root@SRX240HM-8# run monitor traffic interface ge-0/0/12
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/12, capture size 96 bytes

Reverse lookup for 10.246.69.10 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:17:01.688956 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:02.594916 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:03.300404 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:03.905087 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:04.812153 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:05.723088 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:06.327252 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:07.234327 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:08.040390 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:08.644876 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:09.757774 In arp who-has 10.246.69.10 tell 10.246.64.41
^C
12 packets received by filter
0 packets dropped by kernel

[edit]
root@SRX240HM-8#
When the proxy-arp statement is added to the logical unit, the ARP reply is sent. The command below sets restricted, while the show output that follows lists unrestricted; in this topology either option produces the reply, because the source 10.246.64.41 (inside the 10.246.64.0/23 of ge-0/0/12) and the target 10.246.69.10 (on the 10.246.69.0/24 side) are in different subnets from the SRX's point of view, and the SRX has a directly connected route to the target. Restricted is the safer choice, since it keeps the SRX from answering ARP for addresses on the requester's own subnet.
root@SRX240HM-8# set interfaces ge-0/0/12 unit 0 proxy-arp restricted

[edit]
root@SRX240HM-8# show | match ge-0/0/12 | display set
set interfaces ge-0/0/12 unit 0 proxy-arp unrestricted
set interfaces ge-0/0/12 unit 0 family inet address 10.246.65.252/23
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic system-services all
set security zones security-zone ARP interfaces ge-0/0/12.0 host-inbound-traffic protocols all

[edit]
root@SRX240HM-8# run monitor traffic interface ge-0/0/12
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is ON. Use <no-resolve> to avoid any reverse lookup delay.
Address resolution timeout is 4s.
Listening on ge-0/0/12, capture size 96 bytes

Reverse lookup for 10.246.69.10 failed (check DNS reachability).
Other reverse lookup failures will not be reported.
Use <no-resolve> to avoid reverse lookups on IP addresses.

20:19:11.017490 In arp who-has 10.246.69.10 tell 10.246.64.41
20:19:11.017821 Out arp reply 10.246.69.10 is-at a8:d0:e5:a9:e4:8c <<<< ARP REPLY SENT
^C
2 packets received by filter
0 packets dropped by kernel

[edit]
root@SRX240HM-8#
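The reply decision described under Options, run over ARP requests in the format that monitor traffic prints, as an added example. This is illustrative Python written for this article, not Juniper code, and it does not talk to an SRX: the interface address and the two connected networks are the ones from the topology above, the extra static route 10.10.0.0/16 and the sample capture lines are constructed, and the "same subnet" test for restricted is assumed to be evaluated against the SRX's own connected prefixes (the page does not spell out that detail). It goes beyond the page's single request by also showing a same-subnet target, a routed remote target and a target with no route, so the difference between restricted and unrestricted becomes visible.

```python
"""Model of the Junos proxy-arp reply decision (statement absent / none /
restricted / unrestricted), applied to ARP request lines in the format
printed by `monitor traffic` on an SRX.  Added example, not Juniper code.
"""
import ipaddress
import re

# From the page: ge-0/0/12.0 and the two directly connected networks.
RECEIVING_IFACE = ipaddress.ip_interface("10.246.65.252/23")
CONNECTED = [
    ipaddress.ip_network("10.246.64.0/23"),   # ge-0/0/12.0, towards Source
    ipaddress.ip_network("10.246.69.0/24"),   # interface towards Destination
]
# Constructed routing table: the connected prefixes plus one static route
# (10.10.0.0/16 is an assumption, not on the page).
ROUTES = CONNECTED + [ipaddress.ip_network("10.10.0.0/16")]

# One inbound ARP request line as `monitor traffic` prints it.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) In arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)$"
)

# Constructed capture: the page's request plus three variants and one reply
# line (which is not a request and must be ignored by the parser).
SAMPLE_CAPTURE = """\
20:17:01.688956 In arp who-has 10.246.69.10 tell 10.246.64.41
20:17:02.594916 In arp who-has 10.246.65.100 tell 10.246.64.41
20:17:03.300404 In arp who-has 10.10.5.5 tell 10.246.64.41
20:17:03.905087 In arp who-has 192.0.2.9 tell 10.246.64.41
20:19:11.017821 Out arp reply 10.246.69.10 is-at a8:d0:e5:a9:e4:8c
"""


def parse_arp_requests(capture):
    """Return (sender, target) string pairs for each inbound ARP request line."""
    pairs = []
    for line in capture.splitlines():
        m = ARP_REQUEST.match(line.strip())
        if m:
            pairs.append((m["sender"], m["target"]))
    return pairs


def has_route(target, routes=ROUTES):
    """Route lookup modelled as: any prefix in the table covers the target."""
    return any(target in prefix for prefix in routes)


def same_connected_subnet(a, b, connected=CONNECTED):
    """True when one directly connected prefix contains both addresses."""
    return any(a in net and b in net for net in connected)


def should_reply(sender, target, mode, iface=RECEIVING_IFACE,
                 routes=ROUTES, connected=CONNECTED):
    """Decide whether the SRX answers an ARP request on `iface`.

    mode: None (proxy-arp statement absent), "none" (proxy-arp with no
    option), "restricted" or "unrestricted".
    """
    sender = ipaddress.ip_address(sender)
    target = ipaddress.ip_address(target)
    if target == iface.ip:
        return True            # ordinary ARP for our own address, not proxy ARP
    if mode is None:
        return False           # proxy ARP not configured: the page's first capture
    if not has_route(target, routes):
        return False           # every proxy mode requires a route to the target
    if mode == "restricted":
        # Reply only when sender and target are on different subnets.
        return not same_connected_subnet(sender, target, connected)
    if mode in ("none", "unrestricted"):
        return True            # any local or remote address with a route
    raise ValueError(f"unknown proxy-arp mode {mode!r}")


def evaluate(capture, modes=(None, "restricted", "unrestricted")):
    """Map each (sender, target) request in the capture to its decision per mode."""
    return {pair: {m: should_reply(pair[0], pair[1], m) for m in modes}
            for pair in parse_arp_requests(capture)}


if __name__ == "__main__":
    for (sender, target), decisions in evaluate(SAMPLE_CAPTURE).items():
        verdicts = ", ".join(
            f"{m or 'absent'}={'reply' if d else 'silent'}" for m, d in decisions.items())
        print(f"who-has {target} tell {sender}: {verdicts}")
```

The page's request (target 10.246.69.10) is answered under both restricted and unrestricted, which is why the second capture shows a reply regardless of which option was actually active. The constructed request for 10.246.65.100, a host on the requester's own subnet, is the case that separates the two: restricted stays silent, unrestricted answers and would pull that traffic through the SRX.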
Modification History:
2020-06-30: Article reviewed for accuracy; no changes required.