[EX/QFX] How to match ARP traffic on a firewall filter

[KB34142]


Summary:

ARP packets do not carry an IP header, so there is no IP source or destination address to match on. The sender and target IP addresses are carried inside the ARP payload instead, and those fields are not a matching criterion on Junos. The workable matches are the Ethernet type (arp) and the source and destination MAC addresses of the frame.

Solution:

ARP packets

> Frame 69: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
> Ethernet II, Src: Private_66:68:00 (00:50:79:66:68:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
- Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: Private_66:68:00 (00:50:79:66:68:00)
Sender IP address: 10.20.30.101
Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
Target IP address: 10.20.30.104

> Frame 59: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
> Ethernet II, Src: Private_66:68:03 (00:50:79:66:68:03), Dst: Private_66:68:00 (00:50:79:66:68:00)
- Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: Private_66:68:03 (00:50:79:66:68:03)
Sender IP address: 10.20.30.104
Target MAC address: Private_66:68:00 (00:50:79:66:68:00)
Target IP address: 10.20.30.101

Within the same subnet

ARP request

[edit]
root# show firewall 
family bridge {
    filter MATCH_ARP {
        term 1 {
            from {
                ether-type arp;
                source-mac-address {
                    00:50:79:66:68:00/48; ### arp source mac ### 
                }
            }
            then {
                count ARP_C;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

ARP reply

[edit]
root# show firewall 
family bridge {
    filter MATCH_ARP {
        term 1 {
            from {
                ether-type arp;
                source-mac-address {
                    00:50:79:66:68:03/48; ### mac of the replying host (target of the ARP request) ### 
                }
            }
            then {
                count ARP_C;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

The filter can be applied as an input filter on the interface where the ARP packet arrives or as an output filter on the interface it leaves. A bridged frame keeps its source MAC, so the same source-mac-address match works at either point.

Different subnets


Source MAC to match in the firewall filter (FF) for an ARP request

  • From the source host to the gateway, use the source host MAC.
  • From the gateway to the destination host, use the gateway MAC.

Source MAC to match in the firewall filter (FF) for an ARP reply

  • From the destination host to the gateway, use the destination host MAC.
  • From the gateway to the source host, use the gateway MAC.

You can also add a from destination-mac-address match for additional filtering on ARP replies, since the destination MAC differs between a reply addressed to the gateway and a reply addressed to the source host. ARP requests are broadcast, so their destination MAC is always ff:ff:ff:ff:ff:ff.
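The two filters above each count a single direction. The configuration below is an added example in Junos set syntax and is not part of the KB article; it combines both directions of the same-subnet exchange captured above into one filter, adds the destination-mac-address match described in this article, and keeps a separate counter per direction. The term names, counter names and the comment lines are assumptions; the MAC addresses are the ones from the capture.

```junos
## Added example (not from the KB article): one family bridge filter that
## matches the ARP request and the ARP reply of the captured exchange.
## Term names and counter names are assumptions.

## ARP request: from host 00:50:79:66:68:00, always sent to the broadcast MAC.
set firewall family bridge filter MATCH_ARP term ARP_REQUEST from ether-type arp
set firewall family bridge filter MATCH_ARP term ARP_REQUEST from source-mac-address 00:50:79:66:68:00/48
set firewall family bridge filter MATCH_ARP term ARP_REQUEST from destination-mac-address ff:ff:ff:ff:ff:ff/48
set firewall family bridge filter MATCH_ARP term ARP_REQUEST then count ARP_REQ_C
set firewall family bridge filter MATCH_ARP term ARP_REQUEST then accept

## ARP reply: from the replying host 00:50:79:66:68:03, unicast back to the requester.
set firewall family bridge filter MATCH_ARP term ARP_REPLY from ether-type arp
set firewall family bridge filter MATCH_ARP term ARP_REPLY from source-mac-address 00:50:79:66:68:03/48
set firewall family bridge filter MATCH_ARP term ARP_REPLY from destination-mac-address 00:50:79:66:68:00/48
set firewall family bridge filter MATCH_ARP term ARP_REPLY then count ARP_REPLY_C
set firewall family bridge filter MATCH_ARP term ARP_REPLY then accept

## Junos filters end with an implicit discard: without this final term every
## non-matching frame (all non-ARP traffic) would be dropped once the filter is applied.
set firewall family bridge filter MATCH_ARP term DEFAULT then accept

## After commit and applying the filter to the interface, read the counters with:
##   show firewall filter MATCH_ARP
```

The /48 mask makes each term match one exact MAC. For the different-subnet case, replace the host MAC on the far side of the gateway with the gateway's MAC as the bullets above describe, and keep the broadcast destination only on the request term. The command that binds the filter to an interface depends on the platform and is not shown here; the counters ARP_REQ_C and ARP_REPLY_C should both increase by one for each complete request/reply exchange, which is a quick way to confirm the match is hitting the intended direction.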
