Enabling Proxy Arp

  • 1.  Enabling Proxy Arp

    Posted 03-12-2018 08:49

    Coming from Cisco, proxy ARP is enabled by default on switches.  I understand that on Juniper switches (EX4300/4600) proxy ARP is NOT enabled by default.  My question is, does proxy ARP need to be enabled per interface or can it be enabled globally on Juniper switches?



  • 2.  RE: Enabling Proxy Arp
    Best Answer

     
    Posted 03-12-2018 09:11

    Your understanding is correct, it's not enabled by default.

    The router or switch responds to an ARP request only if the destination IP address is its own.

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/proxy-arp-edit-interfaces.html

     

    It is an interface-level command and not global:

    https://www.juniper.net/documentation/en_US/junos/topics/example/port-security-proxy-arp-ex-series.html

    https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-ex-series-proxy-arp-understanding.html#jd0e47

     

    I think one way you can set it globally would be to configure it under a group and apply it.

    set groups arp interfaces <*> unit <*> proxy-arp unrestricted

     

     

     



  • 3.  RE: Enabling Proxy Arp

    Posted 12-04-2018 09:08

    Just enabled proxy-arp unrestricted and broke direct communications on the subnet. So no hosts could see each other anymore.

    Thankfully I had "commit confirmed 1"!

     

    No, it's not like Cisco. Cisco is just working out of the box and does what the user expects.

     

     

    user@sw1# show interfaces irb.20
    description "OAM Server LAN";
    proxy-arp restricted;
    family inet {
        mtu 1500;
        address 192.168.44.4/23 {
            preferred;
            vrrp-group 20 {
                virtual-address 192.168.45.254;
    

    And there is a route to somewhere:

    user@sw1# run show route table oam 192.168.44.132
    oam.inet.0: 43 destinations, 50 routes (43 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    192.168.44.0/23    *[Direct/0] 91w4d 04:04:33
                        > via irb.20


    user@sw1# run show route table oam 192.168.44.131
    oam.inet.0: 43 destinations, 50 routes (43 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    192.168.44.131/32  *[OSPF/10] 00:30:34, metric 51
                        > to 192.168.39.37 via irb.110
                          to 192.168.39.38 via irb.110

    https://www.juniper.net/documentation/en_US/junos/topics/concept/port-security-qfx-series-proxy-arp-understanding.html:

     

    Restricted—The switch responds to ARP requests in which the physical networks of the source and target are different and does not respond if the source and target IP addresses are on the same subnet. In this mode, hosts on the same subnet communicate without proxy ARP.

     

    So .131 is different to .130, the host which is asking. But the EX4300 does not respond with its MAC.

     

    Setting unrestricted breaks the LAN. All my hosts in the segment got mad, not reaching each other anymore. Why is that? What makes the switch respond to these ARP requests? The default route? Hopefully not, because that makes no sense.

     

    IMHO restricted should do exactly what one expects. But it doesn't.

     

    br

    Walter
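
A host-side check for the symptom reported in the post above, added here as an example and not taken from the thread or from Juniper: it reads a neighbor table and reports any MAC address that answers for more than one on-link IP, which is what a host sees when a gateway proxies ARP for same-subnet targets (and also what ARP spoofing looks like). It assumes Linux `ip neigh show` output; the MAC addresses in the sample are constructed, and `00:00:5e:00:01:14` is the standard VRRP virtual MAC for group 20.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip neigh show` output from a host on 192.168.44.0/23
# while the gateway is answering ARP for on-link targets. MACs are made up.
SAMPLE_NEIGH = """\
192.168.44.4 dev eth0 lladdr 02:00:00:aa:bb:04 REACHABLE
192.168.45.254 dev eth0 lladdr 00:00:5e:00:01:14 REACHABLE
192.168.44.131 dev eth0 lladdr 02:00:00:aa:bb:04 STALE
192.168.44.132 dev eth0 lladdr 02:00:00:aa:bb:04 REACHABLE
192.168.44.140 dev eth0 lladdr 02:00:00:cc:dd:8c REACHABLE
192.168.44.150 dev eth0  FAILED
10.0.0.1 dev eth1 lladdr 02:00:00:ee:ff:01 REACHABLE
"""


def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a resolved link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            yield ipaddress.ip_address(fields[0]), mac


def shared_macs(text, subnet, expected=()):
    """Return {mac: [ips]} for every MAC that answers for >1 on-link IP.

    `expected` lists IPs to ignore, e.g. known secondary addresses of one box.
    """
    net = ipaddress.ip_network(subnet)
    skip = {ipaddress.ip_address(a) for a in expected}
    by_mac = defaultdict(list)
    for ip, mac in parse_neigh(text):
        if ip in net and ip not in skip:
            by_mac[mac].append(ip)
    return {m: [str(i) for i in sorted(ips)]
            for m, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for mac, ips in shared_macs(SAMPLE_NEIGH, "192.168.44.0/23").items():
        print(f"{mac} answers for {len(ips)} on-link addresses: {', '.join(ips)}")
```

On a live host, pass the output of `ip neigh show` and the interface's own prefix instead of the sample.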

     



  • 4.  RE: Enabling Proxy Arp

     
    Posted 12-04-2018 20:14

    My understanding is that the switch/router won't do proxy ARP if the destination is not reachable from the network from where the ARP is initiated. There could be some element in your network preventing the restricted function. I would suggest logging a case with JTAC to debug further.



  • 5.  RE: Enabling Proxy Arp

    Posted 12-05-2018 03:06

    I found out the reason why my proxy ARP restricted did not work.

    My conclusion: proxy ARP is done only on the VRRP master interface.

     

    Additionally, in my config I have two VRRP groups (rebuilt in the office now):

    user@sw2-office# show interfaces irb.500
    description testing;
    proxy-arp restricted;
    family inet {
        mtu 1500;
        address 5.5.5.5/24 {
            preferred;
            vrrp-group 50 {
                virtual-address 5.5.5.200;
                priority 80;
                preempt;
                accept-data;
                authentication-type simple;
                authentication-key "$9$2fgGiPfz6CuQFu1EyW8VwY"; ## SECRET-DATA
            }
            vrrp-group 51 {
                virtual-address 5.5.5.201;
                priority 120;
                preempt;
                accept-data;
                authentication-type simple;
                authentication-key "$9$2fgGiPfz6CuQFu1EyW8VwY"; ## SECRET-DATA
            }
        }
    }
    

    The idea behind it is that on each side one IP is active (for some reason not relevant here).

     

    My conclusion based on tests: the proxy ARP is done on the side where the higher VRRP group is active.

    That means:

    - If vrrp-group 51 is backup, no proxy ARP is done.

    - Proxy ARP is done only if at least vrrp-group 51 is master.

     

    br

    Walter



  • 6.  RE: Enabling Proxy Arp

    Posted 12-05-2018 03:22

    Correction: proxy-arp is done by the side that had the last transition to master.

    That means: as soon as one of the groups becomes master, the ARP response is then sent from there.