
[MX] How to match ARP traffic on a firewall filter


Article ID: KB34142 KB Last Updated: 10 May 2021Version: 2.0
Summary:

ARP packets carry no IP header, so there are no IP source/destination addresses to match on. The sender and target IP addresses are carried inside the ARP payload instead, and those fields are not a matching criterion on Junos OS.

This article explains how to match Address Resolution Protocol (ARP) traffic on a firewall filter in MX Series routers.

Note: Firewall family bridge is not available on EX / QFX platforms; it is available only on MX platform. See family bridge and Understanding Layer 2 Bridge Domains.

Solution:

Traffic Capture Showing ARP Packets

> Frame 69: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
> Ethernet II, Src: Private_66:68:00 (00:50:79:66:68:00), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
- Address Resolution Protocol (request)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: request (1)
Sender MAC address: Private_66:68:00 (00:50:79:66:68:00)
Sender IP address: 10.20.30.101
Target MAC address: Broadcast (ff:ff:ff:ff:ff:ff)
Target IP address: 10.20.30.104

> Frame 59: 64 bytes on wire (512 bits), 64 bytes captured (512 bits) on interface 0
> Ethernet II, Src: Private_66:68:03 (00:50:79:66:68:03), Dst: Private_66:68:00 (00:50:79:66:68:00)
- Address Resolution Protocol (reply)
Hardware type: Ethernet (1)
Protocol type: IPv4 (0x0800)
Hardware size: 6
Protocol size: 4
Opcode: reply (2)
Sender MAC address: Private_66:68:03 (00:50:79:66:68:03)
Sender IP address: 10.20.30.104
Target MAC address: Private_66:68:00 (00:50:79:66:68:00)
Target IP address: 10.20.30.101

Within the Same Subnet

Verifying ARP within the same subnet: the source MAC address in the firewall filter is only the host address, and no gateway MAC address is required.

ARP request

[edit]
root# show firewall 
family bridge {
    filter MATCH_ARP {
        term 1 {
            from {
                ether-type arp;
                source-mac-address {
                    00:50:79:66:68:00/48; ### arp source mac ### 
                }
            }
            then {
                count ARP_C;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

ARP reply

[edit]
root# show firewall 
family bridge {
    filter MATCH_ARP {
        term 1 {
            from {
                ether-type arp;
                source-mac-address {
                    00:50:79:66:68:03/48; ### arp destination mac ### 
                }
            }
            then {
                count ARP_C;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}

With the above setup on a switch, the ARP request from the source host arrives inbound at the switch, so the filter must be applied on the incoming interface. The ARP reply is forwarded by the switch towards the destination host, so the filter must be applied on the outgoing interface. Apply the filter in each direction to validate the ARP request and the ARP reply respectively.

Different Subnets

Verifying ARP across different subnets, where inter-subnet communication goes through a gateway and the gateway MAC address must be taken into account.

Source MAC in the Firewall Filter for the ARP Request

  • From source host to gateway, use the source host MAC address.

  • From gateway to destination host, use the gateway MAC address.

Source MAC in the Firewall Filter for the ARP Reply

  • From destination host to gateway, use the destination host MAC address.

  • From gateway to source host, use the gateway MAC address.

Note: You can add an extra line to the firewall filter for destination-mac. Any ARP request will be a broadcast packet, so its destination MAC address will be FF:FF:FF:FF:FF:FF. An ARP reply, on the other hand, would be a unicast packet so we can include the intended destination-mac address in the filter to count the ARP reply packets.
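The following is an added illustration, not part of the KB article or Junos OS. It rebuilds the request and reply from the capture above as raw Ethernet frames (constructed sample data), decodes them to show that the sender/target IP addresses sit inside the ARP body rather than in an IP header, and applies the same conditions as the MATCH_ARP term (ether-type arp, source-mac-address, optional destination-mac-address) to count matching frames the way the ARP_C counter would.

```python
import socket
import struct

ETHERTYPE_ARP, ETHERTYPE_IPV4, BROADCAST = 0x0806, 0x0800, "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_arp_frame(src_mac, dst_mac, opcode, sender_ip, target_ip):
    """Constructed Ethernet II + ARP frame (IPv4 over Ethernet, no FCS); the ARP
    sender/target MACs mirror the Ethernet header, as in the article's capture."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(src_mac) + socket.inet_aton(sender_ip)       # sender MAC, sender IP
    arp += mac_bytes(dst_mac) + socket.inet_aton(target_ip)       # target MAC, target IP
    return eth + arp

def parse_frame(frame):
    """Decode the Ethernet header, and the ARP body only when the ether-type is ARP."""
    info = {"dst_mac": mac_str(frame[:6]), "src_mac": mac_str(frame[6:12]),
            "ether_type": struct.unpack("!H", frame[12:14])[0]}
    if info["ether_type"] == ETHERTYPE_ARP:
        _, _, hlen, plen, info["opcode"] = struct.unpack("!HHBBH", frame[14:22])
        body = frame[22:]  # the IPs sit here, in the ARP body, not in any IP header
        info["sender_ip"] = socket.inet_ntoa(body[hlen:hlen + plen])
        info["target_ip"] = socket.inet_ntoa(body[2 * hlen + plen:2 * hlen + 2 * plen])
    return info

def match_arp_term(info, source_mac, destination_mac=None):
    """Same conditions as the MATCH_ARP term: ether-type arp plus source-mac-address,
    optionally destination-mac-address. sender_ip/target_ip are never consulted."""
    if info["ether_type"] != ETHERTYPE_ARP or info["src_mac"] != source_mac.lower():
        return False
    return destination_mac is None or info["dst_mac"] == destination_mac.lower()

def count_arp(frames, source_mac, destination_mac=None):
    """Equivalent of the ARP_C counter for one term over a list of frames."""
    return sum(match_arp_term(parse_frame(f), source_mac, destination_mac) for f in frames)

# Constructed sample: the request and reply from the article's capture plus one IPv4 frame.
HOST_A, HOST_B = "00:50:79:66:68:00", "00:50:79:66:68:03"
ARP_REQUEST = build_arp_frame(HOST_A, BROADCAST, 1, "10.20.30.101", "10.20.30.104")
ARP_REPLY = build_arp_frame(HOST_B, HOST_A, 2, "10.20.30.104", "10.20.30.101")
IPV4_FRAME = mac_bytes(HOST_B) + mac_bytes(HOST_A) + struct.pack("!H", ETHERTYPE_IPV4) + bytes(20)
FRAMES = [ARP_REQUEST, ARP_REPLY, IPV4_FRAME]
```

count_arp(FRAMES, HOST_A) corresponds to the request term and count_arp(FRAMES, HOST_B, HOST_A) to the reply term with the optional destination-mac line; the IPv4 frame from HOST_A is not counted because its ether-type is not ARP.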

Modification History:

2021-05-10: Made changes to platform because family "bridge" is available only in MX and not in EX / QFX
